Provider-provisioned VPN explained

Provider-provisioned VPN (PPVPN) are Virtual Private Network implemented by the connectivity service providers or large enterprises on networks they operate by their own. They can be opposed to "customer-provisioned VPN" where the VPN is implemented by the customer who acquire the connectivity service on top of the technical specificities of the provider.

When internet service providers implement PPVPNs on their own networks, the security model of typical PPVPN protocols is weaker with respect to tunneling protocols used in customer-provided VPN, especially for confidentiality, because data privacy may not be needed.

Provider-provisioned VPN building blocks

Depending on whether a provider-provisioned VPN (PPVPN) operates in Layer 2 (L2) or Layer 3 (L3), the building blocks described below may be L2 only, L3 only, or a combination of both. Multiprotocol Label Switching (MPLS) functionality blurs the L2–L3 identity.[1]

generalized the following terms to cover L2 MPLS VPNs and L3 (BGP) VPNs, but they were introduced in .[2] [3]

Customer (C) devicesA device that is within a customer's network and not directly connected to the service provider's network. C devices are not aware of the VPN.
Customer edge device (CE)A device at the edge of the customer's network which provides access to the PPVPN. Sometimes it is just a demarcation point between provider and customer responsibility. Other providers allow customers to configure it.
Provider edge device (PE)A device, or set of devices, at the edge of the provider network that connects to customer networks through CE devices and presents the provider's view of the customer site. PEs are aware of the VPNs that connect through them, and maintain VPN state.
Provider device (P)A device that operates inside the provider's core network and does not directly interface to any customer endpoint. It might, for example, provide routing for many provider-operated tunnels that belong to different customers' PPVPNs. While the P device is a key part of implementing PPVPNs, it is not itself VPN-aware and does not maintain VPN state. Its principal role is allowing the service provider to scale its PPVPN offerings, for example, by acting as an aggregation point for multiple PEs. P-to-P connections, in such a role, often are high-capacity optical links between major locations of providers.

User-visible PPVPN services

OSI Layer 2 services

VLAN

VLAN is a Layer 2 technique that allows for the coexistence of multiple local area network (LAN) broadcast domains interconnected via trunks using the IEEE 802.1Q trunking protocol. Other trunking protocols have been used but have become obsolete, including Inter-Switch Link (ISL), IEEE 802.10 (originally a security protocol but a subset was introduced for trunking), and ATM LAN Emulation (LANE).

Virtual Private LAN Service (VPLS)

Developed by Institute of Electrical and Electronics Engineers, VLANs allow multiple tagged LANs to share common trunking. VLANs frequently comprise only customer-owned facilities. Whereas VPLS as described in the above section (OSI Layer 1 services) supports emulation of both point-to-point and point-to-multipoint topologies, the method discussed here extends Layer 2 technologies such as 802.1d and 802.1q LAN trunking to run over transports such as metro Ethernet.

As used in this context, a VPLS is a Layer 2 PPVPN, emulating the full functionality of a traditional LAN. From a user standpoint, a VPLS makes it possible to interconnect several LAN segments in a way that is transparent to the user, making the separate LAN segments behave as one single LAN.

In a VPLS, the provider network emulates a learning bridge, which may include VLAN service optionally.

Pseudo-wire (PW)

PW is similar to VPLS but can provide different L2 protocols at both ends. Typically, its interface is a WAN protocol such as Asynchronous Transfer Mode or Frame Relay. In contrast, when aiming to provide the appearance of a LAN contiguous between two or more locations, the Virtual Private LAN service or IPLS would be appropriate.

Ethernet-over-IP tunneling

EtherIP [4] is an Ethernet-over-IP tunneling protocol specification. EtherIP has only a packet encapsulation mechanism. It has no confidentiality or message integrity protection. EtherIP was introduced in the FreeBSD network stack[5] and the SoftEther VPN[6] server program.

IP-only LAN-like service (IPLS)

A subset of VPLS, the CE devices must have Layer 3 capabilities; the IPLS presents packets rather than frames. It may support IPv4 or IPv6.

