Talk:Virtual private network

From Wikipedia, the free encyclopedia



clarification

At the early stage, this page was about the technical details of VPN. I thought it should be more readable to general readers, and then I partitioned it into sections and made titles for them. So feel free to improve the structure.

I added the "Authentication Mechanism" section, trying to explain "how does VPN work" as 65.213.77.129 was concerned. But maybe it still seemed to be confusing. Now I have just made a little bit of correction. Chenghui 01:19, 18 December 2005 (UTC)

Comments

As an introduction, it works fine.


Better Introduction?

It basically introduces the concept by saying that a VPN is a private network used to communicate over a public network. That's not very clear. It is something that allows people to communicate privately over a public network, but what? The article elaborates fairly clearly, but never comes out and says what a VPN is. Is it a subnetwork? Is it really a network? Maybe it is the use of a public network for private data transmission. --BK 65.213.77.129 12:59, 18 October 2005 (UTC)


"Authentication Mechanism"

I think this section definitely needs rewriting:

Generally, a firewall sits between a remote user's workstation or client and the host network or server.

This statement seems to be incorrect. My understanding is that a firewall generally sits between a private network and the internet. The Wikipedia article on firewalls elaborates on this with reference to "zones of trust" (a private network being one, the internet being another).

You are not considering the explanation's context. Of course it would not be precise as a stand-alone sentence, but it is coherent thanks to the "two parts" described in the section's beginning. --M. B., Jr. 20:06, 4 July 2006 (UTC)

The firewall may pass authentication data to an authentication service in a host network. A known trusted person with privileged access, sometimes only using trusted devices, can be allowed to access resources not available to general users. That's why the user feels that the network is private, even though it is not.

Not sure what to make of this.


"Many VPN client programs can be configured to require that all IP traffic must pass through the tunnel while the VPN is active, for better security." Where does this help security? I can understand blocking routing to a tunneled interface, but blocking all non-tunneled IP traffic is just going to be a nuisance. If the worry is about confidential files being accessed from the client computer, blocking non-tunneled traffic won't help because the files will still be there when the tunnel closes. And it doesn't do anything about non-IP communications. I suspect this configuration option came about by creative marketing of a VPN implementation that couldn't coexist with non-tunneled traffic. This whole piece should be removed (or at least change "for better security" to "in a vain attempt at better security") unless there is a demonstrable security concern that is really addressed by this restriction. -- Dan Oetting 17:14 13 April 2006 (UTC)

Perhaps reducing (not removing) the sarcastic remark (1) as well as the inappropriate joke (2) and being more specific would infer a higher quality to this section. Examples:

  1. "sometimes it is not always the case" (besides being redundant: sometimes = not always)
  2. "the internet is the biggest 'jungle'"

--M. B., Jr. 20:06, 4 July 2006 (UTC)

Introduction

What about this?

A Virtual Private Network or VPN is an extension of a Local Area Network allowing distant nodes reachable via a Wide Area Network (i.e. the Internet) to behave (logically) as if they were connected directly to the LAN. A VPN is often used by companies or organizations to make distant workers or agencies seamlessly integrated into the same network.


Etiquette?

I'm not sure what the etiquette is here for doing a complete rewrite of an entire entry. The current article is a mess. I am able and willing to do the rewrite (I'm the director of the VPN Consortium, www.vpnc.org), but some might consider that to be overboard. How does one proceed on a page that needs a major overhaul? (by Paulehoffman)

Essentially, dive in and Wikipedia:Be bold. Please do! — Matt Crypto 13:23, 13 December 2005 (UTC)
I think that almost everything will be better than what is there now. countryhacker 19:50, 15 December 2005 (UTC)

SSL VPN

I would consider changing the existing (bolded) comment. "SSL used either for tunneling the entire network stack, such as in OpenVPN, or for securing what is essentially a web proxy. Although the latter is often called a "SSL VPN" by VPN vendors, it is not really a fully-fledged VPN." There are now true SSL VPN implementations; I use Terminal Services through one now. The vendor of this version is a company called F5 Networks. This is the info on it. [1] The comment that "it is not really a fully-fledged VPN." is an opinion. VPN is being done over/through SSL.


