Security protocols establish safe VPNs

Virtual private networks (VPN), already popular with many network managers, are gathering momentum, thanks to the finalization of some key standards.

One is IP Security (IPSec), the Layer 3 protocol suite that creates a standard platform for implementing security in VPNs. Another key standard is Layer 2 Tunneling Protocol (L2TP). L2TP is a critical component in enabling VPNs because unlike IPSec, it is able to deliver legacy protocols such as IPX and SNA in VPN tunnels.

Together L2TP and IPSec provide solid, secure tunneling. They are complementary and will give users the best of both worlds in their evolving VPN implementations.

Into the tunnel
Tunneling is the ability to create circuit-like connections across a packet-oriented WAN topology. It is the core technical concept behind VPNs.

Unlike a packet-oriented protocol such as IP, which might send packets across a variety of routes before they reach their common destination, a tunnel represents a dedicated virtual circuit between two endpoints. But because it works across a shared-network infrastructure, tunneling gives enterprises a cost-effective middle ground between packet and leased-line communications.

To create the virtual circuit, a special tunneling protocol must encapsulate each source network packet into a new packet that contains the connection management intelligence necessary to set up, tear down and manage the tunnel.

That's how the prestandard protocols - Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Forwarding (L2F) - work. It's also how L2TP, which was derived from these earlier protocols, works.

L2TP encapsulates application data, LAN protocol datagram and point-to-point framing information inside a packet that also contains a delivery header, an IP header and a Generic Routing Encapsulation (GRE) header.

The delivery header holds framing information for the medium across which the tunnel will be established, say an IP or frame relay network. The IP header contains IP source and destination addresses and other important data. The GRE holds extensions, such as call signaling, which add connection intelligence.

To form a tunnel, L2TP employs two basic functions, a client-like line-server function (called LAC, for L2TP Access Concentrator) and a server-side network server function (LNS).

In a scenario in which L2TP resides in the access concentrator at a carrier's point of presence, the LAC function typically will initiate a tunnel when a remote user activates a PPP connection to an ISP.

After initial authentication takes place, the LAC accepts the call and adds the various headers to the PPP payload. The LAC establishes a tunnel to the LNS termination device at the edge of the corporate network. This device could be a remote access server, a specialized VPN switch or a conventional router.

With the tunnel established, an enterprise-oriented security name service, such as ACE/Server from Security Dynamics, Inc. or the security and naming service built into Windows NT, authenticates the identities of the user and endpoint.

The LNS accepts the tunnel, then establishes a virtual interface for the PPP payload. Incoming frames are stripped of the L2TP header information and processed as if they were normal PPP frames. Typically, a local corporate IP address is then assigned to the session.

Taking control
Vital to optimizing tunnel performance are various L2TP control messages, which run in parallel with the session's payload packets.

During setup, control messages consist largely of exchanges of Start-Control-Connection-Request-and-Reply messages, along with secure call and Caller ID-type values (known as ANI/DNI) to establish user profiles and session destinations. Once the session is under way, the control messages include various problem-detection messages and even a "keep-alive" function to differentiate between tunnel outages and tunnel inactivity.

Control messages may also be used for optional flow/congestion control. This is an important differentiator between L2TP and its earlier incarnations, L2F and PPTP, which did not provide congestion control. L2TP, now moving toward full adoption by the Internet Engineering Task Force, appears a sure choice for the industry's tunneling protocol standard.
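The keep-alive behaviour described above, as an added illustration (not code from the article or from any L2TP implementation): a small monitor that polls a silent peer with a HELLO control message and declares an outage only when the poll goes unanswered, so mere inactivity is never mistaken for a dead tunnel. The class name, the interval and timeout values, and the scenario driver are assumptions made for the example.

```python
# Constructed simulation of L2TP keep-alive logic (RFC 2661 HELLO, message type 6).
# Timer values are assumed for the example; real implementations make them configurable.
HELLO_INTERVAL = 60   # seconds of silence before the peer is polled with a HELLO
HELLO_TIMEOUT = 30    # seconds to wait for the HELLO acknowledgement before giving up


class TunnelMonitor:
    def __init__(self, now):
        self.last_rx = now        # last time any payload or control message arrived
        self.hello_sent = None    # time an unanswered HELLO went out, else None
        self.state = "up"

    def on_receive(self, now):
        """Anything from the peer (payload, control message, or the HELLO's ZLB ack)
        proves the tunnel is alive and cancels the outstanding poll."""
        self.last_rx = now
        self.hello_sent = None

    def tick(self, now):
        """Called periodically. Returns None, 'send_hello' or 'tear_down'."""
        if self.state == "down":
            return None
        if self.hello_sent is not None:
            if now - self.hello_sent >= HELLO_TIMEOUT:
                self.state = "down"          # silence AND no reply to the poll: real outage
                return "tear_down"
            return None                      # poll still pending, keep waiting
        if now - self.last_rx >= HELLO_INTERVAL:
            self.hello_sent = now            # silence alone may be inactivity: ask the peer
            return "send_hello"
        return None


def run(monitor, ticks, peer_alive):
    """Drive the monitor through tick times with no payload traffic at all.
    A live peer acknowledges each HELLO one second later; a dead peer never answers."""
    actions = []
    for t in ticks:
        action = monitor.tick(t)
        if action:
            actions.append((t, action))
        if action == "send_hello" and peer_alive:
            monitor.on_receive(t + 1)
    return actions
```

With an idle but reachable peer the monitor keeps polling and never tears the tunnel down; with an unreachable peer it declares the outage one timeout after the first unanswered HELLO.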

As for security, L2TP defines IPSec as the primary data security and encryption method. IPSec changes the structure of the IP protocol in two important ways: It adds an authentication header and encrypts the payload, which includes the L2TP packet and all other data, such as SNA or IPX, encapsulated within it. But IPSec is designed to handle only IP protocols. Unlike L2TP, it can't encapsulate IPX, SNA or other non-IP protocols.
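To make the layering concrete, here is an added example (not code from the article, 3Com, or any L2TP product) that builds an L2TP data message around a PPP frame carrying IPX, strips it again the way the LNS does, and then shows why IPSec is still needed: the L2TP packet on its own leaves the payload readable, and only the outer integrity check rejects a packet altered in transit. The header layout follows the L2TP data-message format standardized in RFC 2661; the HMAC wrapper is a stand-in for IPSec's authentication (it is not the real AH/ESP format and omits ESP's encryption), and all function names, IDs and sample bytes are constructed for the example.

```python
import hashlib
import hmac
import struct

L2TP_VERSION = 2
PPP_PROTO_IPX = 0x002B  # PPP protocol number for IPX (RFC 1552); 0x0021 would be IP

def ppp_frame(proto: int, payload: bytes) -> bytes:
    """PPP framing as carried inside L2TP: address 0xFF, control 0x03, protocol, data."""
    return b"\xff\x03" + struct.pack("!H", proto) + payload

def l2tp_data_encapsulate(tunnel_id: int, session_id: int, ppp: bytes) -> bytes:
    """RFC 2661 data message: T=0 (data), L=1 (length present), version 2,
    then Tunnel ID and Session ID; the PPP frame follows as the payload."""
    flags = (1 << 14) | L2TP_VERSION          # L bit set, T bit clear
    header_len = 8                            # flags, length, tunnel ID, session ID
    return struct.pack("!HHHH", flags, header_len + len(ppp), tunnel_id, session_id) + ppp

def l2tp_data_decapsulate(pkt: bytes):
    """What the LNS does on receipt: validate and strip the L2TP header, returning
    (tunnel_id, session_id, ppp_frame) so the frame is processed as ordinary PPP."""
    if len(pkt) < 6:
        raise ValueError("short L2TP packet")
    (flags,) = struct.unpack("!H", pkt[:2])
    if flags & 0x000F != L2TP_VERSION or flags & (1 << 15):
        raise ValueError("not an L2TPv2 data message")
    off = 2
    if flags & (1 << 14):                     # L bit: total length field present
        (length,) = struct.unpack("!H", pkt[off:off + 2]); off += 2
        if length != len(pkt):
            raise ValueError("length field does not match packet size")
    tunnel_id, session_id = struct.unpack("!HH", pkt[off:off + 4]); off += 4
    if flags & (1 << 11):                     # S bit: Ns/Nr sequence numbers present
        off += 4
    if flags & (1 << 9):                      # O bit: offset size, then that much padding
        (pad,) = struct.unpack("!H", pkt[off:off + 2]); off += 2 + pad
    return tunnel_id, session_id, pkt[off:]

def protect(key: bytes, l2tp_pkt: bytes) -> bytes:
    """Stand-in for IPSec integrity protection: HMAC-SHA256 tag prepended to the packet."""
    return hmac.new(key, l2tp_pkt, hashlib.sha256).digest() + l2tp_pkt

def verify_and_unprotect(key: bytes, protected: bytes) -> bytes:
    """Reject any packet whose tag does not verify; only then hand it to L2TP."""
    tag, body = protected[:32], protected[32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: packet altered or forged in transit")
    return body
```

Note that the IPX bytes are visible verbatim inside the bare L2TP packet; that is exactly the gap the article says IPSec closes by authenticating and encrypting the whole L2TP packet.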

L2TP offers other benefits. Through its ANI/DNI service selection capabilities, L2TP lets ISPs offer differentiated VPN service levels. And unlike PPTP or IPSec, L2TP is capable of running over carrier-trunk protocols such as frame relay and Synchronous Optical Network (SONET). This ability offers carriers and enterprise network managers advantages of network consolidation and cost savings that even go beyond conventional VPN benefits.

Henry is product-line manager of security and VPNs at 3Com Corp. He can be reached at Neil_Henry@3com.com.
