The OSI Stack Perspective

In principle, the position of a tunnel or VPN technology relative to the OSI stack defines its degree of transparency, its exposure to attacks, its probability of compromise, and its method of accomplishing secrecy or privacy (see Table 11-1).

Table 11-1. VPN Approaches in the OSI Layer Context

OSI Layer    Example Technology
---------    ---------------------------------------------------------------------------------
Layer 1      Dedicated physical circuits (copper, dark/lit fiber), (D)WDM[*], multiplexing (TDM)[**], SDH/SONET[***] circuits
Layer 2      ATM/Frame Relay/VLANs/L2TP/Layer 2 over MPLS (pseudo-wires), BGP/MPLS VPNs
Layer 3      IPSec crypto tunnel, BGP/MPLS VPNs
Layer 4      TCP/UDP user-space tunnel
> Layer 4    Application tunnels

[*] (D)WDM = (dense) wavelength-division multiplexing
[**] TDM = time-division multiplexing
[***] SDH/SONET = Synchronous Digital Hierarchy/Synchronous Optical Network

The underlying data transmission technology has consequences as well, wireless networks being the obvious case: anybody within range can eavesdrop on a conversation carried over a wireless medium. Fiber or high-security ducts (waveguides) cannot easily be compromised without notice, and sniffing becomes more difficult when large bandwidths are involved. Beyond Layer 3, the degree of hostility increases considerably because official IP addresses and transport layer ports are internationally routed and thus reachable. Below Layer 3, physical access to ATM, Frame Relay, or MPLS edge routers, or to Ethernet switch access ports, is necessary to constitute a real threat. Essentially, attacks against telco equipment target either a link or a network element (SDH, ATM, Frame Relay) and are rarely heard of.

It is highly recommended that you read draft-behringer-mpls-security-06.txt, "Analysis of the Security of the MPLS Architecture," to get an idea of how MPLS VPN security compares to trusted Layer 2 VPNs such as ATM or Frame Relay.

Reasons for considering or deploying tunnels include the following:

  • Broadcast and multicast relay requirements

  • IPv6 over IPv4 transport (connecting isolated IPv6 realms)

  • Transport of private addresses (RFC 1918)

  • Transport of non-IP network layer protocols (Internetwork Packet Exchange, IPX)

  • Authentication requirements

  • Dynamic routing protocols

  • Traffic shaping

  • Encryption

  • Mobile IP applications

  • DSL architectures

  • VPN/VPDN deployments
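Two of the reasons above (IPv6 over IPv4 transport and transport of RFC 1918 addresses) are served by plain Layer 3 IP-in-IP encapsulation, and the Layer 3 row of Table 11-1 is where the outer header becomes routable and thus visible to everyone on the transit path. The following example, written for this chapter and not taken from the book or any project, builds such a tunnel packet and then parses it the way a monitor on the public link would: it reads the routable outer endpoints and the encapsulation type, verifies the outer checksum, and reports whether the inner addresses are private (RFC 1918 or IPv6 ULA). All addresses and packets are constructed samples; the header builders are minimal (no options, no extension headers).

```python
import ipaddress
import struct

IPPROTO_IPIP, IPPROTO_IPV6 = 4, 41   # IP protocol numbers: RFC 2003 IPv4-in-IPv4, RFC 4213 IPv6-in-IPv4
TUNNEL_NAMES = {IPPROTO_IPIP: "IPv4-in-IPv4", IPPROTO_IPV6: "IPv6-in-IPv4"}

def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; evaluates to 0 when run over a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def build_ipv6_header(src: str, dst: str, next_header: int, payload_len: int) -> bytes:
    """Fixed 40-byte IPv6 header, used here only to construct sample inner packets."""
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_header, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)

def encapsulate(outer_src: str, outer_dst: str, inner: bytes) -> bytes:
    """Wrap an inner IPv4 or IPv6 packet in an outer IPv4 header (IPIP or 6in4)."""
    proto = IPPROTO_IPIP if inner[0] >> 4 == 4 else IPPROTO_IPV6
    return build_ipv4_header(outer_src, outer_dst, proto, len(inner)) + inner

def describe_tunnel(packet: bytes) -> dict:
    """What a monitor on the public transit link sees: the routable outer endpoints,
    the encapsulation type, and the inner addresses (RFC 1918 / ULA or not)."""
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 header checksum")
    proto = packet[9]
    if proto not in TUNNEL_NAMES:
        raise ValueError("outer protocol %d is not an IP-in-IP tunnel" % proto)
    inner = packet[ihl:]
    if proto == IPPROTO_IPIP:
        src, dst = ipaddress.IPv4Address(inner[12:16]), ipaddress.IPv4Address(inner[16:20])
    else:
        src, dst = ipaddress.IPv6Address(inner[8:24]), ipaddress.IPv6Address(inner[24:40])
    return {"outer_src": str(ipaddress.IPv4Address(packet[12:16])),
            "outer_dst": str(ipaddress.IPv4Address(packet[16:20])),
            "tunnel": TUNNEL_NAMES[proto], "inner_src": str(src), "inner_dst": str(dst),
            "inner_private": src.is_private and dst.is_private}
```

Note that nothing in the outer header hides the inner addresses; only an encrypting tunnel (the IPSec row) does that, and on a transit link the outer protocol number 4 or 41 alone is enough to tell that a tunnel is in use.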