During the last ten years, many different VPN concepts have evolved. You may have noticed that I always added "network frames" in brackets when I spoke of tunneling IP packets. This became necessary, because in principle, tunneling can be done on almost all layers of the OSI model.
The General Routing Encapsulation (GRE) provides a standard for tunneling data, which was defined in 1994 in Request for Comments (RFCs) 1701 and 1702. Perhaps, because this definition is not a protocol definition, but more or less a standard proposal on how to tunnel data, this implementation has found its way into many devices and become the basis for other protocols.
The concept of GRE is pretty simple. A protocol header and a delivery header are added to the original packet and its payload is encapsulated in the new packet. No encryption is done. The advantage of this model are almost obvious—the simplicity offers many possibilities, the transparency enables administrators and routers to look inside the packets and pass decisions based on the type of payload sent. By doing so, special applications can be privileged.
There are many implementations for GRE tunneling software under Linux; only kernel support is necessary, which is fulfilled by most modern distributions.
Encapsulating packages on the OSI Layer 2 has a significant advantage: the tunnel is able to transfer non-IP protocols. IP is a standard used widely in the Internet and in Ethernet networks. However, there are different standards too. Netware Systems, for example, uses the Internetwork Packet Exchange (IPX) protocol to communicate. VPN technologies residing in Layer 2 can theoretically tunnel any kind of packet. In most cases, a virtual Point-to-Point Protocol (PPP) device is established which is used to connect to the other tunnel endpoint. (A PPP device is normally used for modem or DSL connections.)
Four well-known Layer 2 VPN technologies, which are defined by RFCs, use encryption methods and provide user authentication:
The Point to Point Tunneling Protocol (PPTP), which was developed with the help of Microsoft, is an expansion of the PPP and is integrated in all newer Microsoft Operating Systems. PPTP uses GRE for encapsulation and can tunnel IP, IPX, and other packages over the Internet. The main disadvantage is the restriction that there can only be one tunnel at a time between communication partners.
The Layer 2 Forwarding (L2F) was developed almost at the same time by companies like Cisco and others and offers more possibilities than PPTP, especially regarding tunneling of network frames and multiple simultaneous tunnels.
The Layer 2 Tunneling Protocol (L2TP) is accepted as an industry standard and is being used widely by Cisco and other manufacturers. Its success is based on the fact that it combines the advantages of L2F and PPTP without suffering from their disadvantages. Even though it provides no own security mechanisms, it can be combined with technologies offering such mechanisms like IPsec (see the section Protocols Implemented on OSI Layer 3).
Other distinguishing factors between the mentioned systems and protocols are:
These features will be discussed in later chapters.
IPsec is probably the most wide-spread tunneling technology. In fact, it is rather a set of protocols, standards, and mechanisms than a single technology. The wide range of definitions, specifications, and protocols are already the main disadvantages about IPsec. It is a complex technology with many different implementations and many security loopholes. IPsec was a compromise accepted by a commission and therefore is something like a least common denominator agreed upon. This means that IPsec can be used in many different setups and environments, ensuring compatibility, but almost no aspect of it offers the best possible solution.
IPsec was developed as an Internet Security Standard on Layer 3, and has been standardized by the Internet Engineering Task Force (IETF) since 1995. IPsec can be used to encapsulate any traffic of application layers, but no traffic of lower network layers. Neither network frames, IPX packets, nor broadcast messages can be transferred, and network address translation is only possible with restrictions.
Nevertheless, IPsec can use a variety of encryption mechanisms, authentication protocols, and other security associations. IPsec software exists for almost every platform, and compatibility with the implementation of other manufacturers is secured in most cases even though there are significant problems resulting from proprietary extensions.
The main advantage of IPsec is the fact that it is being used everywhere. An administrator can choose from an abundant number of hardware devices and software implementations to provide his or her networks with a secure tunnel.
Basically there are two relevant methods that IPsec uses:
Tunnel Mode: The tunnel mode works like the examples listed above; the whole IP packets are encapsulated in a new packet and sent to the other tunnel endpoint, where the VPN software unpacks them and forwards them to the recipient. In this way the IP addresses of sender and recipient, and all other metadata are protected as well.
Transport Mode: In transport mode, only the payload of the data section is encrypted and encapsulated. By doing so, the overhead is significantly smaller than in tunnel mode, but an attacker can easily read the metadata and find out who is communicating with whom. However, the data is encrypted and therefore protected, which makes IPsec a real "private" VPN solution.
IPsec's security model is probably the most complex of all existing VPN solutions and will be discussed in brief in the next chapter.
It is also possible to establish VPN tunnels only on the application layer. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) solutions follow this approach. The user can access the VPN network of a company through a browser connection between his or her client and the VPN server in the enterprise. A connection is simply started by logging into an HTTPS-secured website with a browser. Meanwhile, there are several promising products available, like SSL-Explorer from http://3sp.com/showSslExplorer.do, and products like these offer great flexibility combined with strong security and easy setup. Using the secure connection the browser offers, users can connect network drives and access services in the remote network. Security is achieved by encrypting traffic using SSL/TLS mechanisms, which have proven to be very reliable and are permanently improved and tested.
OpenVPN is a newer and an outstanding VPN solution. It implements Layer 2 or Layer 3 connections, uses the industry standard SSL/TLS for encryption, and combines almost all features of the mentioned VPN solutions. Its main disadvantage is the fact that there are still few hardware manufacturers integrating it in their solutions.