Abstract

This chapter begins with some motivational discussion on why enterprises use the Internet to improve productivity, generate new revenues, and be more competitive. We highlight some important security considerations that render the basic public Internet unacceptable for conducting sensitive transactions, such as e‐commerce. Our discussion then summarizes the technologies, namely connection‐oriented label switching and separate connectionless forwarding tables, that are used to partition a shared public network into multiple virtual private networks (VPNs). The chapter then presents a taxonomy of the types of VPNs being standardized in the Internet Engineering Task Force (IETF), differentiated primarily by whether the VPN functionality is implemented on the customer‐edge (CE) or on the provider‐edge (PE) devices. We then summarize CE‐based VPNs either (a) overlaid on a frame relay or an asynchronous transfer mode network or (b) implemented over the Internet using the IP security (IPsec) standards. The text then describes the principal PE‐based approaches, which involve either (a) a separate routing instance for each VPN or (b) a shared, aggregated routing instance for all VPNs that logically maintains separation through configuration. Finally, the chapter concludes with a discussion about design considerations for use of VPNs and an example of an extranet VPN deployment using the CE‐based IPsec approach.
