May 1999

Virtual Private Networks May Push IP Voice Out Of Its Tunnel

BY HOWARD MEYERS

Virtual Private Networks (VPNs) and VoIP solutions have a lot in common. The major benefit of both technologies is their ability to save money on a very large scale, and both are designed to replace existing telecommunications systems with cheaper IP-based communications. VPNs are normally used to replace leased lines, or Remote Access Servers (RAS) and banks of modems for data communications, while VoIP bypasses the PSTN for a subset of a company's long-distance calls.

Consequently, anyone who is wise and adventuresome enough to pursue one of these technologies is probably a good candidate for the other. The two technologies also complement each other nicely, and VPNs can be used to secure VoIP transmissions. But implementing both technologies can be more difficult than just the sum of the parts. Luckily, by understanding the technologies, how they interact, and what to look for, any problems that may arise by implementing them together can easily be avoided.

SECURITY REQUIREMENTS FOR VoIP
Proper security is critical in any VPN implementation, and verifying the strength of the security is equally important. The only security testing that currently exists for VPNs is through the National Institutes of Standards and Technology (NIST) with the FIPS 140-1 validation program. The entire list of validated devices (most of which are not VPNs) is available at csrc.nist.gov/cryptval/140-1/1401val.htm. Soon, the Common Criteria Project, also sponsored by NIST and several other countries, may also serve this purpose.

There are two main security risks for a VoIP network, and the first is control of the system. Without proper security to protect controls, an unauthorized party can access a system and use it for VoIP calls, or to disrupt communications. This can result in improperly used bandwidth, unavailability of the system, and increased costs.

Second, there is a need to protect the VoIP data itself. Consider how damaging it would be if a competitor or other party out to do damage to a company intercepted internal company phone calls. H.323 provides for security through H.235, however, most implementations of H.323 to date are what can be called Phase 1 implementations - used primarily for compatibility, and sometimes for a marketing checkmark. They are not full implementations, and rarely include H.235. It is likely that early implementations that do include H.235 will suffer significant performance penalties, resulting in customers turning off the feature - if the vendor allows them to. VPN vendors have been tackling these issues for several years now, and are in a better position to provide the required security today.

VPN AND VoIP COMPATIBILITY ISSUES
Latency
Latency is probably the number one enemy of VoIP. For voice, latency is really the difference between when a word is spoken and when it is heard. Most of us have heard the long delays associated with satellite calls overseas, as well as the echoes that can be introduced. Luckily, VPNs should have no effect on echoes.

In a typical VoIP implementation, latency is introduced in two areas. The first is network latency, and on the Internet, this can be quite unpredictable. The second source of latency is in the VoIP equipment itself. The process of digitizing the voice, compressing it, transmitting, receiving, decompressing, and returning the data to analog takes a finite amount of time. The latency introduced by the VoIP system is usually quite predictable, and VoIP vendors monitor these numbers closely, trying to reduce them at every turn. If they go above a certain threshold, delays can be heard and the solution starts losing its appeal.

Encryption is a very CPU-intensive task. The process of capturing a packet, encrypting it, re-transmitting it, and then decrypting it on the other end can be very time consuming. This delay will increase the latency of the packet, and thus, of the VoIP solution. Many VPN vendors have implemented solutions using proprietary acceleration hardware to overcome this problem. Therefore, it is possible to get a VPN solution that introduces only a few milliseconds or less of latency. Latency in this range should be negligible when compared to other sources, but any increase above this could contribute to noticeable delays. Be aware that latency will also increase with packet size. Unfortunately, most VPN vendors do not publish latency numbers.

Performance
For any network application, performance is an issue. VPNs received an initial black eye in the network industry for their impact on performance. As a result, some people are still afraid to implement VPNs, but this technology has come a long way just in the last year. The use of proprietary hardware and accelerator cards, along with better designs, has resulted in VPNs that can meet the demands of almost any network. Some VPNs have been known to actually improve network performance in some instances due to compression, efficient protocols, and packet buffering. While customers can not count on a VPN providing improvement, it can minimize any degradation.

