
Much of the public discussion surrounding VPNs thus far has centered around tunneling. Tunneling, however, is merely one component of a complete and robust Dial VPN service architecture. In addition to the tunneling techniques supported within the service, any description of a Dial VPN service must contain a description of how the service handles security, as well as network management and administration.
Tunneling
Dial VPNs are built upon the notion of efficiently and securely tunneling data from one point to another. With tunneling, the remote access server wraps the user data (payload) inside IP packets, which are routed through the carrier's network, or even across multiple networks in the case of the Internet, to the tunnel endpoint where the tunneled packet is unwrapped and forwarded in its original form. Tunneling is used by corporations shifting their remote access traffic from switched, long distance, and regional carriers to ISPs and the Internet. Tunneling uses point-to-point session protocols to replace switched connections, linking data addresses over a routed network. This replaces the linkage of telephone numbers over a switched telephone network.

Tunneling allows authorized mobile workers, and perhaps authorized customers, to reach your enterprise network anytime and from anywhere. In tandem with authentication techniques, tunneling also prevents unauthorized access to your corporate network.
There have been a number of proposals made to the Internet Engineering Task Force (IETF) as to how this tunneling should be performed. These include Point-to-Point Tunneling Protocol (PPTP), Layer 2 Forwarding (L2F), Layer 2 Tunneling Protocol (L2TP), Virtual Tunneling Protocol (VTP), and Mobile IP. Supported by different groups of networking vendors, these proposed standards specify how remote devices can access corporate networks and the Internet in a simple and secure manner. Figure 1 depicts a packet format used for tunneling data.
Tunneling technology is useful for a number of reasons. First, an IP tunnel can accommodate nearly any type of payload. A user with a desktop or portable computer can dial into the VPN to access their corporate IP, Internetwork Packet Exchange (IPX), or AppleTalk network in a transparent fashion. Second, tunnels can accommodate many users simultaneously or many different types of payload simultaneously. This is done using encapsulation types such as Generic Routing Encapsulation (GRE) as defined by IETF RFC 1701. Third, IP tunnels must be used to reach corporations that do not advertise their IP network addresses over the Internet. Fourth, tunneling allows the recipient to filter out or report on individual tunneled connections.
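The wrapping and unwrapping just described, as an added example in Python (not code from this white paper or from any vendor it mentions): it builds the IP header + GRE header + payload portion of the Figure 1 layout (the link-level flag, sync framing, L2 header and CRC belong to the access line and are omitted), then has a tunnel endpoint validate the outer headers, admit only configured tunnel keys, count traffic per tunnel, and hand back the original packet. The GRE field layout and checksum follow RFC 1701; the endpoint class, its allowed-key policy, the drop reasons and all addresses, keys and payloads are assumptions constructed for illustration.

```python
import socket
import struct
from collections import Counter

# GRE (RFC 1701) flag bits in the first 16-bit word of the GRE header
GRE_FLAG_C = 0x8000   # checksum and offset fields present
GRE_FLAG_R = 0x4000   # routing field present (not supported here)
GRE_FLAG_K = 0x2000   # key field present
GRE_FLAG_S = 0x1000   # sequence number field present
GRE_VERSION_MASK = 0x0007
ETHERTYPE_IPV4 = 0x0800   # GRE protocol type for an IP payload
IPPROTO_GRE = 47          # protocol number carried in the outer IP header


def ones_complement_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over 16-bit words; validating data that
    already carries a correct checksum yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ones_complement_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner: bytes, key: int, seq: int, proto: int = ETHERTYPE_IPV4) -> bytes:
    """GRE header with checksum, key and sequence number, followed by the inner packet."""
    flags = GRE_FLAG_C | GRE_FLAG_K | GRE_FLAG_S
    body = struct.pack("!HHHHII", flags, proto, 0, 0, key, seq) + inner
    # the checksum covers the whole GRE header plus payload, computed with the field zeroed
    return body[:4] + struct.pack("!H", ones_complement_checksum(body)) + body[6:]


def tunnel_encapsulate(inner: bytes, outer_src: str, outer_dst: str, key: int, seq: int) -> bytes:
    """Outer IP header + GRE header + payload: the routed part of the Figure 1 layout."""
    gre = gre_encapsulate(inner, key, seq)
    return ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(gre)) + gre


class TunnelEndpoint:
    """Hypothetical tunnel terminator: checks the outer and GRE headers, admits only
    configured keys, and keeps per-tunnel counters so individual tunneled
    connections can be filtered and reported on."""

    def __init__(self, allowed_keys):
        self.allowed_keys = set(allowed_keys)
        self.stats = Counter()

    def _drop(self, reason: str):
        self.stats[("dropped", reason)] += 1
        return None

    def receive(self, packet: bytes):
        """Return the unwrapped inner packet, or None with the drop reason counted."""
        if len(packet) < 24 or packet[0] >> 4 != 4:
            return self._drop("not-ipv4")
        ihl = (packet[0] & 0x0F) * 4
        if ihl < 20 or len(packet) < ihl + 4 or ones_complement_checksum(packet[:ihl]) != 0:
            return self._drop("bad-outer-header")
        if packet[9] != IPPROTO_GRE:
            return self._drop("not-gre")
        gre = packet[ihl:]
        flags, proto = struct.unpack("!HH", gre[:4])
        if flags & GRE_VERSION_MASK or flags & GRE_FLAG_R:
            return self._drop("unsupported-gre")
        pos = 4
        if flags & GRE_FLAG_C:
            if len(gre) < pos + 4:
                return self._drop("truncated")
            (csum,) = struct.unpack("!H", gre[4:6])
            if ones_complement_checksum(gre[:4] + b"\x00\x00" + gre[6:]) != csum:
                return self._drop("bad-gre-checksum")
            pos += 4
        key = None
        if flags & GRE_FLAG_K:
            if len(gre) < pos + 4:
                return self._drop("truncated")
            (key,) = struct.unpack("!I", gre[pos:pos + 4])
            pos += 4
        if flags & GRE_FLAG_S:
            pos += 4
        if key not in self.allowed_keys:
            return self._drop("unknown-key")
        if proto != ETHERTYPE_IPV4:
            return self._drop("unexpected-payload-type")
        self.stats[("accepted", key)] += 1
        return gre[pos:]


def demo():
    """Constructed round trip: one valid packet, one corrupted in transit, one with an unknown key."""
    endpoint = TunnelEndpoint(allowed_keys={0xA001})
    inner = ipv4_header("10.1.1.5", "10.1.2.9", 253, 11) + b"hello world"   # constructed inner packet
    good = tunnel_encapsulate(inner, "203.0.113.7", "198.51.100.1", key=0xA001, seq=1)
    corrupted = good[:-1] + bytes([good[-1] ^ 0xFF])   # one payload byte flipped after wrapping
    foreign = tunnel_encapsulate(inner, "203.0.113.8", "198.51.100.1", key=0xBEEF, seq=1)
    results = [endpoint.receive(p) for p in (good, corrupted, foreign)]
    return results[0] == inner, results[1], results[2], dict(endpoint.stats)
```

The key field is what makes the fourth benefit in the text practical: the endpoint can tell tunnels apart, refuse those it was not configured for, and account for each one separately, while the GRE checksum catches payload damage before the inner packet is forwarded.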
Dial VPNs
Figure 1 Typical Layout of a Tunneled Packet

Flag | Sync Framing | L2 Header | IP Header | GRE Header | Payload | Cyclical Redundancy Check | Flag

Table 1 Comparing Layer 3 and Layer 2 Tunneling

                     Pros                                  Cons
Layer 3 Tunneling    Scalability                           Limited vendor participation
                     Security                              Complex to develop
                     Reliability
Layer 2 Tunneling    Simplicity                            Standards still evolving
                     End-to-end compression/encryption     Questions on scalability
                     Bi-directional tunnel initiation      Questions on reliability (PPP timers, etc.)
                                                           Limited to PPP payload types
                                                           Questions on security
6 White Paper Understanding and Implementing Dial VPN Services