Forgive me if I'm misunderstanding, but the product you mention appears to work as a web proxy as described above. See the data sheet on it. [2]: "F5’s FirePass® SSL VPN appliance provides secure access to corporate applications and data using a standard web browser." This is a method of wrapping traffic through HTTPS using a proxy, which may have the same effect as a VPN, but is not an actual virtual private network - just a secure means of accessing network content. To qualify as an actual VPN, it would need to encrypt the actual network traffic itself, such as PPP-over-SSL. This is possible, but not the same thing advertised by many network appliance vendors, like the one above.
--Jordan W 22:59, 4 May 2006 (UTC)

"tunneling" vs. "port forwarding"

Is "tunneling" really synonymous with "port forwarding?" Port forwarding would seem to imply TCP or UDP. Lower-level protocols, e.g. Ethernet and IP, can also be tunneled, and as far as I know, neither of those protocols has the "port" notion. The port forwarding article seems to be about TCP/UDP, although it never explicitly says that. —Fleminra 22:06, 24 March 2006 (UTC)

You are correct to doubt. Tunneling is the encapsulation of one sort of protocol traffic within another. The result is necessarily gibberish (and lots of errors) to the outer protocol stack. Port forwarding involves no such 'tampering' with content. If the tampering is cryptographic, intended to be gibberish to any listener save the intended (with the proper keys and such), then the tunneling might be termed a VPN. Actually, there is much additional scaffolding required (e.g., key exchange, authentication, integrity checking, ...); see the RFCs concerned with IPSec. Though they are more complex than absolutely required, as they include network-to-network VPN operation as well as end-to-end VPN methods.
No logical connection, but often travel together in practice. ww 09:05, 26 March 2006 (UTC)
FWIW, port forwarding as implemented by OpenSSH would seem to qualify as tunneling, but of course port forwarding as implemented in the Linux kernel (iptables) would not. So port forwarding may be one application of tunneling, or in other words, tunneling is just one implementation choice for port forwarding. Anyway, I just thought I'd mention it here before changing the article (currently reads "Tunneling, also known as port forwarding …").
For the sake of argument, it seems to me that not all tunneling involves lots of errors. AFAIK, most VPN techniques work on the IP/TCP/UDP level, where there is no presumed payload protocol (in this sense, all encapsulation — TCP over IP, IP over Ethernet — involves gibberish w.r.t. the outer protocol). Only the subversive IP-over-DNS, IP-over-ICMP, etc. would be generating traffic that is likely to violate some RFC. —Fleminra 20:09, 27 March 2006 (UTC)
My mistake in the wording re errors. What I had in mind is that, having originated with some other protocol, an attempt by a different protocol to make sense of the content will generate errors. If the content is merely data, the different protocol won't actually look at the data, so no errors. I agree that the bald equating of tunneling with port forwarding is off base, seriously and misleadingly.
As for the example cited about port forwarding being a sort of tunneling, this raises a somewhat important linguistic point. When a term is used sufficiently often, differently than it once had been, meanings shift. When a new term -- originating in technical work where precision is vital (and achievable) -- is so treated, what should we do? I think that clarity of concept should be the overriding concern, not the general pattern of linguistic drift so evident in English and perhaps all languages. The glottochronology folks claim there is drift in the meaning of even the most common, non-technical words.
In this instance, I would suggest that the example is one of a port-forwarded tunneling protocol, not mere port-forwarding. ww 20:30, 29 September 2006 (UTC)
Actually, I'm not sure I agree with the basic definition of "tunneling" in the article. I would say that tunneling is protocol encapsulation where the encapsulated protocol is not a lower level protocol (OSI) than the encapsulating protocol. E.g.:
Not tunneling: IP over Ethernet; TCP over IP; UDP over IP; DNS over UDP
Tunneling: Ethernet over IP; Ethernet over UDP; Ethernet over TCP; TCP over UDP; IP over DNS
And that encryption, private vs. public, corporate vs. non-corporate are not broadly relevant. —Fleminra 20:29, 27 March 2006 (UTC)
I'd agree with the distinction you make re tunneling not being a lower level protocol carried on a higher one. Perhaps carrying would be an appropriate term for this in distinction to tunneling? I'd suggest you be bold and include this refinement in the article. ww 20:30, 29 September 2006 (UTC)

