Development and evaluation of LISP-based instant VPN services

Abstract

The Locator/ID Separation Protocol (LISP) is being standardized in IETF, which separates the IP address functionality into routing locators (RLOC) and endpoint identifiers (EID). LISP is applicable for instant Virtual Private Network (VPN) services because it has IP tunneling features. However, there are two main issues with application to VPN. One is a Map server/Map resolver (MS/MR) basically allows any third party to know a mapping table even if it is irrelevant to the VPN. The other is an MS/MR should identify the VPN to which the requested site belongs because the requested EIDs can be private addresses and may overlap with other VPN sites. A simple solution is to deploy an independent MS/MR for every VPN. However, this is undesirable from a cost perspective. We present a new LISP-MS/MR that provides a large number of VPN services using a single set. This MS/MR creates a logically separated EID-to-RLOC mapping table for each VPN and selects an appropriate type according to the requesting VPN site. To ensure this, our scheme uses Authentication data included in the Map register for an initial VPN identification of the registering site and associates the identified VPN ID with the registered RLOC. In following Map requests, the appropriate mapping table for the requesting VPN site is selected based on its RLOC. We confirmed the basic network functions of VPN using the prototype system. The results of scalability tests show that our MS/MR completes the transaction for nearly-simultaneous 10,000 Map registers or requests within three seconds.