[VPN] Service Provider based IPSec VPN services

Siddhartha Jain losttoy2000 at yahoo.co.uk
Sat Sep 14 01:12:16 EDT 2002


Hi Chris,

> You sent this email to the VPN group, so I'll reply to all as well.
> We'll hold off on that job discussion just yet.  :-)

Sorry again. I am not aware of the list policies about
replying. If I do a "Reply All", you end up getting
two messages (very annoying). If I reply to you only,
others get left out of the discussion. For the job
thingy mail me directly. ;)

> One thing to keep in mind, though, is that corporations might wish to
> keep their own internal IP addresses even for remote users, the
> benefit of IPSec Tunnel mode of some VPN vendors, where you have an
> "outer" IP address which is your public ISP IP address and an "inner"
> IP address which is from a subnet on the enterprise side.
> 
> This "inner" address might be an RFC1918 private IP, or as I recommend
> to my clients, be a dedicated remote user subnet, assigned to
> specifically keep track of remote users accessing internal systems.
> 
> For example, if a company assigns 172.30.0.0 to be the remote user
> subnet, a quick look or query to ANY internal system/server would see
> when 172.30.0.0 addresses accessed them.  Great for security audits!

Even if the ISP gives you "inner" IP addresses which
are a chunk from the ISP's IP range, I think they are
still as trackable as RFC1918 private IPs. If I, as an
ISP, dedicate 64 IPs, say 202.54.1.1-64, for customer
A, then the network admin can put access-lists and log
access to his network from these IP addresses. Since
the tunnel ends at the ISP edge, the customer
router/firewall sees cleartext traffic from these IPs,
so you put all kinds of rules in your firewall for
what kind of services these IPs can access in your
network. The only thing is that the customer perimeter
router needs to learn this subnet on its serial
interface. Love to explain all this on the board. ;)

> 
> But going back to Kent's comments (and others): what is good for the
> service provider might not be good for the enterprise.  What customer
> problem are you trying to solve?  Network reach, cost, management,
> monitoring, etc.?

Hmmmm .... the goal is to offer a service to
corporates whereby they can connect their offices in
two cities, A & B without taking a dedicated leased
line between the two offices. This means, that the two
offices connect to the ISP POPs in cities A & B and
the traffic is carried over the ISP's backbone between
A & B. Also, the goal is that the customer should NOT
need to install (read VPN device) or do any special
configurations (read IPSec deployment at the perimeter
router and IOS upgrade). Lofty ideals I suppose. ;)


> 
> I *dislike* SPs pitching MPLS services as VPN, since from my viewpoint
> the P meaning Private is encryption.  I don't think ANYONE considered
> Frame or ATM to be private, just Virtual, hence instead of a VPN it's
> a VN!

I agree. But the pitch here is connectivity. Anyway,
since traffic is logically separated by MPLS, is
encryption important or relevant?

> 
> Having said that, many SPs are in fact positioning MPLS connections as
> a low-cost alternative to Frame and ATM.  If they want security and
> encryption, then CPE-based IPSec can be used (even used THROUGH the
> MPLS connection if you're doing Traffic Engineering).

Given my offering constraints, doing IPSec is next to
impossible because all tunnels will end at the ISP
edge router. In other words, tunnels will be between
ISP routers. An end-to-end tunnel will require IPSec
to be configured on the customer's perimeter router or
install a VPN device in the customer's premises. 

> The other disadvantage of MPLS is what do you do if the customer has
> offices that are not serviceable by your network and have to use
> someone else's?  Now you'll have to support CPE-based IPSec for
> site-to-site VPNs.  So I believe that you need to support a hybrid
> even in site-to-site.

I agree. Since this ISP I am talking to has only two
POPs, customers with offices in other cities will be
left in the cold unless they deploy some kind of VPN
device or IOS Upgrade on the customer side.

> 
> What VPN concentrator are you using?  Some newer ones might be able to
> map private IPs on a per-customer (or per-tunnel) basis.

I intend to use Cisco's 3000 for IPSec (roaming
users). I can group users in 3000 and allocate a chunk
of IPs for each group. Integrate it with a Cisco ACS
server and I can do other cool stuff like time-based
access control, PKI etc etc.

> 
> The other bad point about remote user VPNs from a service model is
> handling the remote user client.  That can be a pain and chore on a
> wide spread basis.

I agree. More with users fiddling around with software
and installing all kinds of stuff which might unsettle
the VPN Client. For the initial installation, the
Cisco VPN client can be pre-configured and distributed
as a self-installing exe.

> 
> Some companies offer this as a service to ISPs directly, some vendors
> have thinner clients, some VPN vendors are now supporting SSL-based
> VPNs (watch out, some of these vendors only support web apps and file
> sharing, not some native apps like Outlook yet!), and some even do
> L2TP or L2F tunnelling from the dial servers directly with no client
> needed (but then you can do it from any Internet access point).

Hmmm .... SSL based VPN. Now that's a new one for me.
Need to look at it for sure. I have a requirement
where corporate A wants multiple corporates to connect
to its network, a typical extranet. But other
customers have *policy* which allows users to go on
the internet only thru' a HTTP Proxy (duh!!). So no
VPN Client I know of will work thru' a HTTP Proxy for
sure.

> You really need to develop a true hybrid solution spread across all
> access methods (off-net and on-net), across all VPN types
> (site-to-site, remote user, extranet), and across all technologies
> (IPSec, MPLS, SSL, etc.) with ALL of that leveraged by a single
> unified back-office function: provisioning, mgmt, offer management,
> authentication (even customer-internal auth servers), reporting,
> alerting, support, operations, etc.!

Yeah. HUGE JOB for sure. 

Hehehe .... I wish I could convince my management to
do that. 

Regards,

Siddhartha

> 
> --- Siddhartha Jain <losttoy2000 at yahoo.co.uk> wrote:
> > Hi Chris,
> > 
> > Thanks for your input and sorry for replying late. I have come out
> > with a solution which is a hybrid of MPLS and IPSec.
> > 
> > The brief is that all site to site VPN is handled by MPLS. Roaming
> > users connect to a VPN concentrator using IPSec. Each corporate
> > group is allocated a chunk of IPs for its roaming users. From the
> > concentrator the traffic needs to be routed to the appropriate MPLS
> > tunnel corresponding to the corporate customer. I am again relying
> > on MPLS to do this.
> > 
> > So, user A, dials to the internet and gets authenticated and
> > connected to the VPN concentrator. He gets an IP, say 202.54.3.1,
> > which is an IP from the chunk of IPs (say 202.54.3.1-64) allocated
> > to that corporate for its roaming users. The VPN device connects to
> > the same layer-3 device which takes care of site-to-site MPLS VPN.
> > Now when the user connects to the VPN device over internet, the
> > layer-3 device sees an IP (202.54.3.1) coming on its interface which
> > is connected to the VPN device. The layer-3 switch *knows* that the
> > particular IP address belongs to customer A and hence tags (using
> > MPLS) the packet and sends it to the appropriate interface which
> > connects to the customer A's router.
> > 
> > Need to run the whole thingy thru' the local Cisco guru. Once that
> > is done, maybe I can share the doc with this group too. :)
> > 
> > How does the solution sound? Got a better idea?
> > 
> > Regards,
> > 
> > Siddhartha
> > 
> > PS. Got a job for me?? ;) Willing to relocate to any part of the
> > world. :)
> > 
> >
> 




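The design discussed in this thread hinges on one thing: once the IPSec tunnel has ended at the concentrator, the only thing tying a cleartext packet to a customer is its source address, drawn from a chunk the ISP allocated to that customer's roaming users. The same property is what lets the customer's own firewall or server logs be audited for remote-user access. The following is an added example, not code from the original e-mail thread or from any product mentioned in it, and it models both uses: the provider-side decision of which customer's MPLS VPN a packet belongs to (returning nothing, so the packet is dropped, for any source outside every allocated chunk), and the customer-side "quick look" for accesses from the dedicated remote-user subnet. The chunk 202.54.3.1-64 and the subnet 172.30.0.0 are taken from the thread; the /16 mask on 172.30.0.0, customer B's chunk, the log format and the log lines themselves are assumptions constructed here.

```python
"""Added example, not code from the original e-mail thread.

Two uses of per-customer address chunks for roaming users:
  * provider side: the layer-3 device next to the concentrator decides
    which customer's MPLS VPN a decrypted packet belongs to purely from
    its source address, and must drop anything outside every chunk;
  * customer side: the perimeter firewall or a server log can be audited
    for accesses from the dedicated remote-user range.
202.54.3.1-64 and 172.30.0.0 come from the thread; customer B's chunk,
the /16 mask, the log format and the log lines are constructed here.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class RoamingChunk:
    """Inclusive address range handed to one customer's roaming users.
    The thread quotes chunks like 202.54.3.1-64, which is not a CIDR
    block, so the range is stored as first/last rather than a network."""
    customer: str
    first: IPv4Address
    last: IPv4Address

    def __post_init__(self) -> None:
        if self.first > self.last:
            raise ValueError(f"{self.customer}: first address after last")

    def __contains__(self, addr: IPv4Address) -> bool:
        return self.first <= addr <= self.last


def check_disjoint(chunks: Iterable[RoamingChunk]) -> None:
    """Reject a provisioning table in which two customers' chunks overlap.
    An overlap would let one customer's user be routed into another
    customer's VPN, so it is a configuration error, caught at load time."""
    ordered = sorted(chunks, key=lambda c: c.first)
    for a, b in zip(ordered, ordered[1:]):
        if b.first <= a.last:
            raise ValueError(f"chunks for {a.customer} and {b.customer} overlap")


# Provisioning table at the ISP. Customer A's chunk is the one quoted in
# the thread; customer B's is assumed for illustration.
ROAMING_CHUNKS: List[RoamingChunk] = [
    RoamingChunk("CustomerA", IPv4Address("202.54.3.1"), IPv4Address("202.54.3.64")),
    RoamingChunk("CustomerB", IPv4Address("202.54.3.65"), IPv4Address("202.54.3.128")),
]
check_disjoint(ROAMING_CHUNKS)


def customer_for(src: str,
                 chunks: Iterable[RoamingChunk] = ROAMING_CHUNKS) -> Optional[str]:
    """Provider side: name the customer whose MPLS VPN a packet from `src`
    belongs to. Returns None when `src` lies in no chunk; the caller must
    drop such a packet rather than guess, because after the tunnel ends at
    the concentrator the source address is all that identifies the customer."""
    addr = IPv4Address(src)
    for chunk in chunks:
        if addr in chunk:
            return chunk.customer
    return None


def audit_remote_user_access(log_lines: Iterable[str],
                             remote_subnet: IPv4Network = IPv4Network("172.30.0.0/16")
                             ) -> List[str]:
    """Customer side: the 'quick look' described in the thread. Each
    constructed log line is 'timestamp src dst dport action'; lines whose
    source lies in the dedicated remote-user subnet are returned for review.
    Malformed lines are skipped rather than aborting the whole audit."""
    hits: List[str] = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        try:
            src = IPv4Address(fields[1])
        except ValueError:
            continue
        if src in remote_subnet:
            hits.append(line)
    return hits


# Constructed sample log in the format described above (not real data).
SAMPLE_LOG = [
    "2002-09-14T01:12:16 172.30.0.17 10.1.1.5 445 allow",
    "2002-09-14T01:12:20 10.1.2.9 10.1.1.5 445 allow",
    "2002-09-14T01:13:02 172.30.4.200 10.1.1.20 22 allow",
    "2002-09-14T01:13:40 192.168.7.3 10.1.1.5 80 allow",
    "garbage line",
]

if __name__ == "__main__":
    for src in ("202.54.3.1", "202.54.3.64", "202.54.3.65", "202.54.3.200"):
        print(src, "->", customer_for(src))
    for line in audit_remote_user_access(SAMPLE_LOG):
        print("remote user access:", line)
```

The check_disjoint call at load time is the part a practitioner should not skip: with source address as the sole customer selector, an overlapping allocation is a cross-customer leak waiting to happen, and it is far cheaper to refuse the table than to discover the overlap in someone else's VPN.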