What is a VPN?

Paul Ferguson
ferguson@cisco.com

Geoff Huston
gih@telstra.net

April 1998
Revision 1

(Filed as Exhibit SAMSUNG 1072, SAMSUNG v. SMART MOBILE, IPR2022-01004)
Abstract — The term "VPN," or Virtual Private Network, has become almost as recklessly used in the networking industry as has
"QoS" (Quality of Service), to describe a broad set of problems and "solutions" when the objectives themselves have not been
properly articulated. This confusion has resulted in a situation where the popular trade press, industry pundits, and vendors and
consumers of networking technologies alike generally use the term "VPN" as an offhand reference for a set of different
technologies. This paper attempts to provide a common sense definition of a VPN, and an overview of different approaches to
building them.
`
Table of Contents

1. A Common Sense Definition of Virtual Private Networks
2. VPN Motivations
3. Types of VPN's
4. Non-IP VPN's
5. Quality of Service Considerations
6. Conclusions
Acknowledgments
References
`
"The wonderful thing about virtual private networks is that its myriad
definitions give every company a fair chance to claim that its existing
product is actually a VPN. But no matter what definition you choose, the
networking buzz-phrase doesn't make sense. The idea is to create a private
network via tunneling and/or encryption over the public Internet. Sure,
it's a lot cheaper than using your own frame relay connections, but it
works about as well as sticking cotton in your ears in Times Square and
pretending nobody else is around." [1]
`
1. A Common Sense Definition of Virtual Private Networks

As Wired Magazine notes in the quotation above, the myriad definitions of a Virtual Private Network (VPN) are less than helpful in this
environment. Accordingly, it makes sense to begin this examination of VPN's by seeing if it is possible to provide a common sense
definition of a VPN. Perhaps the simplest method of arriving at a simple definition of VPN's is to look at each word in the acronym
individually, and then tie each of them together in a simple, common sense, and meaningful fashion.
`
Let's start by examining the word "network." This is perhaps the least difficult term for us to define and understand, since the commonly
accepted definition is fairly uncontroversial and generally accepted throughout the industry. A network consists of any number of devices
which can communicate through some arbitrary method. Devices of this nature include computers, printers, routers, and so forth, and
may reside in geographically diverse locations. The methods by which they may communicate are numerous, since there are countless
electronic signaling specifications, and data-link, transport, and application layer protocols. For the purposes of simplicity, let's just agree
that a "network" is a collection of devices that can communicate in some fashion, and can successfully transmit and receive data
amongst themselves.
`
The term "private" is fairly straightforward, and is intricately related to the concept of "virtualization" insofar as VPN's are concerned, as
we'll discuss in a moment. In the simplest of definitions, "private" means that communication between two (or more) devices is, in some
fashion, secret: the devices which are not participating in the "private" communication are not privy to the communicated
content, and are indeed completely unaware of the private relationship altogether. Accordingly, data privacy and security (data
integrity) are also important aspects of a VPN which need to be taken into consideration when evaluating any particular VPN
implementation.
`
Another means of expressing this definition of "private" is through its antonym, "public." A "public" facility is one which is openly
accessible, and is managed within the terms and constraints of a common public resource, often by a public administrative entity. By
contrast, a "private" facility is one where access is restricted to a defined set of entities, and third parties cannot gain access. Typically,
the private resource is managed by the entities who have exclusive right of access. Examples of this type of private network can be
found in any organizational network which is not connected to the Internet, or to any other external organizational network, for that matter.
These networks are private due to the fact that there is no external connectivity, and thus no external network communications.
`
Another important aspect of "privacy" in a VPN is its technical definition, which describes the privacy of the addressing and routing
system: the addressing used within a VPN community of interest is separate and discrete from that of the underlying shared
network, and from that of other VPN communities. The same holds true for the routing system used within the VPN and that of the
underlying shared network. The routing and addressing scheme within a VPN should, for all intents and purposes, be self-contained, but
this degenerates into a philosophical discussion on the context of the term "VPN." It is also worthwhile to examine the differences
between the "peer" and "overlay" models of constructing VPN's, both of which are discussed in more detail in Section 3.1, "Network
Layer VPN's."
`
'Virtual' is a concept that is slightly more complicated. The New Hacker's Dictionary (formerly known as the Jargon File) [2] defines
virtual as:

    virtual /adj./ [via the technical term "virtual memory", prob. from the term "virtual image" in optics] 1. Common alternative to
    {logical}; often used to refer to the artificial objects (like addressable virtual memory larger than physical memory) simulated by
    a computer system as a convenient way to manage access to shared resources. 2. Simulated; performing the functions of
    something that isn't really there. An imaginative child's doll may be a virtual playmate. Oppose {real}.
`
Insofar as VPN's are concerned, definition 2 above is perhaps the most appropriate comparison for virtual networks. The
"virtualization" aspect is similar to what we briefly described above as "private"; however, the scenario is slightly modified: the
private communication is now conducted across a network infrastructure that is shared by more than a single organization. Thus, the
private resource is actually constructed on the foundation of a logical partitioning of some underlying common shared resource,
rather than on a foundation of discrete and dedicated physical circuits and communications services. Accordingly, the "private"
network has no corresponding "private" physical communications system. Instead, the "private" network is a virtual creation which has
no physical counterpart. The communication between two (or more) devices is virtual in the sense that the devices which are not
participating in it are not privy to the content of the data, and are altogether unaware of the
private relationship between the virtual peers. The shared network infrastructure could, for example, be the global Internet, and the
number of organizations or other users not participating in the virtual network may literally number into the thousands, hundreds of
thousands, or millions.
`
A VPN can also be said to be a discrete network [3]:

    discrete \dis*crete"\, a. [L. discretus, p. p. of discernere. See Discreet.] 1. Separate; distinct; disjunct.

The discrete nature of VPN's allows both privacy and virtualization. While VPN's are not completely separate, per se, the distinction is that
they operate in a discrete fashion across a shared infrastructure, providing exclusive communications environments which do not share
any points of interconnection.
`
The combination of these terms produces VPN: a private network where the privacy is introduced by some method of virtualization.
A VPN could be built between two end-systems or between two organizations, between several end-systems within a single organization
or between multiple organizations across the global Internet, between individual applications, or any combination of the above.
`
As an aside, it should be noted that there is really no such thing as a non-virtual network, when considering the underlying common public
transmission systems and other similar public infrastructure components as the base level of carriage of the network. What separates a VPN
from a truly "private" network is whether the data transits a shared versus a non-shared infrastructure. For instance, an organization could
lease private line circuits from various telecommunications providers and build a private network on the base of these private circuit leases;
however, the circuit switched network owned and operated by the telecommunications companies actually consists of circuits connected to their
DACS (Digital Access Cross-Connect Systems) network and subsequently their fiber optic infrastructure, and this infrastructure is shared by
any number of organizations through the use of multiplexing technologies. Unless an organization is actually deploying private fiber and
layered transmission systems, any network is layered with "virtualized" connectivity services in this fashion.
`
A VPN doesn't necessarily mean communications isolation, but rather the controlled segmentation of communications for communities of
interest across a shared infrastructure.
`
The common and somewhat formal characterization of the VPN, and perhaps the most straightforward and strict definition, is:

    A VPN is a communications environment in which access is controlled to permit peer connections
    only within a defined community of interest, and is constructed through some form of partitioning of a
    common underlying communications medium, where this underlying communications medium
    provides services to the network on a non-exclusive basis.
`
A simpler, more approximate, and much less formal description is:

    A VPN is a private network constructed within a public network infrastructure, such as the global
    Internet.
`
It should also be noted that while VPN's may be constructed to address any number of specific business needs or technical requirements,
a comprehensive VPN solution provides support for dial-in access, multiple remote sites connected by leased lines (or other dedicated
means), the ability of the VPN service provider to "host" various services for the VPN customers (e.g., web hosting), and the ability to
support not just intra-, but also inter-VPN connectivity, including connectivity to the global Internet.
`
2. VPN Motivations
`
There are several motivations for building VPN's, but a common thread in each is that they all share the requirement to "virtualize" some
portion of an organization's communications; in other words, to make some portion (or perhaps all) of the communications essentially
"invisible" to external observers, while taking advantage of the efficiencies of a common communications infrastructure.
`
The base motivation for VPN's lies in the economics of communications. Communications systems today typically exhibit the
characteristic of a high fixed-cost component, and smaller variable cost components which vary with the transport capacity, or bandwidth,
of the system. Within this economic environment, it is generally financially attractive to bundle a number of discrete communications
services onto a common high capacity communications platform, allowing the high fixed-cost components associated with the platform to
be amortized over a larger number of clients. Accordingly, a collection of virtual networks implemented on a single common physical
communications plant is cheaper to operate than the equivalent collection of smaller physically discrete communications plants, each
servicing a single network client.
`
So, if aggregation of communications requirements leads to a more cost-effective communications infrastructure, why not pool all these
services into a single public communications system? Why is there still the requirement to undertake some form of partitioning within
this common system that results in these "virtual private" networks?
`
In response to this, the second motivation for VPN's is that of communications privacy, where the characteristics and integrity of
communications services within one closed environment are isolated from all other environments which share the common underlying
plant. The level of privacy depends greatly on the risk assessment performed by the subscriber organization: if the requirement for
privacy is low, then the simple abstraction of discretion and network obscurity may serve the purpose. However, if the requirement for
privacy is high, then there is a corresponding requirement for strong security of access, and potentially strong security applied to data
passed over the common network.
`
This paper can't do justice to the concept of VPN's without some historical perspective, so we need to take a quick look at why VPN's are
an evolving paradigm, and why they will continue to be an issue of confusion, contention, and disagreement. This is important, since you
will indeed discover that opinions on VPN solutions are quite varied, and everyone seems to be deeply religious about how they should be
approached.
`
Historically, one of the precursors to the VPN was the Public Data Network (PDN), and the current familiar instance of the PDN is the
global Internet. The Internet creates a ubiquitous connectivity paradigm, where the network permits any connected network entity to
exchange data with any other connected entity. The parallels with the global Public Switched Telephone Network (PSTN) are, of course,
all too obvious, where a similar paradigm of ubiquitous public access is the predominant characteristic of the network.
`
The public data network has no inherent policy of traffic segregation, and any modification to this network policy of permitting ubiquitous
connectivity is the responsibility of the connecting entity to define and enforce. The network environment is constructed using a single
addressing scheme and a common routing hierarchy, which allows the switching elements of the network to determine the location of all
connected entities. All of these connected entities also share access to a common infrastructure of circuits and switching.
`
However, the model of ubiquity in the "Internet PDN" does not match all potential requirements, especially the need for data privacy. For
organizations who wish to use this public network for private purposes within a closed set of participants (for example, connecting a set of
geographically separated offices), the Internet is not always a palatable possibility. There are a number of factors behind this mismatch,
including issues of quality of service (QoS), availability and reliability, use of public addressing schemes, use of public protocols, site
security, and data privacy and integrity (the possibility of traffic interception). Additionally, a corporate network application may desire more
stringent levels of performance management than are available within the public Internet, or indeed may wish to define a management
regime which differs from that of the underlying Internet PDN.
`
It is worthwhile at this point to briefly examine the importance of Service Level Agreements (SLA's) in regard to the deployment of
VPN's. SLA's are negotiated contracts between VPN providers and their subscribers, which contain the service criteria to which the
subscriber expects specific services to be delivered. The SLA is arguably the only binding tool at the subscriber's disposal with which to
ensure that the VPN provider delivers the service(s) to the level and quality as agreed, and it is in the best interest of the subscribers to
monitor the criteria outlined in the SLA for compliance. However, Service Level Agreements present some challenging technical issues
both for the provider and the subscriber. For the subscriber, the challenge is to devise and operate service measurement tools which can
provide a reasonable indication as to what extent the SLA is being honored by the provider. Also, it should be noted that a subscriber
may use an SLA to bind one or more providers to a contractual service level, but if the subscriber's VPN spans multiple providers'
domains, the SLA must also encompass the issue of provider interconnection and the end-to-end service performance. For the provider,
the challenge lies in honoring multiple SLA's from a number of subscribers. In the case of an Internet PDN provider, the common
mode of best effort service levels is not conducive to meeting SLA's, given the unpredictable nature of the host's resource allocation
mechanisms. In such environments, the provider either has to ensure that the network is very generously engineered in terms of the ratio
of subscriber access capacity to internal switching capacity, or the provider can deploy service differentiation structures to ensure that
minimum resource levels are allocated to each SLA subscriber. It must be noted that the former course of action does tend to reduce the
benefit of aggregation of traffic, which in turn has an ultimate cost implication, while the latter course of action has
implications in terms of operational management complexity and scalability of the network.
`
The alternative to using the Internet as a VPN today is to lease circuits, or similar dedicated communications services, from the public
network operators (the local telephone company in most cases), and create a completely private network. It is a layering convention
which allows us to label this as "completely private," as these dedicated communications services are (at the lower layers of the protocol
stack) again instances of virtual private communications systems constructed atop a common transmission bearer system. Of course,
this is not without precedent, and it must be noted that the majority of the early efforts in data networking, and many of the current data
networking architectures, do not assume a deployment model of ubiquitous public access.
`
As an aside, it should be noted that this is quite odd, when you consider that the inherent value of an architecture of ubiquitous public
access over a chaotic collection of closed private networks had been conclusively demonstrated in the telephony marketplace since the start of
the 20th century. While the data communications industry appears to be moving at a considerable technological pace, the level of experiential
learning, and consequent level of true progress as distinct from simple motion, still leaves much to be desired!
`
Instead of a public infrastructure deployment, the deployment model used has been that of a closed (or private) network environment
where the infrastructure, addressing scheme, management, and services were dedicated to a closed set of subscribers. This model
matched that of a closed corporate environment, where the network was dedicated to serve a single corporate entity as the sole client.
This precursor to the VPN can be called the private data network, and was physically constructed using dedicated local office wiring and
dedicated leased circuits (or private virtual circuits from an underlying switching fabric such as X.25) to connect geographically diverse
sites.
`
However, this alternative does have an associated cost, in that the client now has to manage the network and all its associated elements,
invest capital in network switching infrastructure, hire trained staff, and assume complete responsibility for the provisioning and on-going
maintenance of the network service. Such a dedicated use of transport services, equipment, and staff is often difficult to justify for many
small-to-medium sized organizations, and while the functionality of a private network system is required, the expressed desire is to
reduce the cost of the service through the use of shared transport services, equipment, and management. There are a number of
scenarios which can address this need, ranging from outsourcing the management of the switching elements of the network (managed
network services), to outsourcing the capital equipment components (leased network services), to outsourcing the management,
equipment, and transport elements to a service provider altogether.
`
In the simple example illustrated in [Figure 1], Network "A" sites have established a VPN (depicted by the red lines) across the service
provider's backbone network, where Network "B" is completely unaware of its existence. Both Network "A" and Network "B" can
harmoniously coexist on the same backbone infrastructure.
`
Figure 1: Network A and Network B sites attached to a service provider backbone router; VPN A spans the Network A sites.
`
This is, in fact, the most common type of VPN: one in which there are geographically diverse subnetworks which belong to a common
administrative domain, interconnected by a shared infrastructure outside of their administrative control (such as the global Internet or a
single service provider backbone). The principal motivation in establishing a VPN of this type is that perhaps the majority of
communications between devices within the VPN community may be sensitive in nature (again, a decision on the level of privacy required
rests solely on a risk analysis performed by the administrators of the VPN), yet the total value of the communications system does not
justify the investment in a fully private communications system which uses discrete transmission elements.
`
On a related note, the level of privacy a VPN may enjoy depends greatly on the technology used to construct the VPN. For example, if
the communication between each VPN subnetwork (or between each VPN host) is securely encrypted as it transits the common
communications infrastructure, then it can be said that the privacy aspect of the VPN is relatively high.
`
In fact, the granularity of a VPN implementation can be broken down further to a single end-to-end, one-to-one connectivity scenario.
Examples of these types of one-to-one VPN's are single dial-up users establishing a VPN connection to a secure application, such as an
online banking service, or a single user establishing a secure, encrypted session between a desktop and server application, such as a
purchasing transaction conducted on the World Wide Web. This type of one-to-one VPN is becoming more and more prevalent as
secure electronic commerce applications become more mature and further deployed in the Internet.
`
It is interesting to note that the concept of virtualization in networking has also been considered in regard to deploying both research and
production services on a common infrastructure. The challenge in the research and education community is one where there is a need to
satisfy both network research and production requirements. VPN's have also been considered as a method to segregate traffic in a
network such that research and production traffic behave as "ships in the night," oblivious to one another's existence, to the point that
major events (e.g., major failures, instability) within one community of interest are completely transparent to the other. This concept is
further documented in MORPHnet [4].
`
It should also be noted that VPN's may be constructed to span more than one host communications network, so that the "state" of the
VPN may be supported on one or more VPN provider networks. This is perhaps at its most robust when all the providers explicitly
support the resultant distributed VPN environment, but other solutions which do not necessarily involve knowledge of the overlay VPN are
occasionally deployed with mixed results.
`
3. Types of VPN's
`
The confusion factor comes into play in the most basic discussions regarding VPN's. This is principally due to the fact that there are
actually several different types of VPN's, and depending on the functional requirements, several different methods of constructing each
type of VPN are available. The process of selection should include consideration of what problem is being solved, a risk analysis of the
security provided by a particular implementation, issues of scale in growing the size of the VPN, and the complexity involved in both
implementing the VPN and in ongoing maintenance and troubleshooting.
`
To simplify the description of the different types of VPN's, they have been principally broken down in this paper into categories which
reside in the different layers of the TCP/IP protocol suite [Figure 2].
`
Figure 2: TCP/IP protocol model (Application, Network, Link Layer).

3.1 Network Layer VPN's
`
The network layer in the TCP/IP protocol suite consists of the IP routing system: how reachability information is conveyed from one
point in the network to another. There are a few methods to construct VPN's within the network layer; each is examined below. A brief
overview of non-IP VPN's is provided in Section 4.0.
`
It is perhaps noteworthy at this point to provide a brief overview of the differences in the "peer" and "overlay" VPN models. Simply put,
the "peer" VPN model is one in which the network layer forwarding path computation is done on a hop-by-hop basis, where each node in
the intermediate data transit path is a peer with a next-hop node. Traditional routed networks are examples of "peer" models, where each
router in the network path is a peer with its next-hop adjacencies. Alternatively, the "overlay" VPN model is one in which the network
layer forwarding path is not computed on a hop-by-hop basis, but rather the intermediate link layer network is used as a "cut-through" to
another edge node on the other side of a large cloud. Examples of "overlay" VPN models are ATM, Frame Relay, and tunneling
implementations.
`
Having drawn these simple distinctions between the peer and overlay models, it should be noted that the overlay model introduces some
serious scaling concerns in cases where large numbers of egress peers are required. This is due to the fact that the number of
adjacencies increases in direct relationship with the number of peers: the amount of computational and performance overhead required to
maintain routing state, adjacency information, and other detailed packet forwarding and routing information for each peer becomes a
liability in very large networks. If each egress node in a cut-through network becomes a peer of every other, in an effort to make all egress nodes one
"Layer 3" hop away from one another, this limits the scalability of the VPN overlay model quite remarkably.
`
For example, as the simple diagram [Figure 3] illustrates, the routers surrounding the interior switched infrastructure represent egress
peers, since the switches in the core interior could be configured such that all egress nodes are one "Layer 3" hop away from one
another, creating what is commonly known as a "cut-through." This is the foundation of an overlay VPN model. Alternatively, if the
switches in the interior were replaced with routers, then the routers positioned at the edge of the cloud would become peers with their next
hop router nodes, not with other egress nodes. This is the foundation of the peer VPN model.
`
Figure 3: Routers (egress points) surrounding an interior of switches (cut-through).
`
3.1.1 Controlled Route Leaking

"Controlled route leaking" (or route filtering) is a method which could also be called "privacy through obscurity," since it consists of nothing
more than controlling route propagation to the point that only certain networks receive routes for other networks which are within their
own community of interest. This model can be considered a "peer" model, since a router within a VPN site establishes a routing
relationship with a router within the VPN provider's network, instead of an edge-to-edge routing peering relationship with routers in other
sites of that VPN. While the common underlying Internet generally carries the routes for all networks connected to it, this architecture
assumes that only a subset of such networks form a VPN. The routes associated with this set of networks are filtered such that they are
not announced to any other set of connected networks, and all other non-VPN routes are not announced to the networks of the VPN.
For example, in [Figure 1] above, if the service provider (SP) routers "leaked" routing information received from one site in Network "A"
only to other sites in Network "A", then sites not in Network "A" (e.g., sites in Network "B") would have no explicit knowledge of any other
networks which were attached to the service provider's infrastructure [Figure 4]. Given this lack of explicit knowledge of reachability to
any location other than other members of the same VPN, privacy of services is implemented by the inability of any of the VPN hosts to
respond to packets which contain source addresses from outside the VPN community of interest. Note that this limits only what other
attached networks can learn about, and route to, the VPN; it provides no confidentiality or integrity for the traffic itself as it crosses the
shared core.
`
Figure 4: Route filters applied by the service provider backbone router toward each site of Network A (Network B sites attach to the
same backbone; VPN A is formed by the Network A sites).

    Route filter to A1: permit A2, A3, A4
    Route filter to A2: permit A1, A3, A4
    Route filter to A3: permit A1, A2, A4
    Route filter to A4: permit A1, A2, A3
`
This use of partial routing information is prone to many forms of misconfiguration. One potential problem with route leaking is that it is
extremely difficult, if not impossible, to prohibit the subscriber networks from pointing default to the upstream next-hop router for traffic
destined for networks outside of their community of interest. From within the VPN subscriber's context, this may be a reasonable action,
in that "default" for the VPN is reachability to all other members of the same VPN, and pointing a default route to the local egress path is,
within a local context, a reasonable move. Thus, it is no surprise that this is a common occurrence in VPN's where the customer
configures and manages the CPE (customer premise equipment) routers. If the service provider manages the configuration of the CPE
routers, then this is rarely a problem. Otherwise, it may be wise on the part of the service provider to place traffic filters on the first-hop
router to prohibit all traffic destined for networks outside of the VPN community of interest. Without such a filter, a default route causes
packets carrying VPN-internal source addresses to leave the community of interest and reach networks that were never supposed to know
of its existence.
`
It should also be noted that this environment implicitly assumes a common routing core. This, in turn, implies that each VPN must use
addresses which do not clash with those of any other VPN on the same common infrastructure, and cannot announce arbitrary private
addresses into the VPN. There is also another, perhaps less obvious, side effect of this form of VPN structure: it is not possible for two
VPN's to have a single point of interconnection, nor is it possible for a VPN to operate a single point of interconnection to the public
Internet in such an environment, i.e., a so-called "gateway" where all external traffic is passed through a control point which can both enforce
some form of access policy and record a log of external transactions. The common routing core uses a single routing paradigm, based
solely on destination address.
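As an added illustration of the controlled route leaking mechanism, the default-route pitfall, and the address-clash constraint described above, the following Python model is example code written for this edition and is not part of the original paper. It simulates a provider edge applying the per-site route filters of Figure 4 and an optional first-hop traffic filter; the site names, prefixes and the "UPSTREAM"/"DROP" outcomes are constructed assumptions, not anything the paper specifies.

```python
import ipaddress

# Constructed topology (an assumption for this example): four sites of VPN "A" and
# two sites of VPN "B" attach to one provider backbone.  Site name -> (VPN, prefix).
SITES = {
    "A1": ("A", "10.1.0.0/16"),
    "A2": ("A", "10.2.0.0/16"),
    "A3": ("A", "10.3.0.0/16"),
    "A4": ("A", "10.4.0.0/16"),
    "B1": ("B", "172.16.1.0/24"),
    "B2": ("B", "172.16.2.0/24"),
}


def route_filter(sites, site):
    """Routes the provider edge announces toward `site`: only the other sites of
    the same VPN (the per-site permit lists of Figure 4)."""
    vpn = sites[site][0]
    return sorted(o for o, (v, _) in sites.items() if v == vpn and o != site)


def build_ribs(sites):
    """Per-site routing table after controlled route leaking: prefix -> remote site."""
    return {
        site: {ipaddress.ip_network(sites[o][1]): o for o in route_filter(sites, site)}
        for site in sites
    }


def check_address_clash(sites):
    """A common routing core needs disjoint addressing across VPNs; report every
    pair of sites in different VPNs whose prefixes overlap."""
    nets = [(n, v, ipaddress.ip_network(p)) for n, (v, p) in sites.items()]
    clashes = []
    for i, (n1, v1, p1) in enumerate(nets):
        for n2, v2, p2 in nets[i + 1:]:
            if v1 != v2 and p1.overlaps(p2):
                clashes.append((n1, n2))
    return clashes


def in_community(sites, site, dst):
    """True if `dst` lies inside a prefix belonging to the same VPN as `site`."""
    vpn = sites[site][0]
    addr = ipaddress.ip_address(dst)
    return any(addr in ipaddress.ip_network(p) for v, p in sites.values() if v == vpn)


def forward(sites, ribs, src_site, dst, default_upstream=False, provider_filter=False):
    """Where a packet from `src_site` to `dst` ends up.

    Returns the destination site name, "UPSTREAM" when the packet escapes the VPN via
    a default route pointed at the provider, or "DROP".
      default_upstream: the CPE router points default at the upstream next hop.
      provider_filter:  the provider's first-hop router discards traffic whose
                        destination is outside the VPN community of interest.
    """
    if provider_filter and not in_community(sites, src_site, dst):
        return "DROP"
    addr = ipaddress.ip_address(dst)
    matches = [net for net in ribs[src_site] if addr in net]
    if matches:  # longest-prefix match among the leaked routes
        return ribs[src_site][max(matches, key=lambda n: n.prefixlen)]
    return "UPSTREAM" if default_upstream else "DROP"


if __name__ == "__main__":
    ribs = build_ribs(SITES)
    print("filter toward A1:", route_filter(SITES, "A1"))
    print("A1 -> A2 host:", forward(SITES, ribs, "A1", "10.2.0.9"))
    print("A1 -> B1 host, no default:", forward(SITES, ribs, "A1", "172.16.1.5"))
    print("A1 -> B1 host, default upstream:",
          forward(SITES, ribs, "A1", "172.16.1.5", default_upstream=True))
    print("same, with first-hop filter:",
          forward(SITES, ribs, "A1", "172.16.1.5", default_upstream=True,
                  provider_filter=True))
    print("address clashes:", check_address_clash(SITES))
```

The model makes the two failure modes concrete: with only route filtering, a packet from A1 to a Network B address is dropped for lack of a route, but as soon as the customer's CPE points default upstream the same packet leaves the community of interest; the provider's first-hop filter restores the intended behaviour regardless of how the CPE is configured. The clash check is the constraint of the common routing core: if a Network B site were numbered inside 10.2.0.0/16, the core could not distinguish it from A2.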
`
As an aside, it should also be noted that this requirement highlights one of the dichotomies of VPN architectures. VPN's must assume that
they operate in a mutually hostile environment, where any vulnerability which exposes the private environment to access by external third
parties may be exploited in a hostile fashion. However, VPN's are rarely truly isolated communications environments, and typically all VPN's do
have some form of external interface allowing controlled reachability to other VPN's and to the broader public data network. The tradeoff
between secure privacy and the need for external access is a constant feature of VPN's.
`
To implement inter-VPN connectivity requires the network to route externally originated packets to the VPN interconnection point, and if
they are admitted into the VPN at the interconnection point, the same packet may be passed back across the network to the ultimate VPN
destination address. Without the use of Network Address Translation (NAT) technologies at the interconnection point of ingress into the
VPN, this kind of communications structure is insupportable within this architecture [Figure 5].
`
Figure 5: Inter-VPN connectivity through a NAT firewall F. VPN-internal traffic flows among A2, A3, A4 and F; external traffic enters
via the NAT firewall F, so the VPN carries both internal and address-translated external traffic.
`
In general, the technique of supporting private communitie
