EFFECTIVE IMPLICATION OF MULTIPROTOCOL LABEL SWITCHING (MPLS) & VIRTUAL PRIVATE NETWORK (VPN) IN DR. BATRA
Submitted in partial fulfillment of the requirements for Master of Business Administration (MBA) By SUJEET KUMAR CHOUDHARY & VANDANA VIDYARTHI MBA-2009-11
ARMY INSTITUTE OF MANAGEMENT & TECHNOLOGY, PLOT NO M-l, POCKET P-5, GREATER NOIDA-201306 (UP)
JULY 2010
ACKNOWLEDGEMENT
It gives us great pleasure in acknowledging the invaluable assistance expended to us by various personalities in the successful completion of this report. Our debts are due to many individuals who provided us guidance, advice and useful comments that helped us in the successful completion of this report. As usual the debts can be only warmly acknowledged but never fully recompensed.
Our thanks are due to Prof. Pratibha Jha and Mr. Abhinav Gupta, Product Manager, MPLS/VPN Solution, TULIP Telecom Ltd, who provided us with knowledge about the field and the timely guidance which helped us a lot on the way to the completion of this project.
Above all we owe a debt of gratitude to our parents for their encouragement.
Student Name........................................................ Signature...................................... Date..............................................
CERTIFICATE
We, Sujeet Kumar Choudhary and Vandana Vidyarthi, full-time bonafide students of the second year of the Master of Business Administration (MBA) Programme of Army Institute of Management & Technology, Greater Noida, hereby certify that this project work, carried out by us at Tulip Telecom, and the report submitted in partial fulfillment of the requirements of the programme, is our original work under the guidance of the industry mentor Mr. Abhinav Gupta, Project Manager, and faculty mentor Prof. Prathibha Jha, and is not based on or reproduced from any existing work of any other person or on any earlier work undertaken at any other time or for any other purpose, and has not been submitted anywhere else at any time.
(Student's Signature) Date:
(Faculty Mentor's Signature) Date:
ABSTRACT
Dr. Batra is India’s largest chain of Homeopathic Clinics, which provides individual treatments and extra care to its patients. It works with constant endeavor and provides the best possible services to its customers. The company has custom designed software to store and maintain the patient database of medical histories and treatment details. The information is exchanged through a secured network which also allows the patients to access relevant data and get treated at their convenience. The company has deployed Tulip’s MPLS VPN on fiber and wireless to connect the customer’s clinics and offices located across India. The software allows the analysis of the various cases that have been handled by the organization. It runs Video Conferencing applications so that the various centers stay connected, and also provides service support backed by the best tools and resources to meet the SLA standards. The adoption of these techniques has given various benefits, such as running medical software and conferencing to stay connected. The data is also secured by trained experts and biometric scans. The software allows collocating the server and securing the Data Center environment. The whole concept of adopting the MPLS VPN has resulted in higher efficiency and effectiveness in the productivity of the company. It is highly scalable and information is provided as per the customer’s requirement; the company has made the customer’s sites more feasible and provides high-speed delivery of information within a short span of time.
INTRODUCTION
Label switching or tag switching has been a hot topic in the research world since the ATM architecture was introduced in the beginning of the 1990s. This technology has several advantages over regular IP routing, such as higher speeds, more flexibility and better scalability. These advantages have been readily accepted by the Internet community and Internet Service Providers as a means of overcoming the obstacles that regular IP forwarding introduced as the requirements for speed and scalability increased.
1.1 Label switching technology
The idea of label switching is an old concept, used already in the first telephone switches. The goal is to establish a labeled path from the source to the destination. The path is created once and then used for directing the traffic through the network. Once the path is created, each packet carries a label telling the next hop router how to act and where to redirect, and possibly duplicate, the packet. The algorithm used for looking up a local label is faster than the regular IP routing algorithm, since the information can be indexed in a better way and the switch does not have to hold as much information as the router. A label switch router can thus achieve greater throughput as well as higher flexibility.
1.2 What is MPLS?
MPLS, or Multi Protocol Label Switching, is a label switching protocol that works on top of more than one Link layer protocol, in contrast to ATM. The goal of MPLS is to remove the process of looking into the layer 3 header at each hop along the path. This enables wire-speed lookup and gives network trunk card vendors the option to produce cards that only understand MPLS labeled packets, which will reduce the overall cost. In order to achieve this goal a label is added to the packet when it enters an MPLS enabled network. This label identifies an action in the next hop Label Switch Router (LSR), telling it how to forward the labeled packet. When the packet has reached the boundary of the MPLS enabled network the label is removed and regular IP routing is performed from that point. The actual MPLS routing is done via a Label Information Base (LIB) that contains the incoming label and a number of outgoing segments with their outgoing interfaces. In this way, giving more than one outgoing label can create a multicast route. The labels are distributed with a separate protocol such as LDP (Label Distribution Protocol). LDP includes functionality for traffic engineering and fast repair if a router inside the network goes down. The protocol can run in two different modes: one where a central Label Manager requests labels (Ordered Control) and the other where the LSRs act on their own and send out label mappings at any time (Independent Control).
1.3 What is VPN
In this section we introduce the topic of VPN, ‘Virtual Private Network’, the backbone of this project. This gave us motivation regarding secure remote access: to learn it, deploy it and find new implementations. A Virtual Private Network is a private communications network, usually used within a company, or by several different companies or organizations, to communicate over a public network. VPN has attracted the attention of many organizations looking to both expand their networking capabilities and reduce their costs. A study of VPN involves many interesting aspects of network protocol design, Internet security, network service outsourcing, and technology standards. Virtual private network technology is based on the idea of tunneling. VPN tunneling involves establishing and maintaining a logical network connection (that may contain intermediate hops). On this connection, packets constructed in a specific VPN protocol format are encapsulated within some other base or carrier protocol, then transmitted between VPN client and server, and finally de-encapsulated on the receiving side. Encapsulating each packet in this way can provide:
• Confidentiality, Integrity, Authenticity, Non-repudiation.
Obviously these are the four basic properties of Information Security. For example, in a military environment the most important security property is probably confidentiality. In a bank, confidentiality is important too, but even more important is the integrity of the data. Integrity confirms that data has not been modified on the communication path. Authentication confirms that the sender is genuine, i.e. who they claim to be. And finally non-repudiation means that it can be verified that the sender and the recipient were, in fact, the parties who claimed to send or receive the message, respectively. In short, non-repudiation of origin proves that data has been sent, and non-repudiation of delivery proves it has been received.
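To make the integrity and authenticity properties concrete, here is an added example (not part of the original report and not Tulip's or Dr. Batra's code) that seals an encapsulated packet with an HMAC-SHA256 tag and shows how a receiver detects on-path modification and replay. The key, the 4-byte sequence-number header and the payloads are constructed for the demonstration. It also shows why a shared-key tag on its own gives no non-repudiation: the receiver holds the same key and can build an equally valid packet. Confidentiality is deliberately not covered here; a real tunnel such as IPsec adds encryption of the payload.

```python
"""Integrity and authenticity of an encapsulated packet, checked with an HMAC tag,
and the reason a shared-key MAC alone cannot give non-repudiation.
Constructed example: fixed demo key, 4-byte sequence-number header, raw payload."""
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size


def seal(key, seq, payload):
    """Encapsulate: header (sequence number) + payload + tag over header and payload."""
    header = struct.pack("!I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def open_packet(key, packet, last_seq):
    """Verify the tag in constant time and reject replays; returns (seq, payload)."""
    if len(packet) < 4 + TAG_LEN:
        raise ValueError("truncated packet")
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity/authenticity check failed")
    seq = struct.unpack("!I", body[:4])[0]
    if seq <= last_seq:
        raise ValueError("replayed packet")
    return seq, body[4:]


def accepts(key, packet, last_seq=0):
    """True if the receiver would accept the packet, False if it would drop it."""
    try:
        open_packet(key, packet, last_seq)
        return True
    except ValueError:
        return False


KEY = b"constructed-demo-key-do-not-reuse"  # assumption: pre-shared between client and server


def demo():
    """Returns (genuine accepted, tampered accepted, receiver-made packet accepted)."""
    genuine = seal(KEY, 1, b"patient record 42")
    # An on-path modification of the payload without the key invalidates the tag.
    tampered = genuine[:4] + b"patient record 43" + genuine[-TAG_LEN:]
    # The receiver holds the same key, so it can produce a packet indistinguishable from
    # one the client sent: the MAC proves integrity and authenticity to the peer, but a
    # third party cannot attribute it to either side. That is why non-repudiation needs
    # an asymmetric signature rather than a shared-key MAC.
    receiver_made = seal(KEY, 2, b"never sent by the client")
    return accepts(KEY, genuine), accepts(KEY, tampered), accepts(KEY, receiver_made)
```

Running demo() gives (True, False, True): the genuine packet passes, the altered one is dropped, and the packet the receiver built for itself is accepted, which is exactly the gap that non-repudiation of origin has to close with a signature key only the sender holds.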
Classification: Virtual private networks can be classified into two main categories: Secure and Trusted. Secure VPNs use cryptographic tunneling protocols to provide the necessary confidentiality (preventing snooping), sender authentication (preventing identity spoofing), and message integrity (preventing message alteration) to achieve the privacy intended. When properly chosen, implemented, and used, such techniques can provide secure communications over unsecured networks. Because such choice, implementation, and use are not trivial, there are many insecure VPN schemes on the market. Secure VPN technologies may also be used to enhance security as a 'security overlay' within dedicated networking infrastructures.
Secure VPN protocols include the following:
* IPSec (IP security), an obligatory part of IPv6.
* SSL, used either for tunneling the entire network stack, as in OpenVPN, or for securing what is essentially a web proxy. Although the latter is often called an "SSL VPN" by VPN vendors, it is not really a fully-fledged VPN.
* PPTP (Point-to-Point Tunneling Protocol), developed jointly by a number of companies, including Microsoft.
Some large ISPs now offer "managed" VPN service for business customers who want the security and convenience of a VPN but prefer not to undertake administering a VPN server themselves. In addition to providing remote workers with secure access to their employer's internal network, other security and management services are sometimes included as part of the package, such as keeping anti-virus and anti-spyware programs updated on each client's computer.
Trusted VPNs do not use cryptographic tunneling, and instead rely on the security of a single provider's network to protect the traffic. Multi-protocol label switching (MPLS) is commonly used to build trusted VPNs. Other protocols for trusted VPNs include:
• L2F (Layer 2 Forwarding), developed by Cisco.
• L2TP (Layer 2 Tunneling Protocol), including work by both Microsoft and Cisco.
• L2TPv3 (Layer 2 Tunneling Protocol version 3).
VPN Architectures:
Intranet VPN: VPN is used to make connections among fixed locations such as branch offices. This kind of LAN-to-LAN VPN connection joins multiple remote locations into a single private network.
Extranet VPN: VPN is used to connect business partners such as suppliers and customers. This kind of VPN allows various parties to work in a shared environment.
Remote Access VPN: This is a user-to-network connection for the home user and mobile user connecting to the corporate private network from various remote locations. This kind of VPN permits secure, encrypted connections between a corporate private network and remote users.
Fig 1.1 VPN architectures (figure not reproduced: it showed Intranet, Extranet and Remote Access VPNs connecting employees, partners and citizens to applications such as Web, Email, Database, Mainframe and E-Commerce)
Typical Elements of a VPN connection:
VPN server: A computer that accepts VPN connections from VPN clients. A VPN server can provide a remote access VPN connection or a gateway-to-gateway VPN connection.
VPN client: A computer that initiates a VPN connection to a VPN server. A VPN client can be a remote computer obtaining a remote access VPN connection or a router obtaining a gateway-to-gateway VPN connection.
VPN tunnel: The portion of the connection in which data is encapsulated and encrypted.
Tunneling protocols: The communication standards used to manage tunnels and encapsulate data.
Tunneled data: Data that is encapsulated and encrypted, and sent across a private link.
Transit network: The shared or public network, such as a private intranet or the Internet, through which the encapsulated data passes.
Advantages of Using VPN: Listed below are some benefits provided by VPN:
Extend geographic connectivity: VPNs employ the Internet for interconnectivity between remote parts of an intranet. Because the Internet is accessible globally, even the most far-flung branch offices, users and mobile users (such as salesmen) can easily connect to the corporate intranet.
Improve security for remote user and network connections: Because VPNs use tunneling technology to transmit data across "unsecured" public networks, data transactions are secure to an extent. In addition to tunneling, VPNs use extensive security measures, such as encryption, authentication and authorization, to ensure the safety, confidentiality and integrity of the data transmitted. As a result, VPNs offer a considerably high degree of transaction security.
Reduce implementation and operational costs: VPNs cost considerably less than traditional solutions based on leased lines, Frame Relay, ATM or ISDN. This is because VPNs eliminate the need for long-distance connections by replacing them with local connections to a carrier network. By reducing long-distance telecommunication costs, VPNs also bring down WAN-based network operation costs to a considerable extent; the lowered cost of operation is explained by the fact that the organization does not need to employ as many trained and expensive networking personnel as it would if the VPN were managed by the organization itself.
Provide broadband networking compatibility: In the case of Internet connectivity based on leased lines, the bandwidth is entirely wasted in the absence of an active Internet connection. VPNs, on the other hand, create logical tunnels to transmit data as and when required. As a result, the network bandwidth is used only when there is an active Internet connection. Therefore, there is considerably less chance of wasting available network bandwidth.
• Reduce time and transportation costs for remote users.
• Improve productivity, since resources can be accessed from remote networks.
• Simplify network topology in certain scenarios.
• Provide global networking opportunities.
• Provide telecommuter support.
• Provide faster ROI (return on investment) than traditional leased/owned WAN lines, showing a good economy of scale.
LITERATURE REVIEW
An autonomous system (AS) is basically a network of routers that are under the control of a single network administration. The Internet backbone is made up of different ASes that exchange routing information. In traditional routing, as an IP packet travels from one router to the next, every router makes its own decision on where the packet should go. Each router reads the packet's network layer header and then runs a routing algorithm against the destination address to determine the next hop. Every router thus chooses its own next hop for the packet based on the packet's header and the routing algorithm. Routers assign each packet to one of a set of "Forwarding Equivalence Classes (FECs)" and then map each FEC to a next hop. As far as the router is concerned there is no difference between packets that get mapped into the same FEC: when it makes a forwarding decision, different packets mapped into the same FEC are indistinguishable. Every packet in the FEC goes to the next hop assigned to that FEC. As the packet moves from hop to hop across the network, each router re-examines the packet's network layer header, assigns it to a FEC and sends it out the corresponding interface, until it reaches its destination.
CONCEPT FORMULATION
In MPLS every packet has its network layer header examined only once, when it enters the MPLS network. After the initial FEC assignment a fixed-length 32 bit label that encodes the assigned FEC is inserted into the packet, which is then sent to the next hop router with the label attached. The label is of local significance only. When MPLS routers, which are called label switch routers, are provisioned they set up a table of label to FEC mappings. Each FEC is assigned a next hop. A label distribution protocol is used to exchange label information between label switch routers that have a direct connection to each other. The protocol usually rides on top of the routing protocol in use, by means of extensions that have been developed for MPLS. As the packet goes from hop to hop across the MPLS network the network layer header no longer has to be examined by every router. Instead, the label is used to determine the next hop and which new label to use. The old label is replaced with the new label, and the packet is forwarded to its next hop. With MPLS forwarding, once a packet is assigned to a FEC, subsequent routers do no further network layer header analysis; the labels drive all forwarding decisions.
When a packet first enters the MPLS network on an interface of Router A, known as the edge label switch router, Router A examines the network layer header and determines the FEC that the packet belongs to. Then it checks the label to FEC mapping table to see which label to use. It puts Label X into the packet and sends it out the interface that corresponds to the next hop for the assigned FEC. Router B receives the packet from Router A and reads Label X. Router B looks in its table and sees that when it receives Label X from Router A, its new label for the packet will be Label Y. It removes Label X, adds Label Y and sends the packet out the interface to the next hop that corresponds to the FEC for Label Y. This continues until the packet reaches its destination. Then the label is stripped from the packet and the packet is sent out the interface that the destination is on. This method of packet forwarding has many advantages over traditional network layer forwarding. Since a packet is assigned to a FEC when it enters the network, the edge label switch router can use any information about the packet in determining which FEC to use, even if the information is not contained in the network layer header. Packets with the same destination arriving on different ports of the router can be assigned to different FECs. Conventional forwarding, on the other hand, can only consider information that travels with the packet in the packet header. A packet that enters the network at a particular router can be labeled differently than the same packet entering the network at a different router, and as a result forwarding decisions that depend on the ingress router can be easily made. This cannot be done with traditional forwarding, since the identity of a packet's ingress router does not travel with the packet.
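The Router A / Router B walk-through above, and the LIB and local-significance points from section 1.2, as an added simulation that is not part of the original report and not any vendor's or Tulip's code. Every router name, interface, label value and prefix is constructed; the ingress router does the one network-layer lookup, core routers swap labels from a per-router LIB, the egress router pops the label, and a core router that receives a label it never advertised drops the packet, which is the data-plane behaviour the report describes for MPLS VPN security.

```python
"""Toy label-switched path: the ingress edge LSR classifies a packet into a FEC
and pushes a label, core LSRs swap labels from their Label Information Base (LIB),
and the egress LSR pops the label and returns the packet to IP forwarding.
Every router name, interface, label and prefix here is constructed for the example."""
from ipaddress import ip_address, ip_network

# Ingress router A: destination prefix -> FEC. The network-layer lookup happens once, here.
INGRESS_FEC = {
    ip_network("192.0.2.0/24"): "FEC-A",
    ip_network("198.51.100.0/24"): "FEC-B",
}
# FEC -> (outgoing interface, label to push), from A's label-to-FEC mapping table.
INGRESS_LABELS = {"FEC-A": ("to-B", 17), "FEC-B": ("to-B", 18)}

# LIB per LSR: incoming label -> (outgoing interface, outgoing label); None means pop.
# Labels are of local significance only, so B may hand out label 23 on two different LSPs.
LIB = {
    "B": {17: ("to-C", 23), 18: ("to-D", 23)},
    "C": {23: ("cust-1", None)},
    "D": {23: ("cust-2", None)},
}
# Topology: (router, interface) -> neighbour reached through that interface.
LINKS = {("A", "to-B"): "B", ("B", "to-C"): "C", ("B", "to-D"): "D"}


def classify(dst):
    """FEC assignment at the edge by longest-prefix match; None if no FEC matches."""
    addr = ip_address(dst)
    matches = [net for net in INGRESS_FEC if addr in net]
    if not matches:
        return None
    return INGRESS_FEC[max(matches, key=lambda net: net.prefixlen)]


def switch(router, label):
    """Label-switch a packet carrying `label` that arrived at `router`.
    Returns the list of (router, label seen, action) hops."""
    trace = []
    while True:
        entry = LIB[router].get(label)
        if entry is None:
            # Data-plane check: an LSR drops a label it never advertised to this neighbour.
            trace.append((router, label, "drop: unknown label"))
            return trace
        iface, new_label = entry
        if new_label is None:
            trace.append((router, label, f"pop -> IP forward via {iface}"))
            return trace
        trace.append((router, label, f"swap -> {new_label} via {iface}"))
        label, router = new_label, LINKS[(router, iface)]


def forward(dst):
    """Full path for an unlabeled IP packet entering at A, as a hop trace."""
    fec = classify(dst)
    if fec is None:
        return [("A", None, "drop: no FEC")]
    iface, label = INGRESS_LABELS[fec]
    return [("A", None, f"push {label}")] + switch(LINKS[("A", iface)], label)


def egress_interface(dst):
    """Customer-facing interface the packet finally leaves on, or None if dropped."""
    action = forward(dst)[-1][2]
    return action.split("via ")[1] if action.startswith("pop") else None
```

forward("192.0.2.10") traces push 17 at A, swap 17 to 23 at B and pop at C, while a packet for 198.51.100.7 is pushed with 18 and also arrives at its egress carrying 23, showing that the same label value means different things on different links. switch("B", 99) returns a single drop entry, since B has no LIB entry for that label.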
The methods used to determine how a packet is assigned to a FEC can become even more complicated, without any additional effect on the rest of the routers in the MPLS network, which merely forward labeled packets. There are times when you may want a packet to follow a particular route which is chosen when the packet enters the network. This may be done as a matter of policy, or to support traffic engineering requirements. In traditional forwarding this is accomplished by using source routing, where the path of routers is contained inside the packet. In MPLS, labels can be used to represent the route, so that the identity of the explicit route need not be carried within the packet. MPLS can stack labels on the packet to set the path of the packet. Also, many routers can analyze a packet's network layer header not only to choose the packet's next hop, but also to determine what precedence or class of service the packet has. They may then use this information to assign a different quality of service to each packet. MPLS allows the precedence or class of service to be fully or partially inferred from the label. In this way the label actually represents the combination of a FEC and a precedence or class of service.
Now that we have a basic understanding of what MPLS is, let us move on to how the MPLS VPN works. With the ability to determine the path of a packet through the network, Service Providers can offer a Virtual Private Network across their backbones that competes with Frame Relay and ATM networks. They make it work with the MPLS network. The service provider connects a customer edge router to an interface on the service provider's edge label switch router. Each geographically separate site that belongs to the VPN connects a customer edge router to a service provider edge label switch router. The customer edge router is a routing peer of the service provider’s edge label switch router and can exchange routing information with it. Individual customer sites are not routing peers with each other and do not even have to know about each other. Because of this the customer does not have to manage the VPN backbone. The service provider handles all the routing that happens between the customer’s sites. The customer does not have access to the service provider's edge label switch router and the service provider does not have access to the customer's edge router. The customer is responsible for maintaining its own sites’ edge routers. The service provider’s edge label switch router maintains a number of different forwarding tables. An edge label switch router can have multiple customers connecting to it. It maps each customer’s VPN to its own individual forwarding table. The forwarding table contains only routes to the rest of the customer’s sites that belong to that customer's VPN. Each per-VPN forwarding table is known as a VPN Routing and Forwarding table. In this way there can be no communication between customers that do not have any VPN in common.
The edge label switch router can map different sites to the same forwarding table only if the different sites belong to the same VPN. The forwarding tables are populated with the BGP routing protocol. Suppose the customer has an MPLS VPN with Site 1, Site 2 and Site 3 connected to service provider Router 1, Router 2 and Router 3 respectively. Router 1, Router 2 and Router 3 exchange routing information for their respective sites with the use of the BGP routing protocol. The service provider edge label switch router also contains a default forwarding table that is populated by the service provider's normal routing protocol and does not contain any MPLS VPN routes. After all, this router may still be providing Internet access for other customers. There is a possibility that different companies are using the same IP address space. They may be using RFC 1918 private IP address space and doing network address translation for their Internet access. In fact this has become very common in today’s networks. This is not a problem for MPLS VPN: because each VPN uses its own forwarding table, you can have overlapping IP address space between VPNs and not have any routing problems. When the different service provider edge label switch routers exchange their routing information they maintain separate routes for the same IP address space with the use of the BGP Multiprotocol extension. The extension makes use of a new VPN-IPv4 address. The address is 12 bytes, with 8 bytes for the Route Distinguisher portion of the address and 4 bytes for the actual IP address. When multiple MPLS VPNs use the same IP address space, the edge label switch router translates the address into a new, unique VPN-IPv4 address. In this way the routers populate the multiple forwarding tables with different routes for the same address space for each MPLS VPN. The Route Distinguisher portion of the VPN-IPv4 address is controlled by the service provider and structured so that there will be no conflict between Route Distinguishers from different service providers. If every service provider’s backbone router had to maintain routing information for every VPN that the service provider was supporting, severe scalability problems would arise. Because of the label technology employed in the backbone, the routing information only needs to be held by the edge label switch router that the VPN attaches to. This makes MPLS VPNs very scalable, much more so than Frame Relay or ATM networks. The service provider only has to manage its own backbone and not multiple VPN backbones. The customer has a lot of flexibility in how they want their MPLS VPN set up. They can have multiple entry points into the service provider’s edge label switch router.
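The 12-byte VPN-IPv4 address and the per-VPN forwarding tables described above, as an added example that is not from the original report or from any provider's implementation. It builds a Type 0 Route Distinguisher (2-byte type, 2-byte AS number, 4-byte assigned number), prepends it to the IPv4 network address, and shows two VRFs at one provider edge router that both carry 10.1.0.0/24 from RFC 1918 space without colliding in the BGP table or in forwarding. The provider AS number 64500, the VRF names, the interface names, the remote PE names and the VPN labels are all assumptions made for the example; the default (global) table stands in for the provider's normal routing table that the report says carries no VPN routes.

```python
"""Overlapping customer address space kept apart at a PE router by per-VRF
forwarding tables and by VPN-IPv4 addresses (8-byte Route Distinguisher + 4-byte IPv4).
Constructed example: two VRFs at one PE both use 10.1.0.0/24 from RFC 1918 space;
the provider AS number 64500 and all interface names are assumptions."""
import struct
from ipaddress import IPv4Address, ip_network


def route_distinguisher(asn, assigned_number):
    """Type 0 RD: 2-byte type (0), 2-byte administrator (ASN), 4-byte assigned number."""
    if not (0 <= asn <= 0xFFFF and 0 <= assigned_number <= 0xFFFFFFFF):
        raise ValueError("RD field out of range")
    return struct.pack("!HHI", 0, asn, assigned_number)


def vpn_ipv4(rd, prefix):
    """12-byte VPN-IPv4 address: the RD followed by the IPv4 network address."""
    return rd + prefix.network_address.packed


# Ingress interface -> VRF. Anything not listed lands in the default (global) table.
VRFS = {"ge-0/0/1": "CLINIC-VPN", "ge-0/0/2": "PARTNER-VPN"}
RD = {
    "CLINIC-VPN": route_distinguisher(64500, 100),
    "PARTNER-VPN": route_distinguisher(64500, 200),
}
# Per-VRF forwarding tables: prefix -> (remote PE, VPN label). Same prefix in both VRFs.
VRF_TABLES = {
    "CLINIC-VPN": {ip_network("10.1.0.0/24"): ("PE2", 300)},
    "PARTNER-VPN": {ip_network("10.1.0.0/24"): ("PE3", 301)},
    "GLOBAL": {ip_network("0.0.0.0/0"): ("INTERNET", None)},
}


def mp_bgp_table():
    """Routes as MP-BGP would carry them, keyed by VPN-IPv4 address.
    Raises if two VRF routes collapse onto one key, which the RD prevents."""
    table = {}
    for vrf, routes in VRF_TABLES.items():
        if vrf == "GLOBAL":
            continue
        for prefix, next_hop in routes.items():
            key = vpn_ipv4(RD[vrf], prefix)
            if key in table:
                raise ValueError("VPN-IPv4 collision")
            table[key] = (vrf, prefix, next_hop)
    return table


def lookup(ingress_iface, dst):
    """Pick the VRF from the ingress interface, then longest-prefix match in that VRF only,
    so a packet from one VPN can never match a route belonging to another."""
    vrf = VRFS.get(ingress_iface, "GLOBAL")
    addr = IPv4Address(dst)
    matches = [p for p in VRF_TABLES[vrf] if addr in p]
    if not matches:
        return vrf, None
    best = max(matches, key=lambda p: p.prefixlen)
    return vrf, VRF_TABLES[vrf][best]
```

lookup("ge-0/0/1", "10.1.0.5") and lookup("ge-0/0/2", "10.1.0.5") resolve the identical destination to two different remote PEs and VPN labels, and mp_bgp_table() holds both 10.1.0.0/24 routes under distinct 12-byte keys (00 00 fb f4 00 00 00 64 + 0a 01 00 00 versus 00 00 fb f4 00 00 00 c8 + 0a 01 00 00). A packet arriving on an interface that belongs to no VRF only ever sees the global table.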
The customer might want multiple MPLS VPNs set up as Extranets between business partners and some MPLS VPNs for their own geographically separate offices to be part of their Intranet. The customer can then control which network traffic goes to which site because they control their own edge router. The MPLS VPN can also be used with VLAN technology: the service provider edge label switch router can analyze the VLAN tag of the packet from the customer edge router and assign it to the correct MPLS VPN for each VLAN. MPLS VPN security is accomplished by using a data plane and control plane approach. The data plane protects against a packet from within an MPLS VPN traveling outside of its VPN boundaries and against packets from outside an MPLS VPN traveling into the boundaries of that MPLS VPN. The service provider ensures that routers drop packets that do not belong to the MPLS VPN by examining the label of the packet. Control plane security ensures that non-trusted peers cannot inject routes into the MPLS VPN. This is accomplished by the use of the MD5 authentication feature of BGP. Control plane security also ensures that physical security of the routers is maintained to eliminate unauthorized access.
RESEARCH METHODOLOGY
RESEARCH DESIGN
Research design can be thought of as the structure of research: it is the "glue" that holds all of the elements in a research project together. We often describe a design using a concise notation that enables us to summarize a complex design structure efficiently. The research design involved in this project is DESCRIPTIVE research.
Descriptive Research (who, what, where, how): Designed to provide further insight into the research problem by describing the variables of interest. It can be used for profiling, defining, segmentation, estimating, predicting, and examining associative relationships.
DATA COLLECTION
Primary Data: 30% of the content in the project comes from personal interviews and brief details provided by the concerned person.
Secondary Data: 70% of the data is collected from articles, journals, and the internet via search engines.
FINDINGS/CONCLUSIONS
1. The organization has Video Conferencing applications and provides service support which is backed by the best tools and resources to meet the SLA standards.
2. VPN is the key component attracting the attention of many organizations looking to both expand their networking capabilities and reduce their costs.
3. Confidentiality, Integrity, Authenticity and Non-repudiation are the basic properties of information security.
4. A label distribution protocol is used to exchange label information between label switch routers that have a direct connection to each other.
5. Forwarding decisions that depend on the ingress router can be easily made.
6. A customer with multiple MPLS VPNs set up can use them as Extranets between business partners.
7. MPLS VPNs are used by customers to make their geographically separate offices part of their Intranet.
8. Through the MPLS VPN the customer can control which network traffic goes to which site, because they control their own edge router.