Unfortunately, assessing the speed of a VPN is a difficult task, and it is not one the customer should undertake. VPNs are complicated solutions designed around typical network traffic. Most tests, however, do not use or simulate typical network traffic. Some of the best labs in the United States and top network service providers improperly test VPN performance. Without fully understanding network behavior and VPNs, it is impossible to configure a proper test.

The next problem is that there are no industry standards for measuring VPN throughput. The old saying about "lies, damn lies, and statistics" could have been written about VPN performance numbers. Most VPN vendors quote "encrypted throughput," but some only quote "throughput," which can be the result of turning off encryption and just using authentication. This will dramatically improve any performance numbers - but there is nothing realistic about the data. It is also important to understand what type of encryption was used in the testing. Many vendors will test throughput using 40- or 56-bit DES, even though most security experts recommend a minimum of 128-bit encryption today. Those who quote speeds using algorithms such as IDEA or triple-DES may pay a performance penalty in those tests, but they have tested their VPNs in a configuration that can actually be used.

It is advisable to quiz any vendor on how they got their performance numbers. What type of encryption was used? What was the content of the packets? Some packets are highly compressible, increasing performance, while others are not. What was the size of the packets? Large packets can yield better performance due to less overhead, but large packets can also result in more packet fragmenting, degrading performance. Where is encryption performed? Performance will be better if encryption is done at the network, not the application layer. Is the measurement for half-duplex or full-duplex operation? This affects performance by a factor of 2. And finally, what is the latency introduced? Once customers understand the data, they can reach their own conclusions on whether the data will apply to their particular implementation.

Dropped Packets
Dropped packets and receiving packets out of order are other significant problems for VoIP. VPNs can further aggravate this if their performance is inadequate, becoming a bottleneck in the network. If not addressed, this problem can result in the voice breaking up. If the VPN causes packet collisions to increase, this problem will be aggravated. Some VPNs use large packet buffers that can actually reduce this problem.

TCP/IP
Some VPNs can only protect TCP/IP. However, many VoIP applications use protocols other than TCP, such as UDP over IP. While most VPNs will support this, customers should make sure their vendor supports the protocol that their VoIP solution utilizes.

CHOOSING THE CORRECT VPN
VPNs can be implemented in a number of different ways, and some VPNs are software-only implementations. For a VoIP implementation, this is not an advisable solution. Throughput and latency issues are usually at their worst in such implementations. Likewise, some VPNs are implemented together with another network device, typically a firewall. These also tend to introduce large performance problems as one computer is asked to perform too many CPU-intensive tasks.

Many vendors have implemented VPN solutions in hardware, which typically yield the best performance and should be used in a VoIP environment. These solutions use software-only versions for remote computer access back into the network, which is quite acceptable, but they use hardware at the gateway - where performance is critical.

A final type of VPN is available from network service providers. These are actually not VPNs at all, in that they provide little to no security for data. These are really semi-private IP networks utilizing all of the applications, equipment, and protocols used on the Internet, but with guaranteed availability, bandwidth, and latency. While they do not have access to the Internet, customers are still sharing the network with thousands of others, including competitors. Because of their advantages, these networks are excellent for use in a VoIP implementation, but use of a "real" VPN is still necessary to get the appropriate level of security.

CONCLUSION
Unfortunately, most VPNs today are not interoperable, and standards in this area are still evolving. While many vendors claim interoperability, this has not been a major design goal. Typically, this means that the units can be forced to interoperate, but getting there is an ugly process. While interoperability is currently not a realistic goal, all is not lost.

