March 3, 1997, Volume 14, Number 9

Know Your VPN Protocols

As appealing as the idea of virtual private networking (VPN) is to most network managers, the variety of potential solutions being pitched by various vendors and industry groups has many of them confused.

As discussed in last week's article, VPN provides a relatively inexpensive way to connect telecommuters, mobile workers and remote sites to a home office LAN. Security, flexibility and interoperability are three critical design areas.

When studying the protocols being pitched for VPN, network managers should keep those three criteria in mind. The VPN protocols currently on offer are:

Point-to-Point Tunneling Protocol (PPTP), championed by Microsoft Corp.; this is probably the best-known VPN protocol.

Layer 2 Forwarding (L2F) Protocol, developed by Cisco Systems, Inc.

Layer 2 Tunneling Protocol (L2TP), a combination of the PPTP and L2F offerings that is supported by multiple vendors.

IP Security (IPSec) protocol under development at the Internet Engineering Task Force (IETF).

Tunneling is an important concept to understand when evaluating VPN protocols. Tunneling refers simply to the practice of encasing one protocol in another protocol. In order to carry IPX across a TCP/IP-only network, for example, the IPX packet has to be encased in an IP packet.

VPN extends tunneling for security purposes. Specifically, private data packets are secured using data encryption, authentication or integrity functions and are then encased in IP packets for transport across the Internet.

Layer 2 or Layer 3?

Two types of VPN tunneling are being proposed: Layer 2 and Layer 3 tunneling. PPTP, L2TP and L2F fall into the former category and IPSec into the latter.

The goal of Layer 2 tunneling protocols is to transport Layer 3 protocols such as AppleTalk, IP and IPX across the Internet. To achieve this, the architects of PPTP and L2F leveraged the existing Layer 2 PPP standard, which is designed to transport different Layer 3 protocols across serial links. In these schemes, Layer 3 packets are encased in PPP frames, which are then encased in IP packets for transport across the Internet.
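The nesting just described (Layer 3 packet inside a PPP frame inside an IP packet) in working code, as an added illustration that is not part of the original article or of any of the named products. The PPP protocol-field values are the standard IANA assignments; the outer IP protocol number 253 (reserved for experimentation) and the IPX-like payload are constructed for the example, since the real protocols insert their own tunnel header between IP and PPP.

```python
import struct

# PPP protocol-field values (IANA PPP number assignments) for the Layer 3
# protocols the article names.
PPP_PROTO = {"ip": 0x0021, "ipx": 0x002B, "appletalk": 0x0029}
PPP_NAME = {v: k for k, v in PPP_PROTO.items()}

# Outer IP protocol field. Assumption for this example: 253 is reserved for
# experimentation (RFC 3692); real tunnels insert their own header here.
TUNNEL_IP_PROTO = 253

def ppp_encapsulate(layer3_name, payload):
    """Step 1: wrap a Layer 3 packet in a PPP frame (addr 0xFF, ctrl 0x03, protocol)."""
    return struct.pack("!BBH", 0xFF, 0x03, PPP_PROTO[layer3_name]) + payload

def ip_checksum(header):
    """Standard one's-complement sum over the 16-bit words of an IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ip_encapsulate(src, dst, proto, payload):
    """Step 2: wrap the PPP frame in a minimal IPv4 header for Internet transport."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload

def tunnel(layer3_name, payload, src, dst):
    """Layer 3 packet -> PPP frame -> IP packet: the nesting the article describes."""
    return ip_encapsulate(src, dst, TUNNEL_IP_PROTO, ppp_encapsulate(layer3_name, payload))

def untunnel(packet):
    """Reverse the nesting, rejecting damaged or non-tunnel packets."""
    ihl = (packet[0] & 0x0F) * 4
    hdr = packet[:ihl]
    if ip_checksum(hdr) != 0:  # an intact header sums to zero with its checksum
        raise ValueError("bad IP header checksum")
    if hdr[9] != TUNNEL_IP_PROTO:
        raise ValueError("not a tunnel packet")
    ppp = packet[ihl:struct.unpack("!H", hdr[2:4])[0]]
    addr, ctrl, proto = struct.unpack("!BBH", ppp[:4])
    if (addr, ctrl) != (0xFF, 0x03):
        raise ValueError("bad PPP framing")
    return PPP_NAME.get(proto, hex(proto)), ppp[4:]

if __name__ == "__main__":
    # Constructed IPX-like payload and documentation addresses (RFC 5737).
    pkt = tunnel("ipx", b"\xff\xff\x00\x1e", bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    print(len(pkt), untunnel(pkt))  # the Internet sees only the outer IP header
```

A router or firewall in the path sees only the outer IP header; the inner protocol and addresses are invisible unless the device is built to open the tunnel, which is why the security functions of the previous section have to be applied to the inner packet before it is encased.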