
The ABCs of VPNs

Virtual private networks have long allowed the provisioning of private network services across a shared public infrastructure such as the Internet or another WAN backbone. Over the years, however, the proliferation of VPN protocols and technologies has made it challenging to differentiate between the various VPN types and to understand how they compare.

  • A wealth of technologies enable both site-to-site VPNs and remote access VPNs. Site-to-site VPNs allow connectivity between fixed, geographically dispersed sites (such as a head office and branch offices). Remote access VPNs allow mobile or home-based users to access an organization’s data or other resources.
  • Data encryption can be added to the mix to scramble data in transit for extra security. This happens frequently when the WAN used for VPN transport is the public Internet, which does not fall under the operational control of a single service provider and is thus considered an “untrusted” network. Many organizations that use network services offered across a carrier’s backbone, such as Frame Relay, ATM, and Multiprotocol Label Switching (MPLS)-based services, opt not to use encryption, because carriers use Layer 2 virtual circuits, labels, or similar technologies to separate customer traffic. These VPNs are called trusted VPNs.
  • In both types of VPN, tunnels are created between locations by encapsulating users’ traffic within other packets. For this to happen, the tunneled (encapsulated) traffic gains additional header(s), tags, or labels that correspond to the tunneling protocol. Through the encapsulation with an additional packet header, tags, or labels, a VPN gateway, customer edge (CE) device, or provider edge (PE) device can distinguish among customers or users. Therefore, tunneling keeps each organization’s or user’s traffic separate, and thus private, from other traffic flowing on a shared network.
  • In a secure VPN, by contrast, customer data traffic is authenticated and encrypted. Examples of secure VPNs are IP Security (IPsec) VPNs, Secure Sockets Layer (SSL) VPNs, and Layer 2 Tunneling Protocol (L2TP) VPNs secured using IPsec. In site-to-site VPNs, data traffic is tunneled either between CE routers or between the public network service operator’s PE routers. The difference is that in a CE-to-CE configuration, the VPN tunnels and associated security extend across the WAN to the customer premises. In a PE-to-PE configuration, the tunnels are confined to the interior of the shared service provider network.
| VPN Type | Application | Attributes | Who Provisions |
|---|---|---|---|
| BGP/MPLS IP VPN (RFC 4364 / RFC 2547bis) | Site-to-site; multipoint | Layer 3; typically enables full-mesh connectivity (hub-and-spoke, partial-mesh, and extranet connectivity can also be provisioned) | Service provider* |
| VPLS/IPLS | Site-to-site; multipoint | Layer 2 (Ethernet or IP only) transport; enables full-mesh connectivity | Service provider* |
| GRE | Site-to-site; point-to-point | Layer 3; transports legacy protocols and IP over an IP backbone | Service provider or enterprise |
| IPsec | Site-to-site or remote access; point-to-point tunnels; usually used across the public Internet | Layer 3; encrypts or authenticates IP traffic between security gateways or hosts | Service provider or enterprise |
| Layer 2 Tunneling Protocol Version 2 (L2TPv2) | Remote access | Layer 2; can encapsulate and tunnel Point-to-Point Protocol (PPP) over an IP backbone | Service provider or enterprise |
| L2TPv3 | Remote access; site-to-site | Layer 2; encapsulates Layer 2 protocols over a point-to-point IP connection | Service provider |
| SSL VPN (WebVPN) | Remote access | Layer 4-7; no client software required, so users can deploy dynamically | Enterprise or service provider |
  • Layer 2 site-to-site VPNs—These allow data-link-layer connectivity between separate sites and can be provisioned between switches, hosts, and routers.
  • Layer 3 site-to-site VPNs—These interconnect hosts and routers at separate customer sites. Customer hosts and routers communicate based on network-layer addressing, and PE devices forward customer traffic based on the incoming link and on the addresses in the IP header.
  • VPN technologies have evolved to solve different problems. Site-to-site Layer 2 VPN technologies allow the tunneling of Layer 2 protocols between PE or CE devices, and enable service providers to consolidate legacy and IP/MPLS networks, as well as allowing them to deploy newer Ethernet MAN/WAN services. Site-to-site Layer 3 VPN technologies, in contrast, emphasize strong security and low relative cost in the case of IPsec; or any-to-any IP connectivity, simplified customer WAN routing, and QoS in the case of BGP/MPLS IP VPNs. Remote access VPN technologies such as IPsec and SSL allow secure access for mobile or remote users to an organization’s data or other resources.

  • Quality of service (QoS) support—How does the technology differentiate levels of service for voice, video, and data applications? MPLS networks typically depend on priority markings in the experimental (EXP) field in the MPLS shim header. Hard QoS guarantees, including both transmission quality and service availability, additionally require support. In IPsec, L2TP, or GRE VPNs, traffic differentiation relies on markings in the type of service (ToS) field of the outer IP header.
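The two mechanisms described above, tunneling that keeps customers apart by an added header and QoS that relies on a marking in the outer IP header, can be seen together in one small packet-level example. The following Python is an added illustration, not code from the original post: it models a PE device that wraps each customer's inner IPv4 packet in a GRE header carrying a per-customer key (the key field of RFC 2890) and an outer IPv4 header whose ToS byte is copied from the inner packet, then shows the far-end PE demultiplexing by key. The customer names, the key-to-VRF table, the PE addresses and the packets themselves are constructed for the demo; the two customers deliberately reuse identical RFC 1918 addresses so that only the tunnel header distinguishes them.

```python
"""Toy GRE-style tunnel encapsulation and demultiplexing (added example).

Constructed, offline demo: a provider edge (PE) wraps each customer's
inner IPv4 packet in GRE (with an RFC 2890 key) plus an outer IPv4 header.
The key is what separates customers whose private address space overlaps;
the inner ToS byte is copied to the outer header so the backbone can apply
QoS to the tunnel packet without looking inside it.
"""
import socket
import struct

GRE_PROTO = 47           # IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800  # GRE protocol-type value for an IPv4 payload
GRE_FLAG_KEY = 0x2000    # K bit in the GRE flags/version word

# Hypothetical per-customer forwarding contexts keyed by GRE key (constructed).
VRF_BY_KEY = {100: "customer-A", 200: "customer-B"}


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes,
               tos: int = 0, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options, DF set) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes):
    """Return (tos, proto, src, dst, payload) from an IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    tos, proto = pkt[1], pkt[9]
    total_len = struct.unpack("!H", pkt[2:4])[0]
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    return tos, proto, src, dst, pkt[ihl:total_len]


def encapsulate(inner: bytes, key: int, pe_src: str, pe_dst: str) -> bytes:
    """PE ingress: wrap the customer packet in GRE(key) + outer IPv4."""
    inner_tos = inner[1]  # ToS/DSCP byte of the customer's own packet
    gre = struct.pack("!HHI", GRE_FLAG_KEY, ETHERTYPE_IPV4, key)
    # Copying the inner ToS outward is what lets the backbone prioritize the
    # tunnel packet; it also means the marking is visible to the carrier.
    return build_ipv4(pe_src, pe_dst, GRE_PROTO, gre + inner, tos=inner_tos)


def decapsulate(outer: bytes) -> dict:
    """PE egress: strip the outer headers and map the GRE key to a customer."""
    tos, proto, _, _, payload = parse_ipv4(outer)
    if proto != GRE_PROTO:
        raise ValueError("not a GRE packet")
    flags, ptype = struct.unpack("!HH", payload[:4])
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE payload type 0x%04x" % ptype)
    offset, key = 4, None
    if flags & GRE_FLAG_KEY:
        key = struct.unpack("!I", payload[4:8])[0]
        offset += 4
    customer = VRF_BY_KEY.get(key)
    if customer is None:
        # Unknown or missing key: drop rather than fall into a default table.
        raise ValueError("no VRF for GRE key %r" % key)
    _, _, src, dst, _ = parse_ipv4(payload[offset:])
    return {"customer": customer, "src": src, "dst": dst, "outer_dscp": tos >> 2}


def demo():
    """Two customers with identical inner addresses; only the key separates them."""
    pkt_a = build_ipv4("10.1.1.1", "10.2.2.2", 17, b"voice", tos=0xB8)  # DSCP 46 (EF)
    pkt_b = build_ipv4("10.1.1.1", "10.2.2.2", 6, b"bulk", tos=0x00)   # best effort
    tun_a = encapsulate(pkt_a, 100, "192.0.2.1", "192.0.2.2")
    tun_b = encapsulate(pkt_b, 200, "192.0.2.1", "192.0.2.2")
    return decapsulate(tun_a), decapsulate(tun_b)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Running the demo shows both inner packets arriving with the same 10.1.1.1 to 10.2.2.2 addresses but landing in different customer contexts, and the outer DSCP of 46 on the voice tunnel packet is exactly the marking a backbone router would act on. The unknown-key branch is the defender's point: a PE should discard tunnel packets whose key maps to no customer rather than forward them through some default table.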