TMCnet - World's Largest Communications and Technology Community




June 1999

Network-Based VPNs. The Next Generation?


The hype and media attention focused on remote access VPNs are currently at a fever pitch. These VPNs work by establishing secure encrypted tunnels across the public Internet. There are two main applications for remote access VPNs — connecting remote branch offices and telecommuters, and connecting mobile workers, otherwise known as "road warriors." Using tunneling protocols like Layer 2 Tunneling Protocol (L2TP) or Point-to-Point Tunneling Protocol (PPTP), remote access VPNs are perceived as "free" data connectivity.

Anything that seems free should be examined closely, and Internet tunnel-based VPNs are no exception. The Internet does not provide any form of service quality guarantees, and many applications that run today on private line and frame relay networks simply won’t tolerate the delay and data loss that the Internet presents. According to a report recently published by technology assessment consultants CIMI Corporation, buyers expect VPNs to have specific service quality.

There is also a basic problem with the Internet business model in supporting VPN services. A tunneling service over the Internet does not require support from the ISP to build, and thus cannot be easily billed for. The traffic for these applications is carried with no significant revenue gain by the ISPs, and thus does not generate additional infrastructure revenue that can be applied to augment capacity and improve performance. For VPNs to truly add value, VPN users must pay their share of transport and network costs and, in turn, they must receive specific guarantees of performance to make this payment.

A network-based IP VPN differs from a remote access VPN in several crucial ways:

Target Application. These networks are a new and exciting way of implementing intranet and extranet applications, rather than a means to allow a "free way" of gaining remote access to a corporate network.

Core Technology. Network service providers (NSPs) will provision these services over their own high-speed and secure data infrastructure. The network may be ATM-based or it may utilize the new generation of high-speed core routers. The use of this infrastructure will allow an NSP to offer corporate customers specific service level agreements and subsequently honor these agreements.

Service Focus. NSPs will tariff these services, initially using flat-rate tariffing and later migrating to usage-based billing. The service revenues generated will allow for reinvestment by the carrier in the new infrastructure.

Before examining the characteristics and capabilities of the network-based VPN, it is useful to look at the current options corporate MIS managers have when building wide-area networks (WANs). For a long time, the only option for fixed links (as opposed to dial-up modem connections) between corporate sites was leased lines. These lines, initially analog but now mostly digital, were rented to the customer by a carrier. The task of integrating these into a network was purely the responsibility of the corporate user. The carrier simply guaranteed that the line functioned as specified. This is still the predominant method of building a corporate WAN. In the United States, 1998 service revenues equaled $11 million, or about 71 percent of the total expenditures.

Since its inception in the early ’90s, frame relay has become a very popular alternative domestically, and increasingly throughout the rest of the world. Frame relay is an effective Layer 2 transport technology that encapsulates the customer’s data (normally IP or SNA) and transports it by way of virtual circuits between two customer end points. The advantages for corporate users over private line solutions are cost and flexibility. Frame relay offers increased flexibility by allowing users to request more bandwidth or additional virtual circuits without waiting for the physical line to be installed, as is the case with private lines. It should be noted that frame relay circuit requests could take NSPs two to three weeks to fulfill. While a considerable improvement over private lines, this time scale often does not satisfy the dynamic and rapidly changing requirements of today’s businesses. It is this lack of flexibility that is the inherent weakness of frame relay. The technology offers point-to-point connectivity that must be specified up-front and, therefore, is well-suited to networks that have static requirements. Most frame relay networks conform to a "hub and spoke" network topology. A fully-meshed frame relay network is complex and difficult to build.

Building on the success of frame relay services, carriers built out ATM networks with the intention of offering ATM services to corporate customers as an alternative to frame relay. The reasoning was that frame relay is adequate for data, but cannot effectively accommodate real-time applications, such as voice and video. The answer was "ATM." In reality, these services have not been a success, generating small amounts of revenue. Corporate users have found them too complex both to integrate into their corporate network, and to order from their service providers.

All of these technologies are transport technologies, meaning that the enterprise has to integrate them into their networks — networks which are predominantly IP-based. Because of its flexibility and ubiquity, it seems clear that IP has emerged as the only natural choice to become the convergence layer between the private and public network. Consequently, the next generation of public services will be IP-based.

Incumbent service providers and next generation telcos will roll out these new provisionable "network-based" IP VPN services during 1999. They will be provisioned over reliable quality of service-enabled core networks, allowing carriers to offer these services backed by service level agreements equivalent to those offered by frame relay and private line services. These new "network-based" IP VPNs will be an attractive option to reduce network cost and complexity for both intranet and extranet applications. Provisionable "network-based" VPNs will offer:

Any-to-Any Connectivity. NSPs will afford a flexible and easy way of providing "total connectivity" within the enterprise. Users of the network will now be able to access any part of the company’s intranet without the need for consultation with the MIS department. Setting up a data connection will now be as easy as dialing a voice connection. This ease of use will benefit the corporation and make the new "project-driven" organizational ethos easier to implement, and will also benefit the service provider because increased data usage means increased revenues.

Network Reliability. These networks will be carrying mission-critical data and, therefore, must be at least as reliable as the frame relay and private line networks they will supersede.

Quality of Service. Almost all IP traffic at the moment conforms to the "best effort" paradigm. If we are to successfully implement different types of applications over these networks, they must be able to differentiate many types of traffic, and give each type the correct transmission characteristics. A good example of this is Voice over IP (VoIP) traffic. This technology can deliver excellent voice quality if the underlying network gives it the right guarantees in terms of minimal and non-variable delay.

Address Portability. According to AT&T, up to 50 percent of corporate America does not run a unique addressing scheme within the enterprise. Most enterprises cannot, or will not, accept any wholesale changes in the IP addressing scheme; therefore, any service offered must be able to accommodate this.

The benefits of rolling out these services are quite clear to carriers. It is possible to build these IP-based VPN services over the existing backbone infrastructure, whether it is frame relay, ATM, or IP. Therefore, an NSP can provide a new service while protecting existing investments. The second and major benefit is that the NSPs can provide a new and differentiated service offering, since frame relay has now become a commodity often characterized by falling prices.

IP-based VPNs are, as we have seen, a new and exciting service that meets the requirements of enterprise customers. The true significance of these services may be in the fact that once an NSP has been established as the intranet supplier to a corporate customer, the NSP will be in a prime position to add new and innovative IP-based service offerings, including VoIP, to the basic service.

Ian Mashiter is founder, acting CEO and vice president of marketing for Ennovate Networks, Inc. Ennovate is leading the transition from circuit-switched to packet-switched networks by providing carrier-class IP edge switching products that enable network service providers to provision a new class of premium IP services. These services meet the demands of enterprise customers for outsourced voice/data VPNs. For more information, visit Ennovate’s Web site at www.ennovatenetworks.com .
