100 research outputs found

    A survey of Virtual Private LAN Services (VPLS): Past, present and future

    Virtual Private LAN Service (VPLS) is a Layer 2 Virtual Private Network (L2VPN) service that has gained immense popularity due to a number of its features, such as protocol independence, multipoint-to-multipoint mesh connectivity, robust security, low operational cost (in terms of optimal resource utilization), and high scalability. In addition to the traditional VPLS architectures, novel VPLS solutions have been designed leveraging new emerging paradigms, such as Software Defined Networking (SDN) and Network Function Virtualization (NFV), to keep up with the increasing demand. These emerging solutions help in enhancing scalability, strengthening security, and optimizing resource utilization. This paper aims to conduct an in-depth survey of various VPLS architectures and highlight different characteristics through insightful comparisons. Moreover, the article discusses numerous technical aspects such as security, scalability, compatibility, tunnel management, operational issues, and complexity, along with the lessons learned. Finally, the paper outlines future research directions related to VPLS. To the best of our knowledge, this paper is the first to furnish a detailed survey of VPLS.

    Performance evaluation of HIP-based network security solutions

    Abstract. Host Identity Protocol (HIP) is a networking technology that systematically separates the identifier and locator roles of IP addresses and introduces a Host Identity (HI) name space based on a public key security infrastructure. This modification offers a series of benefits such as mobility, multi-homing, end-to-end security, signaling, control/data plane separation, firewall security, etc. Although HIP has not yet been sufficiently applied in mainstream communication networks, industry experts foresee its potential as an integral part of next generation networks. HIP can be used in various HIP-aware applications as well as in traditional IP-address-based applications and networking technologies, taking middle boxes into account. One such application is the Virtual Private LAN Service (VPLS), a widely used method of providing an Ethernet-based Virtual Private Network that supports the connection of geographically separated sites into a single bridged domain over an IP/MPLS network. The popularity of VPLS among commercial and defense organizations underscores the need for robust security features to protect both data and control information. After investigating the different approaches to HIP, a real world testbed is implemented. Two experiment scenarios were evaluated: one is performed on two open source Linux-based HIP implementations (HIPL and OpenHIP) and the other on two sets of enterprise equipment from two different companies (Tempered Networks and Byres Security). To account for a heterogeneous mix of network types, the open source HIP implementations were evaluated on different network environments, namely Local Area Network (LAN), Wireless LAN (WLAN), and Wide Area Network (WAN). Each scenario is tested and evaluated for performance in terms of throughput, latency, and jitter. The measurement results confirmed the assumption that no single solution is optimal in all considered aspects and scenarios. For instance, in the open source implementations, the performance penalty of security on TCP throughput for the WLAN scenario is lower in HIPL than in OpenHIP, while for the WAN scenario the reverse is the case. A similar outcome is observed for the UDP throughput. However, on latency, HIPL showed lower latency for all three network test scenarios. For the legacy equipment experiment, the penalty of security on TCP throughput is about 19% compared with the non-secure scenario, while latency is increased by about 87%. This work therefore provides viable information for researchers and decision makers on the optimal solution to securing their VPNs based on the application scenarios and the potential performance penalties that come with each approach.

    Performance evaluation of security solutions for HIP-based communication networks. Abstract. The Host Identity Protocol (HIP) is a communication network technology that uses a separate layer between the transport protocol and the Internet Protocol (IP) in the TCP/IP protocol stack. HIP systematically separates the network and host parts of the IP address and uses a Host Identity (HI) component based on a public-key security infrastructure. Its benefits include mobility, multi-homing, end-to-end security, separation of control information and data, rendezvous, address change and firewall security. In industry, HIP is seen as part of next-generation communication networks, even though it has not yet come into widespread commercial use. HIP can be used not only in various HIP-aware applications but also in traditional IP-address-based applications and network technologies. One such application is the Virtual Private LAN Service (VPLS), a widely used method for creating an Ethernet-based virtual private network that connects separate sites into a single bridged domain over an IP/MPLS network. The prevalence of VPLS in both commercial and defense organizations underscores the need for robust security features to protect data and control information. This work first examines the different approaches to HIP. After the theoretical review, practical tests are carried out on a self-built testbed. The scenarios considered are a comparison of Linux-based open source HIP implementations (HIPL and OpenHIP) and a comparison of equipment from two different manufacturers (Tempered Networks and Byres Security). The HIP implementations are evaluated in different network environments: LAN, WLAN and WAN. All tested cases are evaluated in terms of throughput, its variation (jitter) and latency. The measurement results show that no single solution is optimal in all the cases considered. For example, when using a WLAN, the throughput loss caused by security is smaller for HIPL than for OpenHIP, whereas in the WAN case the situation is reversed. Similar behavior is also observed for UDP throughput. HIPL, however, gives the lowest latency in all test scenarios. When comparing the equipment from different manufacturers, TCP throughput degrades by 19 percent and latency by 87 percent compared with the case where no security solution is used. The important information produced by this work can therefore help practitioners in the field find the optimal network security solution for VPN-based applications.

