From a security standpoint, Layer 2 tunneling
protocols are insufficient to be VPN solutions on their own. None of these
protocols provide the data encryption, authentication or integrity functions
that are critical to maintaining VPN privacy.
The L2TP specification disclaims any data security functions and refers
IP data security to IPSec, but no serious security provisions or references
are made for the other Layer 2 protocols. In addition, none of these protocols
provide a mechanism for key management, which limits their scalability.
PPTP and L2F are vendor-specific, proprietary protocols, so interoperability
is limited to products from supporting vendors.
In contrast, L2TP is a multivendor effort, so interoperability is less
of a problem. It's important to note that when tunneling protocols other
than IP, users will have to rely on vendor-specific data security features.
On the upside, PPTP, L2F and L2TP can transport multiple protocols.
They also function both in LAN-to-LAN and dial-up-to-LAN tunneling modes,
allowing them to cover the applications most desired for VPN.
IP only
The goal of the IPSec protocol suite is to provide secure tunneled transport
of IP data only. Essentially, it takes private IP packets, performs data
security functions such as encryption, authentication and integrity, then
wraps these secured packets in other IP packets for transport across the
Net. Key management functions also will be a part of the IPSec protocol
suite.
The IETF has issued five Requests for Comments: RFC 1825 through 1829.
An interesting note is that if IPv6 succeeds in replacing IPv4, IPSec will
be the automatic Internet VPN standard since it is integrated into the
IPv6 specifications.
Like the Layer 2 VPN protocols, IPSec works as a LAN-to-LAN and dial-up-to-LAN
solution. It is designed to support multiple encryption protocols, a feature
that allows users to choose a desired amount of data privacy. Obviously,
IPSec will only be of value to companies that want to tunnel IP exclusively
since it doesn't support other data protocols.
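The contrast drawn above, a Layer 2 style tunnel that only wraps the inner packet in an outer IP header versus an IPSec style tunnel that encrypts, authenticates and then wraps it, can be seen in a toy model. The following is an added example, not code from the article or from any IPSec implementation. It assumes a constructed inner IPv4 packet, and it stands in an HMAC-SHA256 keystream for a real IPSec encryption transform (a placeholder chosen only so the script runs with the Python standard library); the SPI and sequence number fields are modelled on ESP, with a simple "higher than the last accepted" replay check.

```python
"""Toy tunnel-mode encapsulation: a bare tunnel (outer IP header only)
next to an ESP style tunnel that encrypts, authenticates and sequence
checks the inner packet before wrapping it.  Constructed example; the
'cipher' is an HMAC-SHA256 keystream standing in for a real IPsec
transform, so it is for illustration only."""
import hashlib
import hmac
import ipaddress
import os
import struct

ESP_PROTO = 50  # IP protocol number of ESP, outer header of an IPsec tunnel
GRE_PROTO = 47  # IP protocol number of GRE, the carrier PPTP uses


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:  # fold carries (one's complement addition)
        total = (total & 0xFFFF) + (total >> 16)
    csum = (~total) & 0xFFFF
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def plain_tunnel_encap(outer_src: str, outer_dst: str, inner: bytes) -> bytes:
    """Layer 2 style tunnel: inner packet carried as-is, nothing protected."""
    return ipv4_header(outer_src, outer_dst, GRE_PROTO, len(inner)) + inner


def plain_tunnel_decap(packet: bytes) -> bytes:
    """No integrity field exists, so any in-transit change goes unnoticed."""
    return packet[20:]


class SecurityAssociation:
    """State shared by both tunnel ends (in IPsec, set up by key management)."""

    def __init__(self, spi: int, enc_key: bytes, auth_key: bytes):
        self.spi, self.enc_key, self.auth_key = spi, enc_key, auth_key
        self.seq_out = 0   # last sequence number sent
        self.seq_seen = 0  # highest sequence number accepted on receipt


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Toy PRF keystream (placeholder for a real encryption transform)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, iv + struct.pack("!I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def esp_tunnel_encap(sa: SecurityAssociation, outer_src: str, outer_dst: str,
                     inner: bytes) -> bytes:
    """Encrypt the whole inner packet, authenticate SPI+seq+IV+ciphertext,
    then wrap the result in a fresh outer IP header (tunnel mode)."""
    sa.seq_out += 1
    iv = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(inner, _keystream(sa.enc_key, iv, len(inner))))
    body = struct.pack("!II", sa.spi, sa.seq_out) + iv + ct
    icv = hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:16]
    esp = body + icv
    return ipv4_header(outer_src, outer_dst, ESP_PROTO, len(esp)) + esp


def esp_tunnel_decap(sa: SecurityAssociation, packet: bytes) -> bytes:
    """Verify integrity first, then replay, then decrypt; reject on any failure."""
    esp = packet[20:]
    body, icv = esp[:-16], esp[-16:]
    expected = hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("integrity check failed: packet altered or forged")
    spi, seq = struct.unpack("!II", body[:8])
    if spi != sa.spi:
        raise ValueError("unknown SPI")
    if seq <= sa.seq_seen:
        raise ValueError("replayed or out-of-order sequence number")
    sa.seq_seen = seq
    iv, ct = body[8:24], body[24:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(sa.enc_key, iv, len(ct))))


def demo() -> dict:
    """Constructed walk-through: one altered bit in transit on each tunnel."""
    inner = ipv4_header("10.1.1.5", "10.2.2.9", 17, 12) + b"hello, VPN!!"
    plain = plain_tunnel_encap("198.51.100.1", "203.0.113.7", inner)
    plain_altered = plain[:-1] + bytes([plain[-1] ^ 0x01])
    silently_accepted = plain_tunnel_decap(plain_altered) != inner
    sa = SecurityAssociation(0x1000, os.urandom(32), os.urandom(32))
    esp = esp_tunnel_encap(sa, "198.51.100.1", "203.0.113.7", inner)
    esp_altered = esp[:-1] + bytes([esp[-1] ^ 0x01])
    try:
        esp_tunnel_decap(sa, esp_altered)
        rejected = False
    except ValueError:
        rejected = True
    return {"plain_tunnel_delivered_altered_packet": silently_accepted,
            "esp_tunnel_rejected_altered_packet": rejected,
            "esp_tunnel_round_trip_ok": esp_tunnel_decap(sa, esp) == inner}


if __name__ == "__main__":
    print(demo())
```

The point the code makes is the one the article makes: the plain tunnel is purely an encapsulation, so the receiver has no way to tell that the inner packet was changed, while the ESP style tunnel detects the change, drops replays of an earlier packet and keeps the inner addresses and payload hidden inside the outer packet. A real IPSec deployment also needs the key management the article mentions to establish the SecurityAssociation keys, which this toy simply generates locally.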
Henthorn is senior technical product manager at Lucent's InterNetworking Systems in Pleasanton, Calif. He can be reached by
phone at (925) 737-2156 or via the Internet at alex@livingston.com.