What Is a VPN
Overview of VPN
As the network economy develops, enterprises become more geographically dispersed, their partners keep increasing, and employees become more mobile. An enterprise therefore needs to connect its headquarters and branches over a carrier's network to form an enterprise network, so that mobile staff can also access the enterprise network from outside the enterprise.
A Virtual Private Network (VPN) is a private network set up over the public networks of Internet Service Providers (ISPs) and Network Service Providers (NSPs) to meet enterprises' requirements for network flexibility, security, economy, and scalability.
How Does a VPN Work
VPN Tunnel
VPN uses various tunneling technologies to encapsulate VPN packets and transmit them transparently through dedicated channels (tunnels) established on the VPN backbone network. A tunneling technology uses one protocol to encapsulate packets of another protocol, and packets of the encapsulating protocol can in turn be encapsulated or transmitted by yet another protocol.
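As an added example that is not part of the original page, the following Python code builds and unpacks a minimal GRE-over-IPv4 tunnel packet, then nests the GRE packet inside a second GRE tunnel to show that an encapsulating protocol's packets can themselves be encapsulated. The inner packet, the tunnel endpoint addresses, and the helper names are constructed for this illustration.

```python
import struct

IPPROTO_GRE = 47          # outer IPv4 protocol number for GRE
GRE_PROTO_IPV4 = 0x0800   # GRE protocol type (EtherType) announcing an inner IPv4 packet


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header; evaluates to 0 for a header whose checksum is correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Build a 20-byte IPv4 header (no options, TTL 64) with a correct checksum."""
    def addr(a: str) -> bytes:
        return bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, addr(src), addr(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner: bytes, tun_src: str, tun_dst: str) -> bytes:
    """Wrap an inner IPv4 packet in a basic GRE header (flags/version 0) and an outer IPv4 header."""
    gre = struct.pack("!HH", 0, GRE_PROTO_IPV4)
    return ipv4_header(tun_src, tun_dst, IPPROTO_GRE, len(gre) + len(inner)) + gre + inner


def gre_decapsulate(packet: bytes) -> bytes:
    """Validate the outer IPv4 and GRE headers and return the inner packet; raise ValueError if malformed."""
    if len(packet) < 24 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    outer = packet[:ihl]
    if ipv4_checksum(outer) != 0:
        raise ValueError("outer IPv4 checksum mismatch")
    if outer[9] != IPPROTO_GRE:
        raise ValueError("outer protocol is not GRE")
    flags_ver, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags_ver & 0x0007:
        raise ValueError("unsupported GRE version")
    if flags_ver & 0xF000:
        raise ValueError("optional GRE fields (checksum, key, sequence) are not handled here")
    if proto != GRE_PROTO_IPV4:
        raise ValueError("inner protocol is not IPv4")
    total_len = struct.unpack("!H", outer[2:4])[0]
    return packet[ihl + 4:total_len]


# Constructed sample: a site-to-site inner packet tunnelled between two PE addresses, then tunnelled again
INNER = ipv4_header("10.0.1.10", "10.0.2.20", 17, 4) + b"\xde\xad\xbe\xef"
TUNNELLED = gre_encapsulate(INNER, "203.0.113.1", "198.51.100.2")
NESTED = gre_encapsulate(TUNNELLED, "192.0.2.1", "192.0.2.2")   # GRE packet carried inside another GRE tunnel

if __name__ == "__main__":
    print(len(INNER), len(TUNNELLED), len(NESTED))             # 24 48 72
    print(gre_decapsulate(gre_decapsulate(NESTED)) == INNER)   # True
```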
Implementation Modes of VPN
As an upper-layer service, a VPN is more complex than a P2P application. Implementing a VPN requires establishing network connections between users, which includes constructing the internal topology of the VPN, calculating routes, and managing users that join or leave a site. The VPN architecture contains the following parts:
- VPN tunnels: includes establishment and management of tunnels.
- VPN management:
  - VPN configuration management.
  - VPN member management.
  - VPN attribute management: manages attributes of multiple VPNs on PE devices and differentiates VPN address spaces.
  - Automatic VPN configuration: establishes a one-to-one relationship between VPN internal links in L2VPNs after information about the peer links is received on the local link.
- VPN signaling protocol: VPN resources are exchanged and shared between CE devices on a VPN. For an L2VPN, information about data links needs to be exchanged; for an L3VPN, routing information needs to be exchanged; for a VPDN, information about a single data link needs to be exchanged. In some applications, VPN members are also discovered through the signaling protocol.
Considering the three parts of the VPN architecture, VPN can be implemented in the following three modes.
Tunnel + VPN Management
In this mode, the VPN architecture comprises the following parts:
- Establishment of VPN tunnels
- VPN management: includes the deployment of network management, accounting, and QoS.
Traditional IP VPNs such as IPsec VPNs and GRE VPNs use this mode.
Tunnel + VPN Management + VPN Signaling Protocol
In this mode, the VPN architecture comprises the following parts:
- Establishment of VPN tunnels
- VPN management: includes VPN configuration management, VPN member management, VPN attribute management, and automatic VPN configuration.
- VPN signaling protocol: VPN resources are exchanged and shared between CE devices on a VPN.
This mode is adopted by Martini VLL, PWE3, VPDNs, and Martini VPLS.
Instantiation
In instantiation mode, each VPN is instantiated at Layer 2 and Layer 3, and a private forwarding information instance is established for the VPN. Besides tunnel management, a VPN in this mode performs member discovery, member management, and automatic VPN configuration.
This mode is adopted by L3VPNs and Kompella L2VPNs, including Kompella VPLS and Kompella VLL.
VPN Implementation Keys
Operability
VPN is typically used to provide services for different departments of an enterprise through public networks. An increasing number of VPN users require operable VPN services, so that they do not have to spend excessive time and unplanned resources on network maintenance. In this case, a dedicated carrier is required to undertake the task. Therefore, when designing a VPN, consider operability first.
Manageability
VPN requires that network management of an enterprise can be seamlessly extended from LANs to public networks, and even to the networks of clients and partners. Besides assigning some nonessential network management tasks to the SP, the enterprise itself must also fulfill many network management tasks. Therefore, a complete VPN management system is necessary.
VPN management mainly includes security management, device management, configuration management, access control list (ACL) management, and QoS management.
VPN management brings the following benefits:
- Lower network risks: After an enterprise intranet is extended to a public network, VPN encounters new security and monitoring challenges. VPN management can guarantee integrity of internal data resources when branches, clients, and partners of the enterprise access intranet resources through VPN.
- Better scalability: VPN management quickly responds to the increasing number of clients and partners, including the upgrade of network hardware and software, network quality guarantee, and security policy maintenance.
- Lower costs: VPN management controls O&M costs without compromising service scalability.
- Better reliability: VPNs are set up over public networks. Compared with traditional WANs using leased lines, controllability of the VPNs is lower. VPN management must guarantee the reliable and stable operation of a VPN.
Security
VPNs are constructed over public networks. VPN implementation is simple, convenient, and flexible; however, this also introduces network risks. On a traditional IP VPN, an enterprise must guarantee that VPN data is not intercepted or modified by attackers, and must prevent unauthorized users from accessing internal resources or private information of the enterprise. Extranet VPNs face even more serious risks.
The following solutions can improve the VPN security:
- Tunneling and encryption: The tunneling protocol can implement multi-protocol encapsulation, enhance the flexibility of VPN applications, and provide P2P logical channels over connectionless IP networks. When users require more secure data transmission, encrypted tunnels can be applied to protect data privacy and prevent data from being intercepted and modified.
- Data verification: On an insecure network such as a public network where a VPN is constructed, packets may be illegally intercepted and modified. As a result, the receiver receives incorrect packets. Once data verification is enabled, the receiver can recognize such a modification, ensuring data integrity.
- User authentication: Through user authentication, a VPN can allow legitimate users to access enterprise resources and prohibit access by unauthorized users. Devices can authenticate users, authorize users at different levels, and generate access records through Authentication, Authorization, and Accounting (AAA). User authentication greatly improves the security of access VPNs and extranet VPNs.
- Firewalls and attack detection: Firewalls are used to filter packets and prevent illegal access. Attack detection is used to judge the validity of packets by analyzing the packets, apply security policies in real time, disconnect illegal sessions, and record illegal access.
- MPLS VPNs: MPLS VPNs forward traffic based on the labels in forwarding tables and packets on the network side. If an MPLS network is not connected to the Internet, the security of the MPLS network's internal resources is guaranteed. Therefore, MPLS VPNs can ensure VPN security to some extent.
If MPLS VPN users want to access the Internet, a channel with a firewall can be created to provide a secure connection for the VPN. MPLS VPN is easy to manage because only one security policy is applied in the whole VPN.
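As an added example illustrating the "Data verification" item above (not code from the original page), the Python block below contrasts an encrypted tunnel that has no integrity check with one that appends an HMAC-SHA256 tag. The keystream construction, keys, nonce and message are constructed for the demonstration and are not a production cipher.

```python
import hashlib
import hmac
import struct

NONCE_LEN, TAG_LEN = 16, 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed counter-mode keystream using HMAC-SHA256 as the PRF; illustrative only, not a real cipher."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + struct.pack("!I", counter), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_only(enc_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Tunnel packet with encryption but no data verification: nonce || (plaintext XOR keystream)."""
    return nonce + bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))


def decrypt_only(enc_key: bytes, packet: bytes) -> bytes:
    """Receiver without verification: a packet modified in transit still decrypts, to modified data."""
    nonce, ct = packet[:NONCE_LEN], packet[NONCE_LEN:]
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))


def encrypt_and_protect(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Tunnel packet with data verification: an HMAC-SHA256 tag covers the entire encrypted packet."""
    packet = encrypt_only(enc_key, nonce, plaintext)
    return packet + hmac.new(mac_key, packet, hashlib.sha256).digest()


def decrypt_verified(enc_key: bytes, mac_key: bytes, packet: bytes):
    """Receiver with verification: returns the plaintext, or None when the packet was modified in transit."""
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return decrypt_only(enc_key, body)


def corrupt_in_transit(packet: bytes, index: int) -> bytes:
    """Simulate one byte of the packet being altered on the public network between the tunnel endpoints."""
    out = bytearray(packet)
    out[index] ^= 0x01
    return bytes(out)


# Constructed sample keys, nonce and message (fixed values so the results are reproducible)
ENC_KEY, MAC_KEY, NONCE = b"e" * 32, b"m" * 32, b"\x00" * NONCE_LEN
MESSAGE = b"site-A to site-B: payload 0001"

if __name__ == "__main__":
    plain = encrypt_only(ENC_KEY, NONCE, MESSAGE)
    print(decrypt_only(ENC_KEY, corrupt_in_transit(plain, len(plain) - 1)))      # altered data, accepted silently
    protected = encrypt_and_protect(ENC_KEY, MAC_KEY, NONCE, MESSAGE)
    print(decrypt_verified(ENC_KEY, MAC_KEY, corrupt_in_transit(protected, 20)))  # None: modification detected
```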
VPN QoS
VPN must effectively utilize WAN resources and provide reliable bandwidth for important data. Uncertainty of WAN traffic degrades bandwidth utilization. Large traffic bursts may lead to network congestion and cause bottlenecks, so that time-sensitive data is not transmitted in time; when traffic volume is light, a great amount of network bandwidth is wasted.
Leveraging traffic prediction and traffic control, VPN QoS can allocate bandwidth based on priorities, implementing bandwidth management. In this case, data of various types can be transmitted in a proper sequence, reducing the network congestion risk.
Classification of VPN
As network technologies develop, the VPN technology is widely applied and many new VPN technologies have emerged. VPNs can be divided into different types.
Classification Based on Networking Models
According to networking models, VPNs are classified into the following types:
- Virtual Private Dial Network (VPDN)
A VPDN provides access services for enterprises, small-scale ISPs, and mobile personnel through access networks and the dialing function of public networks. With the help of the VPN features such as private IP addresses, users can access VPDNs through Public Switched Telephone Networks (PSTNs) and Integrated Services Digital Networks (ISDNs). VPDNs feature low investment, short construction period, and low operation cost. Generally, VPDNs adopt P2P connections. VPDNs are implemented through the tunneling protocols such as the Layer 2 Tunneling Protocol (L2TP) and the Point-to-Point Tunneling Protocol (PPTP).
Compared with VPNs of other types, VPDNs provide more flexible authentication mechanisms and accounting schemes, and feature higher security. In addition, VPDNs support dynamic address assignment. VPDNs adopt Layer 2 tunnels and support multiple Layer 3 protocols.
- Virtual Private Routing Network (VPRN)
A VPRN connects the headquarters, branches, and remote offices through virtual devices. Different from VPNs of other types, packets are forwarded at the network layer in VPRNs. Each VPN node on the public network sets up a private routing forwarding table for each VPN, which contains information about reachability of the network layer. Data traffic between VPN nodes and that between VPN nodes and user sites is transmitted based on the private routing forwarding tables.
VPRNs can be implemented using traditional VPN protocols such as IP Security (IPsec) and the Generic Routing Encapsulation (GRE) protocol, or using Multi-Protocol Label Switching (MPLS).
- Virtual Leased Line (VLL)
Leveraging IP networks to emulate leased lines, VLL provides asymmetric and low-cost Digital Data Network (DDN) services. For users on the two ends of a virtual leased line, the virtual line is similar to a traditional leased line.
VLL is typically used at the access and aggregation layers, and is divided into the following types:
- Circuit Cross-Connect (CCC)
- Static Virtual Circuit (SVC)
- Martini VLL
- Kompella VLL
As an end-to-end technology that bears Layer 2 services, Pseudo-Wire Emulation Edge-to-Edge (PWE3) is an extension of Martini VLL.
VLL is suitable for VPNs with a star topology, while VPRN is suitable for fully connected VPNs.
- Virtual Private LAN Service (VPLS)
VPLS connects LANs through a virtual private network segment. VPLS is an extension of LANs over IP public networks.
VPLS is also called Transparent LAN Service (TLS). Different from common L2VPN P2P services, VPLS enables SPs to provide Ethernet network-based multi-point services through MPLS backbone networks.
VPRNs and VLL networks can also provide LAN services, but unlike VPLS they retain the following limitations of traditional Ethernet technology:
- Broadcast storms of frames with unknown destination MAC addresses cannot be avoided.
- The scalability of the Spanning Tree Protocol (STP) is limited.
- VLAN address spaces are limited.
VPLS is therefore introduced to solve these problems. Instead of running STP, VPLS backbone networks use full-mesh connections and split horizon to eliminate loops. Unicast or multicast frames with unknown destination MAC addresses are discarded, processed on the local node, or broadcast. VPLS can therefore extend the VLAN range across a country or even the whole world. 802.1Q-in-802.1Q (QinQ) VPLS is not limited by VLAN address spaces and can therefore easily be expanded over a broad geographical area.
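As an added example (not from the original page) of the VPLS forwarding behaviour just described, the Python simulation below models three PEs joined by a full mesh of pseudowires, with per-PE MAC learning, flooding of unknown destinations, and split horizon; the PE names, site names and MAC labels are constructed.

```python
from collections import deque


class VplsPE:
    """A Provider Edge device in one VPLS instance: learns MACs per port and floods unknown destinations."""

    def __init__(self, name: str, acs):
        self.name = name
        self.acs = set(acs)       # attachment circuits to customer sites
        self.pws = set()          # pseudowires to the other PEs (full mesh), named after the peer PE
        self.mac_table = {}       # MAC -> port; this per-PE learning is the storage cost noted in the text

    def forward(self, frame, in_port: str, split_horizon: bool = True):
        """Return the ports on which a frame (src_mac, dst_mac) received on in_port is sent out."""
        src, dst = frame
        self.mac_table[src] = in_port
        if dst in self.mac_table:                       # known unicast: one port, never back out the ingress
            out = self.mac_table[dst]
            return [] if out == in_port else [out]
        ports = (self.acs | self.pws) - {in_port}       # unknown destination: flood
        if split_horizon and in_port in self.pws:
            ports -= self.pws                           # a frame from a PW is never relayed onto another PW
        return sorted(ports)


def build_vpls(sites: dict) -> dict:
    """sites maps PE name -> list of AC names; every pair of PEs is joined by a pseudowire."""
    pes = {name: VplsPE(name, acs) for name, acs in sites.items()}
    for name in pes:
        pes[name].pws = set(pes) - {name}
    return pes


def inject(pes: dict, pe_name: str, ac: str, frame, split_horizon: bool = True, max_pw_hops: int = 50):
    """Send one frame from a site into the VPLS; return (deliveries per AC, pseudowire transmissions used)."""
    deliveries, pw_hops = {}, 0
    queue = deque([(pe_name, ac, frame)])
    while queue and pw_hops < max_pw_hops:              # the cap stops a simulated broadcast storm
        name, in_port, fr = queue.popleft()
        for out in pes[name].forward(fr, in_port, split_horizon):
            if out in pes[name].acs:
                deliveries[out] = deliveries.get(out, 0) + 1
            else:
                pw_hops += 1
                queue.append((out, name, fr))            # arrives at the peer PE on the PW from `name`
    return deliveries, pw_hops


if __name__ == "__main__":
    pes = build_vpls({"PE1": ["siteA"], "PE2": ["siteB"], "PE3": ["siteC"]})
    print(inject(pes, "PE1", "siteA", ("aa", "bb")))   # ({'siteB': 1, 'siteC': 1}, 2): flooded once per site
    print(inject(pes, "PE2", "siteB", ("bb", "aa")))   # ({'siteA': 1}, 1): 'aa' was learned, so known unicast
    storm = build_vpls({"PE1": ["siteA"], "PE2": ["siteB"], "PE3": ["siteC"]})
    print(inject(storm, "PE1", "siteA", ("aa", "bb"), split_horizon=False)[1])   # 50: flooding never stops
```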
Classification Based on Applications
According to different applications, VPNs are divided into the following types:
- Intranet VPN
Intranet VPNs connect all the branches of an enterprise through public networks. Intranet VPNs are the extension or substitute for traditional private networks or other enterprise networks.
Leveraging intranet VPNs, headquarters, branches, offices, and mobile personnel of an enterprise compose an intranet through public networks. VPNs can also be applied to constructing intranets of banks and governments.
Chain businesses such as chain stores, storage and logistics companies, and gas stations are typical users of intranet VPNs.
- Extranet VPN
Extranet VPNs extend enterprise networks to suppliers, partners, and clients leveraging VPNs. VPNs are established between different enterprises with common benefits through public networks, so that some resources can be shared among different VPN users.
On a network of traditional leased lines, constructing an extranet requires network management and maintenance, access control, and even installation of compatible network devices at the user side. Although an extranet can be established in dialing mode, each extranet user must be configured separately, so configuration is not simplified. An extranet in dialing mode also incurs high construction and maintenance costs because partners and customers are widely distributed. Therefore, most enterprises do not use extranets, which leads to complicated business processes between enterprises and lower business efficiency.
Extranet VPNs are therefore introduced. Similar to intranet VPNs in terms of technology implementation, extranet VPNs are easy to construct and manage. Currently, enterprises typically use VPNs to construct extranets. To guarantee QoS, external communication of an enterprise is generally not realized through the Internet because data transmission between enterprises is sensitive, and the security of extranets is stronger than that of the Internet. The access rights of an extranet VPN can be configured and managed by each extranet user through firewalls or other methods.
- Access VPN
Through access VPNs, personnel on business trips, Small Office Home Office (SOHO) users, and remote offices can access the internal servers of enterprises through inexpensive dial-up media and set up private network connections with enterprise intranets and extranets. Access VPNs are also called VPDNs.
Access VPNs are divided into client-initiated and NAS-initiated VPNs.
Classification Based on Layers
According to different layers on which VPNs are implemented, VPNs are divided into the following types:
- L3VPN
Layer 3 VPNs (L3VPNs) are also called VPRNs. The BGP/MPLS VPN, BGP/MPLS VPN with IPsec or GRE tunnels, IPsec VPN, and GRE VPN belong to L3VPNs. Typically, the BGP/MPLS VPN is applied at the forwarding layer of the core network, while the IPsec VPN and GRE VPN are applied at the access layer.
- L2VPN
As network technologies develop, carrier's networks become increasingly complex. New technologies are required to integrate traditional switching networks such as ATM and FR networks with IP or MPLS networks. Layer 2 VPN (L2VPN) is therefore introduced.
L2VPNs include the VLL and VPLS networks described above. VLL is suitable for large-scale enterprises that are connected through Wide Area Networks (WANs), while VPLS is suitable for small-scale enterprises that are connected through Metropolitan Area Networks (MANs). VPLS cannot avoid broadcast storms. In addition, on a VPLS network, Provider Edge (PE) devices need to learn the MAC addresses of private network devices, which brings high protocol and storage costs.
L2VPNs use only the Layer 2 links of SP networks, which makes it possible to deploy multiple Layer 3 protocols over them. L3VPNs also support multiple protocols, but with more limitations than in the L2VPN case.
- VPDN
Strictly, VPDNs also belong to L2VPNs, but the network structure and protocol design of VPDNs are quite different from those of other L2VPNs. On a VPDN, IP packets are first encapsulated using L2TP, and then encapsulated using UDP.
Table 1-1 lists the differences between an L2VPN and an L3VPN.
Item | L2VPN | L3VPN
---|---|---
Security | High | Low
Support for Layer 3 protocols | Relatively flexible | Limited
Network user impact on the backbone network | Little | Great
Compatibility with traditional WANs | Good | Poor
Route management | Users manage their own routes. | SPs manage the routes.
Networking application | Mainly at the access and aggregation layers | Mainly at the core layer
Classification Based on Operation Modes
According to different operation modes, VPNs are divided into the following types:
- Customer Premises Equipment-based VPN (CPE-based VPN) controlled by users
In CPE-based VPN mode, users construct, manage, and maintain VPNs. A VPN tunneling protocol such as IPsec, GRE, L2TP, or PPTP must be configured on user devices.
In this mode, Customer Edge (CE) devices initiate VPN connection requests, and the VPN can be implemented without any special support from carriers.
The CPE-based VPN brings complex configuration and poor service scalability, and is mainly used at the access layer.
Traditional VPNs based on public IP networks (IP VPNs) belong to CPE-based VPNs. CPE-based VPNs set up VPN security tunnels between private devices to transmit private data of users. The Internet is a typical public IP network. Constructing VPNs based on the Internet is economical; however, QoS cannot be guaranteed. When planning an IP VPN, an enterprise should consider the public IP network to be selected.
- Network-based VPN controlled by ISPs
In network-based VPN mode, ISPs construct, manage, and maintain VPNs. The ISPs also allow users to manage and control services to some extent. VPN-related functions and features are mainly implemented on devices at the network side. Only network interconnection is required on devices at the user side, and no special VPN functions are required.
This mode reduces the user's investment, improves service flexibility and scalability, and brings carriers more revenue.
VPNs based on MPLS, namely MPLS VPNs, belong to network-based VPNs. MPLS VPN has become the major IP VPN technology and is widely used in telecom carriers' networks and enterprise networks due to its advantages in flexibility, scalability, and QoS. MPLS VPN is typically applied at the aggregation layer of the backbone core network, and is an important technology for connecting the branches of VIP customers and isolating 3G and NGN services. MPLS VPN is also important to MANs: deploying MPLS VPN on a MAN improves the value of the IP MAN and the carrier's profits.
On an MPLS VPN, user sites can use T1, FR, ATM VCs, and Digital Subscriber Lines (DSLs) to access the MPLS VPN backbone network, and no additional configuration is required on user devices.
Table 1-2 lists the differences between a CPE-based VPN and a network-based VPN.
Item | CPE-based VPN | Network-based VPN
---|---|---
Service scalability | Poor | Good
Customer investment | High | Low
Support for tunnels on user devices | A CPE-based VPN requires tunnel support on user devices. | A network-based VPN does not require tunnel support on user devices.
Performance requirement | Most features and functions are realized on CE devices, so high requirements are imposed on CE devices. | Most features and functions are realized on PE devices, so high requirements are imposed on PE devices.
Seamless integration of CPE-based VPNs with network-based VPNs can provide users with more reliable, secure, and abundant VPN services.