Planning and Installation Guide Chapter 9: Network Requirements and Preparation
Tunneling encapsulates one protocol's packets inside the packets of another protocol.
Several tunneling protocols are in use today:
PPTP (Point-to-Point Tunneling Protocol): PPTP carries PPP frames inside GRE and relies on
PPP's compression (MPPC) and encryption (MPPE) features. Microsoft introduced it to support
secure dial-up access for its desktop operating systems, which correspond to a large share of the
L2F (Layer 2 Forwarding): Introduced by Cisco Systems, L2F was primarily used
to tunnel traffic between two Cisco routers. It also allows IPX traffic to tunnel over
an IP WAN.
L2TP (Layer 2 Tunneling Protocol): L2TP extends PPP (Point-to-Point Protocol) and merges
the best features of L2F and PPTP. It is an IETF (Internet Engineering Task Force)
standards-track protocol, published as RFC 2661.
IPsec: This is a suite of security protocols from the IP Security Working Group of the
IETF. It provides ESP (Encapsulating Security Payload) for confidentiality and integrity,
AH (Authentication Header) for integrity only, and IKE (Internet Key Exchange) for
negotiating keys and security associations. The suite is published as IETF RFCs and is
considered the standard for encryption and tunneling in IP VPNs.
With PPTP, encryption takes place before encapsulation: MPPE encrypts the PPP payload, and
the encrypted frame is then wrapped in GRE, so the data is unreadable to outsiders while the
GRE and PPP headers travel in the clear. Once the encapsulated packets reach their
destination, the encapsulation headers are removed, and the packets are decrypted and
returned to their original format.
L2TP itself does not encrypt. It encapsulates PPP frames in UDP (port 1701) and relies on
IPsec ESP to take the whole encapsulated datagram and encrypt it before sending it over the
Internet. An outside observer of an L2TP/IPsec tunnel therefore sees only the ESP header
and ciphertext, not the UDP, L2TP or PPP headers.
See Section 9.12 on page 131 for more information about ShoreTel’s proprietary media
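The ordering difference described above, shown as an added example that is not part of this guide or of ShoreTel's software: a Python script that carries the same PPP frame both ways, PPTP style (MPPE-encrypt the PPP payload, then wrap it in GRE) and L2TP/IPsec style (wrap it in L2TP and UDP 1701, then encrypt and authenticate the whole datagram in ESP), and reports what an on-path observer can read in each case. The cipher is a counter-mode stand-in built from HMAC-SHA256 rather than RC4 or AES, the keys, packet fields and payload are constructed values, and the outer IP headers are omitted.

```python
"""Encrypt-then-encapsulate (PPTP) versus encapsulate-then-encrypt (L2TP/IPsec).
Added illustration, not ShoreTel code.  The stream cipher is a stand-in built
from HMAC-SHA256 in counter mode so the script needs only the standard library;
real tunnels use RC4 (MPPE) or AES/3DES (ESP).  Keys and packet contents are
constructed sample data."""
import hashlib
import hmac
import struct

ICV_LEN = 12            # ESP HMAC-SHA1-96: authenticator truncated to 96 bits
IPPROTO_UDP = 17
L2TP_PORT = 1701
PPP_IP = 0x0021         # PPP protocol number for IPv4
MPPE_KEY = b"mppe-session-key-constructed"
ENC_KEY = b"esp-encryption-key-constructed"
AUTH_KEY = b"esp-authentication-key-constructed"
SAMPLE_PAYLOAD = b"GET /payroll/export HTTP/1.1"   # constructed plaintext


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from a PRF (stand-in for AES-CTR / RC4)."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack("!I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def _xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


# ---- PPTP: MPPE encrypts the PPP payload first, then GRE encapsulates ----

def pptp_encapsulate(key, ppp_proto, payload, call_id, seq):
    # MPPE (RFC 3078) sets the PPP protocol field to 0x00FD and hides the
    # original protocol field inside the encrypted body.
    mppe_hdr = struct.pack("!H", 0x1000 | (seq & 0x0FFF))       # E bit + coherency count
    body = _xor(key, struct.pack("!I", seq), struct.pack("!H", ppp_proto) + payload)
    ppp = struct.pack("!H", 0x00FD) + mppe_hdr + body
    # Enhanced GRE (RFC 2637): flags/version, proto 0x880B, length, call ID, sequence
    return struct.pack("!HHHHI", 0x3001, 0x880B, len(ppp), call_id, seq) + ppp


def pptp_decapsulate(key, pkt):
    _, proto, length, _, seq = struct.unpack("!HHHHI", pkt[:12])
    if proto != 0x880B:
        raise ValueError("not a PPTP GRE packet")
    body = _xor(key, struct.pack("!I", seq), pkt[16:12 + length])  # skip 0x00FD + MPPE hdr
    return struct.unpack("!H", body[:2])[0], body[2:]


def pptp_observer(pkt):
    """Fields an on-path observer reads in the clear (outer IP header omitted)."""
    _, gre_proto, _, call_id, seq = struct.unpack("!HHHHI", pkt[:12])
    return {"gre_proto": gre_proto, "call_id": call_id, "seq": seq,
            "ppp_proto": struct.unpack("!H", pkt[12:14])[0]}


# ---- L2TP/IPsec: L2TP wraps PPP in UDP/1701 first, then ESP encrypts it all ----

def l2tp_in_udp(ppp_proto, payload, tunnel_id, session_id):
    l2tp = struct.pack("!HHH", 0x0002, tunnel_id, session_id)  # data message, L2TPv2
    ppp = struct.pack("!H", ppp_proto) + payload
    udp = struct.pack("!HHHH", L2TP_PORT, L2TP_PORT, 8 + len(l2tp) + len(ppp), 0)
    return udp + l2tp + ppp


def esp_encapsulate(enc_key, auth_key, spi, seq, inner):
    pad_len = (-(len(inner) + 2)) % 4               # trailer must end on a 4-byte boundary
    plaintext = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, IPPROTO_UDP])
    hdr = struct.pack("!II", spi, seq)               # SPI and sequence number stay in the clear
    ct = _xor(enc_key, hdr, plaintext)
    icv = hmac.new(auth_key, hdr + ct, hashlib.sha1).digest()[:ICV_LEN]
    return hdr + ct + icv


def esp_decapsulate(enc_key, auth_key, pkt):
    hdr, ct, icv = pkt[:8], pkt[8:-ICV_LEN], pkt[-ICV_LEN:]
    expected = hmac.new(auth_key, hdr + ct, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):      # verify before decrypting
        raise ValueError("ESP integrity check failed")
    pt = _xor(enc_key, hdr, ct)
    pad_len, next_hdr = pt[-2], pt[-1]
    if next_hdr != IPPROTO_UDP:
        raise ValueError("unexpected next header")
    return pt[:len(pt) - 2 - pad_len]


def esp_observer(pkt):
    spi, seq = struct.unpack("!II", pkt[:8])
    return {"spi": spi, "seq": seq, "ciphertext_len": len(pkt) - 8 - ICV_LEN}


def ppp_from_l2tp(inner):
    """Unwrap UDP + L2TP and return (ppp_proto, payload)."""
    if struct.unpack("!HH", inner[:4]) != (L2TP_PORT, L2TP_PORT):
        raise ValueError("not L2TP")
    return struct.unpack("!H", inner[14:16])[0], inner[16:]


def esp_rejects(enc_key, auth_key, pkt):
    """True if a one-bit change to the ciphertext is caught by the ICV."""
    tampered = pkt[:12] + bytes([pkt[12] ^ 0x01]) + pkt[13:]
    try:
        esp_decapsulate(enc_key, auth_key, tampered)
    except ValueError:
        return True
    return False
```

In the PPTP packet the observer still reads the GRE protocol type, call ID, sequence number and the PPP protocol field 0x00FD, which is enough to identify and track the tunnel; in the ESP packet only the SPI, sequence number and ciphertext length are visible. esp_decapsulate checks the ICV before decrypting, and esp_rejects shows a single flipped ciphertext bit being refused, which is the integrity property ESP adds and MPPE does not provide.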
Encryption is the transformation of messages to protect them from disclosure and maintain
confidentiality. The two main considerations with encryption are the algorithm, such as
two-key triple DES (112 bits), RC4 (128 bits) and three-key triple DES (168 bits), and the
management and distribution of encryption keys (IKE and PKI). Key lengths above 100 bits
have been a major driver in the success of IP VPNs: they put exhaustive key search beyond
the reach of an attacker without an investment of millions of dollars in equipment. Key
length is only one factor, though. RC4 and triple DES have since been deprecated because of
weaknesses in the algorithms themselves, and a long key does not compensate for a weak key
exchange.
Encryption starts with a key exchange that must be conducted securely, meaning that each
side can verify whom it is exchanging keys with; a Diffie-Hellman exchange on its own yields
a shared secret but gives no such assurance. The IKE (ISAKMP/Oakley) protocol, which
combines a Diffie-Hellman exchange with authentication by pre-shared key or certificate, is
considered the most robust and secure key exchange protocol in the industry to date. It is
also the de facto standard for service providers and product vendors requiring the highest
level of security for their VPN solutions. PKI (Public Key Infrastructure), newer to the key
management scene, is currently thought to be the long-term solution for simplifying the
management of VPNs. The industry is still evaluating and testing PKI, with some initial
deployments beginning to occur.
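What "conducted securely" means in practice, shown as an added example that is not from this guide or from ShoreTel: a Python model of IKE phase 1 with pre-shared-key authentication, following the key derivation of RFC 2409 section 5 (SKEYID, SKEYID_d/a/e, HASH_I and HASH_R) over Oakley group 2 with HMAC-SHA1 as the prf. Message framing, retransmission and the phase 2 quick mode are left out; the cookies, nonces, identities and SA payload body are constructed values, and run_phase1 is a helper written for this example, not an API of any IKE implementation.

```python
"""IKE phase 1 (main mode, pre-shared key) key agreement and authentication.
Added illustration following RFC 2409 section 5; not ShoreTel code and not a
complete IKE daemon.  Cookies, nonces, identities and the SA body are
constructed sample values."""
import hashlib
import hmac
import os

# Oakley group 2, 1024-bit MODP (RFC 2409 section 6.2), generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
NP = 128                # byte length of a group element


def is_probable_prime(n: int, rounds: int = 8) -> bool:
    """Miller-Rabin, used to catch a mistyped modulus before trusting it."""
    if n < 4:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        a = 2 + int.from_bytes(os.urandom(NP), "big") % (n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def prf(key: bytes, data: bytes) -> bytes:
    """The negotiated prf: HMAC with the phase 1 hash, here SHA-1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def i2b(n: int) -> bytes:
    return n.to_bytes(NP, "big")


class Peer:
    def __init__(self, psk: bytes, identity: bytes, sai_b: bytes):
        self.psk, self.identity, self.sai_b = psk, identity, sai_b
        self.cookie = os.urandom(8)                       # ISAKMP cookie
        self.nonce = os.urandom(16)
        self.x = 2 + int.from_bytes(os.urandom(NP), "big") % (P - 3)   # private exponent
        self.gx = pow(G, self.x, P)                       # KE payload sent to the peer

    def keys(self, initiator: bool, peer_cookie: bytes, peer_gx: int, peer_nonce: bytes) -> dict:
        if not 1 < peer_gx < P - 1:                       # reject 0, 1 and p-1
            raise ValueError("degenerate Diffie-Hellman public value")
        gxy = i2b(pow(peer_gx, self.x, P))
        if initiator:
            ni, nr, cky_i, cky_r = self.nonce, peer_nonce, self.cookie, peer_cookie
        else:
            ni, nr, cky_i, cky_r = peer_nonce, self.nonce, peer_cookie, self.cookie
        skeyid = prf(self.psk, ni + nr)                   # pre-shared-key authentication
        skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")               # phase 2 material
        skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")    # integrity key
        skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")    # encryption key
        return {"skeyid": skeyid, "d": skeyid_d, "a": skeyid_a, "e": skeyid_e}

    def auth_hash(self, skeyid, own_gx, peer_gx, own_cky, peer_cky, identity) -> bytes:
        # HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b); HASH_R mirrors it
        return prf(skeyid, i2b(own_gx) + i2b(peer_gx) + own_cky + peer_cky + self.sai_b + identity)


def run_phase1(psk_initiator: bytes, psk_responder: bytes) -> dict:
    """Run the exchange between two peers and report what each side concluded."""
    sai_b = b"\x00\x00\x00\x01\x00\x00\x00\x01"            # constructed SA payload body
    init = Peer(psk_initiator, b"gw-a.example", sai_b)
    resp = Peer(psk_responder, b"gw-b.example", sai_b)
    # Messages 1-4: cookies and SA, then KE (g^x) and nonces in each direction.
    ki = init.keys(True, resp.cookie, resp.gx, resp.nonce)
    kr = resp.keys(False, init.cookie, init.gx, init.nonce)
    # Messages 5-6: each side sends ID and HASH; the peer recomputes and compares.
    hash_i = init.auth_hash(ki["skeyid"], init.gx, resp.gx, init.cookie, resp.cookie, init.identity)
    hash_r = resp.auth_hash(kr["skeyid"], resp.gx, init.gx, resp.cookie, init.cookie, resp.identity)
    resp_ok = hmac.compare_digest(
        hash_i, resp.auth_hash(kr["skeyid"], init.gx, resp.gx, init.cookie, resp.cookie, init.identity))
    init_ok = hmac.compare_digest(
        hash_r, init.auth_hash(ki["skeyid"], resp.gx, init.gx, resp.cookie, init.cookie, resp.identity))
    return {"dh_agreed": pow(resp.gx, init.x, P) == pow(init.gx, resp.x, P),
            "authenticated": resp_ok and init_ok,
            "keys_match": ki == kr}


if __name__ == "__main__":
    assert is_probable_prime(P)
    print(run_phase1(b"s3cret", b"s3cret"))   # authenticated, keys match
    print(run_phase1(b"s3cret", b"wr0ng"))    # DH agrees, but authentication fails
```

Running it with two different pre-shared keys makes the point of the paragraph: the Diffie-Hellman secret still agrees, because DH alone cannot tell a legitimate peer from a man in the middle, but HASH_I and HASH_R no longer verify and the derived SKEYID_e keys differ, so no traffic keys are established. The primality check guards the transcribed modulus; a production implementation ships vetted group parameters and rejects degenerate public values exactly as Peer.keys does.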
From an IP VPN performance perspective, encryption can be a CPU-intensive operation.
As a result, enterprises must evaluate VPN products in two primary areas as they relate to
encryption. The first is whether the maximum throughput decreases substantially when