Wednesday, November 23, 2005

Careful with your VPNs

The new Eligible Services List says VPNs are eligible. Great! Except that you still can't use VPNs for most uses. The two most common uses of VPNs are not eligible. Take a look:

1) Say VPN to a network engineer and the first thing s/he'll think of is creating a virtual link between two locations by sending encrypted packets across the Internet. Now eligible? Hold on. The definition of Telecommunications in the ESL, from 47 USC 153(43), is: "the transmission, between or among points specified by the user, of information of the user's choosing, without change in the form or content of the information as sent and received." So a point-to-point VPN is a telecommunications service. The service runs over IP, and the ESL says: "IP-enabled services are...not eligible for funding." So a point-to-point VPN looks ineligible to me.

2) The next use a network professional will think of for a VPN is remote access to network resources. However, remote access is allowed only from eligible locations. So it may be that if someone in School A wants to use a VPN client to connect to a VPN concentrator in School B to access School B's network resources, that would be eligible. Except that I'm sure the SLD would say it's only eligible if the person in School A is making the connection in order to use School B's Internet connection. (Take a look at the new rules for Terminal Server.) So the person from School A would be sending encrypted packets out of School A's Internet connection to School B, where they are decrypted and sent out over School B's Internet connection, and then the response comes back over School A's Internet connection again. I can't imagine a scenario where that architecture makes sense. A^Net^B-Net-B^Net^A (where ^ is an encrypted (VPN) link and - is an unencrypted link).

At a recent conference I did talk to a district that may have hit on an actual allowable use for a VPN. They have a leased fiber WAN set up as a loop throughout town, and some non-district sites are on the loop, so they'd rather their traffic over the WAN were encrypted. I think the equipment they'd need to set up that VPN would be eligible. (If they can get Priority 2 funding, which may be tough given the super-priority of Katrina-affected applicants.)

I voiced my concerns to Phil Gieseler, the eligible services guru at SLD, and I hope he'll come out with a clarification soon.

