IP Virtual Dialup Networks
BY PAUL MALLINDER
Internet Service Providers (ISPs) and traditional carriers are beginning to offer
Virtual Private Dialup Networks (VPDNs), providing many of the same advantages that
Virtual Private Voice Networks have offered for years. Embedding a "private
network" within "public facilities" permits enterprises to gain economies
of scale and achieve lower telecommunications costs than fixed access networks. At the
same time, carriers can increase their return on investment on their existing access and
core infrastructures by providing national or global dialup access to the enterprise
network. For the ISPs, VPDNs create additional revenue streams with higher valued services
than their traditional flat rate tariff dialup IP service.
By setting up secure VPDNs over the Internet or other public networks, enterprises can
gain substantial savings for their companies. Network and IS managers are looking to use
VPDNs as an economical way to connect their telecommuters or users in remote offices. The
essence of a VPDN is to provision a secure connection between a remote dial user and the
enterprise network. It is secure in the sense that the remote dial user is authenticated
and authorized to access the requested enterprise network. In addition, the enterprise may
require the VPDN connection to be encrypted, especially if the VPDN service is provisioned
over the Internet.
TRADITIONAL IP DIALUP
Traditional IP dialup service is currently offered by both ISPs and carriers. The service
allows the user to access both the Internet and the enterprise network. Traditional IP
dialup can be characterized by access control, security, and accounting of the service.
Security involves authentication of the user to identify if the actual user is registered
within the service. Authentication is carried out within the ISP or carrier environment
before the user gains access to the enterprise. Access control involves identifying what
the actual authenticated user is allowed to do within the service, for example, what IP
destination addresses is the user allowed to connect to. Access control is carried out by
the ISP or the carrier prior to connection to the enterprise. Lastly, accounting is also
carried out by the ISP or carrier for billing the individual user or the enterprise for
the service delivered.
Traditional IP dialup can further be characterized in terms of how the dialup protocol
is handled. A dialup IP user will typically use Point-to-Point Protocol (PPP) or, to a
much less extent, Serial Line IP (SLIP) or other protocols. Authentication through dialup
PPP requires the PPP to be terminated within the ISP or carrier Network Access Server
(NAS) which often includes a Remote Authentication Dial In User Service (RADIUS) solution
as well as support for smart cards and one-time passwords.
IP VPDN service will be offered by both ISPs and carriers. While access to an IP VPDN has
many similarities to the traditional IP dial service, the VPDN service is distinctive in
that it limits both ingress and egress to defined "on net" locations. The
service allows authorized users to access the enterprise network, while rejecting attempts
from unauthorized users. In addition, the VPDN will generally limit users to predefined
locations or applications, which simplifies network administration and lowers network
costs and wasted resources. The IP VPDN can also be characterized by access control,
security, and accounting of the service.
Security involves authentication of the user to identify if the actual user is
registered within the actual enterprise. Authentication is carried out within the
enterprise, although the ISP or carrier may carry out a partial authentication of the user
to determine the actual enterprise to which a connection needs to be established. There
are two ways for the ISP or carrier to determine the actual Home Server (HS) location,
either by the DNIS/ANI (Dialed Number In Service/Automatic Number Identification) if
available, or by the user name delivered through the PPP. Access control involves
identifying what the actual authenticated user is allowed to do within the enterprise.
Access control is carried out by the enterprise. Lastly, accounting is also carried out by
both the ISP or carrier and the enterprise. The ISP or carrier require accounting for
billing the enterprise, while the enterprise may carry out billing for user call back or
The IP VPDN service can further be characterized in terms of how the dialup protocol is
handled. Authentication through dialup PPP requires the PPP to be terminated within the
enterprise HS, which often includes a RADIUS solution as well as support for smart cards
and one-time passwords.
VPDNs ACROSS MULTIPLE CARRIERS OR ISPs
In the case of adding another level of complexity to the provisioning of a VPDN service
across multiple carriers or ISPs, the issue for the intermediate ISP or carrier can be
characterized in terms of security and accounting. Each intermediate ISP or carrier may
need to carry out a partial authentication of the user to determine not only the actual
enterprise HS to which a connection needs to be established, but also if the user is
allowed to traverse the intermediate network. Typically, this will be achieved by the user
name delivered through the originating PPP, but may also be handled through the DNIS/ANI
being delivered from the originating ISP or carrier to the intermediate or terminating ISP
or carrier. Accounting may also be carried out by the intermediate ISP or carrier. The
intermediate ISP or carrier may then deliver billing to the originating ISP or carrier.
