The network layer in the TCP/IP protocol suite consists of the IP routing system – how reachability information is conveyed from one
point in the network to another. There are a few methods of constructing VPNs within the network layer – each is examined below. A brief
overview of non-IP VPNs is provided in Section 4.0.
It is worth pausing here to draw the distinction between the "peer" and "overlay" VPN models. Simply put, in the "peer" VPN model
the network layer forwarding path is computed on a hop-by-hop basis: each node in the intermediate data transit path is a routing peer
of its next-hop node. Traditional routed networks are examples of the "peer" model, where each router in the network path is a peer
with its next-hop adjacencies. In the "overlay" VPN model, by contrast, the network layer forwarding path is not computed hop-by-hop;
instead, the intermediate link layer network is used as a "cut-through" to another edge node on the far side of a large cloud, so that
the intermediate nodes are invisible at Layer 3. ATM, Frame Relay, and tunneling implementations are examples of the "overlay" model.
Having drawn these simple distinctions between the peer and overlay models, it should be noted that the overlay model introduces some
serious scaling concerns in cases where large numbers of egress peers are required. Each edge node must maintain an adjacency to every
other edge node it can reach directly, so the number of adjacencies per node grows linearly with the number of peers and the total number
of adjacencies in the VPN grows quadratically. The computational and performance overhead required to maintain routing state, adjacency
information, and other detailed packet forwarding and routing information for each of those peers becomes a liability in very large
networks. If every egress node in a cut-through network becomes a peer of every other, in an effort to make all egress nodes one
"Layer 3" hop away from one another, the scalability of the overlay VPN model is limited considerably.
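The following is an added illustration, not part of the original text: a small Python model of the two forwarding models on a constructed provider backbone (the node names CE-A..CE-D, P1..P3 and the link list are hypothetical). It shows that under the peer model an edge node's forwarding path is computed hop by hop across the physical topology while its adjacency count stays fixed, whereas under a full-mesh overlay every edge node is one Layer 3 hop from every other but must carry n-1 tunnel adjacencies, with n(n-1)/2 tunnels in total.

```python
from collections import deque
from itertools import combinations

# Constructed sample topology (hypothetical, for illustration only):
# P1..P3 form the provider core, CE-A..CE-D are customer edge nodes.
BACKBONE_LINKS = [
    ("CE-A", "P1"), ("CE-B", "P1"),
    ("P1", "P2"), ("P2", "P3"),
    ("CE-C", "P3"), ("CE-D", "P3"),
]
EDGE_NODES = ["CE-A", "CE-B", "CE-C", "CE-D"]


def build_graph(links):
    """Undirected adjacency map of the physical (peer-model) topology."""
    graph = {}
    for a, b in links:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def peer_path(graph, src, dst):
    """Peer model: forwarding path computed hop by hop (BFS over physical links).

    Every router on the path is a routing peer of its next hop, so the
    intermediate core routers appear as Layer 3 hops.
    """
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nb in sorted(graph[node]):
            if nb not in prev:
                prev[nb] = node
                queue.append(nb)
    if dst not in prev:
        return None
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


def peer_adjacencies(graph, edges):
    """Peer model: each edge node only maintains adjacencies to its physical neighbours."""
    return {e: len(graph[e]) for e in edges}


def overlay_full_mesh(edges):
    """Overlay model: a cut-through tunnel between every pair of edge nodes.

    Returns the set of tunnels and the per-node adjacency count (n-1 each).
    """
    tunnels = {frozenset(pair) for pair in combinations(edges, 2)}
    per_node = {e: sum(1 for t in tunnels if e in t) for e in edges}
    return tunnels, per_node


def overlay_path(src, dst):
    """Overlay model: the cloud is a single Layer 3 hop; core routers are invisible."""
    return [src, dst]


def total_overlay_tunnels(n_edges):
    """Number of tunnels a full mesh of n edge nodes needs: n(n-1)/2."""
    return n_edges * (n_edges - 1) // 2


if __name__ == "__main__":
    g = build_graph(BACKBONE_LINKS)
    print("peer path   CE-A -> CE-D:", peer_path(g, "CE-A", "CE-D"))
    print("overlay path CE-A -> CE-D:", overlay_path("CE-A", "CE-D"))
    print("peer adjacencies per edge node:", peer_adjacencies(g, EDGE_NODES))
    tunnels, per_node = overlay_full_mesh(EDGE_NODES)
    print("overlay adjacencies per edge node:", per_node, "total tunnels:", len(tunnels))
    for n in (4, 10, 100, 1000):
        print(f"full-mesh overlay with {n} edge nodes needs {total_overlay_tunnels(n)} tunnels")
```

Running the script with 4, 10, 100 and 1000 edge nodes shows the quadratic growth in tunnel state that the text warns about; the peer-model adjacency count of each CE node, by contrast, never changes as edge nodes are added.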