Client INTERNET Link

The Client INTERNET Link offering is implemented using a virtual private network (VPN) connection. A VPN is a secure, point-to-point connection between a client and the CME Group data centers. VPN traffic is carried over the Internet using secure tunneling technology. Customers will be configured with a VPN to CME Group's production data center.

Client INTERNET Link - Aurora. This offering only provides access to F&O services.

  • F&O’s VPN equipment is separate from BrokerTec Client INTERNET Link services. 

  • Client INTERNET Link customers around the globe will utilize the internet to connect to futures and options (F&O) VPN equipment located in North America. 

Client INTERNET Link - Secaucus. There are two Client INTERNET Link platforms. One provides access to BrokerTec US and the other access to EBS US services.

  • BrokerTec US’ VPN equipment is separate from BrokerTec EU, EBS US and EU, and F&O’s Client INTERNET Link services. 

  • EBS US' VPN equipment is separate from EBS EU, BrokerTec US and EU, and F&O’s Client INTERNET Link services.

  • BrokerTec US customers use the Internet to connect to BrokerTec US VPN equipment located in North America.

  • EBS US customers use the Internet to connect to EBS’s US VPN equipment located in North America.

Client INTERNET Link - Slough. There are two Client INTERNET Link platforms. One provides access to BrokerTec EU and the other access to EBS EU services.

  • BrokerTec EU’s VPN equipment is separate from BrokerTec US, EBS US and EU, and F&O’s Client INTERNET Link services.

  • EBS EU's VPN equipment is separate from EBS US, BrokerTec US and EU, and F&O’s Client INTERNET Link services.

  • Client INTERNET Link customers will use the Internet to connect to BrokerTec EU VPN equipment located in Europe.

  • Client INTERNET Link customers will use the Internet to connect to EBS EU VPN equipment located in Europe.

IPSec

A VPN connection is created using IPSec, the Internet standard protocol for tunneling, encryption, and authentication. It protects data traffic by addressing basic usage issues, including:

  • Access control

  • Connection integrity

  • Authentication of data origin

  • Protections against replays

  • Traffic flow confidentiality

The technique used to protect data being transmitted over the Internet is encryption. Data is scrambled (encrypted) when it is transmitted, then unscrambled (decrypted) when it is received. An encryption algorithm determines how the data is encrypted and decrypted.

Keys

A key is the secret code that the encryption algorithm uses to create a unique version of encrypted data. Keys are rated by their cryptographic strength. The cryptographic strength of a key refers to the length of the key in bits.
The Internet Key Exchange (IKE) management protocol standard is used in conjunction with the IPSec standard. IKE is a hybrid protocol that implements the Oakley key exchange and Skeme key exchange inside the Internet security association and key management protocol (ISAKMP) framework. IKE authenticates the IPSec peers, negotiates IPSec keys, and negotiates Security Associations (SAs).
For site-to-site VPN connections, peer devices must authenticate one another before IPSec communications can occur. CME Group uses a Pre-Shared Key (PSK) for device authentication. PSK is the most efficient IKE authentication mechanism.
A unique PSK is the most secure type of PSK since it is tied to a specific IP address. This is ideal for site-to-site VPNs where the identity of the peer device is always known. CME Group will generate and provide customers with a unique key.

Requirements

Please review the prerequisites below to determine any services, addressing tasks, software, or hardware that your firm must have available or complete prior to enabling connectivity for Client INTERNET Link. All IP packets destined for CME Group must be sourced from CME Group-assigned private address space. CME Group will not accept traffic sourced from any customer’s public IP space. If internal resources are not available, customers are responsible for engaging resources to establish and support connectivity to CME Group.

Internet Requirements

Customers must provide a high-speed connection to the Internet. The connection must meet the following criteria:

  • The registered IP address must be static and publicly routable on the Internet.

  • The Internet connection must have bandwidth at least equal to the CIL subscriber rate.

  • Your Internet service provider (ISP) must support VPN protocols.

  • The connection must be non-cloud based, due to lack of Generic Routing Encapsulation (GRE) support.

Hardware Requirements

CME Group recommends that customers use a Cisco router with support for site-to-site VPNs. CME Group will provide a sample configuration based on a Cisco router, which the customer can tailor for their environment (details on the sample configuration to follow). However, customers are free to select the best vendor for their environment, and they will fully support both their chosen hardware and the configuration used to enable the VPN on their side. CME Group is unable to provide configuration support.

Software Requirements

  • IKEv2

  • Pre-shared key authentication

  • IKE Phase One:

    • Encryption: AES256

    • Hash: SHA256

    • Diffie-Hellman group: 14

    • Lifetime: 28800 seconds, no volume limit

    • Customer VPN device IKEv2 identity must match IP address used for peering

  • IKE Phase Two:

    • Encryption: AES256

    • Authentication: SHA256

    • Tunnel mode

    • PFS: Enabled, using Diffie-Hellman Group 14

    • Compression: No

    • Security association lifetime: 4608000 kilobytes/3600 seconds

    • Security association idletime: 60 seconds
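The following added example (not CME Group's sample configuration) audits a router configuration against the IKE Phase One and Phase Two values listed above and reports every deviation. It assumes Cisco IOS-style syntax, reads "AES256" as AES-CBC-256, and uses hypothetical object names (CME-PROP, CME-PROF, CME-TS, CME-IPSEC) and documentation-range IP addresses.

```python
import re

# (requirement from the page, regex capturing the configured value, regex it must fully match)
CHECKS = [
    ("IKE encryption AES256", r"^\s*encryption\s+(.+)$", r"aes-cbc-256"),
    ("IKE hash SHA256", r"^\s*integrity\s+(.+)$", r"sha256"),
    ("IKE DH group 14", r"^\s*group\s+(.+)$", r"14"),
    ("IKE lifetime 28800 s", r"^\s*lifetime\s+(\d+)$", r"28800"),
    ("Pre-shared key auth", r"^\s*authentication local\s+(\S+)", r"pre-share"),
    ("ESP AES256/SHA256", r"^crypto ipsec transform-set \S+\s+(.+)$", r"esp-aes 256 esp-sha256-hmac"),
    ("Tunnel mode", r"^\s*mode\s+(\S+)", r"tunnel"),
    ("PFS DH group 14", r"^\s*set pfs\s+(\S+)", r"group14"),
    ("SA lifetime 3600 s", r"lifetime seconds\s+(\d+)", r"3600"),
    ("SA lifetime 4608000 KB", r"lifetime kilobytes\s+(\d+)", r"4608000"),
    ("SA idle time 60 s", r"idle-time\s+(\d+)", r"60"),
]

# Constructed sample excerpt (documentation IPs); WEAK is the same config with four deviations.
GOOD = """crypto ikev2 proposal CME-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 profile CME-PROF
 identity local address 198.51.100.10
 authentication local pre-share
 authentication remote pre-share
 lifetime 28800
crypto ipsec transform-set CME-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile CME-IPSEC
 set transform-set CME-TS
 set pfs group14
 set security-association lifetime seconds 3600
 set security-association lifetime kilobytes 4608000
 set security-association idle-time 60
"""
WEAK = (GOOD.replace("integrity sha256", "integrity sha1").replace("group 14", "group 2")
        .replace(" set pfs group14\n", "").replace("198.51.100.10", "10.0.0.5"))

def audit(config, peering_ip):
    """Return (requirement, configured value) for every setting that deviates from the page."""
    ident = ("IKEv2 identity", r"identity local address\s+(\S+)", re.escape(peering_ip))
    findings = []
    for name, line_re, want in CHECKS + [ident]:
        values = [v.strip() for v in re.findall(line_re, config, flags=re.M)]
        findings += [(name, v) for v in values if not re.fullmatch(want, v)]
        if not values:
            findings.append((name, "not configured"))
    return findings
```

Calling `audit(WEAK, "198.51.100.10")` flags the SHA-1 hash, DH group 2, the missing PFS setting, and the IKEv2 identity that does not match the peering address.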

The device prerequisites vary slightly depending on whether existing devices will be leveraged. The following sections describe the two tunneling configuration options that can be used to create the VPN. To support MDP redundancy, you may want to configure a second device.

  • Option 1 uses separate units for VPN and GRE tunneling.

  • Option 2 uses a single unit for VPN and GRE tunneling.

Option 1: Separate Units for VPN and GRE Tunneling

Customers that choose to utilize a device or service that does not support GRE tunnel encapsulation will have to separate the IPsec and GRE termination between two endpoints.

Figure: Customer-Side Connections for Option 1
This option requires separate VPN and GRE tunneling endpoints.

Option 2: Combined Units for VPN and GRE Tunneling

New CME Group customers and those CME Group customers without previous experience accessing the CME Group production environment may be building a CME Group connection for the first time. Therefore, these users have the opportunity to incorporate a device or service combining VPN and GRE technologies. 


Figure: Customer-Side Connections for Option 2
This option requires a device or service capable of the following: IPsec/ISAKMP crypto, IP multicast, and GRE (for market data). CME Group does not make hardware or software recommendations. Customers should contact their network vendor.

Configure the Customer Routers

The customer routers must be configured for PIM (Protocol Independent Multicast) sparse mode (PIM-SM). PIM-SM uses an explicit request approach, where a router has to ask for the multicast feed with a PIM Join message. PIM-SM allows customers to control traffic more precisely, especially when the volume of IP multicast traffic is large compared to the available bandwidth. PIM-SM scales well because packets only go where they are needed, and because it creates state in routers only as needed. The assigned CME Networking engineer provides the data center IP addresses.

Configure the Rendezvous Point IP Address

On each customer side router, such as Customer-Managed Router 1, define the IP address of the corresponding rendezvous point. The CME Group account representative provides the rendezvous point IP addresses.

Configure a Fixed Path Between Router and Corresponding Data Center

The route, or path, of the data feed must be static between each data center and customer-managed router. Customers must define certain router features to ensure the predictability of this path.


Copyright © 2024 CME Group Inc. All rights reserved.