    On forwarding state control in VPN multicast based on MPLS multipoint LSPs

    This work was presented at the 2012 IEEE 13th International Conference on High Performance Switching and Routing, held June 24-27, 2012 in Belgrade, Serbia. Event website: http://hpsr2012.etf.bg.ac.rs/index.php

    The demand for multicast-capable VPN services, like Virtual Private LAN Service (VPLS), has grown quickly in recent years. In order to save bandwidth, MPLS point-to-multipoint LSPs could be used, but the VPN-specific state information to be handled inside the network may exceed the capacity of core nodes. A well-known solution for this is to aggregate the multicast/broadcast traffic of multiple VPNs into shared p2mp LSP trees. In shared trees, although some bandwidth is wasted because a fraction of the packets are delivered to non-member leaves (either not in the VPN broadcast or multicast group), there is a wide working range where a good state vs. bandwidth trade-off is achieved. In this paper we enhance and improve previous works that analyze this trade-off. We propose new techniques for multicast traffic aggregation of VPNs in MPLS-based networks, with the objective of observing the behavior of the aggregation philosophy for different aggregation degrees, which should be very useful for network design and deployment purposes. We assess the aggregation heuristics over different reference networks and VPN geographic distributions. Simulations give a quantitative indication of the relevance of intelligent aggregation, of geographical distribution and of group sizes. The work described in this paper was carried out with the support of MEDIANET PRICIT 2009/TIC-1468, from the Community of Madrid; and Fundación Carolina, Spain.

    MPLS/VPLS: Virtual Private LAN Service over MPLS

    Today MPLS has become one of the most sought-after solutions for implementing transport in metropolitan backbones. The advantages of a multiservice network over an IP network are countless; among them is the implementation of point-to-point Ethernet solutions in which two remote devices can share the same broadcast domain. Work is currently under way on implementing Layer 2 VPNs that solve the problem of converting MAC addresses to IP addresses. Among the precedents for research on LAN emulation over backbones is ATM LANE, which emulated a LAN over an ATM WAN. The ATM LANE service had four basic components: a LEC (LAN Emulation Client), a LECS (LAN Emulation Configuration Server), a LES (LAN Emulation Server) and a BUS (Broadcast and Unknown Server). These components interact to emulate a LAN in which the LECs share a single broadcast domain. Another important precedent is AAL5 and its “LLC Encapsulation” mechanism, which multiplexes several protocols over a single virtual circuit. When discussing VPLS it is vitally important to review the most important MPLS concepts: to explain how the MPLS backbone operates with all its components, among them the LSRs (Label Switching Routers), how label exchange is performed, and how this label exchange optimizes packet forwarding in the

    Creating a Worldwide Network For the Global Environment for Network Innovations (GENI) and Related Experimental Environments

    Many important societal activities are global in scope, and as these activities continually expand world-wide, they are increasingly based on a foundation of advanced communication services and underlying innovative network architecture, technology, and core infrastructure. To continue progress in these areas, research activities cannot be limited to campus labs and small local testbeds or even to national testbeds. Researchers must be able to explore concepts at scale—to conduct experiments on world-wide testbeds that approximate the attributes of the real world. Today, it is possible to take advantage of several macro information technology trends, especially virtualization and capabilities for programming technology resources at a highly granular level, to design, implement and operate network research environments at a global scale. GENI is developing such an environment, as are research communities in a number of other countries. Recently, these communities have not only been investigating techniques for federating these research environments across multiple domains, but they have also been demonstrating prototypes of such federations. This chapter provides an overview of key topics and experimental activities related to GENI international networking and to related projects throughout the world.

