As mobile computing becomes increasingly popular, so does the demand for virtual private network (VPN) access from mobile clients. But an Internet Protocol (IP) VPN ties its tunnel to the client's IP address, and that address changes every time a mobile client moves between networks, so a session-level VPN presents a powerful and attractive alternative. Either way, the biggest challenge is to handle movement between different networks without losing the VPN connection, achieving what's called seamless network roaming. To facilitate such roaming, two concepts must be explored: IP mobility and session mobility.
The obvious IP-level approach for the construction of a wireless VPN is to implement Internet Protocol Security (IPsec) support along with Mobile IP. The strategy is to provide transparency to the transport layer: Mobile IP hides the address changes behind a fixed home address, allowing transport-level connections to survive a network handover. That said, an IP-level approach leaves the responsibility for flow control and session recovery to the transport protocol used, normally TCP, which will still stall or time out while the handover is in progress. The use of IPsec introduces other problems as well, among which the network address translation (NAT) problem is the most serious: a NAT rewrites the very header fields that IPsec's authentication header protects, so authenticated packets arrive corrupt from the receiver's point of view.
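The NAT problem described above, as an added example that is not part of the original article: a constructed simulation in Python of the two IPsec integrity checks. The key, addresses, SPI and payload are made up, and the ICV is simplified to the fields that matter for the argument (AH covers the IP addresses, ESP does not). The example also goes one step beyond the text by showing that ESP's integrity check, unlike AH's, survives the address rewrite.

```python
import hmac
import hashlib
import socket
import struct

# Constructed demo material (assumptions, not real SA parameters):
KEY = b"constructed-demo-integrity-key"


def ah_icv(src, dst, payload, key=KEY):
    """AH integrity check value: the IP header (mutable fields such as TTL and
    checksum zeroed) plus the payload. The addresses are part of the MAC input."""
    covered = socket.inet_aton(src) + socket.inet_aton(dst) + payload
    return hmac.new(key, covered, hashlib.sha256).digest()[:12]  # truncated to 96 bits


def esp_icv(spi, seq, ciphertext, key=KEY):
    """ESP integrity check value: SPI, sequence number and the (here: stand-in)
    encrypted payload. The outer IP header is not covered."""
    covered = struct.pack("!II", spi, seq) + ciphertext
    return hmac.new(key, covered, hashlib.sha256).digest()[:12]


def nat(packet, public_src):
    """Source NAT: rewrite the outer source address, leave everything else alone."""
    return {**packet, "src": public_src}


def receiver_accepts_ah(packet):
    expected = ah_icv(packet["src"], packet["dst"], packet["payload"])
    return hmac.compare_digest(expected, packet["icv"])


def receiver_accepts_esp(packet):
    expected = esp_icv(packet["spi"], packet["seq"], packet["ciphertext"])
    return hmac.compare_digest(expected, packet["icv"])


def nat_demo():
    """Send one AH and one ESP packet directly and through a NAT; report which
    ones the VPN gateway's integrity check accepts."""
    inside, outside, gateway = "10.0.0.5", "203.0.113.7", "198.51.100.1"  # constructed
    payload = b"constructed inner packet"  # stands in for the encrypted payload in ESP

    ah_pkt = {"src": inside, "dst": gateway, "payload": payload,
              "icv": ah_icv(inside, gateway, payload)}
    esp_pkt = {"src": inside, "dst": gateway, "spi": 0x1234, "seq": 1,
               "ciphertext": payload, "icv": esp_icv(0x1234, 1, payload)}

    return {
        "ah_direct": receiver_accepts_ah(ah_pkt),
        "ah_via_nat": receiver_accepts_ah(nat(ah_pkt, outside)),
        "esp_direct": receiver_accepts_esp(esp_pkt),
        "esp_via_nat": receiver_accepts_esp(nat(esp_pkt, outside)),
    }


if __name__ == "__main__":
    for name, ok in nat_demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The AH packet is rejected after the NAT because the source address it authenticated no longer matches the one on the wire; the ESP packet passes because its check covers only the ESP portion. ESP is still not NAT-clean in practice: in transport mode the inner TCP or UDP checksum was computed over the original addresses and the NAT cannot fix it inside the encrypted payload, and the NAT cannot track ESP flows by port. UDP encapsulation of ESP (NAT traversal, RFC 3948) is the usual workaround.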
A session-level solution implements VPN and mobility functions at the session layer, as the name suggests. No attempt is made to keep transport-level connections alive during network roaming. Instead, the session layer keeps the state that matters (the client's identity, the session keys and the position in the data stream) and relies on its own recovery mechanisms to re-establish a fresh transport connection quickly and resume where the session left off. A schematic overview of where in the protocol stack VPN and roaming functionality is implemented in an IP VPN and a session-level VPN, respectively, is shown (see figure).
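The session-level recovery path described above, as an added example that is not part of the original article: a constructed, in-memory Python simulation in which the transport connection is disposable and the session (session identifier, session key, sequence state) survives a handover. The transport class, the message layout and the challenge-response used to authenticate the resume are assumptions made for the illustration, not the mechanism of any particular product.

```python
import hmac
import hashlib
import secrets


class Transport:
    """Stand-in for one TCP connection (constructed). A handover kills it;
    nothing below the session layer tries to keep it alive."""

    def __init__(self):
        self.alive = True

    def send(self, frame):
        if not self.alive:
            raise ConnectionError("transport connection lost")
        return frame


class SessionServer:
    """VPN gateway side: session state is keyed by session id, not by transport."""

    def __init__(self):
        self.sessions = {}

    def open(self):
        sid = secrets.token_hex(8)
        key = secrets.token_bytes(32)  # session key; in a real VPN derived at authentication
        self.sessions[sid] = {"key": key, "next_seq": 0, "data": [], "nonce": None}
        return sid, key

    def deliver(self, sid, seq, data):
        """Accept one sequenced record. A replay of an already received record
        (retransmitted because its ack was lost) is dropped, not applied twice."""
        st = self.sessions[sid]
        if seq == st["next_seq"]:
            st["data"].append(data)
            st["next_seq"] += 1
        return st["next_seq"]  # cumulative ack: everything below has been received

    def challenge(self, sid):
        st = self.sessions[sid]
        st["nonce"] = secrets.token_bytes(16)
        return st["nonce"]

    def resume(self, sid, proof):
        """Bind the session to a new transport only if the client proves it holds
        the session key; otherwise the recovery path would allow session hijacking."""
        st = self.sessions[sid]
        expected = hmac.new(st["key"], b"resume" + st["nonce"], hashlib.sha256).digest()
        st["nonce"] = None  # one-shot challenge, so a captured proof cannot be replayed
        if not hmac.compare_digest(expected, proof):
            raise PermissionError("resume rejected")
        return st["next_seq"]

    def received(self, sid):
        return list(self.sessions[sid]["data"])


class SessionClient:
    def __init__(self, server):
        self.server = server
        self.sid, self.key = server.open()
        self.transport = Transport()
        self.next_seq = 0
        self.unacked = []  # (seq, data) records not yet covered by a cumulative ack
        self.reconnects = 0

    def send(self, data):
        self.unacked.append((self.next_seq, data))
        self.next_seq += 1
        self._flush()

    def _flush(self):
        try:
            for seq, data in list(self.unacked):
                self.transport.send((self.sid, seq, data))
                acked = self.server.deliver(self.sid, seq, data)
                self.unacked = [(s, d) for s, d in self.unacked if s >= acked]
        except ConnectionError:
            self._reconnect()
            self._flush()  # retransmit whatever the server has not acknowledged

    def handover(self):
        """Client moved to another network: the old address, and with it the
        old TCP connection, is gone."""
        self.transport.alive = False

    def _reconnect(self):
        self.reconnects += 1
        self.transport = Transport()  # fresh transport from the new address
        nonce = self.server.challenge(self.sid)
        proof = hmac.new(self.key, b"resume" + nonce, hashlib.sha256).digest()
        acked = self.server.resume(self.sid, proof)
        self.unacked = [(s, d) for s, d in self.unacked if s >= acked]


def roaming_demo():
    """Two records, a handover (say Wi-Fi to cellular), one more record."""
    server = SessionServer()
    client = SessionClient(server)
    client.send(b"record-0")
    client.send(b"record-1")
    client.handover()
    client.send(b"record-2")  # transport fails, session resumes, record delivered once
    return server.received(client.sid), client.reconnects
```

The point of the simulation is what is not there: no attempt to preserve the TCP connection across the address change. The server's sequence numbers let the client retransmit safely after a resume, and the challenge-response on resume is what keeps the reconnection from becoming the easiest way to take over someone else's session.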
Session and IP comparison
A wireless VPN must provide at least the same level of security as traditional wireline VPNs. Sensitive data is transmitted over public, insecure networks, which are fully accessible to third parties. Enterprise VPN solutions rely on their security mechanisms to provide confidentiality, data integrity and authentication. If any of these mechanisms fails, the VPN is open to attack. A wireless VPN has one additional obligation: every reconnection after a handover must be authenticated as strictly as the initial login, or the recovery path itself becomes the weakest point.