Virtual private network

A virtual private network (VPN) is a network that uses primarily public telecommunication infrastructure, such as the Internet, to provide remote offices or traveling users access to a central organizational network.

VPNs typically require remote users of the network to be authenticated, and often secure data with encryption technologies to prevent disclosure of private information to unauthorized parties.

VPNs may serve any network functionality that is found on any network, such as sharing of data and access to network resources, printers, databases, websites, etc. A VPN user typically experiences the central network in a manner that is identical to being connected directly to the central network. VPN technology via the public Internet has replaced the need to requisition and maintain expensive dedicated leased-line telecommunication circuits once typical in wide-area network installations.

History

Until the end of the 1990s, networked computers were connected through expensive leased lines and/or dial-up phone lines.

Virtual Private Networks reduce network costs because they avoid a need for physical leased lines that individually connect remote offices (or remote users) to a private Intranet (internal network). Users can exchange private data securely, making the expensive leased lines unnecessary.

VPN systems can be classified by:
  • The protocols used to tunnel the traffic
  • The tunnel's termination point, i.e., customer edge or network provider edge
  • Whether they offer site-to-site or remote access connectivity
  • The levels of security provided
  • The OSI layer they present to the connecting network, such as Layer 2 circuits or Layer 3 network connectivity


Some classification schemes are discussed in the following sections.

Security mechanisms

Secure VPNs use cryptographic tunneling protocols to provide confidentiality by blocking interception and packet sniffing, to allow sender authentication that blocks identity spoofing, and to provide message integrity by preventing message alteration.

Secure VPN protocols include the following:
  • IPsec (Internet Protocol Security) was developed by the Internet Engineering Task Force (IETF), initially for IPv6, which requires it. This standards-based security protocol is also widely used with IPv4. Layer 2 Tunneling Protocol frequently runs over IPsec. Its design meets most security goals: authentication, integrity, and confidentiality. IPsec functions by encapsulating an IP packet inside a surrounding packet and encrypting the result.
  • Transport Layer Security (SSL/TLS) can tunnel an entire network's traffic, as it does in the OpenVPN project, or secure an individual connection. A number of vendors provide remote access VPN capabilities through SSL. An SSL VPN can connect from locations where IPsec runs into trouble with Network Address Translation and firewall rules.
  • Datagram Transport Layer Security (DTLS) is used in Cisco's next-generation VPN product, Cisco AnyConnect VPN, to solve the issues SSL/TLS has with tunneling over UDP.
  • Microsoft Point-to-Point Encryption (MPPE) works with their Point-to-Point Tunneling Protocol and in several compatible implementations on other platforms.
  • Microsoft introduced Secure Socket Tunneling Protocol (SSTP) in Windows Server 2008 and Windows Vista Service Pack 1. SSTP tunnels Point-to-Point Protocol (PPP) or Layer 2 Tunneling Protocol traffic through an SSL 3.0 channel.
  • MPVPN (Multi Path Virtual Private Network). Ragula Systems Development Company owns the registered trademark "MPVPN".
  • Secure Shell (SSH) VPN -- OpenSSH offers VPN tunneling to secure remote connections to a network or inter-network links. This should not be confused with port forwarding. OpenSSH server provides a limited number of concurrent tunnels and the VPN feature itself does not support personal authentication.

Authentication

Tunnel endpoints must authenticate before secure VPN tunnels can be established.

User-created remote access VPNs may use passwords, biometrics, two-factor authentication or other cryptographic methods.

Network-to-network tunnels often use passwords or digital certificates, as they permanently store the key to allow the tunnel to establish automatically and without intervention from the user.

Routing

Tunneling protocols can be used in a point-to-point topology that would theoretically not be considered a VPN, because a VPN by definition is expected to support arbitrary and changing sets of network nodes. But since most router implementations support a software-defined tunnel interface, customer-provisioned VPNs often are simply defined tunnels running conventional routing protocols.

PPVPN Building blocks

Depending on whether the PPVPN (Provider Provisioned VPN) runs in layer 2 or layer 3, the building blocks described below may be L2 only, L3 only, or combine them both. Multiprotocol Label Switching (MPLS) functionality blurs the L2-L3 identity.

RFC 4026 generalized the following terms to cover L2 and L3 VPNs, but they were introduced in RFC 2547.

Customer edge device (CE):
A device at the customer premises that provides access to the PPVPN. Sometimes it's just a demarcation point between provider and customer responsibility. Other providers allow customers to configure it.

Provider edge device (PE):
A PE is a device, or set of devices, at the edge of the provider network, that presents the provider's view of the customer site. PEs are aware of the VPNs that connect through them, and maintain VPN state.

Provider device (P):
A P device operates inside the provider's core network, and does not directly interface to any customer endpoint. It might, for example, provide routing for many provider-operated tunnels that belong to different customers' PPVPNs. While the P device is a key part of implementing PPVPNs, it is not itself VPN-aware and does not maintain VPN state. Its principal role is allowing the service provider to scale its PPVPN offerings, for example by acting as an aggregation point for multiple PEs. P-to-P connections, in such a role, often are high-capacity optical links between major locations of the provider.

User-visible PPVPN services
This section deals with the types of VPN considered in the IETF; some historical names were replaced by these terms.

Virtual private wire and private line services (VPWS and VPLS)

In both of these services, the service provider does not offer a full routed or bridged network, but provides components to build customer-administered networks. VPWS are point-to-point while VPLS can be point-to-multipoint. They can be Layer 1 emulated circuits with no data link.

The customer determines the overall customer VPN service, which also can involve routing, bridging, or host network elements.

An unfortunate acronym confusion can occur between Virtual Private Line Service and Virtual Private LAN Service; the context should make it clear whether "VPLS" means the layer 1 virtual private line or the layer 2 virtual private LAN.

OSI Layer 2 services

Virtual LAN
A Layer 2 technique that allows for the coexistence of multiple LAN broadcast domains, interconnected via trunks using the IEEE 802.1Q trunking protocol. Other trunking protocols have been used but have become obsolete, including Inter-Switch Link (ISL), IEEE 802.10 (originally a security protocol but a subset was introduced for trunking), and ATM LAN Emulation (LANE).
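The 802.1Q tagging the paragraph describes, as an added example that is not part of the original article: it inserts and parses the 4-byte tag (TPID 0x8100 plus PCP, DEI and VID) and demultiplexes a trunk per VID, dropping untagged frames and VIDs not allowed on the trunk. MAC addresses and payloads are constructed values.

```python
"""IEEE 802.1Q tagging: one trunk carrying several LAN broadcast domains.

A tagged frame carries 4 extra bytes after the source MAC: the TPID 0x8100
and a 16-bit Tag Control Information field holding PCP (3 bits), DEI (1 bit)
and the VLAN ID (12 bits). VIDs 0 and 4095 are reserved by the standard.
"""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Constructed sample addresses (locally administered, not real hardware).
DST_MAC = bytes.fromhex("ffffffffffff")
SRC_MAC = bytes.fromhex("020000000001")


def make_untagged(payload: bytes) -> bytes:
    """Plain Ethernet II frame: dst MAC | src MAC | EtherType | payload."""
    return DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4) + payload


def tag_frame(untagged: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert an 802.1Q tag between the source MAC and the original EtherType."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094 (0 and 4095 are reserved)")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP is a 3-bit field, DEI a 1-bit field")
    tci = (pcp << 13) | (dei << 12) | vid
    return untagged[:12] + struct.pack("!HH", TPID_8021Q, tci) + untagged[12:]


def parse_frame(frame: bytes) -> dict:
    """Return the tag fields (None when untagged), the real EtherType and payload."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return {"vid": None, "pcp": None, "dei": None,
                "ethertype": ethertype, "payload": frame[14:]}
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return {"vid": tci & 0x0FFF, "pcp": tci >> 13, "dei": (tci >> 12) & 1,
            "ethertype": inner_type, "payload": frame[18:]}


def demux_trunk(frames, allowed_vids):
    """Sort trunk frames into their VLANs; anything untagged or outside the
    allowed VID set is dropped, which is how a trunk keeps customers apart."""
    buckets = {vid: [] for vid in allowed_vids}
    dropped = 0
    for frame in frames:
        info = parse_frame(frame)
        if info["vid"] in buckets:
            buckets[info["vid"]].append(info["payload"])
        else:
            dropped += 1
    return buckets, dropped
```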

Virtual private LAN service (VPLS)
Developed by IEEE, VLANs allow multiple tagged LANs to share common trunking. VLANs frequently comprise only customer-owned facilities. The former is a layer 1 technology that supports emulation of both point-to-point and point-to-multipoint topologies. The method discussed here extends Layer 2 technologies such as 802.1d and 802.1q LAN trunking to run over transports such as Metro Ethernet.

As used in this context, a VPLS is a Layer 2 PPVPN, rather than a private line, emulating the full functionality of a traditional local area network (LAN). From a user standpoint, a VPLS makes it possible to interconnect several LAN segments over a packet-switched, or optical, provider core; a core transparent to the user, making the remote LAN segments behave as one single LAN.

In a VPLS, the provider network emulates a learning bridge, which optionally may include VLAN service.

Pseudo wire (PW)
PW is similar to VPWS, but it can provide different L2 protocols at both ends. Typically, its interface is a WAN protocol such as Asynchronous Transfer Mode or Frame Relay. In contrast, when aiming to provide the appearance of a LAN contiguous between two or more locations, the Virtual Private LAN service or IPLS would be appropriate.

IP-only LAN-like service (IPLS)
A subset of VPLS, the CE devices must have L3 capabilities; the IPLS presents packets rather than frames. It may support IPv4 or IPv6.

OSI Layer 3 PPVPN architectures

This section discusses the main architectures for PPVPNs, one where the PE disambiguates duplicate addresses in a single routing instance, and the other, virtual router, in which the PE contains a virtual router instance per VPN. The former approach, and its variants, have gained the most attention.

One of the challenges of PPVPNs involves different customers using the same address space, especially the IPv4 private address space. The provider must be able to disambiguate overlapping addresses in the multiple customers' PPVPNs.

BGP/MPLS PPVPN
In the method defined by RFC 2547, BGP extensions advertise routes in the IPv4 VPN address family, which take the form of 12-byte strings, beginning with an 8-byte Route Distinguisher (RD) and ending with a 4-byte IPv4 address. RDs disambiguate otherwise duplicate addresses in the same PE.

PEs understand the topology of each VPN, which are interconnected with MPLS tunnels, either directly or via P routers. In MPLS terminology, the P routers are Label Switch Routers without awareness of VPNs.
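The 12-byte VPN-IPv4 form described above, as an added example that is not part of the original article: it packs and parses the 8-byte RD and shows a PE holding the same 10.1.0.0/24 prefix from two customers without collision. The RD type layouts (type 0, 1 and 2) follow RFC 4364, the successor of RFC 2547; the ASNs, addresses and labels are constructed values.

```python
"""VPN-IPv4 address family: 8-byte Route Distinguisher + 4-byte IPv4 address.

The RD has no routing meaning of its own. It only makes otherwise identical
customer addresses distinct inside one PE, so overlapping private address
space from several customers can coexist in a single BGP/MPLS routing system.
"""
import ipaddress
import struct

# RD type codes from RFC 4364 section 4.2
RD_TYPE_AS2 = 0   # 2-byte ASN administrator : 4-byte assigned number
RD_TYPE_IP = 1    # 4-byte IPv4 administrator : 2-byte assigned number
RD_TYPE_AS4 = 2   # 4-byte ASN administrator : 2-byte assigned number


def encode_rd(rd_type: int, administrator, assigned: int) -> bytes:
    """Pack an RD into its 8-byte wire form: 2-byte type + 6-byte value."""
    if rd_type == RD_TYPE_AS2:
        return struct.pack("!HHI", rd_type, administrator, assigned)
    if rd_type == RD_TYPE_IP:
        admin = int(ipaddress.IPv4Address(administrator))
        return struct.pack("!HIH", rd_type, admin, assigned)
    if rd_type == RD_TYPE_AS4:
        return struct.pack("!HIH", rd_type, administrator, assigned)
    raise ValueError(f"unknown RD type {rd_type}")


def decode_rd(raw: bytes) -> str:
    """Render an 8-byte RD in the usual administrator:number text form."""
    if len(raw) != 8:
        raise ValueError("RD must be exactly 8 bytes")
    rd_type = struct.unpack("!H", raw[:2])[0]
    if rd_type == RD_TYPE_AS2:
        asn, num = struct.unpack("!HI", raw[2:])
        return f"{asn}:{num}"
    if rd_type == RD_TYPE_IP:
        ip, num = struct.unpack("!IH", raw[2:])
        return f"{ipaddress.IPv4Address(ip)}:{num}"
    if rd_type == RD_TYPE_AS4:
        asn, num = struct.unpack("!IH", raw[2:])
        return f"{asn}:{num}"
    raise ValueError(f"unknown RD type {rd_type}")


def vpn_ipv4(rd: bytes, prefix: str) -> bytes:
    """Build the 12-byte VPN-IPv4 key: RD followed by the IPv4 network address."""
    net = ipaddress.IPv4Network(prefix, strict=True)
    return rd + net.network_address.packed


def describe(key: bytes) -> str:
    """Human-readable RD:address form of a 12-byte VPN-IPv4 key."""
    return f"{decode_rd(key[:8])}:{ipaddress.IPv4Address(key[8:])}"


class PeRouteTable:
    """Routes a PE learned via BGP, keyed by (VPN-IPv4 key, prefix length).
    Two customers announcing the same prefix land on different keys because
    their RDs differ, so neither route overwrites the other."""

    def __init__(self):
        self._routes = {}

    def install(self, rd: bytes, prefix: str, next_hop: str, label: int):
        plen = ipaddress.IPv4Network(prefix).prefixlen
        self._routes[(vpn_ipv4(rd, prefix), plen)] = (next_hop, label)

    def lookup(self, rd: bytes, prefix: str):
        plen = ipaddress.IPv4Network(prefix).prefixlen
        return self._routes.get((vpn_ipv4(rd, prefix), plen))

    def __len__(self):
        return len(self._routes)


def overlapping_customers_demo():
    """Both customers use 10.1.0.0/24; distinct RDs keep both routes installed."""
    table = PeRouteTable()
    rd_a = encode_rd(RD_TYPE_AS2, 65000, 100)       # customer A, RD 65000:100
    rd_b = encode_rd(RD_TYPE_IP, "192.0.2.1", 200)  # customer B, RD 192.0.2.1:200
    table.install(rd_a, "10.1.0.0/24", "198.51.100.10", 3001)
    table.install(rd_b, "10.1.0.0/24", "198.51.100.20", 3002)
    return table, rd_a, rd_b
```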

Virtual router PPVPN
The Virtual Router architecture, as opposed to BGP/MPLS techniques, requires no modification to existing routing protocols such as BGP. By the provisioning of logically independent routing domains, the customer operating a VPN is completely responsible for the address space. In the various MPLS tunnels, the different PPVPNs are disambiguated by their label, but do not need route distinguishers.

Virtual router architectures do not need to disambiguate addresses, because rather than a PE router having awareness of all the PPVPNs, the PE contains multiple virtual router instances, which belong to one and only one VPN.

Plaintext tunnels

Some virtual networks may not use encryption to protect the data contents. While VPNs often provide security, an unencrypted overlay network does not neatly fit within the secure or trusted categorization. For example, a tunnel set up between two hosts that used Generic Routing Encapsulation (GRE) would in fact be a virtual private network, but neither secure nor trusted.

Besides the GRE example above, native plaintext tunneling protocols include Layer 2 Tunneling Protocol (L2TP) when it is set up without IPsec and Point-to-Point Tunneling Protocol (PPTP) or Microsoft Point-to-Point Encryption (MPPE).
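The difference between the plaintext GRE tunnel above and the encrypting, integrity-checked encapsulation described for IPsec under "Security mechanisms", as an added example that is not part of the original article. It uses only the Python standard library: the cipher is an HMAC-SHA256 counter-mode keystream standing in for the AES modes real IPsec negotiates, the integrity check value is HMAC-SHA256 truncated to 128 bits as in HMAC-SHA2-256-128 (RFC 4868), and the keys and inner packet are constructed values.

```python
import hashlib
import hmac
import struct

GRE_PROTO_IPV4 = 0x0800       # GRE protocol type: EtherType of the inner packet
ESP_NEXT_HEADER_IPV4 = 4      # IP-in-IP: the decrypted ESP payload is an IPv4 packet
ICV_LEN = 16                  # HMAC-SHA2-256-128 truncates the tag to 128 bits

# Constructed sample input: 20 header-like bytes followed by an application payload.
INNER_PACKET = b"\x45" + bytes(19) + b"GET /payroll HTTP/1.1"
ENC_KEY = b"constructed-encryption-key-00001"   # not real key material
AUTH_KEY = b"constructed-integrity-key-000001"  # not real key material


def gre_encapsulate(inner_packet: bytes) -> bytes:
    """Minimal GRE header (RFC 2784): flags/version = 0, then the protocol type."""
    return struct.pack("!HH", 0x0000, GRE_PROTO_IPV4) + inner_packet


def gre_decapsulate(gre_packet: bytes) -> bytes:
    """GRE has no key and no tag: whatever follows the 4-byte header is delivered."""
    _flags_ver, proto = struct.unpack("!HH", gre_packet[:4])
    if proto != GRE_PROTO_IPV4:
        raise ValueError(f"unexpected GRE protocol type 0x{proto:04x}")
    return gre_packet[4:]


def _keystream(key: bytes, spi: int, seq: int, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256 in counter mode over (SPI, seq, counter).
    Stands in for the AES modes real IPsec uses; the (SPI, seq) pair makes it
    unique per packet, which is why ESP never reuses a sequence number."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def esp_encapsulate(enc_key: bytes, auth_key: bytes, spi: int, seq: int, inner_packet: bytes) -> bytes:
    """ESP tunnel mode (RFC 4303 layout): SPI | seq | enc(payload|pad|pad_len|next_hdr) | ICV."""
    pad_len = (-(len(inner_packet) + 2)) % 4              # trailer aligned to 4 bytes
    padding = bytes(range(1, pad_len + 1))                 # ESP default pad pattern 1,2,3,...
    plaintext = inner_packet + padding + bytes([pad_len, ESP_NEXT_HEADER_IPV4])
    ks = _keystream(enc_key, spi, seq, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(auth_key, header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    return header + ciphertext + icv


def esp_decapsulate(enc_key: bytes, auth_key: bytes, esp_packet: bytes) -> bytes:
    """Check the ICV before decrypting: a peer without auth_key can neither forge nor alter packets."""
    header, body, icv = esp_packet[:8], esp_packet[8:-ICV_LEN], esp_packet[-ICV_LEN:]
    expected = hmac.new(auth_key, header + body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP integrity check failed: packet altered or wrong key")
    spi, seq = struct.unpack("!II", header)
    plaintext = bytes(c ^ k for c, k in zip(body, _keystream(enc_key, spi, seq, len(body))))
    pad_len, next_hdr = plaintext[-2], plaintext[-1]
    if next_hdr != ESP_NEXT_HEADER_IPV4:
        raise ValueError(f"unexpected next header {next_hdr}")
    return plaintext[:-(pad_len + 2)]


def payload_exposure() -> dict:
    """Is the application data readable by anyone who captures the outer packet?"""
    gre = gre_encapsulate(INNER_PACKET)
    esp = esp_encapsulate(ENC_KEY, AUTH_KEY, spi=0x1000, seq=1, inner_packet=INNER_PACKET)
    return {"gre_leaks_payload": b"payroll" in gre, "esp_leaks_payload": b"payroll" in esp}


def tamper_detected() -> bool:
    """Flip one ciphertext bit in transit: ESP rejects the packet, GRE would deliver it."""
    esp = bytearray(esp_encapsulate(ENC_KEY, AUTH_KEY, 0x1000, 1, INNER_PACKET))
    esp[12] ^= 0x01
    try:
        esp_decapsulate(ENC_KEY, AUTH_KEY, bytes(esp))
    except ValueError:
        return True
    return False
```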

Trusted delivery networks

Trusted VPNs do not use cryptographic tunneling, and instead rely on the security of a single provider's network to protect the traffic.
  • Multi-Protocol Label Switching (MPLS) is often used to overlay VPNs, often with quality-of-service control over a trusted delivery network.
  • Layer 2 Tunneling Protocol (L2TP), a standards-based replacement for, and a compromise taking the good features from each of, two proprietary VPN protocols: Cisco's Layer 2 Forwarding (L2F) (obsolete) and Microsoft's Point-to-Point Tunneling Protocol (PPTP).


From the security standpoint, VPNs either trust the underlying delivery network, or must enforce security with mechanisms in the VPN itself. Unless the trusted delivery network runs among physically secure sites only, both trusted and secure models need an authentication mechanism for users to gain access to the VPN.

VPNs in mobile environments

Mobile VPNs are used in a setting where an endpoint of the VPN is not fixed to a single IP address, but instead roams across various networks such as data networks from cellular carriers or between multiple Wi-Fi access points. Mobile VPNs have been widely used in public safety, where they give law enforcement officers access to mission-critical applications, such as computer-assisted dispatch and criminal databases, while they travel between different subnets of a mobile network. They are also used in field service management and by healthcare organizations, among other industries.

Increasingly, mobile VPNs are being adopted by mobile professionals and white-collar workers who need reliable connections. They are used for roaming seamlessly across networks and in and out of wireless-coverage areas without losing application sessions or dropping the secure VPN session. A conventional VPN cannot survive such events because the network tunnel is disrupted, causing applications to disconnect, time out, or fail, or even cause the computing device itself to crash.

Instead of logically tying the endpoint of the network tunnel to the physical IP address, each tunnel is bound to a permanently associated IP address at the device. The mobile VPN software handles the necessary network authentication and maintains the network sessions in a manner transparent to the application and the user. The Host Identity Protocol (HIP), under study by the Internet Engineering Task Force, is designed to support mobility of hosts by separating the role of IP addresses for host identification from their locator functionality in an IP network. With HIP a mobile host maintains its logical connections established via the host identity identifier while associating with different IP addresses when roaming between access networks.

See also

  • Opportunistic encryption
  • Split tunneling
  • Mediated VPN
  • OpenVPN
  • UT-VPN
  • Tinc (protocol)
  • DMVPN (Dynamic Multipoint VPN)
  • Virtual Private LAN Service over MPLS
  • Ethernet Virtual Private LAN (EVP-LAN or E-LAN) defined by MEF

The source of this article is wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.