[VPN] Service Provider based IPSec VPN services

Chris Carlson carlsonmail at yahoo.com
Wed Sep 4 11:41:44 EDT 2002


Hi Siddhartha,

All good questions!  I ran the security products group
at a number of ISPs (as well as security consulting
for enterprises) so I can help you here.


> 1. Can I provide the service over the same link on
> which I am providing internet services to the
> customer?

Yes, you can depending on what vendor's VPN equipment
you use.  Most VPN devices support "split-tunneling"
which means that they can encrypt data that is
destined for other locations on the VPN, but allow
unencrypted traffic to the general Internet.

While some consider split-tunnelling to be a security
threat (attackers from the Internet might infect
internal machines and "ride" the VPN back to the
headquarters or other locations), there is often a
networking/business driver that forces
split-tunneling: all traffic destined for the Internet
doesn't have to be backhauled through the VPN to the
HQ location to go out to the Internet, which relieves
congestion on the HQ's links.


> 2. I am aiming at installing no specialized VPN
> equipment at the client location.

Good thought, since it's often difficult to maintain
equipment at customer locations that you don't
directly control.  Plus it gets really expensive to
roll out a dedicated VPN device for each customer. 
BUT, this creates a new set of issues, i.e. how do you
effectively do network-based VPNs with some of the
issues you highlight below.

Also, be aware that most every Internet connection
requires a router (to terminate the T-1/E-1, DSL,
Frame, etc.) and most routers nowadays have some type
of IPSec-VPN software available.  So it is possible to
offer a managed CPE-based VPN with an extra VPN
device, just manage the VPN configurations on the
customer router!


> 3. The IP addressing of the client network is
> obviously not under my control.

Correct.  With not many public IP addresses available,
this means the the customer will be doing NAT at their
border router.  And oftentimes, either the VPN devices
is also doing NAT or the VPN devices is inside the NAT
device.

And it's very difficult to terminate VPN sessions
outside the NAT device because then you have to create
a whole set of NAT mappings to access internal
resources, a huge pain I urge you to NOT undertake!

If you wish to support IPSec VPNs in the service
provider network, you need to do IPSec and NAT
services on the same device, and there's only few
system that can do this with multiple customers on one
device: CoSine, Lucent Spring Tide, Nortel Shasta,
NetScreen has a virtual router option, but these guys
are very expensive.  And it's very expensive to put
dedicated VPN devices in your POP just to do
network-based IPSec VPNs.

Which leads us to...


> Do you think, given these constraints, I can deploy
> IPSec VPN? Or do you think in such a case, MPLS is
> the best solution?

Ta-da!  Most service providers are looking at MPLS to
do network-based (unencrypted) VPNs.  No specialized
equipment is necessary at the customer premise, their
existing network infrastructure can support MPLS-VPNs
usually with a code update, the MPLS implemenetation
of most vendors (notably Cisco VRF and Redback
contexts) supports overlapping private IP address
spaces and can do NAT.  The Cisco VRF feature can even
map a Layer 2 VRF to an IPSec tunnel.


If you have more detailed information on what you're
trying to do, I can be more specific.

Also, I'm available for consulting, too, with
reasonable rates!  :-)

Good luck to you!

Chris


> TIA,
> 
> Siddhartha
> 


__________________________________________________
Do You Yahoo!?
Yahoo! Finance - Get real-time stock quotes
http://finance.yahoo.com



More information about the VPN mailing list