An end-to-end virtual private network (VPN) session provides confidentiality and data integrity for enterprise users who access the enterprise network from outside the intranet. However, because packets are encrypted end-to-end from the client to the enterprise VPN gateway, network service providers (NSPs) cannot offer value-added services to these users: such services require visibility into packet headers and application data, and the NSP sees only ciphertext. In a network-based VPN, the user's VPN session is instead terminated at an IP service switch (IPSS) inside the NSP's network, and a second VPN session from the IPSS to the enterprise VPN gateway carries the traffic on to the enterprise. Because packet headers and application data are visible in the clear at the IPSS, the NSP can provide value-added services; the price is that the NSP's IPSS becomes a trusted party for that traffic. In this paper we describe a new VPN mechanism, which we call adaptive VPN, that lets an enterprise selectively trade end-to-end security for value-added services outsourced to an NSP. With adaptive VPN, traffic from a given user can be carried over an end-to-end VPN session, a network-based VPN session, or both, with the choice made per flow from the user's network access identifier (NAI) and the application being accessed. We also describe the implementation of adaptive VPN in Lucent's VPN security products.
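The per-flow decision described above, as an added illustration that is not code from the paper or from Lucent's products. It assumes an NAI of the form user@realm (simplified RFC 4282 syntax), a flow identified by transport protocol and destination port, a constructed port-to-application map, and an ordered enterprise rule table; the paper may classify applications differently. The one design rule worth carrying over is that any flow no rule claims stays end-to-end, so the selector fails toward the stronger property rather than toward NSP visibility.

```python
"""Hypothetical adaptive-VPN session selector (added example, not Lucent's code)."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

E2E = "end-to-end"          # client <-> enterprise gateway; opaque to the NSP
NETWORK = "network-based"   # client <-> IPSS, then IPSS <-> enterprise gateway


@dataclass(frozen=True)
class Flow:
    nai: str        # network access identifier, e.g. "alice@corp.example"
    proto: str      # "tcp" or "udp"
    dst_port: int


@dataclass(frozen=True)
class Rule:
    realm: Optional[str]    # None matches any realm
    user: Optional[str]     # None matches any user
    app: Optional[str]      # application label; None matches any application
    mode: str               # E2E or NETWORK


# Constructed application map (assumption: classification by destination port).
APPS = {
    ("tcp", 80): "http",
    ("tcp", 443): "https",
    ("tcp", 25): "smtp",
    ("udp", 53): "dns",
}

# Constructed enterprise policy; first match wins, so user-specific rules go first.
CORP_POLICY = [
    Rule(realm="corp.example", user="cfo", app=None, mode=E2E),      # never expose this user
    Rule(realm="corp.example", user=None, app="http", mode=NETWORK),  # outsource web filtering/caching
    Rule(realm="corp.example", user=None, app="smtp", mode=NETWORK),  # outsource mail scanning
]


def parse_nai(nai: str) -> Tuple[str, str]:
    """Split user@realm. Realms are case-insensitive, usernames are not.
    A malformed NAI is an error rather than a wildcard, so it can never
    accidentally match a permissive rule."""
    if nai.count("@") != 1:
        raise ValueError(f"malformed NAI: {nai!r}")
    user, realm = nai.split("@")
    if not user or not realm:
        raise ValueError(f"malformed NAI: {nai!r}")
    return user, realm.lower()


def classify_app(flow: Flow) -> Optional[str]:
    """Map a flow to an application label; None means 'unknown application'."""
    return APPS.get((flow.proto.lower(), flow.dst_port))


def select_mode(flow: Flow, rules: List[Rule]) -> str:
    """Pick the VPN session that should carry this flow.

    Rules are evaluated in order; the first whose realm, user and app
    fields all match (or are wildcards) decides. No match means E2E."""
    user, realm = parse_nai(flow.nai)
    app = classify_app(flow)
    for rule in rules:
        if rule.realm is not None and rule.realm != realm:
            continue
        if rule.user is not None and rule.user != user:
            continue
        if rule.app is not None and rule.app != app:
            continue
        return rule.mode
    return E2E


def sessions_needed(flows: List[Flow], rules: List[Rule]) -> Set[str]:
    """The set of sessions one user's traffic requires: a user can end up on
    an end-to-end session, a network-based session, or both at once."""
    return {select_mode(f, rules) for f in flows}


if __name__ == "__main__":
    for f in (Flow("alice@corp.example", "tcp", 80),
              Flow("alice@corp.example", "tcp", 443),
              Flow("cfo@corp.example", "tcp", 80)):
        print(f.nai, f.proto, f.dst_port, "->", select_mode(f, CORP_POLICY))
```

Note the two fail-closed paths: an application the map does not know (for example TCP/8080) and a realm outside the policy both fall through to end-to-end, and a malformed NAI raises instead of being treated as a wildcard.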