UBM Network Computing
Take A Hard Look At Virtual Private Networks

By Robert Moskowitz

Virtual private networking--the latest catch phrase to be foisted upon us--seems to mean different things to different people. In vendor marketing terms, it means new technology sales and upgrades. But before you go and spend your organization's hard-earned profits or your scarce product evaluation resources, take some time to find the VPN technology that will meet your networking needs.

What's Virtual About a Network?

Somewhere along our networking history time line, the idea that a network was a physical thing was cast into our culture. Did you know that Thicknet was yellow because it was the "yellow brick road" to the magical kingdom? At least that was the story we passed around after a day of teaching the new kid on the team how to troubleshoot a cable to find the continuity break. Our networking technologies grew up around this nearness, this physical thing. Even routed protocols had local broadcast traffic that posed many challenges for the networkologist.

I believe it was the ATM Forum--these things tend to get shrouded in history and counter-claims--that first started marketing a method to take physically discontinuous systems and make them appear to the higher protocols as one network: Virtual networking was born. Many an ATM marketer was quick to point out that "this is a private virtual network, since there is no such thing as promiscuous mode in ATM" (check out the National Laboratory for Applied Network Research's Web site at www.nlanr.net/NA/Oc3mon), and that "ATM switches simply cannot be hacked." Fortunately for them, P.T. Barnum was right.

Dedicated networking costs are driving us to look hard at virtual networking. We envision our network sharing wide-area resources--yet it is our network, rather than everyone's network. Of course, if you say it that way, the regional Bell operating companies will be pounding at your door with all sorts of frame relay offerings (do I hear Barnum laughing again?). We want our virtual networks on any media and in any geographic region; this business opportunity has led to a number of creative solutions from networking engineers covering all disciplines. Every engineering group has taken technology with which it is familiar and has molded it to fit virtual networking.

Tunneling Links

Perhaps the link-layer engineering group has been the most aggressive. The Point-to-Point Protocol (PPP) has become the Internet's ubiquitous link layer. From ancient 2400-bps dial-up to OC-3 Sonet, PPP delivers open connectivity among vendors. What better technology for Microsoft to extend? By running PPP as the inner protocol with the Generic Routing Encapsulation (GRE) protocol (RFCs 1701 and 1702), Microsoft created the Point-to-Point Tunneling Protocol (PPTP). A skilled software development group can then weld in other PPP options, like the Compression Control Protocol (CCP) to implement encryption and compression.
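The paragraph above describes PPTP as PPP carried inside GRE. The following parser, added here as an illustration and not code from the article or from any PPTP implementation, decodes the GRE header of RFC 1701 together with the fields that PPTP's "enhanced GRE" (version 1) adds, so that a capture-analysis script can tell a PPTP data tunnel from ordinary IP-in-GRE. The two sample packets are constructed for the example; the call ID, payload and sequence values in them are arbitrary.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# GRE protocol type that labels a PPP payload; PPTP data packets carry this value.
PROTO_PPP = 0x880B
# Ordinary IPv4-in-GRE, used only for the comparison sample below.
PROTO_IPV4 = 0x0800

# Flag bits of the first 16-bit word of the GRE header (RFC 1701).
FLAG_C = 0x8000  # checksum present
FLAG_R = 0x4000  # routing present (deprecated; refused below)
FLAG_K = 0x2000  # key present
FLAG_S = 0x1000  # sequence number present
FLAG_A = 0x0080  # acknowledgment present (only meaningful in PPTP's version 1)
VERSION_MASK = 0x0007


@dataclass
class GreHeader:
    version: int
    protocol: int
    checksum: Optional[int] = None
    key: Optional[int] = None
    sequence: Optional[int] = None
    ack: Optional[int] = None
    header_len: int = 4

    @property
    def payload_len(self) -> Optional[int]:
        # Enhanced GRE (version 1) reuses the upper 16 bits of the key as payload length.
        return (self.key >> 16) if self.version == 1 and self.key is not None else None

    @property
    def call_id(self) -> Optional[int]:
        # ...and the lower 16 bits as the PPTP call ID.
        return (self.key & 0xFFFF) if self.version == 1 and self.key is not None else None


def _take(buf: bytes, off: int, fmt: str):
    """Unpack fmt at buf[off:], refusing to read past the end of the packet."""
    size = struct.calcsize(fmt)
    if len(buf) < off + size:
        raise ValueError("truncated GRE header at offset %d" % off)
    return struct.unpack(fmt, buf[off:off + size]), off + size


def parse_gre(pkt: bytes) -> GreHeader:
    """Decode the fixed GRE word plus whichever optional fields the flags announce."""
    (flags, proto), off = _take(pkt, 0, "!HH")
    hdr = GreHeader(version=flags & VERSION_MASK, protocol=proto)
    if flags & FLAG_R:
        # Source routing is never used by PPTP; refuse rather than misparse the payload.
        raise ValueError("GRE source routing not supported")
    if flags & FLAG_C:
        vals, off = _take(pkt, off, "!HH")
        hdr.checksum = vals[0]  # vals[1] is the (obsolete) routing offset
    if flags & FLAG_K:
        vals, off = _take(pkt, off, "!I")
        hdr.key = vals[0]
    if flags & FLAG_S:
        vals, off = _take(pkt, off, "!I")
        hdr.sequence = vals[0]
    if hdr.version == 1 and flags & FLAG_A:
        vals, off = _take(pkt, off, "!I")
        hdr.ack = vals[0]
    hdr.header_len = off  # the PPP frame (or other payload) starts here
    return hdr


def classify(pkt: bytes) -> str:
    """Label a GRE packet the way a tunnel-inventory script might."""
    hdr = parse_gre(pkt)
    if hdr.version == 1 and hdr.protocol == PROTO_PPP and hdr.key is not None:
        return "pptp-data"
    if hdr.protocol == PROTO_PPP:
        return "ppp-over-gre"
    return "gre-v%d-proto-0x%04x" % (hdr.version, hdr.protocol)


# Constructed sample: a PPTP data packet (version 1, K and S set) carrying a
# 16-byte PPP frame whose first bytes are address/control 0xFF03 and protocol 0x0021 (IP).
PPP_FRAME = bytes([0xFF, 0x03, 0x00, 0x21]) + bytes(12)
PPTP_PACKET = struct.pack("!HHHHI", FLAG_K | FLAG_S | 1, PROTO_PPP,
                          len(PPP_FRAME), 0x1234, 7) + PPP_FRAME

# Constructed sample: plain GRE version 0 carrying IPv4 with no optional fields.
PLAIN_GRE_PACKET = struct.pack("!HH", 0, PROTO_IPV4) + bytes(20)

if __name__ == "__main__":
    for name, pkt in (("pptp", PPTP_PACKET), ("plain", PLAIN_GRE_PACKET)):
        print(name, classify(pkt), parse_gre(pkt))
```

A defender can run this over the GRE payloads of a capture to inventory which hosts are terminating PPTP tunnels; the header length it returns is where a PPP decoder would pick up.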

PPTP is best viewed as a tactical tool. Its security is good, but not great. It does not offer protection from substitution attacks or playback attacks, nor does it provide perfect forward secrecy (in other words, protection against reading recorded sessions when provided with session initialization passwords). The network planner's greatest concern with PPTP is its limited usage: remote connections to a single point. PPTP does not support multiple connections nor does it easily support network-to-network connections.
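To make concrete what "protection from playback attacks" means in the paragraph above, here is an anti-replay sliding window of the kind IPsec's data framing performs on each received sequence number. It is an added example, not code from the article or from any PPTP or IPsec implementation; the window size of 8 and the sample sequence list, in which two numbers are re-injected, are constructed for the demonstration.

```python
class AntiReplayWindow:
    """Sliding-window replay check over per-packet sequence numbers.

    Tracks the highest sequence number accepted and a bitmap of the `size`
    most recent numbers, so a late-but-fresh packet is accepted while an
    exact repeat or anything older than the window is rejected.
    """

    def __init__(self, size: int = 64) -> None:
        if size < 1:
            raise ValueError("window size must be positive")
        self.size = size
        self.highest = 0  # largest sequence number accepted so far
        self.bitmap = 0   # bit i set => (highest - i) was already accepted

    def accept(self, seq: int) -> bool:
        """Return True and record seq if it is fresh; False for replays or stale numbers."""
        if seq <= 0:
            return False  # 0 is never a valid sequence number
        if seq > self.highest:
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1  # the whole window slid past; only this packet is in it
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        behind = self.highest - seq
        if behind >= self.size:
            return False  # too old to judge, so treated as a replay
        mask = 1 << behind
        if self.bitmap & mask:
            return False  # exactly this number was accepted before
        self.bitmap |= mask
        return True


def run_window(seqs, size: int = 8):
    """Feed a sequence-number trace through one window and report each verdict."""
    window = AntiReplayWindow(size)
    return [window.accept(s) for s in seqs]


# Constructed sample trace: packets 1 and 2 are re-injected, 90 arrives far too late.
SAMPLE_TRACE = [1, 1, 3, 2, 2, 100, 90, 95, 95]

if __name__ == "__main__":
    for seq, ok in zip(SAMPLE_TRACE, run_window(SAMPLE_TRACE)):
        print(seq, "accepted" if ok else "rejected")
```

The sequence number only protects against replay when it is covered by an integrity check the recorder cannot forge; a bare counter, as in a tunnel without per-packet authentication, can simply be rewritten by whoever replays the packet.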

The Level 2 Tunneling Protocol (L2TP) also guides PPP over an IP network, but is a simpler incarnation of GRE than PPTP. Whereas PPTP came out of the client/server-LAN-Microsoft experience, L2TP came out of the router-ISP-engineering community. PPTP uses your Remote Access Services (RAS) back home for authentication; L2TP uses the Remote Authentication Dial-In User Service (RADIUS) authentication at the Internet service provider (ISP). L2TP is similar to PPTP in that it targets the remote-access community. But L2TP hasn't attempted to do its own privacy, looking instead toward IP Security (IPsec) for that. L2TP has many of the same limitations as PPTP, such as support of only one tunnel, no perfect forward secrecy and no clear mechanism for renegotiation if connectivity to the L2TP server is lost.

Tunneling Networks

It's interesting to note the difference an OSI level can make. Once we get out of the link layer, we leave the networking engineers behind. I have found the community working on network tunnels heavily populated by security professionals. Some may not consider this a good thing, since security people tend to be very deliberate in their work and take considerably more time to develop a protocol than do networking people. But we are talking virtual private networks here--doing the security right is critical.

The focus of IPsec, the main network tunneling effort, has been to develop a security protocol for connecting two systems or two networks. The remote user is considered a special case of two networks. As the IPsec workgroup nears completion of the data framing and key management protocols, it's turning its attention to the management of the tunnels, or VPNs.

In the automotive industry, visual appeal has had more impact on sales than under-the-hood technology. There's always a lot of attention paid to the "look and feel" of the car. In recent years, the consumer has been more concerned with total cost of ownership over how it looks. As educated networkologists, we, too, need to look beyond the appearance of the VPN to what really matters--truly secure, flexibly defined, virtual networks have become our paramount concern. VPNs need to extend beyond our comfortable security walls into our partners' networks, and only the IPsec team has had its collective nose to this mark.

If your needs are simple--for example, remote access for Windows95 RAS clients--PPTP may be good enough. Perhaps you want to totally outsource your remote access to your ISP and you trust that network. Then L2TP is for you, and it might be very secure once the ISP integrates IPsec. However, if you are tired of the clamoring from your worldwide branch offices, remote users and business partners, then an IPsec-based VPN is the only serious contender for your scarce dollars.

Robert Moskowitz is a software systems specialist at Chrysler Corp., Detroit, Mich., and a member of the Internet Architecture Board (IAB). He can be reached at rgm@htt-consult.com.

Updated September 8, 1997