With the explosive growth of the Internet and the
tremendous surge in telecommuting, corporate branch
offices, and the mobile workforce, more and more
businesses are using Internet Protocol virtual private
networks (IP VPNs) to share vital information with
employees, partners, and customers worldwide. Why? IP
VPNs offer enormous flexibility, security, and ease of
Despite these benefits, the "connectionless" nature
of IP VPNs and the fact that information is sent on a "best-effort"
basis present performance challenges for businesses
deploying services over the Internet. IP does not
guarantee that packets will arrive at their destination
in the order they were sent, or that they will arrive at
all, and it places no bound on how long the packets that
do arrive take to get there.
To combat these challenges head-on, businesses
require well-engineered, managed IP VPN solutions that
allow them to achieve optimal performance and security
with quality of service (QoS) guarantees. Many are
willing to pay a premium to achieve this end. Service
providers merely need to provide it.
THE RISE OF IP VPNs
First, businesses purchased all of their communications
services from telephone companies. Next, private
networks became popular because they delivered increased
flexibility at reduced long-term costs. Then,
connection-based VPNs emerged, built out of
enterprise-owned and -managed routers connected by
private lines or frame relay or asynchronous transfer
mode (ATM) services. They offered all of the benefits of
the private network, but with even greater flexibility
and at reduced cost.
IP VPNs are the next step in this evolution pattern.
It's a positive development for service providers
because IP-based VPNs figure, at least long-term, to be
easier to provision and manage than frame relay- or
ATM-based VPNs. Also, they can be scaled more
The advantage for enterprises is multifold.
Businesses want no limits on access, and IP VPNs deliver
because Internet access is globally prevalent.
Availability of public frame relay and ATM remains
relatively limited; the wait for a connection-based VPN
can be very long -- months from provisioning through
installation and implementation. Businesses also must
constantly seek reduced costs, and again, IP VPNs shine.
Lack of competition, access, and technical issues keep
public frame relay and ATM services priced in the luxury
range -- affordable in many areas to large enterprises
only. With IP VPNs, customers pay a lower price for a
single interface handling Internet, intranet, and
IP VPNs are suitable for an enterprise's range of
remote-access, branch-to-branch, branch-to-headquarters,
business-to-business and business-to-customer
applications. IP VPNs' relevance for extranets is
especially appealing. When a company is dealing with a
trading partner outside the enterprise across a frame
relay or ATM link, which party pays for that connection?
One line spans both entities. This is a delicate
business question, with all sorts of unwelcome
implications, and it simply does not arise in the world
of IP VPNs. Each party already has, and pays for, its own
Internet connection; the path between them is virtual.
THE CASE FOR MANAGED SOLUTIONS
Are connectionless IP VPNs best built on a foundation of
customer-owned and -operated customer-premise equipment
(CPE), or as outsourced solutions offered and managed by
Basing IP VPNs on CPE is widely practiced and viable.
Secure, virtual tunnels are created among locations, and
because traffic is encrypted on the customer's own
equipment before it reaches the provider, the provider
never handles it in the clear. Customers get three of the
key benefits that they're seeking: IP address
transparency, greater flexibility in connectivity, and
data security.
Performance guarantees are an issue, though.
CPE-based IP VPNs rely on IPSec boxes. IPSec is the
Internet's leading protocol for tunneling, encryption,
and authentication, but it has nothing to do with QoS.
This means that -- in a customer-operated IP VPN
infrastructure, with the service provider responsible
merely for delivering bandwidth -- there is no mechanism
for ensuring that contracted performance levels are met.
And performance guarantees are a must-have for business
customers mulling the considerable leap of faith
involved with entrusting their mission-critical traffic
to IP VPNs. The problem is that the service provider sees
only the outer headers of the IPSec tunnel, not the
applications inside it (which is, after all, what the
encryption is for). And if the service provider doesn't "see" the
IP VPN, it isn't ensuring that the IP VPN is receiving a
With CPE-based IP VPNs, there also is a management
burden passed down to the subscriber. The business
customer is charged with managing its own IPSec boxes
and distributing keys. For the enterprise, that means
more work for its IT department and dissipated focus on
its core business. This runs in opposition to prevailing
thought among businesses today.
With a managed IP VPN solution, customers retain the
ability to preserve existing IP addresses, realize
greater connectivity flexibility, keep data secure (now
trusting the provider, which operates the tunnel gateways
and holds the keys), and receive performance guarantees.
They can also do so
while reducing the scope and depth of responsibilities
on their IT departments. Service providers, meanwhile,
tap into a promising revenue stream.
In a common service-provider infrastructure for offering
IP VPNs, intelligent routers at the network edge
prioritize and reshape packets, freeing core backbone
routers to process traffic at optimal speeds. Service
providers weigh multiple factors in determining which
tunneling and forwarding technologies are best suited for
these networks. Often, they put into play a mix of
tunneling protocols and Multi-Protocol Label Switching
(MPLS).
The tunneling protocols include IPSec, Layer 2
Tunneling Protocol (L2TP), and Point-to-Point Tunneling
Protocol (PPTP). L2TP and PPTP are tactical solutions
that were developed while the details of IPSec were being
fleshed out. PPTP, a Microsoft-originated protocol,
brings VPN support to Windows products; its own
encryption (MPPE) and MS-CHAP authentication have known
weaknesses and should not be relied on for sensitive
traffic. L2TP combines features of PPTP and Cisco's L2F
and tunnels PPP frames, so it can carry non-IP traffic,
but it provides no encryption of its own. That is left to
IPSec (the L2TP/IPSec combination), and IPSec has emerged
as the leading tunneling protocol for CPE-based IP VPNs.
MPLS is intriguing for providers of managed IP VPN
solutions because, unlike IPSec, it has mechanisms for
both QoS support and traffic engineering -- the two key
capabilities that enable service providers to offer and
profitably deliver on the performance guarantees that
customers demand with their IP VPNs. The converse also
holds: MPLS separates customers' traffic and routing on
the shared backbone, but it encrypts nothing, so where
confidentiality from the provider or from other tenants
is required, IPSec is still needed on top of it.
QoS support enables the network to intelligently
handle class-marked traffic and ensure that
mission-critical applications are given sufficient
bandwidth and appropriate delay characteristics. Traffic
engineering is also important. The Shortest Path First
(SPF) algorithm used by the interior routing protocols in
most IP networks (OSPF and IS-IS) is concerned only with
maintaining connectivity and can, in fact, contribute to
congestion, even in a lightly loaded network. SPF tells
the network to send every flow along the lowest-cost
path, even if that means converging multiple streams on
one link while alternate, slightly longer paths are
underutilized. With networks becoming larger and more
dense -- and user applications growing more
bandwidth-intensive -- severe congestion is not
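The SPF-concentration problem described above, and the constraint-based path placement that MPLS TE uses to avoid it, as an added illustration (not code from the article or from any vendor). The four-node topology, link costs, capacities and flow demands are constructed for the example; real CSPF also honours setup priorities and administrative constraints, which are omitted here.

```python
"""Shortest-path routing vs. constraint-based path placement.

Added illustration, not vendor or page code. The four-node topology, link
costs, capacities and flow demands below are constructed for the example.
"""
import heapq

# Constructed topology: link (u, v) -> (IGP cost, capacity in Mb/s).
# A-C-D is the cheaper path; A-B-D is a parallel, slightly longer one.
LINKS = {
    ("A", "C"): (1, 10),
    ("C", "D"): (1, 10),
    ("A", "B"): (2, 10),
    ("B", "D"): (2, 10),
}

# Constructed demands: three 4 Mb/s flows from A to D (12 Mb/s in total).
FLOWS = [("f1", "A", "D", 4), ("f2", "A", "D", 4), ("f3", "A", "D", 4)]


def build_graph(links):
    """Adjacency map {node: {neighbour: cost}} from an undirected link set."""
    graph = {}
    for (u, v), (cost, _cap) in links.items():
        graph.setdefault(u, {})[v] = cost
        graph.setdefault(v, {})[u] = cost
    return graph


def shortest_path(graph, src, dst):
    """Dijkstra's SPF; returns the node list of the lowest-cost path or None."""
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if u == dst:
            break
        if d > dist.get(u, float("inf")):
            continue
        for v, cost in graph.get(u, {}).items():
            nd = d + cost
            if nd < dist.get(v, float("inf")):
                dist[v], prev[v] = nd, u
                heapq.heappush(heap, (nd, v))
    if dst not in dist:
        return None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]


def path_links(path):
    """Links traversed by a path, normalised to the sorted (u, v) key form."""
    return [tuple(sorted((path[i], path[i + 1]))) for i in range(len(path) - 1)]


def place_flows(flows, links, constrained):
    """Place each flow in turn and track residual link bandwidth.

    constrained=False: plain SPF, every flow takes the lowest-cost path
    regardless of load.  constrained=True: CSPF as used by MPLS TE, which
    prunes links whose residual bandwidth is below the flow's demand before
    running SPF, so the flow is steered onto a path that can still carry it.
    Returns ({flow: path}, {link: residual Mb/s}).
    """
    residual = {link: cap for link, (_cost, cap) in links.items()}
    placement = {}
    for name, src, dst, demand in flows:
        usable = {link: attrs for link, attrs in links.items()
                  if not constrained or residual[link] >= demand}
        path = shortest_path(build_graph(usable), src, dst)
        placement[name] = path
        if path is not None:
            for link in path_links(path):
                residual[link] -= demand
    return placement, residual


def oversubscribed(residual):
    """Links carrying more than their capacity (negative residual)."""
    return sorted(link for link, left in residual.items() if left < 0)


if __name__ == "__main__":
    for constrained in (False, True):
        placement, residual = place_flows(FLOWS, LINKS, constrained)
        print("CSPF" if constrained else "SPF ", placement,
              "oversubscribed:", oversubscribed(residual))
```

With plain SPF all three flows pile onto A-C-D and both of its links end up 2 Mb/s over capacity while A-B-D sits idle; with the bandwidth constraint the third flow is placed on A-B-D and nothing is oversubscribed, which is exactly the effect an explicitly routed TE tunnel has on a real backbone.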
MPLS delivers both of these capabilities by
leveraging two independently operating functions: MPLS
traffic engineering (MPLS TE), which sets up explicitly
routed label-switched paths with reserved bandwidth so
that traffic can be steered onto links that SPF would
leave idle, and MPLS support for Differentiated Services
(DiffServ), which carries each packet's class in the
label header so that every hop queues and schedules it
according to its contracted class. Together, they give service
providers the tools they need to safely engage in
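Class-marked handling on a tunnel the provider cannot look inside, as an added illustration that is not code from the article or from any vendor. It ties the QoS classification described above to the visibility limit noted earlier for CPE-based IPSec: a provider-edge classifier cannot read ports or applications through ESP, but it can read the DSCP of the outer header if the tunnel endpoint copies it outward (RFC 2401 permits this), and because that mark is customer-set and outside ESP's integrity protection, the edge must police it rather than trust it. The packets are constructed inline with struct, the "ciphertext" is filler, and the contracted class and port tables are assumptions.

```python
"""What a provider-edge classifier can and cannot see on an IPSec tunnel.

Added illustration, not code from the page or from any vendor.  The packets
are constructed inline with struct; the "ciphertext" is filler bytes.
"""
import struct

# DSCP code points (RFC 2474, 2597, 3246) and IP protocol numbers.
EF, AF41, CS0, CS6 = 46, 34, 0, 48
PROTO_TCP, PROTO_ESP = 6, 50

# Assumed contracted classes for this customer: admitted DSCP -> queue.
CLASS_MAP = {EF: "priority", AF41: "gold", CS0: "best-effort"}
# Assumed port-based policy a classifier would apply to cleartext traffic.
PORT_CLASSES = {5060: "priority", 443: "gold"}


def ipv4_header(dscp, proto, payload_len, src="192.0.2.1", dst="198.51.100.1"):
    """Minimal 20-byte IPv4 header; DSCP is the top 6 bits of the TOS byte."""
    tos = (dscp & 0x3F) << 2
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len,
                       0, 0x4000, 64, proto, 0, src_b, dst_b)


def tcp_header(sport, dport):
    """Minimal 20-byte TCP header (SYN), enough to expose the ports."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def esp_packet(dscp, spi, seq, ciphertext):
    """Tunnel-mode ESP: outer IPv4 header + SPI/sequence + opaque payload.
    'dscp' models what the tunnel endpoint chose to expose on the outer
    header (copied from the inner packet, or left at CS0)."""
    body = struct.pack("!II", spi, seq) + ciphertext
    return ipv4_header(dscp, PROTO_ESP, len(body)) + body


def parse(packet):
    """Fields visible to a device in the provider's path."""
    ihl = (packet[0] & 0x0F) * 4
    info = {"dscp": packet[1] >> 2, "proto": packet[9], "sport": None, "dport": None}
    if info["proto"] == PROTO_TCP:
        info["sport"], info["dport"] = struct.unpack("!HH", packet[ihl:ihl + 4])
    # For ESP the inner addresses, ports and application are encrypted; only
    # the SPI and sequence number follow the outer header.
    return info


def classify_by_port(packet):
    """Application-aware classification; returns None when ESP hides the ports."""
    info = parse(packet)
    if info["proto"] != PROTO_TCP:
        return None
    return PORT_CLASSES.get(info["dport"], "best-effort")


def classify_by_dscp(packet, admitted=frozenset(CLASS_MAP)):
    """Edge classification on the outer DSCP.  The mark is customer-set and
    outside ESP's integrity protection, so the provider edge admits only
    contracted code points and remarks anything else to CS0 rather than
    trusting it.  Returns (effective DSCP, queue)."""
    dscp = parse(packet)["dscp"]
    if dscp not in admitted:
        dscp = CS0
    return dscp, CLASS_MAP[dscp]


# Constructed sample packets.
FILLER = bytes(range(16))                                  # stands in for ciphertext
VOICE_CLEAR = ipv4_header(EF, PROTO_TCP, 20) + tcp_header(5060, 5060)
VOICE_ESP = esp_packet(EF, 0x1000, 1, FILLER)               # endpoint copied EF outward
VOICE_ESP_UNMARKED = esp_packet(CS0, 0x1000, 2, FILLER)     # endpoint did not copy DSCP
SPOOFED_ESP = esp_packet(CS6, 0x1000, 3, FILLER)            # uncontracted mark from customer


if __name__ == "__main__":
    for name, pkt in [("clear", VOICE_CLEAR), ("esp", VOICE_ESP),
                      ("esp-unmarked", VOICE_ESP_UNMARKED), ("esp-spoofed", SPOOFED_ESP)]:
        print(name, "port->", classify_by_port(pkt), "dscp->", classify_by_dscp(pkt))
```

The practical consequence: a customer who runs its own IPSec gateways and still wants a class-based guarantee from the provider has to classify and mark before encryption and make sure the gateway copies the DSCP to the outer header, while the provider edge should admit only the contracted code points and police their rates, since anyone on the customer side can write any value into that byte.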
Still, the rate of market adoption for advanced data
services such as IP VPNs will continue to be throttled
until service providers overcome the difficulty they
experience in communicating the performance of those
services -- in short, demonstrating that the contracted
service levels are actually being delivered. It must be
glaringly apparent to
business customers that the cost and flexibility
advantages of premium virtual services delivered over a
shared facility meet their performance and security
This challenge spawned a market demand among service
providers, which, in turn, has spawned the emergence of
new protocol- and vendor-agnostic software designed
specifically for the task. New service-assurance
solutions -- situated at a layer on top of the physical
operation support system (OSS) -- recognize varied
service-quality definitions specific to a particular IP
service, continually monitor performance indicators in
real time and offer customers an ongoing, real-time
feedback mechanism to ensure that desired qualities and
service levels are received. They improve communication
among suppliers and users. They put a service provider's
marketing, sales and customer-service personnel in
closer touch with more detailed market intelligence. And
they help service providers realize increased return on
investment in network infrastructures.
But the overriding, primary impact of these platforms
is creating customer confidence in the value of advanced
IP services. By sharing a clear, complete view of the
performance of advanced IP services with customers,
these platforms foster confidence. This is why an
effective service-assurance solution is the critical,
final piece for a service provider completing its IP VPN
DELIVER REAL SOLUTIONS
Managed IP VPN solutions are gaining in popularity
because they are capable of delivering the connectivity
options, security and performance guarantees that
customers require with a greater level of flexibility
and lower cost than associated with private-line, public
frame relay or public ATM services. The challenge for
service providers is to engineer their IP VPN
infrastructures wisely -- with effective
service-assurance platforms that both spark and
accommodate heightened demand.
is director of Product Marketing with Viewgate
Networks. Viewgate Networks, Inc., is a leader in
customer-centric service assurance. Its Inteligo
software platform creates the confidence necessary for
the adoption of advanced IP services. Headquartered in
Alexandria, VA, Viewgate's customers include some of the
world's leading service providers.
[ To The November 2001 Table Of Contents ]