Commercial VPN architectures come in several forms, depending upon the service provider and the services offered. Large service providers have the problem of integrating new services with their legacy infrastructure, and a VPN service offered will reflect this. At the other end of the spectrum, startup providers have very little existing infrastructure and are free to design an IVPN from scratch. Organizations building their own VPN infrastructure can choose to outsource the whole venture or manage it themselves.
Virtual dial-up enables many separate and autonomous protocol domains to share a common access infrastructure, including modems, access servers, and ISDN routers. Protocols such as Generic Routing Encapsulation (GRE), Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), and Cisco's Layer 2 Forwarding (L2F) enable tunneling of IP and non-IP link layer protocols (such as HDLC, asynchronous HDLC, or SLIP frames). Using these tunnels, it is possible to insulate protocol and addressing details at the location of the dial-up server and target network from the transport network. This new breed of tunneling protocols allows multiple protocols (such as IP, IPX, and AppleTalk) and unregistered IP addresses (or non-IP addresses) to be tunneled over the Internet. The mechanisms used for virtual dial-up service are intended to coexist with legacy dial-up mechanisms (i.e., an ISP's PoP should be able to simultaneously service ISP clients as well as virtual dial-up clients).
With dial VPNs the service providers provide the remote dial capabilities as part of a VPN service. Subscribers access dial ports by calling a local number to a service provider PoP. Shared dial ports are available to all subscribers to leverage a provider's capital investment. Tunnels provide connections across the public IP network. Subscribers may keep policy control for optimal user authorization and control, along with the security policy server and databases. This function may also be outsourced to the service provider. Dial IP VPNs can be client initiated or NAS initiated.
In a client-initiated dial VPN, a remote client (typically a PC) dials into a local PoP using one of a number of techniques (e.g., dial-up POTS, ISDN, ADSL, etc.), as illustrated in Figure 5.13. The client then requests an encrypted tunnel through to the target intranet to establish a private connection. The secure connection is generally established via IPsec client software running on the PC, in cooperation with a security appliance such as the firewall or router on the corporate intranet access point. Authentication is handled on two levels: the service provider performs basic authentication when a user dials the PoP (e.g., via a RADIUS server on the PoP LAN). This simply establishes the identity of the user. Once the user is authenticated, the dial IP VPN service opens a tunnel to the corporate home gateway, which performs user-level authentication using standard PPP authentication. Since the encrypted tunnel is transparent to the provider, the provider can offer very limited value-added services. Managing client software on a large-scale deployment of mobile users may also impact scalability. For these reasons, many service providers are choosing to implement services where the tunnel is created as part of the service provider network.
Figure 5.13: Dial-up VPN operation.
In Figure 5.13, the NAS is located in the ISP PoP, typically with an integrated rotary modem capability. For dial-up VPN operation users dial into the NAS, using PPP dial-up software, where they are authenticated (initially at the link level via PPP using PAP or CHAP, and then possibly at the user level via a RADIUS server on the PoP LAN). A second connection is established through the home gateway via the PoP router or firewall to complete the end-to-end VPN (e.g., by running IPsec at the client).
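The link-level PPP authentication mentioned above is either PAP or CHAP. The following added example (not from the original text) shows what each puts on the link and how a home gateway verifies a CHAP response per RFC 1994; the user database and secret are constructed for the illustration.

```python
import hashlib
import hmac
import os

# Constructed user database for the example; a real home gateway would consult
# RADIUS or TACACS (as the text describes) rather than an in-memory dict.
USER_SECRETS = {"alice": b"correct horse battery staple"}


def pap_authenticate_request(peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request payload (RFC 1334): both fields travel in the clear."""
    return bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with the MD5 algorithm (RFC 1994): MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def new_challenge(length: int = 16) -> bytes:
    """Gateway side: a fresh, unpredictable challenge for every authentication attempt."""
    return os.urandom(length)


def gateway_verify(username: str, identifier: int, challenge: bytes, response: bytes) -> bool:
    """Gateway side: recompute the expected response and compare in constant time."""
    secret = USER_SECRETS.get(username)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def demo() -> tuple:
    """Returns (pap_password_visible, chap_fresh_ok, chap_stale_response_rejected)."""
    pap = pap_authenticate_request(b"alice", USER_SECRETS["alice"])
    pap_visible = USER_SECRETS["alice"] in pap  # the password is literally in the frame

    # Fresh CHAP exchange: gateway challenges, client answers, gateway verifies.
    ident, chal = 1, new_challenge()
    resp = chap_response(ident, USER_SECRETS["alice"], chal)
    fresh_ok = gateway_verify("alice", ident, chal, resp)

    # The same response presented against a later challenge is rejected, because
    # the digest is bound to the challenge value the gateway issued.
    stale_rejected = not gateway_verify("alice", ident, new_challenge(), resp)
    return pap_visible, fresh_ok, stale_rejected
```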
In NAS-initiated dial VPNs a service provider NAS initiates the tunnel to the corporate router or home gateway. The IETF standard solution to establish secure tunnels between a user and the home gateway is to use the Layer Two Tunneling Protocol (L2TP). Vendors may also offer proprietary solutions (such as Cisco's Layer 2 Forwarding protocol, L2F). The L2TP standard combines L2F with Microsoft's Point-to-Point Tunneling Protocol (PPTP). To the gateway, L2TP tunnels appear as if the dial users are connecting from a local modem. With L2F or L2TP, users may be authenticated using TACACS or RADIUS servers at the corporate gateway. For additional security, data may be encrypted on a connection or application basis. There are many advantages with managed NAS-initiated dial intranet services. No client software is required on user PCs, greatly simplifying user administration. Since the service provider initiates the tunnel, the provider can also potentially offer premium value-added services, such as reserved modem ports, modem availability guarantees, and priority transport. The NAS can also simultaneously provide both Internet and VPN access. This solution is also more scalable and manageable, since all traffic to a specific destination travels over a single tunnel from a NAS.
Dedicated IP tunnels may be created over the Internet using a security appliance such as the firewall or a router supporting IPsec. IPsec is used to create and secure the tunnels, although routers can also create tunnels using a combination of IPsec and Generic Routing Encapsulation (GRE). The tunnel can be used to encapsulate only the original packet data (using the original IP address fields for routing) or the whole packet (in which case the original addressing is preserved, and there is the potential for relaying the data). When mapping tunnels onto a physical infrastructure, service providers can provision point-to-point virtual circuits to create IVPNs (e.g., Frame Relay or ATM PVCs). Large service providers (such as telcos or PTTs) use this method to offer IVPNs by leveraging their existing frame or cell-switching infrastructures.
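The whole-packet encapsulation described above, as an added example that is not part of the original text: a minimal GRE (RFC 2784) encapsulation and decapsulation in Python with constructed addresses. It also shows why the text pairs GRE with IPsec: on its own, GRE leaves the original (here private) addressing readable to anyone on the transport network.

```python
import socket
import struct

IPPROTO_GRE = 47          # outer IP protocol number for GRE
GRE_PROTO_IPV4 = 0x0800   # GRE Protocol Type for an encapsulated IPv4 packet


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over a 20-byte header (checksum field zeroed by caller)."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal IPv4 header, no options, TTL 64, no fragmentation."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Whole-packet encapsulation: outer IP | GRE base header | original packet."""
    gre = struct.pack("!HH", 0x0000, GRE_PROTO_IPV4)  # C=0, reserved 0, version 0
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE, 4 + len(inner)) + gre + inner


def gre_decapsulate(outer: bytes) -> bytes:
    """Tunnel endpoint: validate the outer IP and GRE headers, return the original packet."""
    ihl = (outer[0] & 0x0F) * 4
    if outer[0] >> 4 != 4 or outer[9] != IPPROTO_GRE:
        raise ValueError("not an IPv4/GRE packet")
    flags_ver, proto = struct.unpack("!HH", outer[ihl:ihl + 4])
    if flags_ver & 0x8007:  # C bit set or non-zero version: not handled in this example
        raise ValueError("unsupported GRE header")
    if proto != GRE_PROTO_IPV4:
        raise ValueError("unexpected inner protocol 0x%04x" % proto)
    return outer[ihl + 4:]


def inner_addresses(outer: bytes) -> tuple:
    """What a passive observer on the transport network can read from a plain GRE tunnel."""
    inner = gre_decapsulate(outer)
    return socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])


def demo() -> tuple:
    # Constructed inner packet with unregistered (private) addresses and an 8-byte UDP stub.
    inner = ipv4_header("10.1.1.5", "10.2.2.9", 17, 8) + b"\x00" * 8
    outer = gre_encapsulate(inner, "198.51.100.1", "203.0.113.7")
    return gre_decapsulate(outer) == inner, inner_addresses(outer)
```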