First Quarter 1998

IP Virtual Dialup Networks


Internet Service Providers (ISPs) and traditional carriers are beginning to offer Virtual Private Dialup Networks (VPDNs), providing many of the same advantages that Virtual Private Voice Networks have offered for years. Embedding a "private network" within "public facilities" permits enterprises to gain economies of scale and achieve lower telecommunications costs than fixed access networks. At the same time, carriers can increase their return on investment on their existing access and core infrastructures by providing national or global dialup access to the enterprise network. For the ISPs, VPDNs create additional revenue streams with higher valued services than their traditional flat rate tariff dialup IP service.

By setting up secure VPDNs over the Internet or other public networks, enterprises can gain substantial savings for their companies. Network and IS managers are looking to use VPDNs as an economical way to connect their telecommuters or users in remote offices. The essence of a VPDN is to provision a secure connection between a remote dial user and the enterprise network. It is secure in the sense that the remote dial user is authenticated and authorized to access the requested enterprise network. In addition, the enterprise may require the VPDN connection to be encrypted, especially if the VPDN service is provisioned over the Internet.

Traditional IP dialup service is currently offered by both ISPs and carriers. The service allows the user to access both the Internet and the enterprise network. Traditional IP dialup can be characterized by access control, security, and accounting of the service. Security involves authentication of the user to identify whether the actual user is registered within the service. Authentication is carried out within the ISP or carrier environment before the user gains access to the enterprise. Access control involves identifying what the authenticated user is allowed to do within the service, for example, which IP destination addresses the user is allowed to connect to. Access control is carried out by the ISP or the carrier prior to connection to the enterprise. Lastly, accounting is also carried out by the ISP or carrier for billing the individual user or the enterprise for the service delivered.

Traditional IP dialup can further be characterized in terms of how the dialup protocol is handled. A dialup IP user will typically use Point-to-Point Protocol (PPP) or, to a much lesser extent, Serial Line IP (SLIP) or other protocols. Authentication through dialup PPP requires the PPP to be terminated within the ISP or carrier Network Access Server (NAS), which often includes a Remote Authentication Dial In User Service (RADIUS) solution as well as support for smart cards and one-time passwords.

IP VPDN service will be offered by both ISPs and carriers. While access to an IP VPDN has many similarities to the traditional IP dial service, the VPDN service is distinctive in that it limits both ingress and egress to defined "on net" locations. The service allows authorized users to access the enterprise network, while rejecting attempts from unauthorized users. In addition, the VPDN will generally limit users to predefined locations or applications, which simplifies network administration and lowers network costs and wasted resources. The IP VPDN can also be characterized by access control, security, and accounting of the service.

Security involves authentication of the user to identify whether the actual user is registered within the actual enterprise. Authentication is carried out within the enterprise, although the ISP or carrier may carry out a partial authentication of the user to determine the actual enterprise to which a connection needs to be established. There are two ways for the ISP or carrier to determine the actual Home Server (HS) location: either by the DNIS/ANI (Dialed Number In Service/Automatic Number Identification), if available, or by the user name delivered through the PPP. Access control involves identifying what the authenticated user is allowed to do within the enterprise. Access control is carried out by the enterprise. Lastly, accounting is carried out by both the ISP or carrier and the enterprise. The ISP or carrier requires accounting for billing the enterprise, while the enterprise may carry out billing for user call back or auditing purposes.

The IP VPDN service can further be characterized in terms of how the dialup protocol is handled. Authentication through dialup PPP requires the PPP to be terminated within the enterprise HS, which often includes a RADIUS solution as well as support for smart cards and one-time passwords.

Provisioning a VPDN service across multiple carriers or ISPs adds another level of complexity; the issues for the intermediate ISP or carrier can be characterized in terms of security and accounting. Each intermediate ISP or carrier may need to carry out a partial authentication of the user to determine not only the actual enterprise HS to which a connection needs to be established, but also whether the user is allowed to traverse the intermediate network. Typically, this will be achieved by the user name delivered through the originating PPP, but it may also be handled through the DNIS/ANI being delivered from the originating ISP or carrier to the intermediate or terminating ISP or carrier. Accounting may also be carried out by the intermediate ISP or carrier, which may then deliver billing to the originating ISP or carrier.

VPDNs use a technique called "tunneling," which is the encapsulation of data from one protocol into the protocol stream of another. Tunnels are by topology "point to point" virtual connections between a network ingress point and a network egress point. At the ingress point, data is encapsulated while at the egress point data is de-encapsulated into the original source format. In terms of physical platforms, an ingress point is typically a NAS, and the egress point is typically an HS.

There are many diverse vendor-specific protocols to establish, maintain, refresh, and tear down tunnels. Digital Equipment Corp. adopted the AltaVista Tunnel, which handles both IP tunneling and public key/private key encryption and authentication. Microsoft, Ascend, ECI Telematics, 3Com, and U.S. Robotics formed the Point-to-Point Tunneling Forum to allow remote access over the Internet to Windows NT servers. Cisco developed and implemented the Layer Two Forwarding protocol (L2F) for tunnel handling. As these paths diverged, the need for a standard protocol that would be transparent to the network media became critical.

Tunnels do not obviate the need for firewalls. Rather, VPDNs are viewed as a complement to those dedicated hardware and software gateways, which restrict access to corporate resources based on a rules base. A firewall's rules base could reject or limit a user's access to applications and data on the basis of the domain name. The tunnel end point within the enterprise will be typically behind the firewall rather than in front.

When a remote user places a call through a PSTN modem or an ISDN terminal adapter (TA) to an ISP or carrier POP, the NAS determines the particular VPDN based on the DNIS. The ISP or carrier NAS dynamically assigns either a TA or modem based on the DNIS and the filter within the ISDN setup (the filter identifies an analog channel or a digital channel) to accept the call. Before assigning the TA or modem resource, the NAS ensures that the requested call is within the Service Level Agreement. If the Committed Service Rate (CSR) has not been reached for the particular VPDN, then a TA or modem resource is dynamically assigned from the particular VPDN Service Pool. If the CSR for the particular VPDN has reached its maximum value, then the NAS will attempt to assign a modem or TA resource as defined by the Excess Service Rate (ESR) for the particular VPDN. If the ESR for the particular VPDN is at maximum, then the NAS will not accept the call.

On acceptance of the call by the NAS, the user now initiates a PPP connection. The ISP or carrier NAS has determined the HS based on the DNIS. The NAS attempts to establish a tunnel connection with the HS through a connection oriented packet based protocol. The HS accepts the tunnel request and the dial PPP client protocol is terminated within the HS located at the enterprise. Authentication, authorization, and accounting are carried out within the enterprise's home LAN (normally behind the firewall) using a RADIUS-based authentication product. The HS conforms to RADIUS accounting and RADIUS authentication.

The dial PPP (asynchronous or synchronous) is encapsulated within the tunnel using RFC 1598, which is then carried over IP to the HS. Each tunnel is established with a unique ID at each end of the connection to ensure tunnel security from other enterprise traffic. In setting up the tunnel, the NAS encodes the NLPID (Network Layer Protocol Identifier) into the first bytes of the tunnel Request Packet. The HS accepts the calls and de-encapsulates the data packets which contain standard PPP PDUs (Protocol Data Units) and terminates the PPP stream.

In order to establish VPDNs over a Frame Relay infrastructure, the NAS would interpret the incoming client PPP stream and encapsulate in conformance with RFC 1598 before placing it onto the specified frame relay DLCI associated with the VPDN. The HS is again responsible for termination of the user PPP stream.

Implementing the Layer 2 Tunneling Protocol (L2TP) described for VPDN provisioning will provide a common tunnel format which allows service provider interoperability among IP tunnels from different vendors.

This strategy will enable the service provider to provision VPDN services within their existing networks and also to provision such services through third-party networks for tunnel traversing. The L2TP protocol will allow the service provider to carry out partial authentication of the user to identify the home domain the user belongs to and provide billing to the enterprise based on service usage. Furthermore, L2TP will give an intermediate ISP or carrier the ability to handle traversing tunnels and collect accounting information for billing the tunnel originator.

Paul Mallinder is director of product marketing at ECI Telematics, an international provider of integrated wide-area network solutions for the requirements of public and private networks' data and voice communications. Certified to ISO9001 standards, the company designs, manufactures, and markets a complete line of network solutions for mission-critical intelligent networks where quality of service, high performance, and reliability are of prime importance to the network provider and operator. ECI Telematics is a wholly owned subsidiary of ECI Telecom Ltd., a global provider of digital telecommunications and data transmission systems. For more information, visit the company's Web site at www.telematics.com.

A Sample NAS Solution For VPDN Service

Clearly, providing VPDNs is a non-trivial endeavor for an ISP or carrier. The multiple functions that must take place at the ingress and egress points need to be implemented by sophisticated Network Access Servers (NAS). Given the investment in the NAS equipment, the service providers are motivated to provide the highest value and service differentiation possible, compared to their competitors. One of the most attractive service differentiators for VPDN and other dial access services is the concept of a guaranteed level of service. The following example shows how an advanced NAS can be used to provide such a service differentiation.

Using a multiservice NAS, a service provider has launched a unique VPDN service to capture the enterprise outsourcing business. The NAS deployed supports 120 ports provisioned through 4 ISDN PRI access interfaces. All ports can be dynamically assigned across the VPDN service offering. Furthermore, each port can be dynamically assigned (typically based on DNIS) to support either analog or digital calls (PSTN or ISDN) and also dynamically assigned to support any dialup protocol from the remote user. However, for simplicity, we will assume that all ports are provisioned to support PPP dial users.

The service provider has launched a "Progressive VPDN Service."

Service   Service CSR   Service ESR
Gold               40            60
Silver             15            45
Bronze              5            35

Enterprise A has subscribed to the Gold Service. The Gold Service guarantees a Committed Service Rate (CSR) of 40 at an individual dialup POP in conjunction with an Excess Service Rate (ESR) of 60. Therefore, Enterprise A is guaranteed 40 remote access ports but can actually utilize up to 100 of the available 120 access ports. The Silver Service provides a lower CSR of 15 but allows Enterprise B to burst to 60 remote access ports. The Bronze Service guarantees a CSR of 5 and allows Enterprise C to burst to a capacity of 40 remote access ports. The progressive service provider has before him a unique solution to create innovative VPDN service differentiators.

In effect, the service provider in this example is able to provision a 200-port (virtual) rotary across 120 (physical) ports, which enables an ever decreasing price per port to the service provider and greater service performance for the users.
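As an added example, not from the article or from ECI Telematics, the following Python model works through the NAS admission decision described earlier (CSR first, then ESR, then reject) for the three tiers in this table. The DNIS numbers are constructed, and setting the committed ports aside as a reserved pool separate from the shared excess pool is an assumption about how the guarantee is enforced; the article does not say.

```python
from collections import Counter, namedtuple

# CSR = Committed Service Rate (ports guaranteed at this POP),
# ESR = Excess Service Rate (extra ports offered on a best-effort basis)
ServiceLevel = namedtuple("ServiceLevel", "name csr esr")
GOLD, SILVER, BRONZE = (ServiceLevel("Gold", 40, 60), ServiceLevel("Silver", 15, 45),
                        ServiceLevel("Bronze", 5, 35))


class Nas:
    def __init__(self, physical_ports: int, dnis_map: dict):
        self.levels = dnis_map                  # DNIS -> service level of that VPDN
        self.committed = Counter()              # DNIS -> calls on guaranteed ports
        self.excess = Counter()                 # DNIS -> calls on burst ports
        reserved = sum(lvl.csr for lvl in dnis_map.values())
        if reserved > physical_ports:
            raise ValueError("CSR guarantees exceed physical ports")
        # Assumption: committed ports are set aside so every guarantee always holds;
        # only the remainder is shared, and oversubscribed, across the ESR bursts.
        self.excess_pool = physical_ports - reserved

    def admit(self, dnis: str) -> str:
        lvl = self.levels.get(dnis)
        if lvl is None:
            return "reject:unknown-dnis"
        if self.committed[dnis] < lvl.csr:          # within CSR: always accepted
            self.committed[dnis] += 1
            return "accept:csr"
        if self.excess[dnis] < lvl.esr and sum(self.excess.values()) < self.excess_pool:
            self.excess[dnis] += 1                  # burst while shared ports remain
            return "accept:esr"
        return "reject:esr-exhausted"               # CSR and ESR both at maximum

    def release(self, dnis: str) -> None:
        if self.excess[dnis]:                       # hand shared ports back first
            self.excess[dnis] -= 1
        elif self.committed[dnis]:
            self.committed[dnis] -= 1


def run_scenario() -> dict:
    # Constructed DNIS numbers for Enterprises A, B and C on the 120-port NAS.
    nas = Nas(120, {"5551001": GOLD, "5551002": SILVER, "5551003": BRONZE})
    gold = Counter(nas.admit("5551001") for _ in range(101))   # A floods the POP
    silver = Counter(nas.admit("5551002") for _ in range(16))  # B still gets its CSR
    bronze = Counter(nas.admit("5551003") for _ in range(6))
    nas.release("5551001")                                     # one Gold burst call ends
    return {"gold": dict(gold), "silver": dict(silver), "bronze": dict(bronze),
            "silver_after_release": nas.admit("5551002"),
            "ports_in_use": sum(nas.committed.values()) + sum(nas.excess.values())}
```

With Gold holding all 60 shared ports, Silver and Bronze are still admitted up to their CSR but cannot burst until a Gold burst call ends, and the NAS never exceeds its 120 physical ports.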

Additional Reading

VPDNs are an exciting set of service offerings being made available by many carriers and ISPs. A flexible, dynamic NAS is the critical element of such offerings, and a wide variety of such equipment is available from at least ten vendors. Understanding the functions and features is critical to an effective, economical set of services.

For additional information, the following Web sites provide relevant material:
On Radius Authentication Servers: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc2059.txt and http://info.internet.isi.edu:80/in-notes/rfc/files/rfc2058.txt.
On PPP Encapsulation: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1598.txt.