The Rationale for Tunnels in Routing Environments
Some tunnels are authenticated, some are compressed, and some are even encrypted; some lack all these capabilities and primarily support signaling, transport, and connectivity. The primary goal of the IPSec framework or suite of protocols is the provisioning and setup of authenticated and encrypted tunnels. It is a complex suite because it has to deal with complex tasks.
IPSec is an extension of IPv4 and intrinsically included in IPv6. Tunnels are virtual point-to-point overlay links that consist of only two endpoints; there is nothing in between, just plain nondeterministic best-effort IP delivery. Two endpoints need to be configured. With the exception of Multiprotocol Label Switching (MPLS), tunnels form the foundation of most VPNs.
Virtual private dial-up networks (VPDNs) have different requirements to transport PPP connections securely over Digital Subscriber Line (DSL), Integrated Services Digital Network (ISDN), or Public Switched Telephone Network (PSTN) architectures. Figure 11-1 offers an overview of common tunnel scenarios.
The VPNC Concept of VPNs
To grasp the concept of virtual privacy, you have to understand the character of conventional private networks. The opposite of VPNs are good, old circuit-switched dedicated private networks based on a number of dedicated leased lines (DLLs). VPNs commonly are deployed on a shared public infrastructure across "untrusted territory" beyond Open System Interconnection (OSI) Layer 1 and use point-to-point or point-to-multipoint concepts such as virtual circuits, either switched or permanent, or "cloudlike" any-to-any connectivity, as with MPLS network edge architectures and MPLS Border Gateway Protocol (BGP) VPNs. Several virtual links constitute a virtual network that accomplishes privacy at arbitrary layers of the OSI stack. Contrary to a common misperception, VPNs do not necessarily require encryption and authentication to achieve some level of privacy.
Note that a network of virtual links constitutes a VPN and that a tunnel carries out three basic tasks:[1]
-  It provides a virtual link.
-  It provides data encryption; that is, it transmits the data in a secret code.
-  It provides remote-end authentication; that is, it guarantees who is doing the sending and receiving.
The OSI Stack Perspective
In principle, the position of a tunnel or VPN technology relative to the OSI stack defines its degree of transparency, exposure to attacks, probability for compromise, and method for accomplishing secrecy or privacy (see Table 11-1).
| OSI Layer | Example Technology |
|---|---|
| Layer 1 | (D)WDM[*], TDM[**], SDH/SONET[***] |
| Layer 2 | ATM/Frame Relay/VLANs/L2TP/Layer 2 over MPLS (pseudo-wires), BGP/MPLS VPNs |
| Layer 3 | IPSec crypto tunnel, BGP/MPLS VPNs |
| Layer 4 | TCP/UDP user-space tunnel |
| > Layer 4 | Application tunnels |
[*] (D)WDM = (dense) wavelength-division multiplexing
[**] TDM = time-division multiplexing
[***] SDH/SONET = Synchronous Digital Hierarchy/Synchronous Optical Network
The transmission technology itself has security consequences, as wireless networks illustrate: anybody can eavesdrop on a conversation over wireless media. Fiber or high-security ducts (waveguides) cannot easily be compromised without notice, and sniffing becomes more difficult when large bandwidths are involved. Beyond Layer 3, the degree of hostility increases considerably because official IP addresses and transport layer ports are internationally routed and thus reachable. Below Layer 3, physical access to ATM, Frame Relay, MPLS edge routers, or Ethernet switch access ports is necessary to constitute a real threat. Essentially, attacks against telco equipment can target either a link or a network element (SDH, ATM, Frame Relay) and are rarely heard of.
It is highly recommended that you read draft-behringer-mpls-security-06.txt, "Analysis of the Security of the MPLS Architecture" (http://www.ietf.org/internet-drafts/draft-behringer-mpls-security-06.txt), to get an idea about how MPLS VPN security compares to trusted Layer 2 VPNs such as ATM or Frame Relay.
Reasons for considering or deploying tunnels include the  following:
-  Broadcast and multicast relay requirements
-  IPv6 over IPv4 transport (connecting isolated IPv6 realms)
-  Transport of private addresses (RFC 1918)
-  Transport of non-IP network layer protocols (Internetwork Packet Exchange, IPX)
-  Authentication requirements
-  Dynamic routing protocols
-  Traffic shaping
-  Encryption
-  Mobile IP applications
-  DSL architectures
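As an added example that is not part of the chapter, the following Python classifier applies the two observations above to an outer IPv4 packet seen on the wire: it identifies the encapsulation by IANA protocol number (IP-in-IP, IPv6-in-IPv4, GRE, ESP, AH) or well-known UDP port (L2TP, IPsec NAT-T), records whether that encapsulation is plaintext, authenticated only, or encrypted, and, for plaintext GRE and IP-in-IP, checks whether the inner header transports RFC 1918 addresses. The protocol numbers and ports are the IANA assignments; the sample packets are constructed, not captured.

```python
import ipaddress
import struct

# IANA protocol numbers for common encapsulations; the second field is the
# property the chapter contrasts (authenticated, encrypted, or neither).
TUNNEL_PROTOCOLS = {
    4: ("IP-in-IP", "plaintext"),
    41: ("IPv6-in-IPv4", "plaintext"),
    47: ("GRE", "plaintext"),
    50: ("IPsec ESP", "encrypted"),
    51: ("IPsec AH", "authenticated only"),
}
UDP_TUNNEL_PORTS = {1701: "L2TP", 4500: "IPsec NAT-T"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_ipv4(proto, src, dst, payload):
    """Build a minimal IPv4 packet (constructed sample input, not captured traffic)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload


def parse_ipv4(pkt):
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return proto, ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst), pkt[ihl:]


def classify_tunnel(pkt):
    """Return (tunnel, protection, inner_rfc1918) for one outer IPv4 packet."""
    proto, _, _, payload = parse_ipv4(pkt)
    tunnel, protection, inner_rfc1918 = None, None, None
    if proto in TUNNEL_PROTOCOLS:
        tunnel, protection = TUNNEL_PROTOCOLS[proto]
    elif proto == 17:  # UDP: recognise tunnels by well-known port only
        sport, dport = struct.unpack("!HH", payload[:4])
        tunnel = UDP_TUNNEL_PORTS.get(dport) or UDP_TUNNEL_PORTS.get(sport)
        protection = "depends on payload" if tunnel else None
    if tunnel == "GRE" and len(payload) >= 4:
        # RFC 2784/2890 header: flags, version, protocol type, then optional
        # checksum/offset, key and sequence fields (4 bytes each when present).
        flags, ptype = payload[0], struct.unpack("!H", payload[2:4])[0]
        hdr_len = 4 + 4 * bool(flags & 0x80) + 4 * bool(flags & 0x20) + 4 * bool(flags & 0x10)
        payload = payload[hdr_len:] if ptype == 0x0800 else b""
    elif tunnel != "IP-in-IP":
        payload = b""  # inner header is encrypted, non-IPv4, or there is no tunnel at all
    if len(payload) >= 20:  # plaintext inner IPv4 header: flag RFC 1918 addressing
        _, isrc, idst, _ = parse_ipv4(payload)
        inner_rfc1918 = any(a in n for a in (isrc, idst) for n in RFC1918)
    return tunnel, protection, inner_rfc1918
```

Run over a capture, the classifier yields an inventory of which tunnels cross a given link in the clear, which is the question the OSI-layer table asks about each technology.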
Internet, Intranet, and Extranet Terminology
Intranet and extranet concepts are understood differently by different people—for example, product managers, analysts, sales people, and engineers—in much the same way that VPNs are understood. For purposes of this discussion, however, an intranet is a trusted realm within a corporate organization that also can be geographically dispersed and tied in via a VPN architecture.
Hub-and-spoke or partial-mesh physical or virtual topologies (architectures resulting from administrative considerations) are common, with the majority of the computing power and services located at the hub site (corporate headquarters). Any-to-any connectivity is rarely used in the context of tunnel-based topologies because of administrative burden, difficulty of policy enforcement, and lack of scalability. MPLS VPNs are a different story because their design is not based on point-to-point tunnel links but on a "point-to-cloud" paradigm. With all these choices, network administrators and architects have flexible and scalable measures to realize routing policies within a VPN, including topological measures, default-route injection, or route filters. Withholding routing information constitutes an excellent security mechanism.
An extranet usually refers to a lower trust level commonly separated from the actual intranet (as well as the Internet) via security measures such as firewalls, demilitarized network segments, and proxies.
Extranets are deployed to support the requirements for limited and controlled connectivity to commercial partners, organizations, and other third parties.