Overview of VPN Technologies
It is difficult to define precisely what constitutes a virtual private network (VPN) because the term means different things to different people. To some people, separation of their traffic on a network is sufficient to call it "private"; others expect encryption when they hear the word "private." The opposite case seems clearer: a private network is, strictly speaking, completely separate from other networks. Of course, by this definition almost any network invented after Samuel Morse's telegraph system of 1837 would be a virtual network. Today's "private" leased lines, for example, use a shared SONET or Synchronous Digital Hierarchy (SDH) infrastructure, and the physical lines or fibers carry many different "private" networks.
For any practical discussion of MPLS, ATM, Frame Relay, and other VPN technologies, operators today regard services delivered over SONET or SDH as private, because separation on these carrier technologies is so effective that users cannot detect that the core fibers are shared.
VPNs thus exist in many different forms and have been classified in a variety of ways. All of these classifications exist because of different user requirements. VPN technologies can also be nested: within an existing VPN such as a company intranet, further and more specific VPNs can be defined.
The criteria that distinguish VPN technologies from each other include the following:
Today, most MPLS VPN deployments use private infrastructure. The Internet is used within a core only in exceptional cases. Many deployments use Internet-based technologies such as IPsec to connect to a PE from the outside. So while the access to the MPLS VPN core is often Internet based, the core itself is usually built on private infrastructure.
VPN technologies can only be judged in the context in which they are used. There is no universally valid definition of "good" or "bad" VPN services. For a small public organization with a few widely dispersed offices, it might be perfectly acceptable to use a simple tunneling technique, such as GRE or IP-in-IP, to interconnect sites over the public Internet. For larger companies, this type of VPN would be harder to manage for scalability reasons; they might prefer MPLS-based VPNs to keep their network simpler and easier to manage. For organizations dealing with secret information, confidentiality would be essential, and they would use an encrypting VPN technology such as IPsec.
Several VPN technologies can be used together in one common solution. This is done where different technologies address different needs. For example, IPsec VPNs can be used on top of an MPLS VPN. This type of architecture is not necessarily redundant: IPsec might be chosen because there is a need for confidentiality on the data path. Many European countries, for example, require by law that personal data be encrypted over any public data network, and this is often addressed by using IPsec. However, the organization still requires connectivity between its sites for its IPsec traffic to pass between the offices. This could be provided over the public Internet, but also over ATM, Frame Relay VPN services, or MPLS. Each of these options has its advantages and disadvantages, but MPLS VPN services have often been chosen in the past because of consistent service guarantees that are not available on the public Internet, as well as prices that are often better than those of other VPN technologies.
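As an added illustration of the two points made above, that a simple tunneling technique such as GRE separates traffic but gives no confidentiality, and that confidentiality on the data path is the reason to layer IPsec on top of a GRE, MPLS, or Internet transport, the following Python script (added here, not taken from the book) builds a GRE-in-IPv4 packet with the RFC 2784/2890 header layout and then parses it exactly as anyone who captures it on the path could. The site addresses (RFC 5737 documentation ranges), the tunnel key, and the record payload are constructed sample values; the parser checks the IPv4 version and header checksum and the GRE version and flag bits before trusting the offsets.

```python
import struct
import ipaddress

# Protocol numbers and GRE flag bits (RFC 2784 / RFC 2890)
IPPROTO_GRE = 47
ETHERTYPE_IPV4 = 0x0800
GRE_FLAG_C = 0x8000  # checksum present
GRE_FLAG_K = 0x2000  # key present (RFC 2890)
GRE_FLAG_S = 0x1000  # sequence number present (RFC 2890)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header; 0 when a received header verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a minimal IPv4 packet (no options) with a correct header checksum."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(packet: bytes) -> dict:
    """Parse an IPv4 header; rejects wrong versions, short packets and bad checksums."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    total_len, = struct.unpack("!H", packet[2:4])
    return {
        "src": str(ipaddress.IPv4Address(packet[12:16])),
        "dst": str(ipaddress.IPv4Address(packet[16:20])),
        "proto": packet[9],
        "payload": packet[ihl:total_len],
    }


def gre_encapsulate(inner: bytes, outer_src: str, outer_dst: str, key=None) -> bytes:
    """Wrap an inner IPv4 packet in a GRE header inside an outer IPv4 packet."""
    flags, optional = 0, b""
    if key is not None:
        flags |= GRE_FLAG_K
        optional = struct.pack("!I", key)
    gre = struct.pack("!HH", flags, ETHERTYPE_IPV4) + optional + inner
    return build_ipv4(outer_src, outer_dst, IPPROTO_GRE, gre)


def gre_decapsulate(packet: bytes) -> dict:
    """Strip the outer IPv4 and GRE headers and return outer, key and inner views."""
    outer = parse_ipv4(packet)
    if outer["proto"] != IPPROTO_GRE:
        raise ValueError("outer packet is not GRE")
    gre = outer["payload"]
    flags, ptype = struct.unpack("!HH", gre[:4])
    if flags & 0x0007:  # GRE version field must be 0
        raise ValueError("unsupported GRE version")
    offset, key = 4, None
    if flags & GRE_FLAG_C:
        offset += 4  # checksum + reserved1
    if flags & GRE_FLAG_K:
        key, = struct.unpack("!I", gre[offset:offset + 4])
        offset += 4
    if flags & GRE_FLAG_S:
        offset += 4  # sequence number, not needed here
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unsupported encapsulated protocol 0x%04x" % ptype)
    return {"outer": outer, "key": key, "inner": parse_ipv4(gre[offset:])}


def on_path_view(packet: bytes) -> dict:
    """What anyone capturing the packet between the two sites can read: everything."""
    d = gre_decapsulate(packet)
    return {
        "tunnel": (d["outer"]["src"], d["outer"]["dst"]),
        "inner_src": d["inner"]["src"],
        "inner_dst": d["inner"]["dst"],
        "cleartext": d["inner"]["payload"],
    }


# Constructed sample: site A (10.1.0.0/16) sends a personal-data record to site B
# (10.2.0.0/16) through a GRE tunnel between the sites' public addresses.
# Protocol 253 is the RFC 3692 experimental number, used so no transport header is needed.
SAMPLE_RECORD = b"employee=J.Doe;salary=52000"
SAMPLE_INNER = build_ipv4("10.1.0.5", "10.2.0.7", 253, SAMPLE_RECORD)
SAMPLE_TUNNELED = gre_encapsulate(SAMPLE_INNER, "198.51.100.1", "203.0.113.1", key=0x2A)

if __name__ == "__main__":
    print(on_path_view(SAMPLE_TUNNELED))
```

The `on_path_view` result is the point: the GRE key and the outer addresses separate this tunnel from others sharing the same transport, but the private addresses and the record itself are readable by every hop. That is exactly the gap an encrypting layer such as IPsec ESP closes, which is why the book describes IPsec over MPLS as complementary rather than redundant.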