HOW TUNNELS WORK
VPDNs use a technique called "tunneling," which is the encapsulation of data
from one protocol into the protocol stream of another. Tunnels are by topology "point
to point" virtual connections between a network ingress point and a network egress
point. At the ingress point, data is encapsulated while at the egress point data is
de-encapsulated into the original source format. In terms of physical platforms, an
ingress point is typically a NAS, and the egress point is typically an HS.
There are many diverse vendor specific protocols to establish, maintain, refresh and
tear down tunnels. Digital Equipment Corp. adopted the AltaVista Tunnel that handles both
IP tunneling and public key, private key encryption and authentication. Microsoft, Ascend,
ECI Telematics, 3Com, and U.S. Robotics formed the Point-to-Point Tunneling Forum to allow
remote access over the Internet to Windows NT servers. Cisco developed and implemented the
Layer Two Forwarding protocol (L2F) for tunnel handling. As the paths diverged, the need
for a standard protocol which would be transparent to the network media has become
Tunnels do not obviate the need for firewalls. Rather, VPDNs are viewed as a complement
to those dedicated hardware and software gateways, which restrict access to corporate
resources based on a rules base. A firewall's rules base could reject or limit a user's
access to applications and data on the basis of the domain name. The tunnel end point
within the enterprise will be typically behind the firewall rather than in front.
VPDNs OVER IP INFRASTRUCTURE
When a remote user places a call through a PSTN modem or an ISDN terminal adapter (TA) to
an ISP or carrier POP, the NAS determines the particular VPDN based on the DNIS. The ISP
or carrier NAS dynamically assigns either a TA or modem based on the DNIS and filter
within the ISDN setup (the filter will identify analog channel or digital channel) to
accept the call. Before assigning the TA or modem resource the NAS ensures that the
requested call is within the Service Level Agreement. If the CSR has not been reached for
the particular VPDN, then a TA or modem resource is dynamically assigned from the
particular VPDN Service Pool. If the CSR for the particular VPDN has reached its maximum
value, then the NAS will attempt to assign a modem or TA resource as defined by the ESR
for the particular VPDN. If the ESR for the particular VPDN is at maximum, then the NAS
will not accept the call.
On acceptance of the call by the NAS, the user now initiates a PPP connection. The ISP
or carrier NAS has determined the HS based on the DNIS. The NAS attempts to establish a
tunnel connection with the HS through a connection oriented packet based protocol. The HS
accepts the tunnel request and the dial PPP client protocol is terminated within the HS
located at the enterprise. Authentication, authorization, and accounting are carried out
within the enterprise's home LAN (normally behind the firewall) using a RADIUS-based
authentication product. The HS conforms to RADIUS accounting and RADIUS authentication.
The dial PPP (asynchronous or synchronous) is encapsulated within the tunnel using RFC
1598, which is then carried over IP to the HS. Each tunnel is established with a unique ID
at each end of the connection to ensure tunnel security from other enterprise traffic. In
setting up the tunnel, the NAS encodes the NLPID (Network Layer Protocol Identifier) into
the first bytes of the tunnel Request Packet. The HS accepts the calls and de-encapsulates
the data packets which contain standard PPP PDUs (Protocol Data Units) and terminates the
In order to establish VPDNs over a Frame Relay infrastructure, the NAS would interpret
the incoming client PPP stream and encapsulate in conformance with RFC 1598 before placing
it onto the specified frame relay DLCI associated with the VPDN. The HS is again
responsible for termination of the user PPP stream.
Implementing the Layer 2 Tunneling Protocol (L2TP) described for VPDN provisioning will
provide a common tunnel format which allows service provider interoperability among IP
tunnels from different vendors.
This strategy will enable the service provider to provision VPDN services within their
existing networks and also to provision such services through third-party networks for
tunnel traversing. The L2TP protocol will allow the service provider to carry out partial
authentication of the user to identify the home domain the user belongs to and provide
billing to the enterprise based on service usage. Furthermore, L2TP will give an
intermediate ISP or carrier the ability to handle traversing tunnels and collect
accounting information for billing the tunnel originator.
Paul Mallinder is director of product marketing at ECI Telematics, an international
provider of integrated wide-area network solutions for the requirements of public and
private networks' data and voice communications. Certified to ISO9001 standards, the
company designs, manufactures, and markets a complete line of network solutions for
mission-critical intelligent networks where quality of service, high performance, and
reliability are of prime importance to the network provider and operator. ECI Telematics
is a wholly owned subsidiary of ECI Telecom Ltd., a global provider of digital
telecommunications and data transmission systems. For more information, visit the
company's Web site at www.telematics.com.