
1.1. Purpose

This book focuses on the technology behind tunneling and virtual private networks (VPNs). The explosive growth of the Internet and the buildout of the underlying infrastructure have led many enterprises to replace their private networks based on leased lines with far cheaper solutions based on the public Internet. Although the cost savings are substantial, using the Internet to carry sensitive information presents serious privacy and security problems. One way of addressing these problems is to create private, virtual networks within the Internet structure. These virtual networks are created by using tunneling, authentication, and encryption to provide a virtual leased line between enterprise networks. Because the traffic flow is encrypted and authenticated, it cannot be read or tampered with by third parties, and thus the virtual network recreates the privacy and security of a leased line.
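To make the "virtual leased line" claim in the paragraph above concrete, here is an added illustration (not code from the book) of the three ingredients it names: an inner packet is tunneled inside an outer payload, encrypted so a third party on the Internet cannot read it, and authenticated so any tampering is detected. The cipher here is an illustrative PRF keystream built from HMAC-SHA256 in counter mode, chosen only because it needs no third-party library; real VPNs use standard suites such as AES-GCM or ChaCha20-Poly1305, and the keys, packet bytes, and sequence-number header layout are all constructed for this example.

```python
import hashlib
import hmac
import struct

# Constructed keys for the example only. A real VPN derives separate
# encryption and authentication keys from a key exchange (e.g. IKE for IPsec).
ENC_KEY = bytes(range(32))
MAC_KEY = bytes(range(32, 64))

# Constructed inner packet: a 20-byte IPv4-style header followed by a payload.
INNER_PACKET = (
    bytes.fromhex("45000021000040004006") + b"\x00\x00"   # ver/IHL, len, flags, TTL, proto
    + bytes([10, 0, 0, 5]) + bytes([10, 0, 1, 7])          # src 10.0.0.5, dst 10.0.1.7
    + b"payroll-data"
)
TAG_LEN = 16   # truncated HMAC tag carried after the ciphertext
SEQ_LEN = 8    # 64-bit sequence number in the clear, as the outer header


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Illustrative keystream: HMAC-SHA256(key, nonce || counter) blocks.
    Stands in for a real VPN cipher; the point is that ciphertext = plaintext XOR keystream."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encapsulate(inner_packet: bytes, seq: int) -> bytes:
    """Build the outer payload: seq || ciphertext || tag (encrypt-then-MAC).
    The tag covers the header too, so neither the data nor the sequence number
    can be altered without detection."""
    header = struct.pack(">Q", seq)
    ciphertext = xor_bytes(inner_packet, keystream(ENC_KEY, header, len(inner_packet)))
    tag = hmac.new(MAC_KEY, header + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    return header + ciphertext + tag


def decapsulate(outer_payload: bytes, last_seq: int) -> tuple[bytes, int]:
    """Verify, replay-check and decrypt. Raises ValueError on any failure,
    so a forged or modified packet never reaches the private network."""
    if len(outer_payload) < SEQ_LEN + TAG_LEN:
        raise ValueError("truncated tunnel packet")
    header = outer_payload[:SEQ_LEN]
    ciphertext = outer_payload[SEQ_LEN:-TAG_LEN]
    tag = outer_payload[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, header + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):      # constant-time comparison
        raise ValueError("authentication failed: packet modified or forged")
    seq = struct.unpack(">Q", header)[0]
    if seq <= last_seq:                               # simple anti-replay window of 1
        raise ValueError("replayed packet")
    return xor_bytes(ciphertext, keystream(ENC_KEY, header, len(ciphertext))), seq


def tamper_detected(outer_payload: bytes, byte_index: int) -> bool:
    """Flip one bit of the outer payload (what an on-path third party could do)
    and report whether the receiver rejects it."""
    modified = bytearray(outer_payload)
    modified[byte_index] ^= 0x01
    try:
        decapsulate(bytes(modified), 0)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    outer = encapsulate(INNER_PACKET, 1)
    print("inner bytes visible in outer payload:", INNER_PACKET in outer)   # False
    inner, seq = decapsulate(outer, 0)
    print("decapsulated ok:", inner == INNER_PACKET, "seq", seq)
    print("ciphertext byte flipped, rejected:", tamper_detected(outer, 20))
    print("sequence byte flipped, rejected:", tamper_detected(outer, 7))
```

Two design points worth noticing: the integrity tag is checked before anything is decrypted or the sequence number is trusted, and the sequence number is bound into the tag so a replayed or reordered outer packet is rejected just like a modified one. Those are the same properties the book later observes on the wire in ESP and similar tunnel protocols.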

The book is intended for software engineers, systems/sales engineers, system administrators, and others who want an in-depth understanding of tunneling and VPN technology. The text provides the background necessary for readers to understand existing VPN implementations, to create their own implementations, and to read the field's advanced literature in an informed way. The text also teaches readers how to read and interpret various network traces, such as those produced by tcpdump, as a way of understanding and troubleshooting VPN and network behavior. Finally, the text can be used as a handbook for those seeking information about the functioning of the protocols that we discuss or the message formats that they use.

Our intent is not to restate the relevant RFCs (Request for Comments) or provide an abstract discussion of tunnels and VPNs, but rather to explore how tunnels and VPNs actually function, by observing their behavior "on the wire." This is accomplished by examining network traces that expose the behavior and packet content of the protocols used in building tunnels and VPNs. This is, of course, the same approach used in Rich Stevens' wonderful TCP/IP Illustrated, Volume 1 [Stevens 1994].

