IP VPNs: THE NEXT WAVE
BY TONY RYBCZYNSKI
IP-based Virtual Private Networks (VPNs) have become one of the hottest industry topics
in the last 12 months. VPNs allow IP-based traffic from multiple customers to travel over
common facilities in a secure fashion. Unlike a circuit-switched environment, in which
users receive dedicated ports and circuits for their network traffic, VPNs operate on the
premise of logically separate networks to segregate end user traffic. Enterprise users
believe VPNs will allow them to leverage the service provider's wide-area network as
well as its Network Operations Centers, and hence drive costs lower and simplify their
networking environments.
These expectations are rooted in their positive experiences in other forms of VPNs.
Voice VPNs have been around for years as an alternative to private line voice networks.
Another form of voice VPN is Centrex, which provides an alternative to private PBXs on
customer premises. Data VPNs have been part of X.25 packet network offerings for years and
have evolved to support all forms of adaptation for SNA, point of sale, and LAN traffic.
VPNs may not be for everyone. Some enterprises, for example, can achieve significant
price/performance improvements on their own through network consolidation. In any case, VPNs are an
important new option for enterprise users.
At the business level, competitive pressures combined with limited availability of
skilled resources are forcing more organizations to focus on their own core competencies
while turning to third parties for network outsourcing. Networking costs are becoming
increasingly subject to scrutiny while network managers are being required to demonstrate
positive business case analyses for capital and operating expenditures. On top of this,
the proliferation of new and possibly incompatible technologies has elevated the risks
inherent in private router networking. The specter of a multimillion dollar investment in
a network technology, which is subsequently rendered obsolete, is one that haunts many
network managers. At the network level, IP is becoming the dominant communications
protocol for private networks, constituting over 30 percent of total traffic currently and
the vast majority of traffic growth. The shift from 80 percent of traffic staying on the
LAN towards 80 percent moving outside of the LAN, and increasingly onto the WAN, is
adding strain to networks that are already growing at 30 percent to 50 percent per year. The
challenge is to accommodate this growth while offering performance guarantees to the most
critical traffic.
Service providers recognize the importance of this market as a new revenue opportunity,
and also see considerably higher (positive) margins for VPNs than for the consumer
Internet offerings. Various sources estimate that by the year 2000, the VPN services
market will be in the range of $8 billion (NBI, September 1996). This is why VPN offerings are a high priority for
service providers around the world.
REQUIREMENTS FOR VPNs
Enterprise users are largely concerned with three areas when it
comes to outsourcing their intranets to service providers: security, Service Level
Agreements, and reliability. Traditionally, enterprise users have deployed their private
networks over a mix of private-line circuits, and are now accustomed to complete traffic
isolation and guaranteed network performance. Only recently have they accepted frame relay virtual
circuit (VC) networking as a viable alternative to private lines. Hard boundaries must
exist between VPNs to ensure that no traffic leaks from one customer's circuits to another's.
When outsourcing the network to the service provider, enterprise network managers often
fear losing total control over network performance. In order to alleviate this fear,
service providers must provide the enterprise with some form of performance guarantee, not
only addressing up-time, but latency and throughput as well. Most users will request a
window on their VPN through a customer network or service management offering from the
service provider. The purpose is twofold: to monitor network performance in real time so
as to avoid network outages as well as to track historical performance relative to agreed
upon levels of service. No VPN service can be successful without a service management
offering.
Reliability is the third area of concern for enterprise users considering VPN services.
As more and more business applications are delivered over IP-based networks, up-times in
the 99.99 percent plus range are required.
Of course the major motivator for using the public network is to provide more
cost-effective connectivity. This includes connectivity:
- Between company sites on an always-on basis.
- To telecommuters and SOHO sites on an as-needed basis (always-on would be nice, but may
be cost prohibitive).
- To road warriors from hotels, airports, and cars.
- To partners and suppliers on a controlled basis (these are referred to as extranets).
- To the public Internet at large.
There's another, more subtle requirement. The IETF recommends (RFC 1918) that private
networks use addresses from the reserved private ranges, such as 10.0.0.0/8. As a result, multiple enterprises
have overlapping addresses, implying the use of dedicated routers for each enterprise user
as well as some form of encapsulation for wide-area transport across the shared network.
In addition to the above, many enterprise users would want their VPN to be part of an
integrated VPN from the service provider for all their traffic (e.g., including voice and
legacy data VPN capabilities).
TODAY'S VPN SOLUTIONS
Currently, service providers are providing managed router and VPN
services with CLE routers interconnected by frame relay or ATM, or tunneled over
segregated IP networks and/or the public Internet. These do not generally meet the service
provider's needs for operational efficiencies, nor the enterprise users' needs
for service level guarantees. There is a large segment of the VPN market that can best be
served with truly partitionable CO (central office) routing integrated with ATM operation as the means of
delivering economic sharing of network resources while meeting user needs for security and
SLAs. This is at the heart of vendor strategies to make VPN offerings much more appealing
to enterprise users.
While users are attracted to VPNs based on the ubiquity and cost structures of the
Internet, the reality is that most VPNs aren't actually running over the public
Internet. The reason is simple: The performance of the Internet fails to live up to
business-grade standards when compared to private router networks. This is by no means
saying that the Internet is a poor business tool to communicate to many parties
"off-net." The Internet revolution is real and the opportunities, looking
forward, are immense. From a user perspective, if the price/performance is right, it
doesn't matter whether the VPN is delivered over router- or switch-based environments
so long as users' requirements are met.
Early market offerings are based on one of three approaches:
- A managed intranet service with CLE/CPE (customer located equipment) routers that tunnel
over a segregated IP network (i.e., not over the public Internet). IP tunneling protocols,
such as L2F, encapsulate traffic that uses private addresses for transport across a
public address space. Note that such tunneling segregates traffic but does not by itself
encrypt it; confidentiality over a shared network requires an additional mechanism such as IPsec.
- A managed router service with CLE routers interconnected by frame relay or ATM. In this
case, traffic separation and address encapsulation are provided by VC tunneling.
- An Internet-based VPN. This model has very attractive economics but, due to the sporadic
reliability of the Internet, is only a viable solution in exceptional conditions like
remote sites or perhaps extranets where connectivity is the overriding factor.
Within the constraints identified, these schemes can work if a relatively small number
of sites is involved. However, as the number of sites increases by an order of magnitude,
scalability becomes a primary issue. There are two scalability issues to resolve in
managed router services:
- The number of tunnels or VCs that need to be configured in the network.
- The number of routing adjacencies or router neighbor relationships.
In a fully meshed network both grow with the square of the number of sites, so a tenfold
increase in sites means roughly a hundredfold increase in tunnels and peering sessions.
Since building a very large, flat router network creates far too many router peering
sessions, a routing hierarchy is required to achieve route aggregation. Introducing a
routing hierarchy in VPNs requires the deployment of CO routers on a per-customer basis,
thus leading to a large number of CO routers.
The method of tunneling affects the service provider's ability to offer
performance guarantees. With IP tunneling, all traffic from multiple users is aggregated
onto a single IP backbone. This limits the service provider's ability to offer
differentiated services (which means more than just bandwidth guarantees) as well as its
ability to monitor, troubleshoot, and generate reports on a per-customer basis. With VC
tunneling, the class of service support of both frame relay and ATM enhances the service
provider's ability to deliver on performance guarantees.
A fourth option is emerging, based on new CO switch architectures that allow
multiple VPNs (even with overlapping addresses) to be routed on a single switch. These can
be interconnected via IP or VC tunnels, though VC tunnels have the advantages identified
above. Such an architecture provides a high degree of scalability and meets the enterprise
users' needs for security via VC tunneling, SLA guarantees via VC class of service
support, and reliability via CO-grade switching.
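To make the partitioned-routing idea concrete, here is an added example (not from the article, and not Nortel's switch software) of a per-VPN forwarding table in Python. The customer names, prefixes and VC identifiers are constructed for illustration. Two customers both number their sites out of 10.0.0.0/8; each lookup is confined to the caller's own VPN table, so identical prefixes resolve to different VCs, a destination unknown in one VPN never falls through to another customer's routes, and a simple audit flags any VC that has been bound into more than one VPN (the misconfiguration that would merge two customers' traffic).

```python
"""Toy model of a partitionable CO switch: one forwarding table per VPN.

Constructed example: two customers ("acme" and "globex") both number their
sites out of 10.0.0.0/8. Each VPN's table is consulted in isolation, so the
same prefix resolves to a different VC per customer, and a destination that
is unknown in one VPN never falls through to another customer's table.
"""
import ipaddress
from dataclasses import dataclass, field


class NoRouteError(LookupError):
    """Raised instead of consulting another VPN's table (no leakage)."""


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    vc: str  # hypothetical VC/tunnel identifier on the shared backbone


@dataclass
class PartitionedRouter:
    # vpn_id -> routes; the partition key is the only way into a table
    tables: dict = field(default_factory=dict)

    def add_route(self, vpn_id: str, prefix: str, vc: str) -> None:
        self.tables.setdefault(vpn_id, []).append(
            Route(ipaddress.ip_network(prefix), vc))

    def lookup(self, vpn_id: str, dst: str) -> str:
        """Longest-prefix match confined to the caller's own VPN partition."""
        addr = ipaddress.ip_address(dst)
        best = None
        for route in self.tables.get(vpn_id, []):
            if addr in route.prefix and (
                    best is None or route.prefix.prefixlen > best.prefix.prefixlen):
                best = route
        if best is None:
            # Deliberately no global/default fallback: that would be leakage.
            raise NoRouteError(f"{dst} has no route in VPN {vpn_id!r}")
        return best.vc

    def shared_vcs(self) -> set:
        """Configuration audit: a VC reachable from two VPNs merges customers."""
        owners = {}
        for vpn_id, routes in self.tables.items():
            for route in routes:
                owners.setdefault(route.vc, set()).add(vpn_id)
        return {vc for vc, vpns in owners.items() if len(vpns) > 1}


def build_demo_router() -> PartitionedRouter:
    """Constructed sample configuration with overlapping RFC 1918 space."""
    r = PartitionedRouter()
    r.add_route("acme", "10.0.0.0/8", "vc-acme-core")
    r.add_route("acme", "10.1.0.0/16", "vc-acme-hq")
    r.add_route("globex", "10.0.0.0/8", "vc-globex-core")
    r.add_route("globex", "192.168.0.0/16", "vc-globex-branch")
    return r


def build_misconfigured_router() -> PartitionedRouter:
    """Same as above, but one VC is wrongly bound into both VPNs."""
    r = build_demo_router()
    r.add_route("globex", "10.1.0.0/16", "vc-acme-hq")  # the leak
    return r


if __name__ == "__main__":
    r = build_demo_router()
    for vpn, dst in [("acme", "10.1.2.3"), ("acme", "10.9.9.9"),
                     ("globex", "10.1.2.3"), ("globex", "192.168.5.5")]:
        print(f"{vpn:7} {dst:13} -> {r.lookup(vpn, dst)}")
    try:
        r.lookup("acme", "192.168.5.5")
    except NoRouteError as e:
        print("blocked:", e)
    print("shared VCs in good config:", r.shared_vcs())
    print("shared VCs in bad config:", build_misconfigured_router().shared_vcs())
```

The design point is that the VPN identifier is the only key into a table and there is no global or default route to fall back on: a real partitioned switch enforces the same rule in hardware or in its forwarding software, and the audit in shared_vcs is the kind of check a provider would run before turning up a new customer.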
SO WHAT'S THE BOTTOM LINE?
Enterprises deploying VPN solutions should expect to achieve
secure communication at an improved price/performance ratio compared to private router
networks. In addition, by virtue of the outsourcing arrangement, the service provider now
assumes all the risks associated with identifying, investing in, and implementing the best
VPN technology. Thus, provisioning sufficient capacity to meet the most bursty end user
traffic patterns now falls on the shoulders of the service provider.
Not all VPN service provider offerings will be equivalent. Key service differentiators
include:
- Breadth of the VPN offer: the carrier's ability to offer end-to-end networking,
including the ability of the carrier to manage customer located equipment and to deploy
points of presence on the customer's premises.
- Depth of the VPN offering: the carrier's willingness to support mail, conferencing, Web
hosting, and directory services.
- Extent of the VPN service: geographic coverage and support of "off-net" traffic (e.g.,
from telecommuters and road warriors).
- Levels of performance: offered together with the nature of guarantees and management
tools offered.
So, the bottom line, as is often the case, is this: Educated buying can
solve real problems and reap big benefits.
Note: The author would like to thank Ted Gagnon of Nortel's Carrier Data Networks
Division for assistance in putting together this article.
Tony Rybczynski is director of strategic technologies and marketing for Nortel's
(Northern Telecom's) newly formed Enterprise Data Networks business unit. Enterprise
Data Networks will focus on delivering high-performance data networks globally. The
business unit will broaden customer choice by offering new alternatives to increasingly
complex data network infrastructures through direct and indirect sales channels. By
expanding Nortel's already broad portfolio of open standards-based products and
technologies, Enterprise Data Networks will specifically target opportunities in
high-performance data networking. For more information, visit the company's Web site
at www.nortel.com. E-mail questions
or comments to the author at tony.rybczynski@nortel.com.