Specifications
Network Requirements and Preparation
9 – 20 ShoreTel, Inc.
Tunneling
Tunneling encapsulates one type of data packet into the packet of another protocol.
Multiple tunneling protocols are used today on the market:
• PPTP (Point-to-Point Tunneling Protocol): PPTP includes compression and encryption techniques. This protocol was introduced by Microsoft to support secure dial-up access for its desktop, which corresponds to a large share of the desktop market.
• L2F (Layer 2 Forwarding): Introduced by Cisco Systems, L2F was primarily used to tunnel traffic between two Cisco routers. It also allows IPX traffic to tunnel over an IP WAN.
• L2TP (Layer 2 Tunneling Protocol): L2TP is an extension of the PPP (Point-to-Point Protocol) that merges the best features of L2F and PPTP. L2TP is an emerging IETF (Internet Engineering Task Force) standard.
• IPSEC: This is a collection of security protocols from the Security Working Group of the IETF. It provides ESP (Encapsulating Security Payload), AH (Authentication Header), and IKE (Key Exchange Protocol) support. This protocol, mature but still technically in a draft format, is currently considered the standard for encryption and tunneling support in VPNs.
With PPTP, IP VPN tunneling adds another dimension to the tunneling: before encapsulation takes place, the packets are encrypted so that the data is unreadable to outsiders. Once the encapsulated packets reach their destination, the encapsulation headers are removed, and the packets are decrypted and returned to their original format.
The L2TP tunneling protocol does not encrypt before encapsulation. It requires the IPSEC protocol to take the encapsulated packet and encrypt it before sending it over the Internet.
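As an added example (not from the ShoreTel guide), the following Python script shows how these tunnels look on the wire and flags the case the paragraph above warns about: L2TP sent without IPSEC. The IP protocol numbers and UDP ports it uses (GRE 47 for the PPTP data channel, ESP 50, AH 51, UDP 1701 for L2TP, UDP 500 and 4500 for IKE and NAT traversal) are IANA assignments; the packets are constructed samples, not captures.

```python
import struct

# IANA IP protocol numbers and UDP ports for the tunnel types discussed above.
PROTO_UDP, PROTO_GRE, PROTO_ESP, PROTO_AH = 17, 47, 50, 51
PORT_IKE, PORT_L2TP, PORT_NAT_T = 500, 1701, 4500

def build_ipv4(proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet (constructed sample data, checksum left 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload

def classify_tunnel(pkt: bytes) -> dict:
    """Name the tunnel in an IPv4 packet and say whether its inner data is
    encrypted at this layer (None = cannot be determined from the outer headers)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    proto, payload = pkt[9], pkt[(pkt[0] & 0x0F) * 4:]
    if proto == PROTO_ESP:                      # IPsec ESP: payload is ciphertext
        spi = struct.unpack("!I", payload[:4])[0]
        return {"tunnel": "IPsec ESP", "encrypted": True, "spi": spi}
    if proto == PROTO_AH:                       # AH authenticates, never encrypts
        return {"tunnel": "IPsec AH", "encrypted": False}
    if proto == PROTO_GRE:                      # PPTP data channel: confidentiality
        return {"tunnel": "GRE (PPTP)", "encrypted": None}  # depends on MPPE in PPP
    if proto == PROTO_UDP:
        sport, dport = struct.unpack("!HH", payload[:4])
        if PORT_L2TP in (sport, dport):        # bare L2TP: plaintext on the wire
            return {"tunnel": "L2TP", "encrypted": False}
        if PORT_NAT_T in (sport, dport):       # UDP-encapsulated ESP (NAT traversal)
            if payload[8:12] == b"\x00\x00\x00\x00":  # non-ESP marker => IKE, not data
                return {"tunnel": "IKE (NAT-T)", "encrypted": None}
            return {"tunnel": "IPsec ESP (NAT-T)", "encrypted": True}
        if PORT_IKE in (sport, dport):         # key exchange, carries no user data
            return {"tunnel": "IKE", "encrypted": None}
    return {"tunnel": "none", "encrypted": False}

def unprotected_tunnels(pkts) -> list:
    """Return the names of tunnels whose inner data is known to be unencrypted."""
    return [c["tunnel"] for c in map(classify_tunnel, pkts) if c["encrypted"] is False]

# Constructed sample packets (not real captures): L2TP without IPsec, ESP, PPTP/GRE.
BARE_L2TP = build_ipv4(PROTO_UDP, struct.pack("!HHHH", PORT_L2TP, PORT_L2TP, 20, 0)
                       + b"\xc8\x02" + b"\x00" * 10)
ESP_PKT = build_ipv4(PROTO_ESP, struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 16)
PPTP_PKT = build_ipv4(PROTO_GRE, struct.pack("!HH", 0x3001, 0x880B) + b"\x00" * 8)
```

Running `unprotected_tunnels([BARE_L2TP, ESP_PKT, PPTP_PKT])` returns `["L2TP"]`, the only sample that is definitely sent in the clear.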
Encryption
See “Media Encryption” on page 9-24 for more information about ShoreTel’s proprietary media encryption methods.
Encryption is the marking, transforming, and reformatting of messages to protect them from disclosure and maintain confidentiality. The two main considerations with encryption are the algorithm, such as Triple Pass DES (112 bits), RC4 (128 bits), and Triple DES (168 bits), and the management of the distribution of encryption keys (IKE and PKI). These newer algorithms, with key lengths above 100 bits, have been a major driver in the success of IP VPNs. They make it extremely difficult to hack into enterprise computer systems without an investment of millions of dollars in equipment.
Encryption starts with a key exchange that must be conducted securely. The IKE (ISAKMP/Oakley) protocol has been considered the most robust and secure key exchange protocol in the industry to date. It is also a de facto standard for service providers and product vendors requiring the highest level of security for their VPN solutions. PKI (Public Key Infrastructure), new to the key management scene, is currently thought to be the long-term solution to simplifying the management of VPNs. The industry is still evaluating and testing PKI, with some initial deployments beginning to occur.