Mentioning CIPE with Tinc and their vulnerabilities

This famous article by Peter Gutmann (search Google for <gutmann cipe>) http://diswww.mit.edu/bloom-picayune/crypto/14238

should be at least mentioned by the article. It talks about CIPE, vtun and tinc; of the three, CIPE is the most widespread from what I've heard and understood; however, the page only mentions tinc; it should instead also mention CIPE and note about their without talking of its possible vulnerabilities, some are also acknowledged by the tinc authors themselves:

http://www.tinc-vpn.org/security

I was especially astonished in finding no specific entry about CIPE in Wikipedia (and no, I've not the time or the knowledge to write it, sorry). Blaisorblade 23:56, 19 April 2006 (UTC)

It's now a red link, so someone may notice. I've not the time to create the article either. ww 20:32, 29 September 2006 (UTC)

Concerning WASTE

After reading over the WASTE Wiki and official site, I disagree that it should be in the See Also section. It appears to act similar to IRC rather than a VPN program. It talks about being a way for peers to exchange text and downloads, but doesn't actually talk about creating a P2P VPN.

Cr0w 15:00, 23 May 2006 (UTC)

RE: Concerning WASTE

I agree with cr0w on this. WASTE does not seem to actually create a network connection with another computer, it acts more as a peer-to-peer file-sharing/messaging app. Jstone123 13:18, 24 May 2006 (UTC)

clear opacity: meaning concealment successful!

The current authentication section, both paragraphs, has tortured syntax, confused if not entirely opaque meaning, and fails to meet any reasonable standard for WP even for such an inherently twisty topic (for the Average Reader) as VPNs. I'm part of the choir here, and if one objects that the Average Reader shouldn't be expected to follow this (akin to some mathematics articles, for instance), the argument fails since I can't make much sense of this. I find my speculation as to what might have been meant to be most of what I take from reading this, especially the 1st para.

Additionally, as the first section of an article, it fails entirely to help build a structure in the reader's mind which can help with succeeding more complex material. Altogether, I suggest that this section be dumped entirely. Or, whoever claims to understand it, rewrite it with clarity uppermost in mind.

I'll try to come back here in a few days to see what's happened, and if there's been little improvement, will attempt a major rewrite. Or, at least, I'll try to remember to do so. ww 13:25, 25 May 2006 (UTC)

Layer 2/3

Shouldn't there be a section about layer 2 vs. layer 3 VPNs? What do others think on this? Relevant? Danielcohn 18:20, 8 June 2006 (UTC)

Hamachi: snakeoil crypto checklist test to be passed

Until it can be demonstrated that Hamachi is secure by the criteria of http://www.schneier.com/crypto-gram-9902.html#snakeoil I'll take out the link to Hamachi as it suggests that it is up to the same security standards as regular VPNs.