Ethernet virtual private network (EVPN)

Ethernet VPN (EVPN) is an advanced solution for providing Ethernet services over IP-MPLS networks. In contrast to the VPLS architectures, EVPN enables control-plane-based MAC (and MAC,IP) learning in the network. PEs participating in the EVPN instances learn the customer's MAC (MAC,IP) routes in control-plane using MP-BGP protocol. Control-plane MAC learning brings a number of benefits that allow EVPN to address the VPLS shortcomings, including support for multi-homing with per-flow load balancing and avoidance of unnecessary flooding over the MPLS core network to multiple PEs participating in the P2MP/MP2MP L2VPN (in the occurrence, for instance, of ARP query). It is defined .

OSI Layer 3 PPVPN architectures

This section discusses the main architectures for PPVPNs, one where the PE disambiguates duplicate addresses in a single routing instance, and the other, virtual router, in which the PE contains a virtual router instance per VPN. The former approach, and its variants, have gained the most attention.

One of the challenges of PPVPNs involves different customers using the same address space, especially the IPv4 private address space.[7] The provider must be able to disambiguate overlapping addresses in the multiple customers' PPVPNs.

BGP/MPLS PPVPNIn the method defined by, BGP extensions advertise routes in the IPv4 VPN address family, which are in the form of 12-byte strings, beginning with an 8-byte route distinguisher (RD) and ending with a 4-byte IPv4 address. RDs disambiguate otherwise duplicate addresses in the same PE.

PEs understand the topology of each VPN, which is interconnected with MPLS tunnels directly or via P routers. In MPLS terminology, the P routers are label switch routers without awareness of VPNs.

Virtual router PPVPNThe virtual router architecture,[8] [9] as opposed to BGP/MPLS techniques, requires no modification to existing routing protocols such as BGP. By the provisioning of logically independent routing domains, the customer operating a VPN is completely responsible for the address space. In the various MPLS tunnels, the different PPVPNs are disambiguated by their label but do not need routing distinguishers.

Unencrypted tunnels

Some virtual networks use tunneling protocols without encryption to protect the privacy of data. While VPNs often provide security, an unencrypted overlay network does not fit within the secure or trusted categorization.[10] For example, a tunnel set up between two hosts with Generic Routing Encapsulation (GRE) is a virtual private network but is neither secure nor trusted.[11] [12]

Native plaintext tunneling protocols include Layer 2 Tunneling Protocol (L2TP) when it is set up without IPsec and Point-to-Point Tunneling Protocol (PPTP) or Microsoft Point-to-Point Encryption (MPPE).[13]

See also

External Links

Notes and References

  1. Web site: Configuring PFC3BXL and PFC3B Mode Multiprotocol Label Switching. 24 October 2020. 24 November 2020. https://web.archive.org/web/20201124010817/https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SXF/native/configuration/guide/swcg/pfc3mpls.pdf. live.
  2. News: E. Rosen & Y. Rekhter . March 1999 . BGP/MPLS VPNs . Internet Engineering Task Force (IETF) . 2547 . 8 October 2022 . 1 September 2022 . https://web.archive.org/web/20220901001049/http://www.ietf.org/rfc/rfc2547.txt . live .
  3. Book: Lewis, Mark . Comparing, designing, and deploying VPNs . Cisco Press . 2006 . 1587051796 . 1st print. . Indianapolis, Ind. . 5–6.
  4. Web site: Hollenbeck . Scott . Housley . Russell . EtherIP: Tunneling Ethernet Frames in IP Datagrams . September 2002 . 8 October 2022 . 8 October 2022 . https://web.archive.org/web/20221008211737/https://datatracker.ietf.org/doc/rfc3378/ . live .
  5. Glyn M Burton: RFC 3378 EtherIP with FreeBSD, 3 February 2011
  6. net-security.org news: Multi-protocol SoftEther VPN becomes open source, January 2014
  7. https://www.ietf.org/rfc/rfc1918.txt Address Allocation for Private Internets
  8. , A Core MPLS IP VPN Architecture
  9. , E. Chen (September 2000)
  10. Yang . Yanyan . 2006 . IPsec/VPN security policy correctness and assurance . Journal of High Speed Networks . 15 . 275–289 . 10.1.1.94.8561.
  11. Web site: Overview of Provider Provisioned Virtual Private Networks (PPVPN) . 29 August 2016 . Secure Thoughts . 16 September 2016 . https://web.archive.org/web/20160916204432/https://securethoughts.com/overview-provider-provisioned-virtual-private-networks-ppvpn/ . live .
  12. Generic Routing Encapsulation over IPv4 networks. October 1994.

  13. IETF (1999),, Layer Two Tunneling Protocol "L2TP"