Customers should select a vendor who will upgrade their systems as part of the normal maintenance contracts, as standards evolve and interoperability becomes easier. For today, users should make sure they choose a VPN that can connect to both protected and unprotected sites automatically. This will allow their VoIP implementation to connect securely to all nodes in the network that can be controlled, and to connect without benefit of VPN security to those sites outside the network that can not be controlled.

Howard Myers is the business development manager for Fortress Technologies, Inc. Fortress is a leading supplier of VPN products designed for speed, ease of use, and security. The company has partnered with Clarent Corporation to provide an optimal solution for the combination of VoIP and VPNs. For additional information, visit Fortress' Web site at www.fortresstech.com.

BY LAWRENCE GASMAN

The market for VPN software clients has evaporated, according to a recent market research report from Communications Industry Researchers, Inc. (CIR). The report analyzes main VPN technology trends, market drivers, and applications, and profiles the leading vendors and service providers operating in this space. It also offers ten-year forecasts of the markets for VPN hardware, software, and services.

The report notes that Microsoft (whose VPN client is bundled with Windows 95, 98, and NT), and Cisco (which offers clients priced between $5 and $8 per user), have driven out the profit for VPN software client packages. The days of the $250 VPN client are over, and in fact, the report concludes that the forces shaping the VPN business have less to do with new technology and protocols than with marketing and management issues. As far as the former is concerned, CIR expects the market for VPN equipment to be dominated by companies that can supply a complete end-to-end solution.

Those companies include Cisco, Lucent/Ascend, 3Com, and Nortel, vendors that have already locked down the critical service provider sales channel. For service providers, VPNs offer a unique opportunity to create value in the form of a customized solution for large end users. This is important at a time when bandwidth is becoming a commodity, and most ISPs are losing money. CIR believes that end users will look to service providers to do much of the implementation of VPNs, which are still far from being plug and play.

THE RELIABILITY ISSUE
IP networks are still not quite as reliable as leased line or even frame relay services, and successful implementation of large-scale VPNs involves some other tricky issues: Security, certification and authentication, interoperability, network management, and (in some cases anyway) availability. Difficulties with implementation are especially acute when a VPN serves several firms, and database integration and sophisticated security systems are required.

Failing to address these points significantly limits the benefits of a VPN. But, according to the report, while VPNs are usually considered money-savers for the companies that use them, they also potentially benefit users by enabling new applications that would not be possible through other means. In particular, they enable small remote locations (including teleworkers) to share sophisticated applications across a network, without the need and expense of a nailed-up connection (leased line or permanent virtual circuit).

ADDING VOICE
Today, almost all VPN applications are data-oriented, but CIR believes that a large minority of VPN users will also want to put voice on their networks in the next few years. Special issues face the voice VPN. For example, software-based VPNs may introduce latency, and voice quality could become degraded. This is especially important in an IP environment, where some continue to question the quality of voice in any case. Above all, the ability of VPNs to carry voice will depend on their support of an end-to-end quality of service (QoS) protocol. CIR believes that the most likely candidates for such a protocol are DiffServ and MPLS.

Initially, VPN users will bring voice on to their VPNs in emergencies, when their main voice networks are overloaded or out of service. But if the cost of packet bandwidth on the VPN falls below that of the current typical circuit-switched infrastructure used by voice, then wholesale migration of voice to VPNs will occur. The report states that such a migration will not happen for some time, however. At present, there is more talk about voice on VPNs than action. It is being hyped by vendors and service providers who hope it will attract corporate customers to the VPN concept in general. Players in the current VPN marketplace must talk about offering support for voice in order to win mindshare, but they are far less likely in the short term to win orders for VPNs that actually support voice.

Lawrence Gasman is president of CIR. CIR is an independent marketing research firm serving the needs of the telecommunications and data networking markets. CIR's new report is called Virtual Private Networks: Market Opportunities and Implications for Service Providers and their Suppliers. Further details on this report can be obtained on the CIR Web site at www.cir-inc.com, or from Robert Nolan at [email protected] or 617-923-7611.