The following text is copyright 1998 by Network World, permission is hereby given for reproduction, as long as attribution is given and this notice is included.

How do you spell VPN?

By Scott Bradner

What do you mean when you talk about "Virtual Private Networks" (VPNs)? Although it's hardly a new phenomenon in this technical world, VPNs are a case where it seems that for every 3 people talking about them there are 4 or more understandings about what exactly they are talking about.

In talking to people about VPNs and reading the trade press I've found the following VPN concepts.

A set of frame relay or ATM connections between sites, isolated from other users of the same frame relay or ATM infrastructure by the use of virtual circuits. This type of VPN replaces other types of point-to-point leased lines.

IP-based tunnels between sites run over an IP infrastructure constructed for the purpose and which is separate from the Internet.

IP-based tunnels between sites run over the public Internet infrastructure.

IP-based tunnels from a dial-up Internet service provider's remote-access concentrators back to a corporate firewall with the logic and control provided by the ISP.

IP-based tunnels between a remote user computer to a corporate firewall with the logic and control split between the user's computer and the firewall.

IP-based tunnels between a client program running on a user's computer and a server at the same or different sites.

IP-based tunnels between an Internet-based provider of specific services, a pager company for example, and a firewall or on-site server.

One additional level of confusion is that an IP-based tunnel may or may not be encrypted and may carry protocols other than IP, SNA for example.

There is a distinct difference between the first of the above definitions and the rest. ATM or frame relay-based VPN services are basically normal telephony services. They are minor improvements over the long-established private line services. In these types of VPNs the purchaser is responsible for providing all management and other functions above the level-2 connectivity. The buyer can use the connections for anything they want to from PBX interconnections and video conferences to data networks.

IP is specifically involved in all of the other definitions but aside from that common feature they are very different. In some cases the VPN is a specific service of an ISP and in others merely something that looks like a normal IP connection over a network.

IP-based tunneling also provides an opportunity for additional confusion. IP tunneling is done by encapsulating a data packet within a normal IP packet for forwarding over an IP-based network. The encapsulated packet does not need to be IP, and the encapsulation can include encryption for additional security. IP-based tunneling provides a virtual wire between two points through an IP network.
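As an added illustration that is not part of the column, the following Python shows what that encapsulation looks like at the byte level: an inner packet (IP or, via a GRE header, something else) is prefixed with an outer IPv4 header addressed between the two tunnel endpoints, and the receiving end strips it off again. The endpoint addresses, inner packet and SNA EtherType used as payload are constructed sample values.

```python
from __future__ import annotations
import struct

# Constructed example, not code from the column: IP-in-IP (protocol 4, RFC 2003)
# wraps one IPv4 packet inside another; GRE (protocol 47, RFC 2784) can carry
# non-IP payloads, which is how a tunnel can transport e.g. SNA frames.
IPPROTO_IPIP = 4
IPPROTO_GRE = 47

def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum of an IPv4 header; returns 0 when a header validates."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def encapsulate(inner: bytes, src: str, dst: str, proto: int, ttl: int = 64) -> bytes:
    """Prepend a 20-byte outer IPv4 header addressed between the two tunnel endpoints."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0, ttl, proto, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + inner

def gre_wrap(ethertype: int, payload: bytes) -> bytes:
    """Minimal GRE header (no checksum/key/sequence) announcing the inner protocol type."""
    return struct.pack("!HH", 0, ethertype) + payload

def decapsulate(packet: bytes) -> tuple[int, str, str, bytes]:
    """Validate the outer header and return (protocol, src, dst, inner bytes)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    hdr = packet[:ihl]
    if ipv4_checksum(hdr) != 0:
        raise ValueError("bad outer header checksum")
    total_len = struct.unpack("!H", hdr[2:4])[0]
    src = ".".join(map(str, hdr[12:16]))
    dst = ".".join(map(str, hdr[16:20]))
    # Without encryption the inner bytes are readable by every hop on the outer path.
    return hdr[9], src, dst, packet[ihl:total_len]

# Constructed sample: an inner IPv4 packet between two private-site addresses (protocol 17 = UDP),
# tunnelled between public endpoints in the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
INNER = encapsulate(b"hello", "10.1.0.5", "10.2.0.9", 17)
TUNNELLED = encapsulate(INNER, "203.0.113.10", "198.51.100.20", IPPROTO_IPIP)
# A non-IP payload: a few constructed bytes tagged with EtherType 0x80D5 (IBM SNA over Ethernet).
NON_IP = encapsulate(gre_wrap(0x80D5, b"\x2d\x00\x01"), "203.0.113.10", "198.51.100.20", IPPROTO_GRE)
```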

This divergence in the basic understanding of what VPNs are means that talking about VPNs often produces more confusion than information.

There has been a lot written about VPNs in this and other technical publications, but with the confusion over the meaning of the term much of what is written seems guided more by vendors' marketing plans than by concise reporting. It would be nice if that changed.

Disclaimer: Harvard does not need marketing plans (any new ones anyway) and the above are my own observations.