VPNs. The Next Generation?
BY IAN MASHITER
The hype and media attention focused on remote access VPNs are currently at a fever
pitch. These VPNs work by establishing secure encrypted tunnels across the public
Internet. There are two main applications for remote access VPNs connecting remote
branch offices and telecommuters, and connecting mobile workers, otherwise known as
"road warriors." Using tunneling protocols like Layer 2 Tunneling Protocol
(L2TP) or Point-to-Point Tunneling Protocol (PPTP), remote access VPNs are perceived as
"free" data connectivity.
Anything that seems free should be examined closely, and Internet tunnel-based VPNs are
no exception. The Internet does not provide any form of service quality guarantees, and
many applications that run today on private line and frame relay networks simply
wont tolerate the delay and data loss that the Internet presents. According to a
report recently published by technology assessment consultants CIMI Corporation, buyers
expect VPNs to have specific service quality.
There is also a basic problem with the Internet business model in supporting VPN
services. A tunneling service over the Internet does not require support from the ISP to
build, and thus cannot be easily billed for. The traffic for these applications is carried
with no significant revenue gain by the ISPs, and thus does not generate additional
infrastructure revenue that can be applied to augment capacity and improve performance.
For VPNs to truly add value, VPN users must pay their share of transport and network costs
and, in turn, they must receive specific guarantees of performance to make this payment.
PROVISIONABLE "NETWORK-BASED" VPNS
A network-based IP VPN differs from a remote access VPN in several crucial ways:
Application. These networks are a new and exciting way of implementing intranet and
extranet applications, rather than a means to allow a "free way" of
gaining remote access to a corporate network.
Technology. Network service providers (NSPs) will provision these services over their
own high-speed and secure data infrastructure. The network may be ATM-based or it may
utilize the new generation of high-speed core routers. The use of this infrastructure will
allow an NSP to offer corporate customers specific service level agreements and
subsequently honor these agreements.
Focus. NSPs initially using flat rate tariffing but migrating to usage-based billing
will tariff these services. The service revenues generated will allow for reinvestment by
the carrier in the new infrastructure.
Before examining the characteristics and capabilities of the network-based VPN, it is
useful to look at the current options corporate MIS managers have when building wide-area
networks (WANs). For a long time, the only option for fixed links (as opposed to dial-up
modem connections) between corporate sites was leased lines. These lines, initially analog
but now mostly digital, were rented to the customer by a carrier. The task of integrating
these into a network was purely the responsibility of the corporate user. The carrier
simply guaranteed that the line performed to functionality. This is still the predominant
method of building a corporate WAN. In the United States, 1998 service revenues equaled
$11 million, or about 71 percent of the total expenditures.
Since its inception in the early 90s, frame relay has become a very popular
alternative domestically, and increasingly throughout the rest of the world. Frame relay
is an effective Layer 2 transport technology that encapsulates the customers data
(normally IP or SNA) and transports it by way of virtual circuits between two customer end
points. The advantages for corporate users over private line solutions are cost and
flexibility. Frame relay offers increased flexibility by allowing users to request more
bandwidth or additional virtual circuits without waiting for the physical line to be
installed, as is the case with private lines. It should be noted that frame relay circuit
requests could take NSPs two to three weeks to fulfill. While a considerable improvement
over private lines, this time scale often does not satisfy the dynamic and rapidly
changing requirements of todays businesses. It is this lack of flexibility that is
the inherent weakness of frame relay. The technology offers point-to-point connectivity
that must be specified up-front and, therefore, is well-suited to networks that have
static requirements. Most frame relay networks conform to a "hub and spoke"
network topology. A fully-meshed frame relay network is complex and difficult to build.
Building on the success of frame relay services, carriers built out ATM networks with
the intention of offering ATM services to corporate customers as an alternative to frame
relay. The reasoning was that frame relay is adequate for data, but cannot effectively
accommodate real-time applications, such as voice and video. The answer was
"ATM." In reality, these services have not been a success, generating small
amounts of revenue. Corporate users have found them too complex both to integrate into
their corporate network, and to order from their service providers.
All of these technologies are transport technologies, meaning that the enterprise has to
integrate them into their networks networks which are predominantly IP-based.
Because of its flexibility and ubiquity, it seems clear that IP has emerged as the only
natural choice to become the convergence layer between the private and public network.
Consequently, the next generation of public services will be IP-based.
Incumbent service providers and next generation telcos will roll out these new
provisionable "network-based" IP VPN services during 1999. They will be
provisioned over reliable quality of service-enabled core networks, allowing carriers to
offer these services backed by service level agreements equivalent to those offered by
frame relay and private line services. These new "network-based" IP VPNs will be
an attractive option to reduce network cost and complexity for both intranet and extranet
applications. Provisionable "network-based" VPNs will offer:
Connectivity. NSPs will afford a flexible and easy way of providing "total
connectivity" within the enterprise. Users of the network will now be able to access
any part of the companys intranet without the need for consultation with the MIS
department. Setting up a data connection will now be as easy as dialing a voice
connection. This ease of use will benefit the corporation and make the new
"project-driven" organizational ethos easier to implement, and will also benefit
the service provider because increased data usage means increased revenues.
Reliability. These networks will be carrying mission-critical data and, therefore,
must be at least as reliable as the frame relay and private line networks they will
of Service. Almost all IP traffic at the moment conforms to the "best
effort" paradigm. If we are to successfully implement different types of applications
over these networks, they must be able to differentiate many types of traffic, and give
each type the correct transmission characteristics. A good example of this is Voice over
IP (VoIP) traffic. This technology can deliver excellent voice quality if the underlying
network gives it the right guarantees in terms of minimal and non-variable delay.
Portability. According to AT&T, up to 50 percent of corporate America does not run
a unique addressing scheme within the enterprise. Most enterprises can not, or will not
accept any wholesale changes in the IP addressing scheme, therefore, any service offered
must be able to accommodate this.
The benefits of rolling out these services are quite clear to carriers. It is possible
to build these IP-based VPN services over the existing backbone infrastructure, whether it
is frame relay, ATM, or IP. Therefore, a NSP can provide a new service while protecting
existing investments. The second and major benefit is that the NSPs can provide a new and
differentiated service offering since frame relay has now become a commodity often
characterized by falling prices.
IP-based VPNs are, as we have seen, a new and exciting service that meets the
requirements of enterprise customers. The true significance of these services may be in
the fact that once a NSP has been established as the intranet supplier to a corporate
customer, the NSP will be in a prime position to add new and innovative IP-based service
offerings, including VoIP, to the basic service.
Ian Mashiter is founder, acting CEO and vice president of marketing for Ennovate
Networks, Inc. Ennovate is leading the transition from circuit-switched to packet-switched
networks by providing carrier-class IP edge switching products that enable network service
providers to provision a new class of premium IP services. These services meet the demands
of enterprise customers for outsourced voice/data VPNs. For more information, visit
Ennovates Web site at www.ennovatenetworks.com