Overview of Provider Provisioned Virtual Private Networks (PPVPN)
Provider Provisioned Virtual Private Networks (PPVPNs) are enterprise-level VPNs mainly used by businesses to allow staff secure remote access to their corporate network. PPVPNs are also used to securely connect physically separate sites and networks with each other across the Internet.
In this way the different sites appear to the users as one fully integrated single network. A company wanting to run a corporate VPN can build and operate its own dedicated VPN. Alternatively, it can lease a PPVPN service from a telecoms provider or an ISP serving the business to business sector.
Provider Provisioned VPNs have the advantage of ease of implementation and operation. The VPN network is usually transparent to users with no separate user authentication required. Depending on the protocols and VPN architecture, once configured, the participating end user host machines on either side of the VPN may not need any special VPN software installed to use a provider-provisioned VPN.
How PPVPNs Work
PPVPNs utilize virtual traffic links across the Internet. known as “tunnels” which are created using protocols such as GRE, MPLS, PPTP, L2TP and Ipsec. These protocols enable private corporate traffic to traverse the public Internet without the connection or the data being compromised.
For remote access VPNs which connect a single user to a corporate network through dial-in, DLS router or wireless LAN, the protocols used will typically be PPTP or L2TP. For VPNs connecting two or more site networks with each other, the protocols will normally be GRE, IPsec or MPLS.
The VPN tunnel is established between the VPN network gateways of each site, referred to as “Provider Edge” and “Customer Edge” devices. VPN tunnels operate at one or two of the OSI-defined Cmmunication Layers.
This is usually either OSI Layer 2 or Layer 3. Layer 2 tunnels use PPTP and L2TP. This is the Frame Layer in which simple Ethernet frames are transported through the VPN. This also allows broadcast packets to pass across the VPN. MPLS VPNs also operate at this Layer.
Examples of Layer 3 tunnels are Generic Route Encapsulation (GRE), employed to encapsulate non-IP traffic for transport via the Internet without encryption. Layer 3 is also used by the IPsec protocol which incorporates both tunneling and encryption functionality.
There are two main possible topologies for setting up a VPN. – Mesh-based, where each set of end devices communicate with each other directly, without any need to pass through a central point. This makes for better routing capabilities, but also means that more tunnels are required.
Hub and spoke-based, where each set of end devices communicate with each other via a central point. This configuration reduces complexity and the number of tunnels, but it also places higher demands on reliability and results in heavier traffic overhead at the central point. It also means a single point of failure is introduced to the system.
The type of topology chosen will depend upon the nature of the networks involved, the number of sites to be linked and their individual connectivity requirements. For an in-depth discussion of the topologies and architectures used by VPNs, see the paper An Analysis of Virtual Private Network Solutions published by The University of New South Wales.
Aspects of VPN Security
VPN security requires user authorization, authentication and data encryption functionalities. VPN tunnels by themselves don’t always provide adequate security. It depends on the specific protocol being used. Some transport protocols contain encryption functionality. Others do not.
Even if it is secured, the data passing through the VPN will still normally only be protected between the two gateway edge devices. This means data traveling between hosts and the gateway edge at each end of the VPN is not protected.
VPN Transport Protocols
Since VPNs operate via the public internet, the transport protocols used are crucial when it comes to data and connection security. The following are the current most commonly encountered protocols used for PPVPNs.
Generic Routing Encapsulation (GRE) GRE is used to encapsulate any protocol into IP. A newer version of GRE known as Enhanced GRE allows for more efficient transmission. GRE is used together with PPTP to create VPN tunnels.
Point-to-Point Tunneling Protocol (PPTP) PPTP is a Layer 2 protocol used for point-to-point connections. Traditionally these were dial-up or ISDN which used the Point-to-Point Protocol (PPP). PPTP was a further development of PPP and uses Microsoft’s proprietary security mechanism CHAP (Challenge Handshake Authentication Protocol) for authentication. PPTP provides a VPN tunnel between a PPTP end client such as PC or laptop and a PPTP-enabled server.
Each device wanting to use PPTP needs to have PPTP client software installed and configured. PPTP in turn uses GRE to encapsulate the PPP frames into IP packets. Note that many packet filtering firewall devices block the PPTP port by default, so they may need reconfiguring to allow PPTP traffic to pass through. Another problem with PPTP is that the protocol has long been proven to be intrinsically insecure.
Generally speaking, you do not want to be using PPTP with a provider provisioned VPN. Layer 2 Tunneling Protocol (L2TP) L2TP is a replacement for PPTP. As with PPTP, L2TP provides communication between an L2TP client and an L2TP-enabled server. It requires L2TP client software to be installed and configured on each system.
However, unlike PPTP, which uses GRE to tunnel data, L2TP has its own tunneling protocol which runs on UDP port 1701. This makes it easier for L2TP to pass unhindered through packet filtering devices than is the case with PPTP. An L2TP tunnel emulates a PPP connection and each L2TP tunnel comprises two channels: a control channel which manages the communication session and the data channel which carries the actual data packets in PPP format. Lost control messages are always re-sent.
However, as with PPTP, other than the initial challenge-based authentication using CHAP at the start of the session, L2TP does not provide any security and so L2TP should not be used by itself for a VPN. One common way of adding security to L2TP is to bundle it with IPsec to provide encryption through the L2TP tunnel.
Internet Protocol Security (IPsec) IPsec is an established and proven set of protocols consisting of three primary components: the Authentication Header (AH), the Encapsulating Security Payload (ESP), and the Internet Key Exchange (IKE) which takes care of data encryption for IPsec. IPsec provides security at the IP packet Layer.
