VPNs Illustrated: Tunnels, VPNs, and IPsec Review by Richard Bejtlich

Packet-oriented, detail-rich book on VPNs

VPNs Illustrated is a great book for those wishing to understand network traffic at the packet level. Author Jon C. Snader was inspired by the earlier TCP/IP Illustrated volumes, and tries to reproduce the Tcpdump-style material found in Stevens' classics. The level of detail found in VPNs Illustrated easily outweighs any problems this book might suffer, so I recommend you read it for in-depth knowledge of VPN traffic.

The book is divided into three parts. Of these, I found Part I ("Background") to be of questionable value. The introduction (ch 1) should not have been a chapter, and ch 2 ("TCP/IP Overview") should be replaced by a reference to existing volumes on TCP/IP. The crypto overview (ch 3) could also be replaced by a reference to other books, although as a non-crypto guy I found it a helpful refresher. The last chapter in part 1 finally gets to more subject-specific information, covering PPP, IP-in-IP, PPPoE, GRE, PPTP, L2TP, and MPLS tunnels. I really liked reading the author's criticisms of certain protocols like PPTP and L2TP. He should have included Tcpdump traces of MPLS, since the other protocols featured packet data.
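The packet-level view the review praises is easy to reproduce for two of the tunnel formats in chapter 4. As an added example (this is not code from the book or from the review; the sample packets are constructed, not captured, and outer IPv4 checksums are left at zero and not verified), here is a small decapsulator for IP-in-IP (RFC 2003) and GRE (RFC 2784, with the RFC 2890 key and sequence extensions):

```python
"""Tunnel decapsulation for IP-in-IP (RFC 2003) and GRE (RFC 2784 / RFC 2890).

Added example; the sample packets below are constructed, not captured.
Outer IPv4 checksums and the optional GRE checksum are not verified here.
"""
import struct
from ipaddress import IPv4Address

IPPROTO_IPIP = 4    # outer IP protocol number for IP-in-IP
IPPROTO_GRE = 47    # outer IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800

# GRE flag bits in the first header byte (C R K S, high to low)
GRE_FLAG_C = 0x80   # checksum + reserved1 present (RFC 2784)
GRE_FLAG_K = 0x20   # key present (RFC 2890)
GRE_FLAG_S = 0x10   # sequence number present (RFC 2890)


def parse_ipv4(data: bytes):
    """Return (header_dict, payload) for an IPv4 packet; validates version and IHL."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl or len(data) < total_len:
        raise ValueError("inconsistent IPv4 length fields")
    hdr = {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
           "proto": proto, "ttl": ttl, "total_len": total_len}
    return hdr, data[ihl:total_len]


def parse_gre(data: bytes):
    """Return (fields, payload) for a GRE version 0 header."""
    if len(data) < 4:
        raise ValueError("truncated GRE header")
    flags, ver_byte, proto = struct.unpack("!BBH", data[:4])
    version = ver_byte & 0x07
    if version != 0:
        # Version 1 is PPTP's "enhanced GRE" (RFC 2637), a different layout.
        raise ValueError(f"unsupported GRE version {version}")
    need = (4 + 4 * bool(flags & GRE_FLAG_C) + 4 * bool(flags & GRE_FLAG_K)
            + 4 * bool(flags & GRE_FLAG_S))
    if len(data) < need:
        raise ValueError("truncated GRE optional fields")
    fields = {"proto": proto, "checksum": None, "key": None, "seq": None}
    off = 4
    if flags & GRE_FLAG_C:
        fields["checksum"] = struct.unpack("!H", data[off:off + 2])[0]
        off += 4  # 16-bit checksum followed by 16 reserved bits
    if flags & GRE_FLAG_K:
        fields["key"] = struct.unpack("!I", data[off:off + 4])[0]
        off += 4
    if flags & GRE_FLAG_S:
        fields["seq"] = struct.unpack("!I", data[off:off + 4])[0]
        off += 4
    return fields, data[off:]


def decapsulate(packet: bytes):
    """Strip one tunnel layer and describe the outer, tunnel and inner headers."""
    outer, payload = parse_ipv4(packet)
    if outer["proto"] == IPPROTO_IPIP:
        inner, _ = parse_ipv4(payload)
        return {"tunnel": "IP-in-IP", "outer": outer, "gre": None, "inner": inner}
    if outer["proto"] == IPPROTO_GRE:
        gre, inner_bytes = parse_gre(payload)
        if gre["proto"] != ETHERTYPE_IPV4:
            raise ValueError(f"GRE payload protocol 0x{gre['proto']:04x} not handled")
        inner, _ = parse_ipv4(inner_bytes)
        return {"tunnel": "GRE", "outer": outer, "gre": gre, "inner": inner}
    raise ValueError(f"outer protocol {outer['proto']} is not a tunnel this parser knows")


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a minimal IPv4 packet (header checksum left zero) for the samples."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       ttl, proto, 0, IPv4Address(src).packed,
                       IPv4Address(dst).packed) + payload


# Constructed samples: an inner 10.0.0.0/24 UDP packet (payload is filler),
# carried first in GRE with key 1337 and sequence 1, then in plain IP-in-IP.
INNER = build_ipv4("10.0.0.1", "10.0.0.2", 17, b"\x00" * 8)
GRE_HDR = struct.pack("!BBHII", GRE_FLAG_K | GRE_FLAG_S, 0, ETHERTYPE_IPV4, 1337, 1)
SAMPLE_GRE = build_ipv4("198.51.100.1", "203.0.113.1", IPPROTO_GRE, GRE_HDR + INNER)
SAMPLE_IPIP = build_ipv4("198.51.100.1", "203.0.113.1", IPPROTO_IPIP, INNER)

if __name__ == "__main__":
    for pkt in (SAMPLE_GRE, SAMPLE_IPIP):
        d = decapsulate(pkt)
        print(d["tunnel"], d["outer"]["src"], "->", d["outer"]["dst"],
              "carrying", d["inner"]["src"], "->", d["inner"]["dst"], d["gre"])
```

Neither tunnel format authenticates or encrypts anything, which is the point the reviewer credits the author for making: the key field in GRE is a demultiplexing tag, not a secret, and the sequence number is for ordering, not replay protection. The parser deliberately rejects GRE version 1, the PPTP variant, because its header layout differs.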

Part II includes chapters on VPNs (ch 5), SSL (ch 6), SSH (ch 7), and "lightweight" VPNs (ch 8) like VTun, CIPE, Tinc, and OpenVPN. Some of this material is very deep and probably unnecessary for most readers. The author explains messages exchanged by almost all of these protocols, which is information I've not seen elsewhere. Some may consider these descriptions obscure, while others (probably researchers and developers) will appreciate the analysis.

Part III covers IPsec. Ch 9 ("IPsec") should be part of ch 10 ("IPsec Architecture"). The remaining chapters thoroughly address IPsec (11: AH; 12: ESP; 13: IKE; 14: the future of IPsec). I think chapters 10-13 are the best IPsec material I've read. They made more sense than others I've seen, although the complexity of IKE made ch 14 difficult to follow.

Throughout VPNs Illustrated, the author is not shy about sharing criticisms of various protocols. This is extremely valuable. He also repeats sound advice on practices to avoid (like static preshared keys) or measures to consider (defeating replay attacks). Because he illustrates so many protocols, he compares and contrasts them to emphasize key points. He also frequently cites authoritative sources like Schneier and Ferguson.
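The replay defense the review alludes to is the sliding window that an ESP (or AH) receiver keeps per security association. As an added example (not code from the book or from the review), here is that check implemented the way RFC 4303 Section 3.4.3 and Appendix A describe it, with a constructed trace of sequence numbers; the 64-packet window size and the trace values are choices made for this example:

```python
"""ESP anti-replay sliding window, as specified in RFC 4303 (3.4.3 and Appendix A).

Added example. The receiver keeps the highest sequence number accepted so far
(the right edge of the window) and a bitmap of the `size` most recent sequence
numbers. Anything left of the window is too old; anything already marked is a
replay. Only 32-bit sequence numbers are handled; 64-bit ESNs are out of scope.
"""


class AntiReplayWindow:
    def __init__(self, size: int = 64):
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32 packets")
        self.size = size
        self.top = 0      # highest sequence number accepted (right edge)
        self.bitmap = 0   # bit i set => sequence number (top - i) was received

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it is fresh; False if it must be dropped.

        In a real implementation the window is updated only after the ICV
        verifies, so a forged packet cannot poison the state; the caller here
        is assumed to have already authenticated the packet.
        """
        if seq == 0:
            return False  # 0 is never a valid ESP sequence number (RFC 4303 3.3.3)
        if seq > self.top:
            # Advance the right edge; shift the bitmap so old bits fall off.
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False  # older than the window: drop
        if self.bitmap & (1 << offset):
            return False  # already received: replay
        self.bitmap |= 1 << offset  # out of order but fresh: accept
        return True


def run_window(seqs, size: int = 64):
    """Feed sequence numbers through one window; return accept/drop per packet."""
    window = AntiReplayWindow(size)
    return [window.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Constructed trace: in-order packets, a replay of 2, a jump forward, two
    # late arrivals inside the window, one that is too old, then another jump.
    trace = [1, 2, 3, 2, 100, 40, 37, 36, 1000, 999]
    for seq, ok in zip(trace, run_window(trace)):
        print(f"seq {seq:5d}: {'accept' if ok else 'DROP'}")
```

Two details matter in practice: the window state must be updated only after the integrity check succeeds, otherwise an attacker can advance the right edge with forged packets and cause legitimate traffic to be dropped, and the replay check is meaningless without integrity protection at all, which is why the author's warning applies to encryption-only ESP configurations.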

To achieve a fifth star in a second edition, I would like to see the author incorporate my previous suggestions. I would love to see configuration files for all of his examples in the appendices. He can move existing examples out of the main text to improve readability. Every protocol should have a corresponding network trace analysis, and the traces should be posted on a Web site. I would also like to see a summary of his thoughts on what makes a great VPN protocol, and then his ratings for various implementations.

You won't necessarily be able to implement the VPN software discussed in VPNs Illustrated by simply reading the text. You will gain a great understanding of how they work, or sometimes, don't work!