VPNs, Tunneling, and Overlay Networks
Virtual Private Networks (VPNs)
A virtual private network (VPN) is a data network whose connections make use of public
networking facilities. The VPN part of the public network is set up "virtually" by a private-sector
entity to provide networking services to smaller entities. With the globalization of
businesses, many companies have facilities across the world and use VPNs to maintain fast,
secure, and reliable communications across their branches.
Creating a VPN benefits an organization by providing:
• Extended geographical communication
• Reduced operational cost
• Enhanced organizational management
• Enhanced network management with simplified local area networks
• Improved productivity and globalization
Remote-Access VPN
A remote-access VPN is a user-to-LAN connection that an organization uses to connect its users to
a private network from various remote locations. Large remote-access VPNs are normally
outsourced to an Internet service provider, which sets up a network-access server. Users
working off campus can then reach the network-access server and use the VPN software to
access the corporate network.
Tunneling in a remote-access VPN uses mainly the Point-to-Point Protocol (PPP). PPP is the
carrier for other Internet protocols when communicating over the network between a host
computer and a remote point.
Site-to-Site VPN
Site-to-site VPNs can be classified as either intranets or extranets.
• Intranet VPNs connect an organization's remote-site LANs into a single private network.
• Extranet VPNs allow two organizations to work in a shared environment through a tunnel
built to connect their LANs.
In a site-to-site VPN, generic routing encapsulation (GRE) is normally the encapsulating protocol. GRE
provides the framework for encapsulation over an IP-based protocol. IPsec in tunnel mode is
sometimes used as the encapsulating protocol instead.
Tunneling and Point-to-Point Protocol (PPP)
A tunnel is a connection that forms a virtual network on top of a physical network. In computer
networking, a tunnel resembles a telephone line in a public switched telephone network.
Besides Internet protocols, tunneling requires two other types of protocols:
1. Carrier protocols, through which information travels over the public network
2. Encapsulating protocols, through which data is wrapped, encapsulated, and secured
One of the notable implications of VPNs is that packets using a protocol not supported on the
Internet, such as NetBEUI, can be placed inside an IP packet and sent safely over the Internet.
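The carrier/encapsulating split described above, as an added example that is not part of the original text: an outer IPv4 header (carrier protocol, IP protocol number 47) wraps a GRE header (encapsulating protocol) that in turn carries a payload the Internet would not route natively. Addresses and the inner frame are constructed sample data; the protocol type 0x6558 is GRE's value for transparent Ethernet bridging.

```python
import socket
import struct

# Added example: build and parse an IPv4-over-GRE carrier packet.
# Sample addresses and payload are constructed, not taken from the text.

GRE_PROTO = 47  # IPv4 protocol number that identifies a GRE payload

def ipv4_checksum(hdr):
    """One's-complement checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def gre_encapsulate(src, dst, proto_type, payload, ttl=64):
    """Return outer IPv4 header + 4-byte GRE header (C=0, ver=0) + payload."""
    gre = struct.pack("!HH", 0x0000, proto_type)
    total_len = 20 + len(gre) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, GRE_PROTO, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    # fill in the header checksum (bytes 10-11) now that all other fields are set
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return ip + gre + payload

def gre_decapsulate(frame):
    """Validate the carrier header and return (src, dst, proto_type, payload)."""
    ip = frame[:20]
    # version/IHL, protocol and checksum must all match; a valid checksum sums to 0
    if len(ip) < 20 or ip[0] != 0x45 or ip[9] != GRE_PROTO or ipv4_checksum(ip) != 0:
        raise ValueError("not a well-formed IPv4/GRE carrier packet")
    total_len = struct.unpack("!H", ip[2:4])[0]
    flags, proto_type = struct.unpack("!HH", frame[20:24])
    if flags & 0x8000:  # C bit set: a 4-byte checksum/reserved field would follow
        raise ValueError("GRE checksum field not handled in this example")
    return (socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]),
            proto_type, frame[24:total_len])

# Constructed inner frame: a 14-byte Ethernet header plus a short payload.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff00112233445588b5") + b"inner-data"
```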
Point-to-Point Protocol (PPP)
The basic notion in tunneling is packet encapsulation from one protocol into the same or a
higher-layer protocol. Thus, a tunnel can also be defined as an encapsulating protocol for
protocols at the lower layers. Tunneling protocols, such as the Point-to-Point Protocol (PPP) or
the Point-to-Point Tunneling Protocol (PPTP), are encapsulating protocols that allow an
organization to establish secure connections from one point to another while using public
resources. A PPP connection is a serial connection between a user and an Internet service provider.
Security in VPNs
Without using dedicated hardware, a VPN uses virtual connections routed through the Internet
from the company's private network to the remote site. Companies can create their own VPNs to
accommodate the needs of remote employees and distant offices. This section looks at methods
for keeping VPN connections secure. A well-protected VPN uses firewalls, encryption systems,
IPsec features, and an authentication server.
A firewall provides an effective barrier between a private network and the Internet. Firewalls can
be configured to restrict the number of open ports, to monitor which types of packets are passed
through, and to control which protocols are allowed through.
Multiprotocol Label Switching (MPLS)
Multiprotocol label switching (MPLS) improves the overall performance and delay
characteristics of the Internet. MPLS transmission is a special case of tunneling and is an
efficient routing mechanism. Its connection-oriented forwarding mechanism, together with layer
2 label-based lookups, enables traffic engineering to implement peer-to-peer VPNs effectively.
MPLS adds some traditional layer 2 capabilities and services, such as traffic engineering, to the
IP layer.
This technology adds new capabilities to IP-based networks:
• Connection-oriented QoS support
• Traffic engineering
• VPN support
• Multiprotocol support
MPLS network architectures also support other applications, such as IP multicast routing and
QoS extensions. The power of MPLS lies in the number of applications made possible with
simple label switching, ranging from traffic engineering to peer-to-peer VPNs.
MPLS Operation
MPLS is based on the assignment of labels to packets. Assigning labels to each packet makes a
label-swapping scheme perform its routing process much more efficiently. An MPLS network
consists of nodes called label switch routers (LSR). An LSR switches labeled packets according
to particular switching tables. An LSR has two distinct functional components: a control
component and a forwarding component. The control component uses routing protocols, such as
OSPF and the border gateway protocol (BGP). The control component also facilitates the
exchange of information with other LSRs to build and maintain the forwarding table.
MPLS Packet Format
MPLS uses label stacking to support multilevel hierarchical routing. Labels enable
the network to forward packets faster by using smaller forwarding tables, a property that lets
the network scale conveniently.
In MPLS header encapsulation of an IP packet, the MPLS label is a 32-bit field consisting of
the following subfields:
• Label value is a 20-bit field and is significant only locally.
• Exp is a 3-bit field reserved for future experimental use.
• S is set to 1 for the oldest entry in the stack and to 0 for all other entries.
• Time to live is an 8-bit field used to encode a hop-count value to prevent packets from
looping forever in the network.
Routing in MPLS Domains
An ingress LSR is an edge device that performs the initial packet processing and classification
and applies the first label. An ingress LSR creates a new label. A core LSR swaps the incoming
label with a corresponding next-hop label found from a forwarding table. At the other end of the
network, another edge router, the egress LSR, is an outbound edge router and pops the label from
the packet. It should be noted that multiple labels may be attached to a packet, forming a stack of
labels. Label stacking enables multilevel hierarchical routing. For example, BGP labels are used
for higher-level hierarchical packet forwarding from one BGP speaker to the other, whereas
Interior Gateway Protocol (IGP) labels are used for packet forwarding within an autonomous
system. Only the label at the top of the stack determines the forwarding decision.
Tunneling and Use of FEC
In an MPLS operation, all traffic is grouped into FECs. An FEC (forwarding equivalence class)
is a group of IP packets that are forwarded in the same manner, for example over the same path
or with the same forwarding treatment. A packet can be mapped to a particular FEC based on the
following criteria:
• Source and/or destination IP address or IP network addresses
• TCP/UDP port numbers
• Class of service
• Applications
As mentioned earlier, labels have only local significance. This fact removes a considerable
amount of the network-management burden. An MPLS packet may carry as many labels as
required by a network sender. Processing of a labeled packet is always based on the top
label. The label stack allows the aggregation of LSPs into a single LSP for a
portion of the route, creating an MPLS tunnel.
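The label format, the ingress/core/egress roles and the FEC mapping described in the three sections above, worked through as an added example (not code from the original text): a 32-bit label stack entry is packed and unpacked, the ingress LSR classifies a packet into an FEC and pushes a label, core LSRs swap only the top label and decrement its TTL, and the egress LSR pops it. The FEC rules, label values and LSR swap tables are constructed for illustration.

```python
# Added example: MPLS label stack entry handling and a push/swap/pop walk.
# Field layout follows the text: 20-bit label, 3-bit Exp, 1-bit S, 8-bit TTL.
# All tables and packet values below are constructed sample data.

def encode_entry(label, exp, s, ttl):
    """Pack the four subfields into one 32-bit label stack entry."""
    assert 0 <= label < 1 << 20 and 0 <= exp < 8 and s in (0, 1) and 0 <= ttl < 256
    return (label << 12) | (exp << 9) | (s << 8) | ttl

def decode_entry(entry):
    """Return (label, exp, s, ttl) from a 32-bit label stack entry."""
    return (entry >> 12) & 0xFFFFF, (entry >> 9) & 0x7, (entry >> 8) & 0x1, entry & 0xFF

def classify_fec(pkt):
    """Ingress classification into an FEC by destination prefix and port (constructed rules)."""
    if pkt["dst"].startswith("10.2.") and pkt["dport"] == 443:
        return "site2-web"
    if pkt["dst"].startswith("10.2."):
        return "site2"
    return "default"

# Constructed tables: the label the ingress pushes per FEC, and each core LSR's swap table.
INGRESS_LABELS = {"site2-web": 1001, "site2": 1002, "default": 1003}
CORE_SWAP = {"lsr-a": {1001: 2001, 1002: 2002, 1003: 2003},
             "lsr-b": {2001: 3001, 2002: 3002, 2003: 3003}}

def forward(pkt, path, inner_label=None):
    """Walk a packet through the LSR path; return (result, remaining stack).

    An optional inner label (e.g. a BGP label) sits at the bottom with S=1; the
    ingress pushes the outer label on top, and only the top entry is consulted."""
    stack = [] if inner_label is None else [encode_entry(inner_label, 0, 1, pkt["ttl"])]
    fec = classify_fec(pkt)
    # S=1 only when the pushed entry is the sole (bottom) entry of the stack
    stack.insert(0, encode_entry(INGRESS_LABELS[fec], 0, 0 if stack else 1, pkt["ttl"]))
    for lsr in path:
        label, exp, s, ttl = decode_entry(stack[0])
        if ttl <= 1:  # TTL exhausted: drop instead of looping forever
            return {"fec": fec, "dropped": True}, stack
        stack[0] = encode_entry(CORE_SWAP[lsr][label], exp, s, ttl - 1)
    label, exp, s, ttl = decode_entry(stack.pop(0))  # egress pops the top label
    return {"fec": fec, "dropped": False, "last_label": label,
            "ttl": ttl, "was_bottom": s == 1}, stack
```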
Label Distribution Protocol (LDP)
The Label Distribution Protocol (LDP) is a set of rules by which an LSR informs another LSR of
an FEC. LDP enables two LSRs to understand each other's MPLS capabilities.
Traffic Engineering
High-quality connections can be expensive in an Internet service provider domain. Traffic
engineering enables an ISP to route high-quality traffic to offer the best service to users in terms
of throughput and delay. In this way, traffic engineering reduces the cost of a network connection.
Traffic engineering removes the need to manually configure network devices to set up explicit
routes. In MPLS, traffic engineering is an automated scheme for control signaling and link
bandwidth assignment and has a dynamic adaptation mechanism.
MPLS-Based VPNs
Routine operations of virtual private networks require the use of both wide-area intradomain
routing and interdomain routing schemes. A VPN's request to form a tunnel can be processed at
the edge routers. For example, multiprotocol Border Gateway Protocol (BGP) makes it easier for
an MPLS-based VPN to manage VPN sites and VPN membership, mainly owing to the
traffic engineering feature of MPLS. In an MPLS network, VPNs can be deployed by delivering
the service using MPLS-aware subscriber equipment on the same infrastructure used for
deploying Internet services.
Overlay Networks
An overlay network is an application-specific computer network built on top of another network.
In other words, an overlay network creates a virtual topology on top of the physical topology.
This type of network is created to protect the existing network structure from new protocols
whose testing phases require Internet use. Such networks protect packets under test while
isolating them from the main networking infrastructure in a test bed.
Overlay networks are self-organizing. When a node fails, the overlay network algorithm should provide
solutions that let the network recover and recreate an appropriate network structure. Another
fundamental difference between an overlay network and an unstructured network is that overlays look
up routing information on the basis of identifiers derived from the content of the frames being moved.
Peer-to-Peer (P2P) Connection
As an overlay network resembles a system consisting of various applications running on a single
operating system, it could also resemble a set of tunnels that interconnect resources and users.
The interconnects are carried out by peer-to-peer (P2P) protocols.
Let δ be the time required to establish a connection and tf be the time to finish the service as soon
as the connection establishes. Assuming that the requests arrive at random to a peer node, the
service time s is