
Interconnection Between VPNs and the Internet

To implement the interconnection between the VPN and the Internet, the following conditions must be satisfied:

The interconnection between the VPN and the Internet can be implemented in the following ways:

  • The interconnection is realized on a PE. The PEs of the backbone network differentiate the data streams of the VPN from those of the Internet, and then forward the data to the Internet and the VPN respectively. At the same time, the PEs provide the firewall function between the VPN and the Internet.

    The interconnection is realized on a PE through the same interface used for VPN access, saving interface resources. Different VPNs can share one public IP address. The realization on the PE, however, is complex and may introduce security threats:

    • If the CE accesses the PE through a logical link to visit the Internet, the large amount of malicious traffic from Internet attacks may congest the PE-CE link, thereby preventing the transmission of normal VPN packets.
    • The PE may suffer from DoS attacks from the Internet regardless of whether the CE accesses the PE through a logical or physical link to visit the Internet.

  • The interconnection is realized on a CE. The border CEs of the private network differentiate the data streams of the VPN from those of the Internet, and then guide the data streams into two areas: the device in one area accesses the VPN through a border PE; the device in the other area accesses the Internet through an ISP device that does not belong to the VPN. At the same time, the CEs provide the firewall function.

    The interconnection is realized on the user side. The realization is simple and secure because the routes on the public network and the private network are separated. An independent interface, however, is required, which consumes interface resources. Moreover, each VPN requires a unique public address.

  • The interconnection is realized on the Internet gateways, which are carrier devices accessing the Internet. The Internet gateways must support VPN route management. The Internet gateways can be PE devices that do not provide the access service for VPN users.

    Compared with the realization on a PE, the realization on Internet gateways is more secure, but multiple VPN instances are required, which causes a heavy burden. Furthermore, Internet gateways need multiple interfaces to access the Internet and occupy multiple public IP addresses. Each VPN uses one interface and one public IP address.

A comparison of the three schemes is shown in Table 1.

Table 1 Comparison between three schemes

| Scheme | Security | Used Interface | Used Public IP Addresses | NAT | Easiness of Deployment |
|---|---|---|---|---|---|
| On a CE | High | Each VPN independently uses an interface and occupies the user interface resources. | Each VPN uses a public IP address. | Performed on the CE. | Easy |
| On a PE | Low | The PE reserves only one interface for both VPN access and Internet access. This scheme does not waste interface resources. | Multiple VPNs on the PE share a public IP address. | Generally performed on the PE. | Difficult |
| On an Internet gateway | High | The Internet gateway must reserve an interface for each VPN to access the Internet. This consumes the interface resources of the gateway. | Each VPN uses a public IP address. | Generally performed on the Internet gateway. | Difficult |

Copyright © Huawei Technologies Co., Ltd.