Design and Implementation of QoS VPN Experimental Environment in DiffServ Network

• Main Authors: Yju-Chen, Lee, 李育全
• Other Authors: Shi-Chung, Chang
• Format: Others
• Language: zh-TW
• Published: 2002
• Online Access: http://ndltd.ncl.edu.tw/handle/37628864403379758987

碩士 === 國立臺灣大學 === 電機工程學研究所 === 90 === Virtual private network (VPN) technology enables secure transmission of information through a public network. The most significant advantage of VPNs compared with traditional leased line private networks is its low cost of deployment. However, it cannot guarantee the quality of service (QoS) on networks. How to provide a VPN with QoS over a public carrier network environment remains an important and challenging issue. The focus of this thesis is to combine the concepts and technologies of QoS provisioning and VPN to develop a QoS-assured VPN service architecture. The architecture provides users with a simple, and cryptographic Differentiated Service (DiffServ) environment with bandwidth selectivity. Under this architecture, packet encryption is added after the classification function of the DiffServ architecture on a per flow basis. Encrypted packets of each flow are then added with an IP header of the VPN to which the flow belongs. The QoS guarantee for each VPN flow then follows the DiffServ architecture. Packets are processed in the reverse way at their receiving side. In our design, there are two essential parts, an integrated QoS VPN router and a rule-based service broker. The integrated QoS VPN router is arranged on the boundary of DiffServ network. We provide expedited forwarding (EF) per hop behavior (PHB) of DiffServ architecture and best effort (BE) PHB via two boundary routers deployed. On the boundary router, a multi-field classifier classifies packets according to source address, DiffServ code point (DSCP), and port number, a marker marks different DSCP of packets for every flow and collects several flows in a category. After that, IPSec protocols are adopted to encrypt the VPN traffic without modifying DSCP. A token bucket filter (TBF) is then used to shape the traffic flowing into the buffer of router abided to the terms of their respective service agreements. Packets belonging to different flows are allocated appropriate network resource and transmitted from buffer according to DSCP and weighted round robin (WRR) scheme. We designed a rule-based service broker providing VPN users with dynamic bandwidth configuration service. Service broker provides services for users, including service requests of users, network status interface, router traffic and QoS statistics data . It changes the resource allocation of routers through secure link and configures the routing table. We perform an experimental implementation according to the designed QoS VPN architecture. The QoS VPN router is built on Linux operation system with the installation of FreeS/WAN. We also install iproute2 on QoS VPN router classifying and achieving WRR algorithm, and ntop for analyzing network traffic. A rule-based service broker is also built on Linux operation system. It controls integrated QoS VPN routers through secure link SSH. Protocol analyzer and movie server are installed on Window2000TM and WindowNT4.0 TM, respectively. We design and implement several relative experiments. The implemention results show that the designed experimental environment achieves a DiffServ-based QoS VPN environment correctly. We also preliminarily assessed the scalability of this experimental implementation based on experimental statistics.