    Deliverable JRA1.1: Evaluation of current network control and management planes for multi-domain network infrastructure

    This deliverable includes a compilation and evaluation of available control and management architectures and protocols applicable to a multilayer infrastructure in a multi-domain Virtual Network environment. The scope of this deliverable is mainly focused on the virtualisation of the resources within a network and at processing nodes. The virtualization of the FEDERICA infrastructure allows the provisioning of its available resources to users by means of FEDERICA slices. A slice is seen by the user as a real physical network under his/her domain; however, it maps to a logical partition (a virtual instance) of the physical FEDERICA resources. A slice is built to exhibit to the highest degree all the principles applicable to a physical network (isolation, reproducibility, manageability, ...). Currently, there are no standard definitions available for network virtualization or its associated architectures. Therefore, this deliverable proposes the Virtual Network layer architecture and evaluates a set of management and control planes that can be used for the partitioning and virtualization of the FEDERICA network resources. This evaluation has been performed taking into account an initial set of FEDERICA requirements; a possible extension of the selected tools will be evaluated in future deliverables. The studies described in this deliverable define the virtual architecture of the FEDERICA infrastructure. During this activity, the need has been recognised to establish a new set of basic definitions (taxonomy) for the building blocks that compose the so-called slice, i.e. the virtual network instantiation (which is virtual with regard to the abstracted view made of the building blocks of the FEDERICA infrastructure) and its architectural plane representation. These definitions will be established as a common nomenclature for the FEDERICA project. Other important aspects when defining a new architecture are the user requirements. It is crucial that the resulting architecture fits the demands that users may have. Since this deliverable has been produced at the same time as the contact process with users, carried out by the project activities related to the Use Case definitions, JRA1 has proposed a set of basic Use Cases to be considered as a starting point for its internal studies. When researchers want to experiment with their developments, they need not only network resources on their slices, but also a slice of the processing resources. These processing slice resources are understood as virtual machine instances that users can make behave as software routers or end nodes, on which to download the software protocols or applications they have produced and want to assess in a realistic environment. Hence, this deliverable also studies the APIs of several virtual machine management software products in order to identify which best suits FEDERICA’s needs.

    Comparison of Ethernet transport technologies

    This Master's thesis studied various solutions that enable Ethernet technology to be used in service providers' networks. The studied and compared technologies are PB, PBB, PBB-TE, VPLS, H-VPLS, MPLS-TP and PBB-VPLS. In addition, the work examined optical transport systems. The technologies were studied through a literature review. Information was found in articles, standards and the technical documentation of equipment manufacturers. The same research methods were used for the optical transport systems as for the network technologies. In addition to the literature review, a test network based on PBB-VPLS was built and used to verify the properties of the solution. For the network technologies, the literature review concluded that PBB-TE, MPLS-TP and PBB-VPLS are the technologies best suited to service providers' use. Which technology suits a particular service provider best depends, among other things, on the network topology in use, the existing equipment and the profile of the traffic carried in the network. As for optical transport systems, it was found that the technology most likely to be used in the future is an optical transport system based on wavelength-division multiplexing (WDM), or possibly a system based on both wavelength and time division (WDM and TDM). The practical tests showed that PBB-VPLS is feasible and well suited to hiding MAC addresses from a VPLS-based core network. At the same time, however, it was found that implementing a PBB-VPLS-based network with devices that do not directly support this combined technology is not practical. PBB-VPLS itself, however, was found to have great potential.

    In this Master’s Thesis we have studied various technologies that enable the use of Ethernet within the networks of service providers. The compared technologies were PB, PBB, PBB-TE, VPLS, H-VPLS, MPLS-TP and PBB-VPLS. In addition to these technologies, optical transport technologies were also evaluated. The research method was a literature study. Information was found in journals, standards and the technical documentation of networking device manufacturers. In addition to the literature study, a test network based on PBB-VPLS was built. This test network was used to verify the properties of the technology. It was found that the most suitable networking technologies to be used within the networks of service providers are PBB-TE, MPLS-TP and PBB-VPLS. The most suitable technology for a specific service provider depends on issues such as network topology, existing hardware and the profile of transported traffic. Moreover, it was discovered that the optical technology most likely to be utilized in the future is based on wavelength multiplexing (WDM) or a technology that combines wavelength multiplexing with time-division multiplexing (TDM). In practical tests, it was found that PBB-VPLS technology is feasible and very suitable for masking customer MAC addresses from the VPLS core network. However, it was also discovered that building a PBB-VPLS network without devices that specifically support the technology is not practical. Regardless, it was concluded that PBB-VPLS technology has a great amount of potential.

    Multicast traffic aggregation in MPLS-based VPN networks

    This article gives an overview of the current practical approaches under study for a scalable implementation of multicast in Layer 2 and Layer 3 VPNs over an IP-MPLS multiservice network. These proposals are based on a well-known technique: the aggregation of traffic into shared trees to manage the forwarding state vs. bandwidth saving trade-off. This sort of traffic engineering mechanism requires methods to estimate the resources needed to set up a multicast shared tree for a set of VPNs. The methodology proposed in this article consists of studying the effect of aggregation obtained by random shared tree allocation on a reference model of a representative network scenario.