Virtual Private Networks (VPN)

In document Grid Computing Security pdf (Page 178-183)

To carry out business-related activities, it has become essential for employees, contractors, and business managers to access confidential resources and communicate across geographies. It has become quite common for business executives to log on and access resources using laptops while traveling or when they are at client or business locations. Since the communication generally takes place over the public network, confidentiality, authentication, and integrity are very important. One prominent communication service that provides these and allows access to resources anywhere and anytime is the Virtual Private Network (VPN).

Before the advent and popularity of VPN technologies, private networks were created using permanent links between corporate sites. VPN technologies extend this concept by providing virtual networks that are dynamic, with connection setup provided according to organizational needs. Unlike traditional corporate networks, VPNs do not maintain permanent links between end points. Rather, the connection is torn down as soon as it is no longer required, resulting in bandwidth savings.

VPN technologies are cost-effective alternatives to completely private networks, allowing different parties to come together and share resources in a secure manner.

8.3.1 VPNs and Grid – Types of VPNs

There are mainly two different types of VPN technologies. These are Layer 2 VPN service and Layer 3 VPN service.

Layer 2 VPN Service (L2VPN)

In L2VPNs, the provider extends layer 2 services to the customer sites. A key property of L2VPNs is that the provider is unaware of Layer 3-specific (Network Layer) VPN information. The customer and the provider do not exchange any routing information with each other. Forwarding decisions in the provider network are based solely on Layer 2 (Data Link Layer) information such as MAC address, ATM VC identifier, MPLS label, and port number. Currently, two different approaches to L2VPNs are described in the literature: Virtual Private Wire Service (VPWS) and Virtual Private LAN Service (VPLS) [153]. The major difference between the two is that VPWS provides VPN service between one site and another, while VPLS provides a service across multiple sites. The VPWS approach can be regarded as a generalized version of the traditional leased line service, in which the sites are connected in a partial or full mesh. The VPLS approach emulates a LAN environment, where a site automatically gains connectivity to all the other sites attached to the same emulated LAN.

Layer 3 VPN Service (L3VPN)

In L3VPNs, the provider offers layer 3 (Network Layer) connectivity, typically Internet Protocol (IP), between the different customer sites. At present, there are two dominating L3VPN approaches, BGP/MPLS VPN [154] and Virtual Router (VR) [155]. Both approaches concentrate the VPN functionality at the edge of the provider network (provider edge or PE nodes) and hide VPN-specific information from the provider core nodes, to improve scalability. In the BGP/MPLS VPN approach, a routing context is represented as a separate routing and forwarding table in the PE. Each PE node runs a single instance of a BGP variant called Multiprotocol BGP (MPBGP) [156] for VPN route distribution across the core network. PE nodes use MPLS labels to keep VPN traffic isolated and transmit packets across the core network in tunnels. The tunnels are not necessarily MPLS tunnels; they can be of any type, such as IPSec (see Chap. 2). If a tunnel type other than MPLS is used, the only nodes that need to know about MPLS are the PEs. Any routing protocol can run between the Customer Edge (CE) nodes and the PEs, but in practice the customer must use the routing protocol chosen by the provider. In the VR approach, PE nodes have one VR instance running for each VPN context. A VR emulates a physical router and functions exactly like one. VRs belonging to the same VPN are connected to each other via tunnels across the core network.
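The following is an added illustration (not code from the book) of the per-VPN routing context described above: a PE node that keeps one routing/forwarding table per VPN, binds each CE-facing interface to one of those tables, and attaches the VPN label learned via MP-BGP to the forwarding decision. Customer names, interface names, prefixes and label values are constructed for the example.

```python
from ipaddress import ip_network, ip_address


class ProviderEdge:
    """Simplified PE: one VRF (routing and forwarding table) per VPN context."""

    def __init__(self):
        self.vrfs = {}        # vpn name -> list of (prefix, next_hop_pe, vpn_label)
        self.interfaces = {}  # CE-facing interface -> vpn name (attachment circuit)

    def attach(self, interface, vpn):
        """Bind a customer-facing interface to a VPN's routing context."""
        self.interfaces[interface] = vpn
        self.vrfs.setdefault(vpn, [])

    def learn_route(self, vpn, prefix, next_hop_pe, label):
        """Install a route distributed over MP-BGP into that VPN's VRF only."""
        self.vrfs[vpn].append((ip_network(prefix), next_hop_pe, label))

    def forward(self, ingress_interface, dst):
        """Longest-prefix match restricted to the VRF of the ingress interface."""
        vpn = self.interfaces[ingress_interface]
        addr = ip_address(dst)
        best = None
        for prefix, next_hop, label in self.vrfs[vpn]:
            if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, next_hop, label)
        if best is None:
            # No route in this VPN: the packet is dropped, it never crosses into another VRF.
            return None
        # The label identifies the egress VRF at the remote PE; the core only sees the tunnel.
        return {"vpn": vpn, "next_hop_pe": best[1], "label": best[2]}


def demo():
    """Two customers numbering the same private prefix stay isolated (constructed data)."""
    pe = ProviderEdge()
    pe.attach("ge-0/0/1", "CUST_A")
    pe.attach("ge-0/0/2", "CUST_B")
    pe.learn_route("CUST_A", "10.1.0.0/16", "PE2", 1001)
    pe.learn_route("CUST_B", "10.1.0.0/16", "PE3", 2002)
    return (
        pe.forward("ge-0/0/1", "10.1.2.3"),      # resolved in CUST_A's table
        pe.forward("ge-0/0/2", "10.1.2.3"),      # same address, CUST_B's table
        pe.forward("ge-0/0/2", "192.168.5.1"),   # unknown in CUST_B: dropped
    )
```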

8.3.2 VPNs and Grid – Issues

If grid computing is to become an important part of any enterprise's infrastructure, it needs to integrate with the VPN technologies that have become the norm in most enterprises for secure access to internal resources. Let us now discuss some of the issues in integrating VPNs with grid technologies.

Manageability

VPNs and grids represent two diametrically opposite paradigms. In a typical grid computing environment, different entities share resources. VPNs, on the other hand, are point-to-point security solutions between two entities. In order to use a VPN over each connection between a user and a resource node, a potentially enormous number of VPNs will be needed, with associated key management challenges for each. This will result in a huge manageability cost for the enterprise. Even a simple setup of one grid node, a scheduler, and a few resources, with VPN connections between each of them, is not at all feasible.

Performance

Like any other security solution, a VPN will introduce additional overheads, which will reduce the overall throughput of the grid systems. Several research works have addressed this issue. In the next subsection, we will

throughput in a scalable manner.

Setup

Another issue that hinders the integration of VPN and grid technologies is the manual configuration required at each VPN. In a grid computing environment, flexibility is one of the key drivers. Nodes are added or deleted on demand based on the utilization of the systems. This is very difficult to achieve in a VPN setup. Added to this is the issue of trust management, which would be really difficult to manage and maintain. It is to be understood that VPNs do not provide end-to-end security; rather, they provide security at the network or the data link layer (Layer 3 or Layer 2 security). Grids, on the other hand, require security at the message level. Therefore, integration is needed, which is always through manual setup and hence not scalable.

8.3.3 VPNs and Grid – Some Solutions

Several research efforts have been undertaken to combine VPN and grid services. In this chapter, we briefly discuss two such solutions: Hose and the on-demand grid support system.

Hose – A Resource Management Solution

The Hose service model [157] is an effort to provide flexible resource management in a VPN environment. Proposed by researchers from AT&T® Research, the Hose service model is characterized by aggregating traffic from one set of end-points to another in a VPN. The hose service model is a flexible alternative to the customer-pipe service model, in which a customer buys a set of fixed allocations (customer pipes) from the service provider. In the hose model, the customers specify only the incoming and outgoing traffic aggregated over the different sites in the VPN system.

Figure 8.4 shows a traditional VPN setup where proper provisioning of bandwidth is required to satisfy the Service Level Agreement (SLA) for each customer. Taking the same example for a hose model, each site would instead be provisioned for the aggregate amount of traffic coming in and going out of the site. Following are the advantages of the Hose model:

Flexibility: The Hose model allows the flexibility of clubbing together traffic having similar QoS requirements. Overall, it provides more flexibility in terms of resource allocation and utilization.

On demand resource: This type of model fits nicely with the grid vision as resources could be adjusted on demand.

In spite of the flexibility provided by this model, one of its main disadvantages is the lack of QoS guarantees it can provide. Since the resources are shared, absolute guarantees are hard to provide, which has been a bottleneck to wide acceptance of such a system.

Fig. 8.4. A traditional VPN setup
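As an added worked example (not from the book or the Hose paper), the following compares customer-pipe provisioning with hose provisioning for a small three-site VPN. Site names and the bandwidth figures (Mbit/s) are constructed; the example shows that a demand shift which keeps every site's aggregate ingress and egress unchanged is admitted by the hose parameters but violates a fixed customer pipe, which is both the flexibility and the weaker per-pair guarantee discussed above.

```python
SITES = ["hq", "lab", "dc"]  # constructed site names


def pipe_reservations(matrix):
    """Customer-pipe model: one fixed allocation per ordered (src, dst) pair."""
    return {(s, d): bw for s, row in matrix.items() for d, bw in row.items() if s != d}


def site_aggregates(matrix, site):
    """Aggregate egress and ingress of one site, summed over all other sites."""
    out_bw = sum(matrix[site].get(d, 0) for d in SITES if d != site)
    in_bw = sum(matrix[s].get(site, 0) for s in SITES if s != site)
    return {"out": out_bw, "in": in_bw}


def hose_parameters(matrix):
    """Hose model: each site states only its aggregate egress and ingress."""
    return {site: site_aggregates(matrix, site) for site in SITES}


def pipe_admits(pipes, matrix):
    """A traffic matrix fits the pipe model only if no pair exceeds its own pipe."""
    return all(bw <= pipes.get((s, d), 0)
               for s, row in matrix.items() for d, bw in row.items() if s != d)


def hose_admits(hose, matrix):
    """Any matrix whose per-site totals stay within the hose bounds is admitted,
    regardless of how the traffic is split between destinations."""
    return all(site_aggregates(matrix, site)["out"] <= hose[site]["out"]
               and site_aggregates(matrix, site)["in"] <= hose[site]["in"]
               for site in SITES)


def demo():
    """Constructed demands: the planned matrix, then a shift along a 3-cycle
    (hq->lab, lab->dc, dc->hq each +5; hq->dc, lab->hq, dc->lab each -5)
    that leaves every row and column sum unchanged."""
    planned = {"hq": {"lab": 10, "dc": 20}, "lab": {"hq": 5, "dc": 5}, "dc": {"hq": 20, "lab": 10}}
    shifted = {"hq": {"lab": 15, "dc": 15}, "lab": {"hq": 0, "dc": 10}, "dc": {"hq": 25, "lab": 5}}
    pipes = pipe_reservations(planned)
    hose = hose_parameters(planned)
    # Pipe model rejects (hq->lab needs 15 but the pipe holds 10); hose model admits.
    return pipe_admits(pipes, shifted), hose_admits(hose, shifted)
```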

On-Demand VPN Support for the Grid

In [158], the authors have proposed a network resource abstraction for resource discovery of on-demand VPN. The main contribution of the work lies in the abstraction of the information provided so that the VPN resources can be discovered. The proposed abstraction is implemented and
