VPN

Posted on Apr 16, 2024 by
What Is a VPN?

A virtual private network (VPN) is a secured communication network created over a public network by an Internet or network service provider. It fulfills the needs of businesses for network flexibility, security, cost efficiency, scalability, and other essential features.

The Background of a VPN

The utilization of IT technologies in modern enterprise operations is increasing rapidly. Enterprises employ these technologies in areas such as enterprise resource planning, voice over IP (VoIP), video conferencing, and remote training. Through the adoption of IT solutions, businesses can streamline office tasks and improve the efficiency of information access. With the continual evolution of the Internet economy, enterprises are expanding across multiple locations, partnering with a growing number of collaborators, and seeking greater office flexibility. Consequently, these enterprises need enterprise networks that connect headquarters and branches through carrier networks, so that employees can access them seamlessly even outside office premises.

Initially, telecom carriers relied on leased lines to offer Layer 2 connections to enterprises. However, leased lines present several challenges:

  • Lengthy construction periods

  • High costs

  • Complex management requirements

After the emergence of asynchronous transfer mode (ATM) and frame relay (FR) technologies, telecom carriers began using virtual circuits (VCs) to provide point-to-point (P2P) Layer 2 connections for clients. This allowed clients to establish Layer 3 networks and transmit IP and other data over the P2P Layer 2 connections. Compared with leased lines, VCs are more cost-effective and can be established in a shorter period of time. Moreover, VCs allow users from different private networks to share the same carrier network.

The drawbacks of such traditional private networks are as follows:

  • VCs rely on media such as ATM or FR, which means that carriers need to build ATM or FR networks covering all service areas in order to offer VPN services based on these technologies. This can result in significant network construction costs.

  • ATM or FR networks cannot provide the speed required by Internet applications.

  • The deployment of ATM or FR networks is a complex process. When a new site is added to an existing ATM or FR network, the configurations of all edge nodes that connect to the site need to be modified.

While traditional private networks can help boost enterprise profits, they often fall short in terms of flexibility, security, economy, and scalability. To address these issues, VPNs — simulated private networks carried over IP networks — have been introduced as a substitute for traditional private networks.

VPNs are virtual private communication channels established over public networks by Internet service providers (ISPs) or network service providers (NSPs).

The Characteristics of a VPN

A Virtual Private Network (VPN) possesses two fundamental characteristics:

  1. Privacy: VPNs offer a secure and private network environment similar to that of a traditional private network. This ensures that VPN resources are isolated from the underlying transport network resources. Consequently, only authorized VPN users have exclusive access to these resources, guaranteeing the security of the VPN and safeguarding internal information from external threats.

  2. Virtuality: Users connected to a VPN communicate with each other over a shared public network that is accessible to non-VPN users as well. Essentially, a VPN is a private network overlaid on a public one; the public network beneath it is known as the VPN backbone network.

By capitalizing on these characteristics, an IP network can be segmented into multiple logically separated networks, offering a versatile solution for various scenarios. For instance, VPNs can facilitate connectivity within an enterprise by linking different departments, or they can be tailored to deliver specialized services like IP telephony VPNs. This flexibility addresses challenges such as IP address scarcity, quality of service (QoS) assurance, and the introduction of innovative value-added services.

Why Do We Need a VPN?

Compared to traditional private networks, VPNs provide users with a range of advantages:

  • Improved Security: VPNs establish secure connections between headquarters and remote workers, branches, partners, or suppliers, ensuring confidentiality. This is especially critical for e-commerce and integrating financial networks with communication networks.

  • Enhanced Cost Efficiency: By utilizing the public network for data transmission, VPNs enable businesses to connect with remote offices, workers, and partners at a reduced cost.

  • Support for Mobile Services: VPN users have the flexibility to access the network anytime and anywhere, catering to the increasing demand for mobile services.

  • QoS Assurance: A QoS-capable VPN like Multiprotocol Label Switching (MPLS) VPN can offer varying levels of QoS guarantee.

For carriers, VPNs offer the following benefits:

  • Improved Operations: VPNs can optimize network resource utilization, leading to increased profits for ISPs.

  • Adaptable Configuration: Carriers can easily add or remove VPN users through software configuration without requiring hardware modifications.

  • Support for Multiple Services: Service Providers (SPs) can extend beyond basic VPN interconnection services to offer advanced solutions such as network outsourcing, service outsourcing, and customized services.

VPN technology allows enterprises to concentrate less on network operations and maintenance and more on achieving their business objectives. This aspect has significantly boosted the popularity of VPNs among companies. By leveraging a single network for various services like best-effort IP forwarding, VPN, traffic engineering, and differentiated services (DiffServ), carriers can reduce network construction, maintenance, and operational costs.

In essence, VPNs are known for their security, reliability, ease of management, and scalability. Users can access VPN services from anywhere with an Internet connection.

How Does a VPN Work?

Fundamentals

VPNs are built upon the concept of tunneling, utilizing a variety of tunneling technologies to encapsulate VPN packets. This allows for the seamless transmission of these packets over dedicated data transmission channels within the VPN backbone network.

VPN technology is considerably more complex than P2P tunneling, because it must provide network connectivity among many users. This encompasses network topology planning, route calculation, and the management of users joining and leaving the VPN. The VPN architecture consists of the following key components:

  1. VPN Tunnel: Encompassing both the establishment and management of tunnels.

  2. VPN Management: Involving the automatic configuration of VPNs and the management of VPN configurations, members, and attributes. Automatic VPN configuration establishes a one-to-one relationship between VPN internal links in an L2VPN upon receiving information regarding peer links. VPN attribute management oversees the differentiation of VPN address spaces by managing attributes of multiple VPNs on Provider Edge (PE) devices.

  3. VPN Signaling Protocol: Facilitates the exchange and sharing of VPN resources among Customer Edge (CE) devices within a VPN. This protocol is responsible for information exchange related to data links in L2VPNs, routing information in L3VPNs, and single data link details in VPDNs. In certain scenarios, the signaling protocol is also utilized for VPN member discovery.

Implementation Modes

Different modes can be utilized for implementing a VPN:

  1. VPN Tunnel + VPN Management: This mode includes the establishment of a VPN tunnel and the management of the VPN. It involves deploying policies related to VPN management, accounting, and Quality of Service (QoS). Common implementations using this mode are traditional IP VPNs like IPsec VPNs and GRE VPNs.

  2. Tunneling + VPN Management + VPN Signaling Protocol: In this mode, the VPN architecture encompasses the establishment of a VPN tunnel, VPN management involving automatic configuration and management of VPN configurations, members, and attributes, as well as a VPN signaling protocol for exchanging and sharing VPN resources between Customer Edge (CE) devices on a VPN. VPNs such as Martini VLL, PWE3, Martini VPLS, and VPDN follow this implementation mode.

  3. Instantiation: Instantiation mode involves instantiating all VPNs at both Layer 2 and Layer 3, creating instances of private forwarding information for them. Along with tunnel management, an instantiated VPN also entails member discovery, member management, and automatic configuration. VPNs utilizing this mode include traditional L3VPNs, EVPN L2VPNs, EVPN L3VPNs, and Kompella L2VPNs (including Kompella VPLS and Kompella VLL).

Process of Work

The fundamental operation process of a VPN is as follows:

  1. CE1 sends a user packet to PE1.

  2. Depending on the policy defined by the network administrator, PE1 forwards the packet either in encrypted form or as is. If encryption is required, PE1 encrypts the complete data packet (including its source and destination IP addresses), adds a digital signature, and encapsulates it in a new header carrying the tunnel label and security details. If encryption is not required, PE1 simply encapsulates the packet in a new header carrying the tunnel label.

  3. PE1 forwards the encapsulated packet to the remote device PE2 through the public network tunnel.

  4. On receipt, PE2 checks the packet's destination IP address. If the packet is destined for PE2 itself, PE2 de-encapsulates it. For an encrypted packet, PE2 validates the digital signature, decrypts the packet, and forwards it to CE2. For an unencrypted packet, PE2 forwards it directly to CE2.
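The PE1/PE2 exchange above, as an added example that is not part of the original article: a constructed Go model of the encrypted path in which AES-GCM (an AEAD, so its authentication tag plays the role of the signature and is verified before any plaintext is released) protects the whole inner packet, and a constructed tunnel header of tunnel label plus destination PE address is bound into that tag. The key, addresses, packet contents and header layout are assumptions for illustration, not a real wire format; the example narrows to the encrypted case and omits the unencrypted path.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"net"
)

// TunnelPacket: constructed model of the new outer header (tunnel label, PE address) around the inner packet.
type TunnelPacket struct {
	Dst   net.IP // destination PE on the VPN backbone
	Label uint32 // tunnel label identifying the VPN
	Nonce []byte // per-packet AES-GCM nonce
	Body  []byte // whole inner packet (IP header included) as AES-GCM ciphertext plus tag
}
// aad feeds the outer header into the GCM tag, so a modified label or address is rejected too.
func (p TunnelPacket) aad() []byte {
	return append(binary.BigEndian.AppendUint32(nil, p.Label), p.Dst.To16()...)
}

// NewTunnelAEAD derives the per-tunnel cipher from the key both PEs share (16, 24 or 32 bytes).
func NewTunnelAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encapsulate models PE1: encrypt and sign the whole inner packet, then add the outer header.
func Encapsulate(aead cipher.AEAD, dst net.IP, label uint32, inner []byte) (TunnelPacket, error) {
	p := TunnelPacket{Dst: dst, Label: label, Nonce: make([]byte, aead.NonceSize())}
	if _, err := rand.Read(p.Nonce); err != nil {
		return TunnelPacket{}, err
	}
	p.Body = aead.Seal(nil, p.Nonce, inner, p.aad())
	return p, nil
}

// Decapsulate models PE2: accept only packets addressed to itself, verify the tag before releasing any plaintext, then return the inner packet for CE2.
func Decapsulate(aead cipher.AEAD, self net.IP, p TunnelPacket) ([]byte, error) {
	if !p.Dst.Equal(self) {
		return nil, errors.New("packet not addressed to this PE")
	}
	return aead.Open(nil, p.Nonce, p.Body, p.aad()) // fails closed on any tampering
}
```

A flipped ciphertext byte or a rewritten tunnel label makes Open fail, so PE2 never forwards a corrupted or redirected packet to CE2.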
