Adaptive VPN: Tradeoff between security levels and value-added services in virtual private networks

An end-to-end virtual private network (VPN) session provides complete privacy and data integrity for enterprise users who access the enterprise network from outside the intranet. However, because packets are encrypted end-to-end from the client to the enterprise VPN gateway, it is not possible for network service providers (NSPs) to provide value-added services to these enterprise VPN users, because such services require visibility into packet headers and application data. A network-based VPN allows a user VPN session to be terminated at an IP service switch (IPSS) within the NSP's network. Another VPN session from the IPSS to the enterprise VPN gateway is used to carry traffic from the IPSS to the enterprise. Because packet headers and application data are visible in the clear at the IPSS, the NSP can provide value-added services. In this paper we discuss a new VPN mechanism — which we call adaptive VPN — that enables enterprises to selectively trade off end-to-end security for value-added services that can be outsourced to an NSP. Adaptive VPN makes it possible for traffic from a specific user to be carried on an end-to-end VPN session and/or a network-based VPN session, based on the network access identifier (NAI) of the user and the application that is being accessed. We also describe the implementation of adaptive VPN in Lucent's VPN security products.
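The selection step described above, as an added example that is not the paper's or Lucent's code: a small policy engine that maps a user's NAI and the application being accessed to one or both session types, with the most specific rule winning and an end-to-end default when nothing matches. The rule syntax, realm wildcards, application names and the sample policy are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

END_TO_END = "end-to-end"        # client <-> enterprise gateway; opaque to the NSP
NETWORK_BASED = "network-based"  # client <-> IPSS, then IPSS <-> gateway; visible at IPSS

@dataclass(frozen=True)
class Rule:
    nai: str                   # "alice@corp.example", "*@corp.example" or "*" (assumed syntax)
    app: str                   # application name such as "web", or "*"
    sessions: Tuple[str, ...]  # one or both session types

def split_nai(nai: str) -> Tuple[str, str]:
    """Split user@realm; reject a malformed NAI instead of guessing."""
    user, sep, realm = nai.partition("@")
    if not sep or not user or not realm:
        raise ValueError(f"malformed NAI: {nai!r}")
    return user.lower(), realm.lower()

def match_score(rule: Rule, nai: str, app: str) -> Optional[Tuple[int, int]]:
    """(nai_specificity, app_specificity) for a matching rule, else None."""
    user, realm = split_nai(nai)
    if rule.nai == "*":
        nai_score = 0
    elif rule.nai.startswith("*@"):
        if rule.nai[2:].lower() != realm:
            return None
        nai_score = 1                       # realm-wide rule
    elif split_nai(rule.nai) == (user, realm):
        nai_score = 2                       # exact user rule
    else:
        return None
    if rule.app == "*":
        app_score = 0
    elif rule.app == app:
        app_score = 1
    else:
        return None
    return (nai_score, app_score)

def select_sessions(rules: Sequence[Rule], nai: str, app: str) -> Tuple[str, ...]:
    """Most specific rule wins (user before realm, then application).
    No matching rule keeps the flow end-to-end, so nothing becomes visible
    at the IPSS unless policy explicitly outsources it."""
    best = None
    for rule in rules:
        score = match_score(rule, nai, app)
        if score is not None and (best is None or score > best[0]):
            best = (score, rule)
    return best[1].sessions if best else (END_TO_END,)

# Constructed sample policy: web traffic for the realm is outsourced to the NSP,
# one user gets both sessions, everything else stays end-to-end.
RULES = [Rule("*", "*", (END_TO_END,)),
         Rule("*@corp.example", "web", (NETWORK_BASED,)),
         Rule("alice@corp.example", "*", (END_TO_END, NETWORK_BASED))]
```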