TMCnet

Feature Article
August 2000


Provisioned VPNs Versus Internet Consortium VPNs


As corporations use the Internet for more and more applications, their dependency on the Internet also increases. When corporations depend on a network for continued viability, their demand for service level guarantees also increases. These trends have led to a surge in interest in Virtual Private Networks (VPNs). However, not all VPNs are created equal. Smaller ISPs provide local access services in defined geographical regions. Corporations therefore may receive end-to-end service from multiple suppliers in much the same way that X.25 and frame relay consortiums have been operating for many years. This current method for linking multi-site corporations over the Internet with some level of security via encrypted tunnels can be called an "Internet consortium VPN." In contrast, large-scale carriers or network service providers differentiate themselves from consortiums, and other large carriers, by offering corporations multi-site connectivity across a single backbone infrastructure. On this single managed backbone, the carrier "provisions" the corporation's VPN and can offer highly predictable performance and consistent quality. The question is, which model will dominate next-generation IP corporate networks of the future -- Provisioned VPNs or Internet consortium VPNs?

Corporations with distributed locations -- with high needs for strict security and strict network performance and predictability -- continue to lease bandwidth and build and operate their own routed or switched private networks. Yet at the same time, the market for outsourcing the corporate network to a network service provider -- and creating a VPN-- is growing fast. In terms of direct control over access, security, and deterministic performance, building your own private network or outsourcing a VPN architecture can yield quite different results. When we look closely at VPNs, there are two major approaches. The first approach is to use ISPs for Internet access local to the branch office and encrypt IP conversation pairs from corporate location to location. The second approach is to use a single carrier that can offer multi-site connectivity across a single backbone infrastructure that is not used for general Internet traffic.

Recently, VPN has come to mean Internet-based communication, via encrypted tunnels, but in reality, this is not the only form of VPN. Using a single carrier and pre-defining locations to be connected, with agreed-to and engineered bandwidth and performance, is called a "provisioned VPN." Internet-based VPNs have certain compelling advantages over provisioned VPNs, but also have significant disadvantages. Internet-based VPNs use encryption to create a form of "closed user group" security for the enterprise across a public shared packet network, whereas provisioned VPNs tend to use Layer 2 virtual circuits to create closed user groups. Internet VPNs, with encryption, can have acceptable security, but have unpredictable performance. Provisioned VPNs can have excellent performance and security, but are dependent on a single vendor to offer reach and breadth of service offerings.

To form an Internet VPN, corporations typically use multiple ISPs that collectively provide greater reach and local connectivity options no single carrier can offer, and typically also at lower cost, at least in the U.S. Local ISPs can sometimes offer more intimate support and responsiveness, but may not have the level of experience or staff depth to fully address business quality service levels. It is also true, by definition, that using multiple suppliers creates a larger workload on the central network manager or the CIO responsible for rolling out network-based applications. The biggest problem with using multiple suppliers, however, is the inability to define and meet consistent end-to-end bandwidth or performance objectives.

For a historical analogy, consider the consortium model. For many years, X.25 and frame relay service providers have established network-to-network interfaces (NNIs) to expand their coverage and jointly offer connectivity to customers. Typically, there is no end-to-end visibility, so when network troubles arise, troubleshooting and trouble isolation are more difficult and time consuming. In the Internet, these network-to-network interfaces are called "peering points" and can be either public Network Access Points (NAPs) with dozens of providers or private peering points between as few as two service providers. These private peering points are, in effect, IP NNIs.

There is general confusion -- typically created by IP service providers -- in distinguishing between the Internet and provisioned networking. VoIP vendors may seriously add to this confusion when they assert they are offering "voice over the Internet." Usually, when you examine their architecture and see where the traffic is flowing, the VoIP traffic never traverses the general Internet. The VoIP traffic is parsed out of the rest of the traffic and flows over dedicated connections serving only one class of service, VoIP, and is handed from one ISP to the next via private NNIs-- not through public peering points.

Provisioned VPNs, typically built on OSI layer 2 virtual circuits such as frame relay and ATM, are provisioned by service providers based on customer orders. Virtual circuits, based on pre-determined locations, create closed user groups and work well to "carve out" a VPN in a public shared network by limiting access and usage to the provisioned VPN community. Pricing for virtual circuits is usually associated with bandwidth commitments, such as frame relay Committed Information Rate (CIR), so service providers can control or engineer their backbones. This approach is really based on a leased-line replacement model. Frame relay "virtual" circuits are purchased between locations where previously "real" circuits would have been required. A mature frame relay provider has the experience to know what level of over-booking (selling the same bandwidth to several customers) they can engineer and still offer tight service level agreements (SLAs). In this controlled environment, availability, security, and performance can be well defined, implemented, and reported.

Will Internet VPNs replace both leased lines and leased line replacement offerings, or will provisioned VPNs overtake Internet VPNs? The reality is that they both have their place and will be used in combination. The provisioned VPN, however, is the only viable way to replace leased lines carrying mission-critical and time-sensitive applications. Internet VPNs will grow more attractive as IP QoS mechanisms are deployed, but it will take many years for IP DiffServ (IETF IP Differentiated Services) to be implemented and widely available. Even so, most proposed IP QoS architectures are based on prioritization of traffic flows. Priority-based networks only provide relative performance and are not based on absolute performance mechanisms such as guaranteed bandwidth. Without guaranteed bandwidth available when and where it is needed, instantaneous real-time flows, such as VoIP, will suffer quality degradation when contention exists. Prioritization gives you a higher probability that your traffic will get through, but cannot guarantee it. Multiprotocol Label Switching (MPLS) is also receiving a great deal of attention as an IP-VPN architecture that can support QoS. MPLS is used in the core of a carrier network to remove scaling and addressing issues associated with large numbers of virtual circuits and is also based on customer orders. Therefore, MPLS, in practice, is used in a provisioned application and, today, should be considered part of the provisioned VPN model and not part of the Internet VPN model.

No CIO will move time-sensitive revenue applications to an Internet VPN when his or her job depends on making end users happy. The CIO will architect the corporate computing model to meet the corporation's business objectives and will architect the corporate network to meet the user-specific performance objectives for the applications users require. Cost savings are not a compelling reason to pull mission-critical, time-sensitive applications from leased lines to Internet VPNs. However, cost savings and guaranteed end-to-end performance with measured and reported SLAs can be important enough to pull mission-critical and time-sensitive applications to provisioned VPNs.

Internet VPNs will dominate for traveling users, because of the ubiquitous connectivity offered by the Internet. Internet VPNs will also likely succeed for distributed locations that do not require any real-time applications. On the other hand, provisioned VPNs will beat out Internet VPNs whenever users require real-time applications or frequent access to centrally located corporate computing facilities. Provisioned VPNs can also provide combined intranet and Internet access. With intelligent customer premises equipment (CPE) that can control the allocation of bandwidth by IP traffic flow, the provisioned VPN can offer both guaranteed performance and the Internet's ubiquitous connectivity. 

Kent Lowell was a co-founder of QWES.com, which was recently acquired by Natural MicroSystems, and he currently serves as director of IP services management. Natural MicroSystems designs, develops, and supplies network-quality hardware and software components and provides design and customization services. For more information, visit the company's Web site at www.nmss.com.


IP Telephony -- Extending The Enterprise


There is no shortage of solutions aimed at the telecommuter market. But most fall short when it comes to telephony features. Can IP telephony finally deliver on the promise of the remote virtual office? The answer is a resounding: "Yes!"

The recent deployment of IP local exchange products coupled with low-bandwidth, high-quality voice compression creates a solid foundation for extending business telephone service to telecommuters at home or on the road. The efficiencies of IP packet technology coupled with G.723.1 voice compression at 6.4 Kbps provide enough bandwidth for road warriors and SOHO workers to have a complete "virtual office" over a standard 56 Kbps Internet modem connection back to the office. Your current location is your office. When someone calls your extension at work, your IP phone rings wherever you are.
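The 6.4 Kbps figure above is the codec's output rate; every packet on the wire also carries IP, UDP and RTP headers, so the rate the modem link actually sees is considerably higher, and how many codec frames are bundled per packet decides how much higher. The following Python is added here as an illustration (it is not code from the article or from VocalData); it assumes one G.723.1 frame of 24 bytes every 30 ms, 40 bytes of IPv4/UDP/RTP header per packet, and an assumed 8 bytes of PPP/HDLC framing on a dial-up link.

```python
"""Per-call bandwidth for G.723.1 speech carried over IP (added illustration).

Assumptions, not taken from the article: one G.723.1 frame is 24 bytes every
30 ms (24 * 8 / 0.030 = 6400 bit/s), and each packet carries 20 bytes of
IPv4, 8 bytes of UDP and 12 bytes of RTP header.
"""

IP_HDR_BYTES = 20
UDP_HDR_BYTES = 8
RTP_HDR_BYTES = 12
G723_FRAME_BYTES = 24
G723_FRAME_MS = 30


def call_bandwidth(frames_per_packet=1, link_overhead_bytes=0):
    """Return the bit rates for one voice call in one direction.

    frames_per_packet: codec frames bundled into one RTP packet; more frames
        per packet means less header overhead but more packetisation delay.
    link_overhead_bytes: per-packet link-layer framing, e.g. an assumed
        8 bytes for PPP over HDLC on a dial-up modem link.
    """
    if frames_per_packet < 1:
        raise ValueError("need at least one frame per packet")
    payload = frames_per_packet * G723_FRAME_BYTES
    packets_per_sec = 1000.0 / (frames_per_packet * G723_FRAME_MS)
    ip_packet = payload + IP_HDR_BYTES + UDP_HDR_BYTES + RTP_HDR_BYTES
    return {
        "packets_per_sec": packets_per_sec,
        "packetisation_ms": frames_per_packet * G723_FRAME_MS,
        "codec_bps": payload * 8 * packets_per_sec,
        "ip_bps": ip_packet * 8 * packets_per_sec,
        "link_bps": (ip_packet + link_overhead_bytes) * 8 * packets_per_sec,
    }


def link_share(link_bps, frames_per_packet=1, link_overhead_bytes=0):
    """Fraction of a link's capacity consumed by one call in one direction."""
    rates = call_bandwidth(frames_per_packet, link_overhead_bytes)
    return rates["link_bps"] / link_bps


if __name__ == "__main__":
    # Constructed comparison: one to three frames per packet on a 56 kbit/s link.
    for n in (1, 2, 3):
        r = call_bandwidth(n, link_overhead_bytes=8)
        print(f"{n} frame(s)/packet ({r['packetisation_ms']} ms): "
              f"codec {r['codec_bps']:.0f} bit/s, IP {r['ip_bps']:.0f} bit/s, "
              f"link {r['link_bps']:.0f} bit/s, "
              f"{100 * link_share(56_000, n, 8):.1f}% of a 56 kbit/s modem")
```

With one frame per packet the 6.4 Kbps codec becomes roughly 17 Kbps at the IP layer, about 30 percent of a nominal 56 Kbps link in each direction; bundling two frames per packet brings that down to under 12 Kbps at the cost of 60 ms of packetisation delay, which is the trade-off a "virtual office" over a modem has to make.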

To ensure adequate QoS, telecommuters require a managed, private IP network. While many people consider the use of IP telephony to be limited to the Internet, private IP telephony networks are rapidly emerging. Consider the differences between IP telephony over private networks versus the Internet:

  • IP Telephony over Private Networks (Calls made over private WANs using IP telephony protocols): Since the network is private, service is reliable because the network owner can control how resources are allocated to various applications, such as telephony services. Today, billions of dollars are being spent to create these private IP telephony networks that will soon span the globe.
  • IP Telephony over the Internet (Calls made over the public Internet using IP telephony protocols): The Internet is a public, largely unmanaged network that offers no reliable service guarantee. Calls placed over the Internet can be low in quality, but given the low price, some find this solution attractive. A major use of voice over the Internet is for international long-distance calls.

Once the private IP network is in place, software in the form of an IP local exchange is required to provide the PBX voice features that are demanded by today's telecommuters. Why should telecommuters settle for less feature functionality than their co-workers back at the office? Basically, an IP local exchange is a carrier-class product that resides in the service provider network, providing PBX-like telephony service to multiple business and telecommuter customers. Call agent software runs on mirrored, redundant UNIX servers to ensure maximum availability of the call processing function, while Java-based administrative software allows system managers to configure and maintain all voice services from a browser anywhere on the network. End-user voice services are delivered via IP-Ethernet phones or analog telephones (via Ethernet-to-analog adapters). Typically, enterprise customers rent the service from the service provider and the service provider is responsible for administering and maintaining the service.

A packet connection is required from the IP local exchange to the telecommuter. Choices range from a standard dial-up modem connection all the way up to a T1 line. CATV, xDSL, and wireless connections are also completely acceptable. In a managed network, QoS issues are resolved by prioritizing the voice bits ahead of the "data" bits via software algorithms.

Today, the telecommuter has three choices for an IP phone: A standard "POTS" phone, a PC "soft" phone, and an IP-Ethernet telephone. All three have their advantages and disadvantages.

  • A POTS phone is a standard, off-the-shelf analog telephone. Its advantages are availability and low price. But POTS phone users suffer greatly because POTS phones do not have the convenient buttons for call features and voice mail that most business users are accustomed to. Also, to actually use phone features on a POTS phone, a complicated system of numeric entry must be used. In addition, the low-price advantage of a POTS phone is offset by the requirement for a relatively expensive Ethernet-to-analog adapter to interface the POTS phone to the IP network.
  • A "soft" phone is software that runs on the user's PC. Most "soft" phones graphically resemble a business telephone set. One advantage is low price, but most users today are still reluctant to give up their traditional telephone set. Also, since a "soft" phone relies on the PC sound card, many users experience volume level problems after configuring the "soft" phone and then switching back to other PC applications that also use the sound card.
  • An IP-Ethernet phone looks and works just like a traditional multi-line business display phone, but it plugs into an Ethernet RJ-45 wall jack instead of the traditional RJ-11 analog telephone jack. The IP-Ethernet phone has all the call feature buttons that are enjoyed by business users. Currently, IP-Ethernet phones are priced similarly to traditional PBX phones ($300 and up), but emerging "IP phone on a chip" technologies promise dramatically lower prices in the not-too-distant future. What the world needs is a $100 off-the-shelf, open-standards-based IP-Ethernet phone.

As the demand for quality telecommuter applications increases, both businesses and service providers can benefit greatly from the application-driven IP local exchange. By moving now to this next-generation solution, providers can strengthen their positions in the increasingly competitive business telecom marketplace by easily extending all enterprise voice features to telecommuters.

William Rich is CEO of VocalData. VocalData is a leader in the rapidly emerging IP local exchange market. The company provides a complete solution of call agents, customer premises equipment (CPE), and network hardware that allows service providers to offer fully featured business and residential telephone service over data networks. For more information on the company's products and services, please visit their Web site at www.vocaldata.com.


It's Time To Take A Look At Private IP Networks 


There is good reason for today's organizations to add private IP to their enterprise-wide telephony options. Global network providers are driving their owned and managed converged voice, data, and native IP platforms to performance and reliability levels that leave the public Internet, not to mention the public switched telephone network (PSTN), far behind. These new IP platforms give enterprises a viable and cost-effective alternative to the traditional networks.

Increasingly, there is a meaningful choice when it comes to IP networking through these "private IP" transport platforms that can be deployed enterprise-wide. New IP routing protocols permit enterprises to integrate voice, fax, and data traffic over global private IP networks. In addition, Internet access and managed firewall services can be incorporated into the solution. Access speeds of 155 Mbps and 45 Mbps enable multi-service networks without paying for the Committed Information Rates (CIR) needed on frame relay networks to assure acceptable performance levels.

There is a significant difference between these private IP networks and the public Internet. Most use the term "pure IP" to describe the enhanced infrastructure and support, which results in highly secure virtual private networks (VPNs) that emulate a private wide-area network and are operated with end-to-end equipment management, IP address administration, managed Internet security, and 24x7 services monitoring. These private IP networks also provide secure public Internet access that extends the reach of the network worldwide with a variety of access technologies and pricing to customers, suppliers, remote sites, and business partners. These extranets create significant cost savings for corporations that deploy them.

In addition, the enhanced applications now being deployed for IP make private IP networks a desirable option to the PSTN. In a recent report entitled "Global IP Telephony Service Markets," Frost & Sullivan acknowledged the importance of enhanced applications in IP networking, noting that the decline of the PSTN makes value-added features take on "increased significance." In particular, the report cites unified messaging, presence management, and click-to-talk applications for call centers as "the most prominent enhanced applications," adding that "recently introduced Internet call waiting and virtual second-line applications will be added to this list."

What is pulling corporate networks into private IP is the chance to do packetized voice right the first time. There is no doubt that a converged voice and data network is cheaper than switched voice -- and much more versatile. The flexibility of VoIP is combined with the quality and reliability of traditional data transport on a single platform that has the bonus of the Web's convenient browser-type interface. To initiate a voice call from a handset, one simply dials the number and a virtual PBX routes the call over the private IP network. When the call is initiated from a PC, all that's required is to click on voice call buttons on intranet/extranet pages or on a corporate telephone directory. Either way, the technology underlying these voice calls, because of the clarity and lack of latency that private IP delivers, is transparent to end users when making both on-net and off-net calls from any type of calling device.

Given that the 5,500 largest multinational enterprises alone spent over $9 billion on international voice services last year, according to a Yankee Group "Europe 100" survey, the savings perspective is compelling. The cost benefit of running voice services over a private IP network is obvious in the form of 20 percent or more savings on international long-distance as compared to traditional voice services. The savings versus calls over the public Internet are not measured by comparing costs, but by comparing usage. The improved quality of voice over private IP as compared to Internet-based telephony results in widespread end user acceptance. This immediately translates into lower switched voice costs because perceived resistance to IP calling is eliminated.

Call center operations are also prime candidates for private IP networks. Increasingly, these operations are being fully integrated with Web and intranet/extranet access. The end user wants to complete the online experience with a voice communication. For this type of application, private IP offers the best underlying transport technology because it allows open routing of the call from any point in the network to any other point. Innovative software and hardware companies have refined PSTN-to-IP gateways and Internet dialers so as to resolve prior performance issues.

Return on investment (ROI) is an accounting concept that is becoming one of the newer terms in the network manager's vocabulary. No longer is the enterprise network viewed by top management as a cost of doing business. Increasingly, they view it as a strategic investment. As private IP network deployment increases, ROI will improve. The primary reason is that network resources and application requirements can be more closely matched. It will no longer be necessary to over-provision bandwidth to meet the needs of mission-critical applications only at certain peak periods. Instead, the private IP network delivers priority routing on demand.

This is accomplished by class of service options enabled by multiprotocol label switching (MPLS) or related technologies over the private IP backbone. There is a choice of three levels of performance for each application (e.g., voice, intranet, Internet access). The highest level is reserved for top priority, low latency traffic such as voice, interactive business applications, and SNA, and is the highest performing class of IP networking available today. Another level is optimized to transport multiprotocol applications that are less sensitive to delay. The third level transports all other traffic while still providing performance and security that are superior to the public Internet.
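The three-class model described above, and the first article's point that prioritization is relative while reserved bandwidth is absolute, can both be seen in a small scheduler model. The Python below is added here as an illustration; it is not code from any of these articles or from the vendors named in them. The DSCP values are the standard DiffServ code points for Expedited Forwarding, Assured Forwarding class 3 and best effort; the traffic sources and their rates are constructed; and the per-source EF admission limit (`ef_limit_pps`) stands in for a provisioned reservation such as a CIR, which is the mechanism that turns "higher probability" into a guarantee.

```python
"""Strict-priority scheduling versus reserved bandwidth (added illustration).

Three service classes as in the article: class 1 for low-latency traffic
such as voice, class 2 for delay-tolerant multiprotocol applications,
class 3 for everything else. Rates are steady-state packets per second;
the sources and their rates are constructed for the example.
"""
from dataclasses import dataclass

# Standard DiffServ code points used by the classifier.
DSCP_EF = 46    # Expedited Forwarding   -> class 1
DSCP_AF31 = 26  # Assured Forwarding 31  -> class 2
DSCP_BE = 0     # best effort            -> class 3
CLASS_OF_DSCP = {DSCP_EF: 1, DSCP_AF31: 2, DSCP_BE: 3}


def classify(dscp):
    """Map a DSCP to a service class; unknown code points get best effort."""
    return CLASS_OF_DSCP.get(dscp, 3)


@dataclass(frozen=True)
class Source:
    name: str   # unique per source
    dscp: int
    pps: float  # offered load in packets per second


def delivered_fraction(sources, link_pps, ef_limit_pps=None):
    """Fraction of each source's packets a strict-priority link forwards.

    Class 1 is served first, then class 2, then class 3; within one class,
    excess demand is dropped in proportion to each source's offered load.
    ef_limit_pps, when set, is a per-source admission limit on class 1:
    EF packets above it are re-marked to best effort before scheduling.
    That admission control is the reserved-bandwidth (CIR-like) mechanism
    a provisioned service adds on top of mere prioritization.
    """
    offered = {}  # (source name, class) -> pps
    for s in sources:
        cls = classify(s.dscp)
        if cls == 1 and ef_limit_pps is not None and s.pps > ef_limit_pps:
            offered[(s.name, 1)] = ef_limit_pps
            offered[(s.name, 3)] = s.pps - ef_limit_pps
        else:
            offered[(s.name, cls)] = offered.get((s.name, cls), 0.0) + s.pps
    got = {s.name: 0.0 for s in sources}
    remaining = float(link_pps)
    for cls in (1, 2, 3):
        demand = sum(r for (_, c), r in offered.items() if c == cls)
        if demand == 0:
            continue
        share = min(1.0, remaining / demand)
        for (name, c), r in offered.items():
            if c == cls:
                got[name] += r * share
        remaining -= min(demand, remaining)
    return {s.name: got[s.name] / s.pps for s in sources}


# Constructed traffic mix on a link that forwards 100 packets per second.
VOICE = Source("voice", DSCP_EF, 20)
ERP = Source("erp", DSCP_AF31, 30)
BULK = Source("bulk", DSCP_BE, 200)
# A host marking a flood as EF, whether misconfigured or deliberate.
EF_FLOOD = Source("ef_flood", DSCP_EF, 150)
LINK_PPS = 100


def scenario_priority_only():
    """Priority alone works while class 1 demand fits the link."""
    return delivered_fraction([VOICE, ERP, BULK], LINK_PPS)


def scenario_ef_contention():
    """A second EF-marked source pushes class 1 past the link: voice degrades."""
    return delivered_fraction([VOICE, EF_FLOOD, ERP, BULK], LINK_PPS)


def scenario_ef_admission():
    """Same contention, but each source may admit at most 30 pps as EF."""
    return delivered_fraction([VOICE, EF_FLOOD, ERP, BULK], LINK_PPS,
                              ef_limit_pps=30)


if __name__ == "__main__":
    for fn in (scenario_priority_only, scenario_ef_contention, scenario_ef_admission):
        print(fn.__name__, {k: round(v, 3) for k, v in fn().items()})
```

In the first scenario voice and the delay-tolerant application get through untouched and bulk traffic absorbs all the loss, which is the promised behaviour of the top class. In the second, a single extra source marked EF drives class 1 demand past the link and the voice flow keeps only about 59 percent of its packets: priority changed the odds but guaranteed nothing. In the third, a per-source EF admission limit restores 100 percent delivery for voice and pushes the offending traffic down to best effort, which is why a provisioned service polices the top class at the ingress rather than trusting the marking.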

The ideal candidates for private IP networking are enterprises with integrated intranet/Internet traffic over highly meshed enterprise networks and a need for Internet-type, any-to-any pricing without incurring added CIR costs. With private IP, these enterprises receive a network that is easy to order and configure since there is no CIR sizing and/or pricing involved. Additional value is realized through Internet gateways to build extranets with business partners and complete internal security with 24x7 managed firewalls. Later on, the private IP backbone can be easily migrated to the Internet, or its successor, as new technologies in the areas of class of service, security, and applications emerge that resolve existing performance and security issues that are now inherent in using a public IP network.

The payoff for private IP is that today's network managers can execute a proactive, ROI-driven converged networking strategy that removes the cost and administrative concerns required to maintain both a public switched voice and IP data networking configuration. On top of this, the private IP network is totally scalable and future-proof while delivering superior performance and reliability today. Given all of these factors, adding private IP to an enterprise's networking platform is an alternative whose time has come.

Doug Laurin is director of IP business services for Infonet Services Corp. Infonet is an independent, single-source supplier of global networking services to multinational enterprises. For more information, visit Infonet's Web site at www.infonet.com, or contact him at Doug_Laurin@infonet.com.


Technology Marketing Corporation