VPN acronym roundup
With so many VPN technologies and acronyms floating about, keeping up with which protocol does what can be quite a chore. In this tip we round up the acronyms, explain briefly how they relate to each other, and give some clues to help you figure out which technology is right for you.
Layer 2 Forwarding (L2F) was created by Cisco and submitted to the IETF in '96 (practically prehistoric in Internet time). Its purpose was to help service providers create Virtual Private Dialup Networks (VPDNs).
The result of a joint effort by Cisco and Microsoft, the Layer 2 Tunneling Protocol (L2TP) is responsible for creating and managing tunnels; for encryption it relies on IPSec. L2TP tunnels can operate in voluntary or compulsory mode, but voluntary tunnels are much more common. L2TP combined with IPSec is generally considered more secure than PPTP because of its architecture and the strength of its keys. This protocol will eventually replace Cisco's L2F and Microsoft's PPTP.
A Microsoft standard, the Point-to-Point Tunneling Protocol (PPTP) was eventually defined in an informational RFC. Although generally not well regarded, PPTP does have some strengths. Unlike IPSec, it can encrypt and transport non-IP protocols, and it is compatible with Network Address Translation. It is also much more widespread because it is included for free in most Windows operating systems. For better or worse, it can integrate authentication with Windows NT/2000 domains, and unlike L2TP, most PPTP tunnels are compulsory. PPTP is frequently used both for remote access and for connecting remote offices in an intranet.
Point-to-Point Protocol over Ethernet (PPPoE) is a standard that allows the encapsulation and authentication properties of PPP to be used over other layer 2 technologies such as Ethernet. This technology is used almost exclusively by xDSL providers.
Unlike all the previous examples, IPSec operates at layer 3 instead of layer 2. It is primarily used to encrypt and authenticate traffic using the Encapsulating Security Payload (ESP), but it can be used for authentication only with the Authentication Header (AH) protocol. Although very secure, it has some drawbacks: it is incompatible with NAT, and it does not allow other layer 3 protocols, such as AppleTalk or IPX, to be encapsulated (hence the name, IPSec). A significant advantage of IPSec is strong authentication using smart cards or digital certificates.
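The NAT incompatibility described above, as an added example that is not part of the original article: a minimal IPv4+AH packet builder and verifier (HMAC-SHA1-96, the mandatory AH algorithm in RFC 4302) showing that a router decrementing TTL leaves the AH integrity check intact, while a NAT device rewriting the source address breaks it. The key, SPI, addresses and payload are constructed sample values.

```python
# Added example, not from the original article: why AH-protected IPSec breaks behind NAT.
# RFC 4302 computes the AH ICV over the IP header (mutable fields zeroed), the AH header and the
# payload. Addresses are immutable, so a NAT rewriting the source invalidates the ICV; TTL does not.
import hashlib, hmac, ipaddress, struct

AH_PROTO, AH_FIXED, ICV_LEN = 51, 12, 12   # IP proto 51; 12-byte fixed AH header; 96-bit ICV

def ip_checksum(hdr: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16: total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def _fix_checksum(ip: bytearray) -> bytes:
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip)))
    return bytes(ip)

def _ah_icv(packet: bytes, key: bytes) -> bytes:
    ip = bytearray(packet[:20])
    ip[1] = 0; ip[6:8] = b"\x00\x00"; ip[8] = 0; ip[10:12] = b"\x00\x00"  # mutable fields zeroed
    ah = bytearray(packet[20:20 + AH_FIXED + ICV_LEN]); ah[AH_FIXED:] = bytes(ICV_LEN)  # zero ICV
    data = bytes(ip) + bytes(ah) + packet[20 + AH_FIXED + ICV_LEN:]
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]

def build_ah_packet(src: str, dst: str, payload: bytes, key: bytes, spi: int, seq: int) -> bytes:
    ah_len = AH_FIXED + ICV_LEN
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + ah_len + len(payload), 0x1234, 0,
                               64, AH_PROTO, 0, ipaddress.IPv4Address(src).packed,
                               ipaddress.IPv4Address(dst).packed))
    ah = struct.pack("!BBHII", 17, ah_len // 4 - 2, 0, spi, seq) + bytes(ICV_LEN)  # next hdr = UDP
    pkt = _fix_checksum(ip) + ah + payload
    return pkt[:20 + AH_FIXED] + _ah_icv(pkt, key) + pkt[20 + ah_len:]

def verify_ah(packet: bytes, key: bytes) -> bool:
    """Receiver side: recompute the ICV and compare it in constant time."""
    return hmac.compare_digest(packet[20 + AH_FIXED:20 + AH_FIXED + ICV_LEN], _ah_icv(packet, key))

def router_hop(packet: bytes) -> bytes:
    """Ordinary router: decrement TTL (a mutable field) and fix the checksum."""
    ip = bytearray(packet[:20]); ip[8] -= 1
    return _fix_checksum(ip) + packet[20:]

def nat_rewrite_src(packet: bytes, new_src: str) -> bytes:
    """NAT device: rewrite the source address (immutable under AH) and fix the checksum."""
    ip = bytearray(packet[:20]); ip[12:16] = ipaddress.IPv4Address(new_src).packed
    return _fix_checksum(ip) + packet[20:]

KEY = b"constructed-sample-key"      # constructed; a real SA key would come from IKE
SAMPLE = build_ah_packet("10.0.0.2", "192.0.2.10", b"hello vpn", KEY, 0x100, 1)
```

Running `verify_ah` on `router_hop(SAMPLE)` succeeds, while `nat_rewrite_src(SAMPLE, ...)` fails verification, which is exactly the symptom seen when AH traffic crosses a NAT.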
Generic Routing Encapsulation (GRE) is another layer 3 protocol that is used primarily to encrypt traffic, but it also has the advantage of supporting non-IP protocols.
Thomas Alexander Lancaster IV is a consultant and author with over ten years of experience in the networking industry, focused on Internet infrastructure.