Alphabet soup

VPN tunneling protocols: What you need to know.

By Denise Pappalardo
Network World, 12/29/97

In 1998 there will be a four-way battle among competing virtual private network (VPN) technologies. But pundits already point to an early favorite, IP Security (IPSec).

Of the four VPN combatants, only IPSec has a good security story. IPSec supports X.509 digital certificate authentication and encryption. It is a Layer 3 protocol that allows each packet to be authenticated.

"IPSec has a lot more security and flexibility compared to the other protocols," says Brendan Hanagan, senior analyst at Forrester Research, Inc., a Cambridge, Mass.-based consulting firm. Its one drawback is it only supports IP traffic, whereas other protocols support IP, IPX and AppleTalk.

But Hanagan says this is not a big issue because IP is the protocol of choice for many users today. "The bottom-line protocol for users is IPSec," Hanagan says.

IPSec has been named the tunneling and security protocol of choice by the Automotive Industry Action Group's (AIAG) Automotive Network Exchange network. This will be the largest industrywide IP-based network, with more than 10,000 users accessing the net when it's completed early next year.

But IPSec is not the only protocol in town. There are three other important tunneling protocols you should have the facts on - whether an Internet service provider or hardware vendor is trying to sell you a managed service or just a firewall.

PPTP: Point-to-Point Tunneling Protocol was developed and backed by Microsoft Corp., 3Com Corp. (including Primary Access Corp. and U.S. Robotics) and ECI Telematics International, Inc. This tunneling protocol supports flow control and multiprotocol tunneling over IP.

L2F: Layer 2 Forwarding protocol, an Internet Engineering Task Force (IETF) draft, also supports multiprotocol tunneling. One key advantage to L2F is that it can create tunnels to multiple locations. L2F, like PPTP, is a vendor-driven specification. Cisco Systems, Inc., Northern Telecom, Inc. and Shiva Corp. are the L2F developers.

PPTP and L2F are very similar in what they do - both let users establish a tunnel between routers, servers and/or clients over the Internet, Hanagan says. "The bottom line is L2F is driven by Cisco, and PPTP is driven by Microsoft," he says.

L2TP: Because PPTP and L2F are not standards, interoperability is an issue with both methods. So if you have yet to make an investment in VPN software or hardware, you might want to look at Layer 2 Tunneling Protocol.

L2TP is an IETF draft specification and actually is a combination of PPTP and L2F. Some industry supporters saw benefits from both PPTP and L2F technologies, so instead of fighting against one another, the groups came together.

L2TP is designed to support the same tunneling, multiprotocol support with the added plus of interoperating with other L2TP products. While interoperability is important to users, Hanagan points out that L2TP does not address security issues.

In fact, one of the drawbacks of all three protocols is their lack of integrated encryption and authentication features.