
How do you spell VPN?


What do you mean when you talk about virtual private networks (VPN)?

Although it's hardly a new phenomenon in this technical world, VPNs are a case where it seems that for every three people talking about them, there are four or more understandings about what exactly they are talking about.

In speaking to people about VPNs and reading the trade press, I've found the following concepts of what VPNs are:

  • A set of frame relay or ATM connections between sites, isolated from other users of the same frame relay or ATM infrastructure by the use of virtual circuits. This type of VPN replaces other types of point-to-point leased lines.
  • IP-based tunnels between sites run over a separate IP infrastructure, not part of any general ISP service.
  • IP-based tunnels between sites run over the public Internet infrastructure.
  • IP-based tunnels from a dial-up ISP's remote access concentrators back to a corporate firewall with the logic and control provided by the ISP.
  • IP-based tunnels between a remote user and a corporate firewall with the logic and control split between the user's computer and the firewall.
  • IP-based tunnels between a client program running on a user's computer and a server at the same or different sites.
  • IP-based tunnels between an Internet-based provider of specific services - a pager company, for example - and a firewall or on-site server.

An additional level of confusion is that an IP-based tunnel may or may not be encrypted and may carry protocols other than IP (SNA, for example).

There is a distinct difference between the first of the above definitions and the rest. ATM- or frame relay-based VPN services basically are regular telephony services. They are minor improvements over the long-established private-line services.

In these types of VPNs, the purchaser is responsible for providing all management and other functions above Level 2 connectivity. Buyers can use the connections for anything they want, from PBX interconnections and videoconferences to data networks.

IP specifically is involved in all of the other definitions, but aside from that common feature, they are very different.

In some cases, the VPN is a specific service of an ISP. In others, it's merely something that looks like a normal IP connection over a network.

IP-based tunneling also provides an opportunity for additional confusion. IP tunneling is done by encapsulating a data packet within a normal IP packet for forwarding over an IP-based network. The encapsulated packet does not need to be IP, and encapsulation can include encryption for more security.

There has been a lot written about VPNs in this and other technical publications, but with the confusion over the meaning of the term, much of what is written seems guided by vendors' marketing plans rather than by concise reporting. It would be nice if that changed.
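The encapsulation described above, as an added example that is not part of the original column: a non-IP frame is wrapped in GRE inside an ordinary IPv4 packet, then unwrapped at the far end, and because nothing is encrypted the inner payload stays readable to anyone on the path. GRE is chosen here for illustration (the column names no tunneling protocol); the addresses and payload are constructed sample values.

```python
import struct

GRE_PROTO = 47          # IP protocol number carried in the outer header for GRE
ETHERTYPE_IPX = 0x8137  # GRE protocol type for a non-IP payload (IPX)

def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071); returns 0 over a header that is intact."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src: bytes, dst: bytes, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header without options, checksum filled in."""
    fields = [0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src, dst]
    hdr = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = checksum(hdr)
    return struct.pack("!BBHHHBBH4s4s", *fields)

def gre_encapsulate(inner: bytes, ethertype: int, src: bytes, dst: bytes) -> bytes:
    """Outer IPv4 header + basic GRE header (no flags, version 0) + inner frame."""
    gre = struct.pack("!HH", 0, ethertype)
    return ipv4_header(src, dst, GRE_PROTO, len(gre) + len(inner)) + gre + inner

def gre_decapsulate(outer: bytes):
    """Tunnel endpoint: validate the outer header, return (protocol type, inner)."""
    ihl = (outer[0] & 0x0F) * 4
    if outer[9] != GRE_PROTO:
        raise ValueError("outer packet does not carry GRE")
    if checksum(outer[:ihl]) != 0:
        raise ValueError("outer header checksum mismatch")
    flags, ethertype = struct.unpack("!HH", outer[ihl:ihl + 4])
    if flags != 0:
        raise ValueError("GRE optional fields are not handled in this example")
    return ethertype, outer[ihl + 4:]

# Constructed sample: documentation-range addresses and a made-up non-IP frame.
SRC, DST = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])
INNER = b"constructed non-IP frame: payroll batch 0042"
OUTER = gre_encapsulate(INNER, ETHERTYPE_IPX, SRC, DST)

def observer_sees(packet: bytes, marker: bytes) -> bool:
    """True if an on-path observer can read `marker` straight out of the packet."""
    return marker in packet
```

`observer_sees(OUTER, b"payroll")` returns `True`: the tunnel separates the traffic from other users of the network but does not hide it, so confidentiality needs encryption in addition to encapsulation.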

Disclaimer: Harvard does not need marketing plans (any new ones, anyway), and the above are my own observations.

Bradner is a consultant with Harvard University's Office of Information Technology. You can reach him at sob@harvard.edu