IPsec is a network-level protocol which can be incorporated into servers, clients and other devices for example in a router, a dedicated VPN concentrator or a firewall. All Windows versions since 2000/XP and Mac OSX 10.3+ and most mobile operating systems come with native support for both L2TP and IPsec. IPsec secures every IP packet regardless of whether it is a TCP, UDP or other type of packet. IPsec is generally considered the most secure and efficient VPN transport protocol, but it does also have some limitations.
The Authentication Header (AH) AH provides user authentication as well as integrity protection for packet headers and data. However, AH does not perform any packet encryption. For this reason, AH and ESP tended to be bundled together. Since authentication capabilities were added to ESP, AH has become less significant and some IPsec systems no longer include it.
However, AH is still a useful feature because it provides for backwards compatibility with devices and software that still rely on it. It’s important to note that AH has two modes: transport and tunnel. In tunnel mode, AH creates a new IP header for each data packet. In transport mode, which is generally used for host-to-host direct connections (for example PC-to-server or server-to-server), AH does not alter the original IP header nor does it create a new IP header. This means that if you are using a gateway-to-gateway or host-to-gateway VPN, then you have to ensure your devices are set up to reconfigure the source or destination IP addresses for the packets to point to the gateway IP addresses. Otherwise the packets will not reach their destination.
Encapsulating Security Payload (ESP) Initially, ESP only provided encryption for the packet data with integrity protection taken care of by the AH protocol. In the later versions of IPsec, ESP can now perform encryption, integrity protection or encryption and integrity protection together. As with AH, ESP has both transport and tunnel modes. For most VPNs, tunnel mode is used. In this case ESP adds a new IP header for each packet containing the endpoint addresses of the tunnel.
Potential Problems with IPsec
Using IPsec with NAT (Network Address Translation) gateways can be problematic. AH should only be used in tunnel mode if the traffic is to traverse NAT gateways as AH transport mode is not NAT-compatible. Another problem is that AH authenticates the entire IPsec packet, including the IP header, whereas NATs need to be able to modify IP addresses of packets.
As a result, IPsec authentication in tunnel mode may not work with certain application protocol traffic such as FTP, SIP / VOIP or IRC which relies on embedded IP addresses to function correctly. One workaround for this is to perform the NAT functionality before IPsec is applied. This can be done by using an IPsec gateway that also performs NAT.
Another alternative is to apply UDP encapsulation of the ESP packets by adding a UDP header to each packet, which provides an IP address and UDP port that can be used by NAT. IPsec is especially useful for the final outer ends where encryption is explicitly desired when connecting to user PCs and laptops. IPsec is also the only protocol which offers secure VPN access for remote login hosts. The National Institute of Standards and Technology (NIST) has published a detailed Guide to Ipsec VPNs which is worth reading if you are seriously considering implementing an IPsec-based VPN.
Multiprotocol Label Switching (MPLS)
Up to the early 2000s, IPsec was the default VPN service provider protocol offered to businesses by telecoms and ISPs. But since then MPLS has started to become more popular. MPLS is often described as fitting between OSI Layers 2 and 3. This is because MPLS understands both IP routing at Layer 3 as well as Layer 2 packet-switching functionality. MPLS, as the “Multiprotocol” name implies, can carry packets from a diverse range of different network protocols. MPLS is now offered by many service provider networks, as well as being deployed for their own Internet backbones.
MPLS forwards packets at Layer 2 (the switching layer). The need for IP routing at this stage is avoided because each packet is labeled on entry into the service provider’s network by the incoming or “ingress” Label Edge Router or LER. All the subsequent MPLS participating Label Switching Routers (LSRs) perform packet forwarding according to these labels only, without any reference to the address in the IP header.
Finally, the outgoing or “egress” LER router removes the MPLS label and forwards the IP packet on to its final destination. MPLS VPNs are sometimes referred to by service providers as a Virtual Private LAN Service (VPLS) or Virtual Private Routed Network (VPRN). MPLS offers a number of advantages over IPsec.
First, rather than relying on a series of router table lookups along the way for each packet, MPLS uses its own predetermined paths called Label-Switched Paths to select the optimum route in advance for all the packets. This greatly speeds up data transfer.
MPLS also has excellent Quality of Service (QoS) capability. MPLS supports the definition of multiple service levels by using its own Label Switching Protocol (LSP) routes to meet specific service level agreements based on traffic characteristics, latency, packet loss, and downtime issues. For example, a network could define three service levels – one for VOIP traffic, one for time-sensitive traffic, and another for standard data traffic. The EETimes has published an in-depth article on the implementation of MPLS-based PPVPN solutions.
So Which Protocol Is Best for a PPVPN?
IPsec tends to be favored by small businesses for VPNs at OSI layer 3 and in particular for remote access hosts. In these cases, either IPsec with L2TP or IPsec with GRE will be the preferred protocols. PPTP has the advantage of being easy to implement as it’s available as a built-in with MS-Windows and many other systems.
However, because of the security drawbacks, using PPTP is not advisable for a secure VPN. Bear in mind IPsec and GRE do not support QoS functionality by themselves. IPSec is less frequently encountered among medium and large-scale enterprises because of the complexity of their network connectivity requirements.
For mobile users and remote access logins MPLS is not an option. MPLS stops at the “customer edge” or CE device (usually a router). MPLS is best suited for deployment for site-to-site VPNs between the router edges of network sites and for larger enterprises, and particularly for networks with higher traffic volumes and traffic of different types which benefit from QoS segregation. If you’re looking for a suitable MPLS VPN provider, check out the List of UK and Global MPLS VPN Commercial Service Providers maintained by The Network Union.