Multi-Domain VPN

Thomas Schmid

In the context of national research networks, we rolled out a Europe-wide logical infrastructure, called MDVPN, to support the rapid implementation of multi-domain VPNs. The framework we used for this is "Carrier-support-carrier for hierarchical VPNs", as documented in RFC 4364 Option C. While this is not a brand-new technology, according to vendor statements nobody seems to have implemented it on a larger scale. An overview of the technology and architecture will be given, and use cases will be discussed. Special focus will be put on security concerns raised by the community. Since vendors don't support filters that prevent potential intrusion into local VPNs, a NetFlow-based detector was developed that is able to detect such attacks. In addition, an OpenFlow-based filtering solution is under development in cooperation with a switch vendor. As of today, ca. 500 PEs take part in the MDVPN domain, allowing VPN services such as L2 P2P, VPLS, EVPN and L3 VPNs. In the coming year, a small office router will be developed that allows rapid connection to the MDVPN cloud.