VPN vendors reluctantly back Win 2000

When it ships next month, Microsoft Corp.’s Windows 2000 will come with technology for setting up an IP Security-based virtual private network (VPN). The question is: Will established VPN products from other vendors work with Microsoft’s technology?

It appears that the answer will be a grudging “yes.” Many VPN vendors have ardently opposed Microsoft’s implementation, complaining it adds data overhead and slows down transaction processing. But these same companies, such as Check Point Software and Newbridge Networks, acknowledge that they can’t afford to ignore that hundreds of thousands of desktops will probably end up running Microsoft’s new software.

Microsoft’s IPSec “flavour,” jointly developed with Cisco, combines Layer 2 Tunneling Protocol (L2TP) with IPSec encryption in order to support non-IP protocols and authentication mechanisms attractive to companies conducting business-to-business e-commerce. Until fairly recently, it was unclear whether Microsoft would actually be able to squeeze the VPN features into Win 2000.

Now that Microsoft is readying Win 2000 for a Feb. 17 general release, VPN vendors are scrambling to add support for L2TP/IPSec to their offerings.

Newbridge, for instance, will upgrade its TimeStep Permit VPN gateway to support L2TP this year so that it can work with Microsoft clients as well as TimeStep IPSec clients, says Tim Hember, a vice-president at Newbridge.

“But L2TP will be a burden on the customer-it doesn’t scale up very well,” Hember grumbles.

Another VPN competitor, RadGuard, has also been forced to recalculate its strategy in the face of the Microsoft VPN invasion.

“If you’re using IP, we don’t see the reason to use L2TP,” says Iris Tal, RadGuard’s technical support manager. “It only causes overhead for network traffic because it’s ‘double-tunneling.’ But because of Microsoft’s L2TP client software, I’m sure we’ll do the support for it in our product.”

“If Microsoft weren’t delivering this in their operating system, there would be a lot less gnashing of teeth,” notes Mark Elliott, a product line manager at Check Point, which counts 15 million of its own VPN clients on desktops. “But we have to support the Microsoft client because we presume it will be the general enterprise desktop client later in 2000.”

Ashley Laurent, a company in Austin, Tex. that builds IPSec software code for large vendors, including IBM and foreign military organizations, is working on L2TP-based IPSec code under contract for unnamed customers.

The company is doing so somewhat reluctantly. “We won’t recommend L2TP to our customers,” says Jeff Goodwin, Ashley Laurent’s CEO. The company’s analysis of Windows 2000’s VPN technology shows that it is unstable and adds 10 per cent more overhead to data content during transmissions.

Still, Goodwin notes that the IPSec efforts of the IETF and industry groups such as the International Computer Security Association have not yet successfully resolved the technical issues pertaining to building a strong, interoperable IPSec client. He hopes the recent IETF draft “DHCP Configuration of IPSec in Tunnel Mode” and the “XAUTH” authentication proposal eventually will replace Microsoft’s L2TP.

But with VPN vendors embroiled in interoperability battles for years and the problem of the IPSec client unresolved, Microsoft’s entry with its Win 2000 VPN will be a tempting prospect for the user community.

Microsoft customers will need L2TP with IPSec to make use of various password-based authentication protocols, such as Pap, Chap, MSChap and the Extensible Authentication Protocol, says Rob Cully, Microsoft’s lead product manager for Windows networking. He points out that Win 2000 also includes a Radius server for handing off these types of authentication requests.

Microsoft’s VPN technology can also be used to encrypt multicast conference sessions, such as those using NetMeeting.

Not all vendors have been opposed to L2TP, Cully says, pointing out that 3Com, Lucent, Nortel Networks, Altiga Networks and Network Alchemy are in the process of deploying or testing L2TP/ IPSec in their products.

However, Cully says there’s some truth in the criticism that Microsoft’s IPSec raises overhead. And for that reason, Microsoft has included technology in Win 2000 to help companies build encryption accelerators that speed up transaction processing on machines running Microsoft’s new software.

In the next few weeks, nCipher will announce a version of its nFast accelerator for Win 2000, company sources say. Separately, 3Com is shipping a card dubbed Typhoon, and Intel is working on a coprocessor that supports Win 2000 and that will ship later this year.