VPN connections

It seems that the main article is missing some crucial points:

1) VPN does not relate only to remote users accessing a network but also provides connection between two routers (gateway-to-gateway connection) or two users;

2) VPN can also be established between two VPN-firewalls;

--Rygar81 22:39, 16 July 2006 (UTC)

Subjective statements in Characteristics in application

The "Characteristics in application" part of the article says:

A well-designed VPN can provide great benefits for an organization. It can:

  • Extend geographic connectivity.
  • Improve security where data lines have not been ciphered.
  • Reduce operational costs versus traditional WAN.
  • Reduce transit time and transportation costs for remote users.
  • Simplify network topology in certain scenarios.
  • Provide global networking opportunities.
  • Provide telecommuter support.
  • Provide broadband networking compatibility.
  • Provide faster ROI (return on investment) than traditional carrier leased/owned WAN lines.
  • Show a good economy of scale.
  • Scale well, when used with a public key infrastructure.

The statements I selected in bold text are examples of subjective judgments from my point of view. Should these phrases come with citations? Should they be deleted?

Negrulio 19:34, 25 September 2006 (UTC)
N, Not every WP statement requires citation. In this case, each of the points is self-evident (if partially redundant) and so needn't be revised. Perhaps the missing bit is a more complete explanation of why these points are essentially self-evident? ww 04:25, 26 September 2006 (UTC)
I agree that "Not every WP statement requires citation". Nevertheless, some of these phrases would need links to concepts such as "economy of scale". I will also add that the phrase "Reduce operational costs versus traditional WAN" still doesn't make sense to me. --Negrulio 17:28, 26 September 2006 (UTC)
N, Contrast the costs and personnel required to manage leased lines and special (one-off or small user community amortization) software with using a VPN over an existing network which (for others' reasons) goes 'everywhere'. The latter is cheaper and easier, though all VPN implementations require considerable caution in selection and operation lest they fail silently but spectacularly. In contrast, leased lines have some (not enough, of course) physical security. ww 17:33, 26 September 2006 (UTC)

Redundancy in Authentication

This article incurs in redundancy when explaining what Authentication is in VPN security dialogs, doesn't it? This matter is already explained in the Authentication wiki article. --Negrulio 19:48, 25 September 2006 (UTC)

N, Again, I'd counsel caution. The object here is not maximum parsimony of phrase, but rather intelligibility for the reader. In this case, we must avoid the assumption that the reader is a crypto or security expert (since many readers of a general encyclopedia will not be) and so keep an eye on intelligibility foremost. I don't think much need be changed here. ww 04:28, 26 September 2006 (UTC)
I think the intelligibility for the reader is achieved by linking the [perhaps new (for the reader)] concept with its appropriate article, not by duplicating parts of the [perhaps new] concept's article in this section.
If every article were to follow the rule you have proposed, WP would end with many different versions of the same concepts. --Negrulio 17:22, 26 September 2006 (UTC)
N, It is indeed true that WP can be arranged as you suggest. But this requires the Gentle Reader to flit from hither to yon and assemble an understanding of a subject by welding together those assorted and separated accounts. This is an uncommon talent, especially for technical material like this, and so this structure will be an impediment to the Gentle Reader's understanding.
I have objected, on just these grounds, to such approaches in several other subject areas ranging from history (Attack on Pearl Harbor) to cryptography to information theory to diabetes mellitus. We are writing an encyclopedia here, and the effort will be pointless if what we end up with raises unnecessary (and high) barriers for our Gentle Readers -- most of whom must be expected to be non-experts in technical fields. Else why would they be reading an article on a technical subject in a general encyclopedia?
Your objection, that there might be several accounts of the same topic if WP adopts a policy of duplicating content in various articles, is well taken. But I would observe that it is the duty of editors here to defang that slay that particular monster (hydra-headed though it be) as part of their responsibilities here. To their Readers, recall.
Optimization is a very tempting goal, but I am very strongly convinced that -- with humans involved -- it's unattainable. Sanger is trying to optimize article quality (i.e., authoritativeness) in an improved version of WP (or a return to the ideals of Nupedia) and I think he will fail for the same reasons your suggested approach is untenable. ww 17:46, 26 September 2006 (UTC)

VPDN

Could add a link to VPDN or put short info here. Zephyr103 07:12, 12 December 2006 (UTC)