
The Client INTERNET Link offering is implemented using a virtual private network (VPN) connection. A VPN is a secure, point-to-point connection between a client and the CME Group data centers. VPN traffic is carried over the Internet using secure tunneling technology. Customers will be configured with a VPN to CME Group's production data center.

Client INTERNET Link - Aurora. This offering only provides access to futures and options services.

  • Futures and options’ VPN equipment is separate from BrokerTec Client INTERNET Link services. 

  • Client INTERNET Link customers around the globe will utilize the internet to connect to futures and options VPN equipment located in North America. 

Client INTERNET Link - Secaucus. There are two Client INTERNET Link platforms. One provides access to BrokerTec US and the other to EBS US services.

  • BrokerTec US’ VPN equipment is separate from BrokerTec EU, EBS US and EU, and futures and options' Client INTERNET Link services. 

  • EBS US' VPN equipment is separate from EBS EU, BrokerTec US and EU, and futures and options' Client INTERNET Link services.

  • BrokerTec US customers use the Internet to connect to BrokerTec US VPN equipment located in North America.

  • EBS US customers use the Internet to connect to EBS US VPN equipment located in North America.

Client INTERNET Link - Slough. There are two Client INTERNET Link platforms. One provides access to BrokerTec EU and the other to EBS EU services.

  • BrokerTec EU’s VPN equipment is separate from BrokerTec US, EBS US and EU, and futures and options' Client INTERNET Link services.

  • EBS EU's VPN equipment is separate from EBS US, BrokerTec US and EU, and futures and options' Client INTERNET Link services.

  • Client INTERNET Link customers will use the Internet to connect to BrokerTec EU VPN equipment located in Europe.

  • Client INTERNET Link customers will use the Internet to connect to EBS EU VPN equipment located in Europe.


IPSec

A VPN connection is created using IPSec, the Internet standard protocol for tunneling, encryption, and authentication. It protects data traffic by addressing basic usage issues, including:

  • Access control

  • Connection integrity

  • Authentication of data origin

  • Protections against replays

  • Traffic flow confidentiality

The technique used to protect data being transmitted over the Internet is encryption. Data is scrambled (encrypted) when transmitted then it is unscrambled (decrypted) when it is received. An encryption algorithm determines how the data is encrypted and decrypted.

...

A key is the secret value that the encryption algorithm uses to create a unique version of the encrypted data. Keys are rated by their cryptographic strength, which refers to the length of the key in bits.

The Internet Key Exchange (IKE) management protocol standard is used in conjunction with the IPSec standard. IKE is a hybrid protocol that implements the Oakley key exchange and SKEME key exchange inside the Internet Security Association and Key Management Protocol (ISAKMP) framework. IKE authenticates the IPSec peers, negotiates IPSec keys, and negotiates Security Associations (SAs).

For site-to-site VPN connections, peer devices must authenticate one another before IPSec communications can occur. CME Group uses a Pre-Shared Key (PSK) for device authentication. PSK is the most efficient IKE authentication mechanism.

A unique PSK is the most secure type of PSK since it is tied to a specific IP address. This is ideal for site-to-site VPNs, where the identity of the peer device is always known. CME Group will generate and provide customers with a unique key.

...

Customers must provide a high-speed connection to the Internet. The connection must meet the following criteria:

  • The registered IP address must be static and publicly routable on the Internet.

  • Internet bandwidth must be at least equal to the CIL subscriber rate.

  • Your Internet service provider (ISP) must support VPN protocols.

  • The connection must not be cloud-based, due to the lack of Generic Routing Encapsulation (GRE) support.

CME Group recommends that customers use a Cisco router with support for site-to-site VPNs. CME Group will provide a sample configuration based on a Cisco router which the customer can tailor for their environment (details on the sample configuration to follow). However, it must be noted that customers are free to select the best vendor for their environment and that they will fully support both their chosen hardware and the configuration used to enable the VPN on their side. CME Group is unable to provide configuration support. The required VPN parameters are:

  • IKEv2

  • Pre-shared key authentication

  • IKE Phase One:

    • Encryption: AES256

    • Hash: SHA256

    • Diffie-Hellman group: 14

    • Lifetime: 28800 seconds, no volume limit

    • Customer VPN device IKEv2 identity must match IP address used for peering

  • IKE Phase Two:

    • Encryption: AES256

    • Authentication: SHA256

    • Tunnel mode

    • PFS: Enabled, using Diffie-Hellman Group 14

    • Compression: No

    • Security association lifetime: 4608000 kilobytes/3600 seconds

    • Security association idletime: 60 seconds
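The following Cisco IOS configuration is an added example written for this page; it is not CME Group's sample configuration. It maps each parameter in the list above onto IOS IKEv2 and IPsec commands so that a reviewer can check a router against the required policy line by line. The peer address (203.0.113.10), the customer's static address (198.51.100.2), the object names and the pre-shared key placeholder are all assumptions; the real values come from CME Group.

```cisco
! Added example, not CME Group's sample configuration. Addresses and
! names are placeholders; the PSK is supplied by CME Group per customer.

! IKE Phase One: AES256, SHA256, DH group 14
crypto ikev2 proposal CME-IKEV2-PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy CME-IKEV2-POLICY
 proposal CME-IKEV2-PROPOSAL
!
! Pre-shared key authentication, keyed to the CME peer address
crypto ikev2 keyring CME-KEYRING
 peer CME-GROUP
  address 203.0.113.10
  pre-shared-key REPLACE-WITH-KEY-FROM-CME
!
! IKEv2 identity must be the IP address used for peering, so the local
! identity is pinned to the static public address rather than an FQDN.
! Lifetime 28800 seconds matches the Phase One requirement.
crypto ikev2 profile CME-IKEV2-PROFILE
 match identity remote address 203.0.113.10 255.255.255.255
 identity local address 198.51.100.2
 authentication remote pre-share
 authentication local pre-share
 keyring local CME-KEYRING
 lifetime 28800
!
! IKE Phase Two: ESP with AES256 encryption and SHA256 authentication,
! tunnel mode, no compression (no comp-lzs in the transform set)
crypto ipsec transform-set CME-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! PFS with DH group 14; SA lifetime 4608000 KB / 3600 s; idle time 60 s
crypto ipsec profile CME-IPSEC
 set transform-set CME-TS
 set pfs group14
 set security-association lifetime kilobytes 4608000
 set security-association lifetime seconds 3600
 set security-association idle-time 60
 set ikev2-profile CME-IKEV2-PROFILE
```

The IPsec profile is later bound to a tunnel interface with `tunnel protection ipsec profile CME-IPSEC`. After the tunnel comes up, `show crypto ikev2 sa detailed` and `show crypto ipsec sa` show the negotiated algorithms, DH group and lifetimes, which is the quickest way to confirm the peer did not negotiate down to a weaker proposal.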

The device prerequisites vary slightly depending on whether existing devices will be leveraged. The following sections describe the two tunneling configuration options that can be used to create the VPN. To support MDP redundancy, you may want to configure a second device.

  • Option 1 uses separate units for VPN and GRE tunneling.

  • Option 2 uses a single unit for VPN and GRE tunneling.

Customers that choose to utilize a device or service that does not support GRE tunnel encapsulation will have to separate the IPsec and GRE termination between two endpoints.

...

Figure: Customer-Side Connections for Option 1
This option requires separate VPN and GRE tunneling endpoints.

...

New CME Group customers and those CME Group customers without previous experience accessing the CME Group production environment may be building a CME Group connection for the first time. Therefore, these users have the opportunity to incorporate a device or service combining VPN and GRE technologies.

...

Figure: Customer-Side Connections for Option 2
This option requires a device or service capable of the following: IPsec/ISAKMP crypto, IP multicast, and GRE (for market data). CME Group does not make hardware or software recommendations. Customers should contact their network vendor.
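As an added example of the Option 2 layout (a single unit terminating both the IPsec tunnel and the GRE tunnel), the Cisco IOS fragment below is written for this page and is not CME Group's sample configuration. It assumes an IPsec profile named CME-IPSEC carrying the required IKEv2/IPsec parameters already exists on the router, and it uses placeholder addresses (203.0.113.10 for the CME peer, 198.51.100.2 for the customer's static public address, 10.255.0.0/30 inside the tunnel) and interface names. GRE is what carries the multicast market data, since an IPsec tunnel on its own does not forward multicast.

```cisco
! Added example, not CME Group's sample configuration. Assumes the IPsec
! profile CME-IPSEC is already defined; addresses and names are placeholders.

! Multicast forwarding is needed for market data delivered over the GRE tunnel
ip multicast-routing
!
! Only IKE (UDP 500), NAT-T (UDP 4500) and ESP from the CME peer are expected
! on this interface. The example assumes it is dedicated to the CME link.
ip access-list extended CME-INTERNET-IN
 permit udp host 203.0.113.10 host 198.51.100.2 eq isakmp
 permit udp host 203.0.113.10 host 198.51.100.2 eq non500-isakmp
 permit esp host 203.0.113.10 host 198.51.100.2
 deny ip any any log
!
interface GigabitEthernet0/0
 description Internet-facing interface, static publicly routable address
 ip address 198.51.100.2 255.255.255.252
 ip access-group CME-INTERNET-IN in
!
! GRE tunnel to CME Group, protected by the IPsec profile (Option 2: one
! device does both VPN and GRE). PIM on the tunnel lets market data
! multicast groups be joined across it; RP details are not on the page.
interface Tunnel100
 description GRE over IPsec to CME Group
 ip address 10.255.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip pim sparse-mode
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.10
 tunnel mode gre ip
 tunnel protection ipsec profile CME-IPSEC
```

For Option 1 the same tunnel interface would live on the GRE device with `tunnel source`/`tunnel destination` set to addresses reachable through the separate VPN unit, and the `tunnel protection` line would be dropped because IPsec terminates elsewhere. The reduced `ip mtu` and `ip tcp adjust-mss` values leave room for the GRE and ESP headers so packets are not fragmented inside the tunnel.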

...