1. Home
  2. Networking
  3. Integrated cisco and unix network architectures

The OSI Stack Perspective

In principle, the position of a tunnel or VPN technology relative to the OSI stack defines its degree of transparency, exposure to attacks, probability for compromise, and method for accomplishing secrecy or privacy (see Table 11-1).

Table 11-1. VPN Approaches in the OSI Layer Context

OSI Layer

Example Technology

Layer 1

Dedicated physical circuits (copper, dark/lit fiber), (D)WDM[*], multiplexing (TDM)[**], SDH/SONET[***] circuits

Layer 2

ATM/Frame Relay/VLANs/L2TP/Layer 2 over MPLS (pseudo-wires), BGP/MPLS VPNs

Layer 3

IPSec crypto tunnel, BGP/MPLS VPNs

Layer 4

TCP/UDP user-space tunnel

> Layer 4

Application tunnels


[*] (D)WDM = (dense) wavelength-division multiplexing

[**] TDM = Time-Division Multiplexing

[***] SDH/SONET = Synchronous Digital Hierarchy/Synchronous Optical Network

The data transmission technology has consequences such as in wireless networks. In this particular case, anybody can eavesdrop on a conversation over wireless realms. Fiber or high-security ducts (waveguides) cannot easily be compromised without notice. Sniffing becomes more difficult when large bandwidths are involved. Beyond Layer 3, the degree of hostility considerably increases because of internationally routed and thus reachable official IP addresses and transport layer ports. Below Layer 3, physical access to ATM, Frame Relay, MPLS edge routers, or Ethernet switch access ports is necessary to constitute real threats. Essentially, attacks against telco equipment can target either a link or a network element (SDH, ATM, Frame Relay) and are rarely heard of.

It is highly recommended that you read draft-behringer-mpls-security-06.txt, "Analysis of the Security of the MPLS Architecture" (http://www.ietf.org/internet-drafts/draft-behringer-mpls-security-06.txt), to get an idea about how MPLS VPN security compares to trusted Layer 2 VPNs such as ATM or Frame Relay.

Reasons for considering or deploying tunnels include the following:

  • Broadcast and multicast relay requirements

  • IPv6 over IPv4 transport (connecting isolated IPv6 realms)

  • Transport of private addresses (RFC 1918)

  • Transport of non-IP network layer protocols (Internetwork Packet Exchange, IPX)

  • Authentication requirements

  • Dynamic routing protocols

  • Traffic shaping

  • Encryption

  • Mobile IP applications

  • DSL architectures

  • VPN/VPDN deployments



    		Command Syntax Conventions
    		Chapter 1. Operating System Issues and Features-The Big Picture
    		Chapter 2. User-Space Routing Software
    		Chapter 3. Kernel Requirements for a Full-Featured Lab
    		Chapter 4. Gateway WAN/Metro Interfaces
    		Chapter 5. Ethernet and VLANs
    		Chapter 6. The Analyzer Toolbox, DHCP, and CDP
    		Chapter 7. The UNIX Routing and ARP Tables
    		Chapter 8. Static Routing Concepts
    		Chapter 9. Dynamic Routing Protocols-Interior Gateway Protocols
    		Chapter 10. ISP Connectivity with BGPv4-An Exterior Gateway Path-Vector Routing Protocol for Interdomain Routing
    		Chapter 11. VPN Technologies, Tunnel Interfaces, and Architectures
    		The Rationale for Tunnels in Routing Environments
    		The VPNC Concept of VPNs
    		The OSI Stack Perspective
    		Internet, Intranet, and Extranet Terminology
    		IP-IP Tunnel
    		Generic Router Encapsulation (GRE) Tunnel
    		Special Multicast and IPv6 Tunneling (RFC 2473, RFC 3053)
    		Cisco L2F (Layer 2 Forwarding)
    		PPTP (Point-to-Point Tunnel Protocol)
    		L2TP (Layer 2 Tunnel Protocol)
    		Mobile IP
    		User-Space Tunneling
    		IPSec Foundation
    		General Tunnel and Specific IPSec Caveats
    		Advice About IPSec Lab Scenarios
    		Road-Warrior Scenarios (Road Warrior-to-OpenBSD/FreeBSD Gateway with IKE)
    		Dynamic Routing Protocols over Point-to-Point Tunnels-Transparent Infrastructure VPN
    		Summary
    		Recommended Reading
    		Endnotes
    		Chapter 12. Designing for High Availability
    		Chapter 13. Policy Routing, Bandwidth Management, and QoS
    		Chapter 14. Multicast Architectures
    		Chapter 15. Network Address Translation
    		Appendix A. UNIX Kernel Configuration Files
    		Appendix B. The FreeBSD Netgraph Facility