The Client INTERNET Link offering is implemented using a virtual private network (VPN) connection. A VPN is a secure, point-to-point connection between a client and the CME Group data centers. VPN traffic is carried over the Internet using secure tunneling technology. Customers will be configured with a VPN to CME Group's production data center.
Client INTERNET Link - Aurora. This offering provides access to F&O services only.
- F&O’s VPN equipment is separate from BrokerTec Client INTERNET Link services.
- Client INTERNET Link customers around the globe will utilize the internet to connect to F&O’s VPN equipment located in North America.
Client INTERNET Link - Secaucus. This offering provides access to BTEC US services only.
- BrokerTec US’ VPN equipment is separate from BrokerTec EU and F&O’s Client INTERNET Link services.
- BrokerTec US customers use the Internet to connect to BTEC’s US VPN equipment located in North America.
Client INTERNET Link - Slough. This offering provides access to BTEC EU services only.
- BrokerTec EU’s VPN equipment is separate from BrokerTec US and F&O’s Client INTERNET Link services.
- Client INTERNET Link customers will use the Internet to connect to BTEC’s EU VPN equipment located in Europe.
IPSec
A VPN connection is created using IPSec, the Internet standard protocol for tunneling, encryption, and authentication. It protects data traffic by addressing basic usage issues, including:
- Access control
- Connection integrity
- Authentication of data origin
- Protections against replays
- Traffic flow confidentiality
The technique used to protect data being transmitted over the Internet is encryption. Data is scrambled (encrypted) when it is transmitted and unscrambled (decrypted) when it is received. An encryption algorithm determines how the data is encrypted and decrypted.
Keys
A key is the secret code that the encryption algorithm uses to create a unique version of encrypted data. Keys are rated by their cryptographic strength. The cryptographic strength of a key refers to the length of the key in bits.
The Internet Key Exchange (IKE) management protocol standard is used in conjunction with the IPSec standard. IKE is a hybrid protocol that implements the Oakley and SKEME key exchanges inside the Internet Security Association and Key Management Protocol (ISAKMP) framework. IKE authenticates the IPSec peers, negotiates IPSec keys, and negotiates Security Associations (SAs).
For site-to-site VPN connections, peer devices must authenticate one another before IPSec communications can occur. CME Group uses a Pre-Shared Key (PSK) for device authentication. PSK is the most efficient IKE authentication mechanism.
A unique PSK is the most secure type of PSK since it is tied to a specific IP address. This is ideal for site-to-site VPNs where the identity of the peer device is always known. CME Group will generate and provide customers with a unique key.
Requirements
Please review the prerequisites below to determine any services, addressing tasks, software, or hardware that your firm must have available or complete prior to enabling connectivity for Client INTERNET Link. All IP packets destined for CME Group must be sourced from CME Group-assigned private address space. CME Group will not accept traffic sourced from any customer’s public IP space. If internal resources are not available, customers are responsible for engaging resources to establish and support connectivity to CME Group.
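The source-address rule above (traffic must come from CME Group-assigned private space, never from the customer's public IP space) is easy to get wrong when a firm has several internal ranges. The following is an added illustration, not CME Group code, of how a firm could audit its own egress records against that rule before enabling the link. The assigned prefix, the sample records and the record format are all constructed placeholders; the real assigned prefix comes from CME Group at provisioning time.

```python
"""Source-address admission check for traffic headed to CME Group over the
Client INTERNET Link VPN.  Added illustration, not CME Group code.

Rule from the page: every packet destined for CME Group must be sourced from
CME Group-assigned private address space; traffic from a customer's public IP
space is not accepted.  Private space that CME Group did not assign to this
customer is flagged separately so the cause of a rejection is obvious.
"""
import ipaddress

# Constructed placeholder for the prefix CME Group assigns to this customer.
CME_ASSIGNED_PREFIXES = [ipaddress.ip_network("10.255.12.0/24")]

# RFC 1918 private space (used only to explain *why* a source was rejected).
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def classify_source(src: str, assigned=None) -> str:
    """Return 'accept' or a reason for rejection for one source address."""
    assigned = CME_ASSIGNED_PREFIXES if assigned is None else assigned
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "reject-malformed"
    if any(addr in net for net in assigned):
        return "accept"
    if any(addr in net for net in RFC1918):
        # Private, but not the range CME Group assigned to this customer.
        return "reject-private-unassigned"
    # Anything else is treated as the customer's public space.
    return "reject-public"


def audit(lines, assigned=None):
    """Classify constructed 'src=... dst=...' records; returns (src, verdict) pairs."""
    results = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        results.append((fields["src"], classify_source(fields["src"], assigned)))
    return results


# Constructed sample records, not captured traffic.  The destination is a
# placeholder; CME Group supplies the real data center addresses.
SAMPLE = [
    "src=10.255.12.7 dst=192.0.2.10 proto=tcp",   # inside the assigned prefix
    "src=10.20.0.5 dst=192.0.2.10 proto=tcp",     # private but not assigned
    "src=203.0.113.4 dst=192.0.2.10 proto=tcp",   # not private: treated as public
    "src=not-an-ip dst=192.0.2.10 proto=tcp",     # malformed record
]

if __name__ == "__main__":
    for src, verdict in audit(SAMPLE):
        print(f"{src:16} {verdict}")
```

The distinction between "reject-public" and "reject-private-unassigned" matters in practice: the second case usually means an internal subnet is being NATed or routed toward the tunnel without being translated into the CME-assigned range, which is a configuration error on the customer side rather than a policy question.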
Internet Requirements
Customers must provide a high-speed connection to the Internet. The connection must meet the following criteria:
- The registered IP address must be static and publicly routable on the Internet.
- Internet bandwidth must be at least equal to the CIL subscriber rate.
- Your Internet service provider (ISP) must support VPN protocols.
Software Requirements
The VPN software on your device or service must support the following encryption requirements:
- PSK for Internet Security Association and Key Management Protocol (ISAKMP)/IKE
- 3DES/SHA1 encryption or stronger for phase 1
- AES256/SHA1 encryption or stronger for phase 2
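The Keys section rates algorithms by cryptographic strength, and the list above fixes the minimum proposals for each IKE phase plus PSK authentication. The following added example, which is not CME Group code and not any vendor's API, turns those minimums into a check that a firm can run over its planned VPN settings before submitting them. The ordering it uses is an assumption of the example: ciphers are ranked by their comparable security strength as tabulated in NIST SP 800-57 (3DES 112, AES-128 128, AES-192 192, AES-256 256), and integrity algorithms by digest size.

```python
"""Check a proposed IKE/IPsec configuration against the minimums stated on this
page.  Added illustration; not CME Group code and not a vendor API.

Page requirements: PSK authentication for ISAKMP/IKE, 3DES/SHA1 or stronger
for phase 1, AES256/SHA1 or stronger for phase 2.  "Stronger" is decided here
by the assumed rankings below.
"""

# Cipher -> comparable security strength in bits (NIST SP 800-57 figures;
# using this table as the ordering is this example's assumption).
CIPHER_STRENGTH = {"DES": 56, "3DES": 112, "AES128": 128, "AES192": 192, "AES256": 256}
# Integrity algorithm -> digest size in bits (assumed ordering).
HASH_BITS = {"MD5": 128, "SHA1": 160, "SHA256": 256, "SHA384": 384, "SHA512": 512}

# Minimums quoted from the page.
PHASE1_MIN = ("3DES", "SHA1")
PHASE2_MIN = ("AES256", "SHA1")
REQUIRED_AUTH = "psk"


def _rank(table, name):
    """Look up an algorithm, tolerating vendor spellings such as 'AES-256' or 'sha-1'."""
    key = name.upper().replace("-", "").replace("_", "")
    if key not in table:
        raise ValueError(f"unknown algorithm: {name}")
    return table[key]


def meets(proposal, minimum):
    """proposal and minimum are (cipher, hash) tuples; True if both parts are at least the minimum."""
    cipher, digest = proposal
    min_cipher, min_digest = minimum
    return (_rank(CIPHER_STRENGTH, cipher) >= _rank(CIPHER_STRENGTH, min_cipher)
            and _rank(HASH_BITS, digest) >= _rank(HASH_BITS, min_digest))


def check_config(cfg):
    """cfg is a dict like {'auth': 'psk', 'phase1': ('AES256', 'SHA256'), 'phase2': (...)}.
    Returns a list of findings; an empty list means the proposal meets the page's minimums."""
    findings = []
    if str(cfg.get("auth", "")).lower() != REQUIRED_AUTH:
        findings.append(f"IKE authentication must be PSK, got {cfg.get('auth')!r}")
    for phase, minimum in (("phase1", PHASE1_MIN), ("phase2", PHASE2_MIN)):
        proposal = cfg.get(phase)
        if proposal is None:
            findings.append(f"{phase}: no proposal given")
            continue
        try:
            ok = meets(proposal, minimum)
        except ValueError as exc:
            findings.append(f"{phase}: {exc}")
            continue
        if not ok:
            findings.append(f"{phase}: {proposal[0]}/{proposal[1]} is weaker than "
                            f"the minimum {minimum[0]}/{minimum[1]}")
    return findings


# Constructed sample configurations, not real customer settings.
GOOD = {"auth": "psk", "phase1": ("AES-256", "SHA-256"), "phase2": ("AES256", "SHA256")}
BAD = {"auth": "rsa-sig", "phase1": ("3DES", "SHA1"), "phase2": ("AES128", "SHA1")}

if __name__ == "__main__":
    for label, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_config(cfg) or ["compliant"])
```

Note that the check is deliberately strict about unknown names: a cipher the table does not recognise is reported as a finding rather than silently passed, which is the safer failure mode for a pre-submission check.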
Multicast Device Requirements (Client INTERNET Link - Aurora only)
The device prerequisites vary slightly depending on whether existing devices will be leveraged. The following sections describe the two tunneling configuration options that can be used to create the VPN. To support MDP redundancy, you may want to configure a second device.
- Option 1 uses separate units for VPN and GRE tunneling.
- Option 2 uses a single unit for VPN and GRE tunneling.
Option 1: Separate Units for VPN and GRE Tunneling
Customers that choose to utilize a device or service that does not support GRE tunnel encapsulation will have to separate the IPsec and GRE termination between two endpoints.
Figure: Customer-Side Connections for Option 1
This option requires separate VPN and GRE tunneling endpoints.
Option 2: Combined Units for VPN and GRE Tunneling
New CME Group customers, and existing customers without previous experience accessing the CME Group production environment, may be building a CME Group connection for the first time. These customers therefore have the opportunity to select a device or service that combines VPN and GRE functions.
Figure: Customer-Side Connections for Option 2
This option requires a device or service capable of the following:
- IPsec/ISAKMP cryptography
- IP multicast
- GRE (for market data)
CME Group does not make hardware or software recommendations. Customers should contact their network vendor.
Configure the Customer Routers
The customer routers must be configured for PIM (Protocol Independent Multicast) sparse mode (PIM-SM). PIM-SM uses an explicit request approach, where a router has to ask for the multicast feed with a PIM Join message. PIM-SM allows customers to control traffic more precisely, especially where the volume of IP multicast traffic is large compared to the available bandwidth. PIM-SM scales well because packets only go where they are needed, and because it creates state in routers only as needed. The assigned CME Networking engineer provides the data center IP addresses.
Configure the Rendezvous Point IP Address
On each customer side router, such as Customer-Managed Router 1, define the IP address of the corresponding rendezvous point. The CME Group account representative provides the rendezvous point IP addresses.
Configure a Fixed Path Between Router and Corresponding Data Center
The route, or path, of the data feed must be static between each data center and customer-managed router. Customers must define certain router features to ensure the predictability of this path.