ATM and VPN's (fwd)

Roelof JT Jonkman rjonkman at ITTC.UKANS.EDU
Fri Mar 10 19:56:17 EST 2000


Hello,

> ---------- Forwarded message ----------
> Date: Thu, 9 Mar 2000 14:38:18 -0800
> From: Jeffery Eric Contr 95 CS/SCBA <eric.jeffery at EDWARDS.AF.MIL>
> To: VPN at SECURITYFOCUS.COM
> Subject: ATM and VPN's
>
> Help me out: What's the point of a VPN over ATM?  If you establish a PVC
> that's the same thing, isn't it?
No. It gives you a logically separate channel over shared physical
infrastructure. It does not protect you from the following scenario: ISP blah
plugs in his optical splice, runs it into OC3MON, and sniffs whatever he
pleases. If it were encrypted you couldn't care less if ISP blah did this.

> My understanding is that VPNs came about due to the insecurity of IP; ATM
Plain Old IP doesn't have any form of authentication, and neither does ATM; the
only advantage of ATM is that because of its hierarchical nature and
connection-oriented nature it is substantially harder to spoof and hijack. Since
IP is a connectionless (datagram) protocol it suffers from these types of attacks.
I don't dare to hold my breath on how many holes can be shot in the signalling
code (Switched Virtual Circuits). As long as you're doing PVCs you're probably
quite safe. But ATM does not have the address range to maintain backbone PVCs,
so invariably you will have to deal with SVCs in large-scale deployments.
Besides, do you want to administrate the beast of PVC tables on a multi-switch,
multi-domain network? (Been there, done that.)

> doesn't have these weaknesses so again, what's the point of a VPN over ATM?
Hmm, well, in order to use ATM you have to run IP over it, and unless you're
doing CLIP (Classical IP) you've gained very little security-wise. (If you're
doing MPOA and LANE, they both intermingle higher and lower layers in the
ATM signalling code in order to create and tear down SVCs, in which case
common IP techniques rear their ugly head again.)
ATM is more secure for a few reasons: because of its switching nature, because
of its hierarchical nature, and because of its relative obscurity and
complexity, people haven't hacked it yet. It is feasible to spoof ATM UNI
signalling though, and the address registration (ILMI) is hackable too....

> I can see a VPN through an IP LAN that connects to an ATM WAN and then back
> to an IP LAN; however, that's different than creating a VPN over ATM.
Hmmm, ATM has more or less been demoted to a lower-layer protocol than IP,
therefore it essentially buys you some safety at the IP layer, since the lower
layer can provide a few safeguards; however, that's it. So IP VPN != ATM VPN.

(Besides, there is the obnoxious VPN terminology mess: VPN means encrypted,
authenticated communication; however, some of the telcos advertise that they
have VPNs when they really mean to say you have a logically separate channel,
aka a PVC.)

Hope the info helps a little; sort of loose answers to loose questions.

roel

VPN is sponsored by SecurityFocus.COM