November 2001

 
Combating The Challenges Of VPNs Head-On

BY MARK KAPLAN

Go Right To: [ Service Differentiation Through Network Management In IP VPNs ]

Despite these benefits, the "connectionless" nature of IP VPNs and the fact that information is sent on a "best-effort" basis present performance challenges for businesses deploying services over the Internet. IP does not guarantee that the packets being sent across the network will arrive at their destination in the order they were sent, or that they will arrive at all, and how long the packets that do make it to their destination take to get there is another issue altogether.

To combat these challenges head-on, businesses require well-engineered, managed IP VPN solutions that allow them to achieve optimal performance and security with quality of service (QoS) guarantees. Many are willing to pay a premium to achieve this end. Service providers merely need to provide it.

THE RISE OF IP VPNs
First, businesses purchased all of their communications services from telephone companies. Next, private networks became popular because they delivered increased flexibility at reduced long-term costs. Then, connection-based VPNs emerged, built out of enterprise-owned and -managed routers connected by private lines or frame relay or asynchronous transfer mode (ATM) services. They offered all of the benefits of the private network, but with even greater flexibility and at reduced cost.

IP VPNs are the next step in this evolution pattern. It's a positive development for service providers because IP-based VPNs figure, at least long-term, to be easier to provision and manage than frame relay- or ATM-based VPNs. Also, they can be scaled more cost-efficiently.

The advantage for enterprises is multifold. Businesses want no limits on access, and IP VPNs deliver because Internet access is globally prevalent. Availability of public frame relay and ATM remains relatively limited; the wait for a connection-based VPN can be very long -- months from provisioning through installation and implementation. Businesses also must constantly seek reduced costs, and again, IP VPNs shine. Lack of competition, access, and technical issues keep public frame relay and ATM services priced in the luxury range -- affordable in many areas to large enterprises only. With IP VPNs, customers pay a lower price for a single interface handling Internet, intranet, and extranet communications.

IP VPNs are suitable for an enterprise's range of remote-access, branch-to-branch, branch-to-headquarters, business-to-business and business-to-customer applications. IP VPNs' relevance for extranets is especially appealing. When a company is dealing with a trading partner outside the enterprise across a frame relay or ATM link, which party pays for that connection? One line spans both entities. This is a delicate business question -- pregnant with all sorts of possible, bad implications -- and it simply does not arise in the world of IP VPNs. The connection is already there and paid for; the path is virtual.

THE CASE FOR MANAGED SOLUTIONS
Are connectionless IP VPNs best built on a foundation of customer-owned and -operated customer-premise equipment (CPE), or as outsourced solutions offered and managed by service providers?

Basing IP VPNs on CPE is widely practiced and viable. Secure, virtual tunnels are created among locations. Customers get three of the key benefits that they're seeking: IP address transparency, greater flexibility in connectivity, and data security.

Performance guarantees are an issue, though. CPE-based IP VPNs rely on IPSec boxes. IPSec is the Internet's leading protocol for tunneling, encryption, and authentication, but it has nothing to do with QoS. This means that -- in a customer-operated IP VPN infrastructure, with the service provider responsible merely for delivering bandwidth -- there is no mechanism for ensuring that contracted performance levels are met. And performance guarantees are a must-have for business customers mulling the considerable leap of faith involved with entrusting their mission-critical traffic to IP VPNs. The problem is that the service provider simply doesn't have visibility of the traffic traversing the links. And if the service provider doesn't "see" the IP VPN, it isn't ensuring that the IP VPN is receiving a priority QoS.

With CPE-based IP VPNs, there also is a management burden passed down to the subscriber. The business customer is charged with managing its own IPSec boxes and distributing keys. For the enterprise, that means more work for its IT department and dissipated focus on its core business. This runs in opposition to prevailing thought among businesses today.

With a managed IP VPN solution, customers retain the ability to preserve existing IP addresses, realize greater connectivity flexibility, keep data secure, and receive performance guarantees. They can also do so while reducing the scope and depth of responsibilities on their IT departments. Service providers, meanwhile, tap into a promising revenue stream.

PICKING PROTOCOLS
In a common service-provider infrastructure for offering IP VPNs, intelligent routers at the network edge prioritize and reshape packets, freeing core backbone routers to process traffic at optimal speeds. Service providers weigh multiple factors in determining which routing protocols are best suited for these networks. Often, they put into play a mix of tunneling protocols and Multi-Protocol Label Switching (MPLS).

The tunneling protocols include IPSec, Layer 2 Tunneling Protocol (L2TP), and Point-to-Point Tunneling Protocol (PPTP). L2TP and PPTP are tactical solutions that were developed when the details of IPSec were being fleshed out. PPTP brings VPN support to Microsoft Windows products. L2TP was designed to augment PPTP and ready non-IP traffic for encryption. The actual encryption process is left to IPSec, which has emerged as the leading tunneling protocol for CPE-based IP VPNs.

MPLS is intriguing for providers of managed IP VPN solutions because, unlike IPSec, this protocol has mechanisms for both QoS support and traffic engineering -- the two key capabilities that enable service providers to offer and profitably deliver on the performance guarantees that customers demand with their IP VPNs.

QoS support enables the network to intelligently handle class-marked traffic and ensure that mission-critical applications are given sufficient bandwidth and appropriate delay characteristics. Traffic engineering is also important. The Shortest Path First (SPF) algorithm used in most IP networks is concerned only with maintaining connectivity and can, in fact, contribute to congestion, even in a lightly loaded network. SPF tells the network to send traffic along the shortest path, even if that means converging multiple streams when alternate, non-optimum paths are underutilized. With networks becoming larger and more dense -- and user applications growing more bandwidth-intensive -- severe congestion is not uncommon.

MPLS delivers both of these capabilities by leveraging two independently operating functions: MPLS traffic engineering (MPLS TE) for controlling individual QoS queues and ensuring operational efficiency, and MPLS DiffServ for controlling the aggregate queue and enforcing QoS guarantees. Together, they give service providers the tools they need to safely engage in service-level agreements.

CREATING CONFIDENCE
Still, the rate of market adoption for advanced data services such as IP VPNs will continue to be throttled until service providers overcome the difficulty they experience in communicating the performance of those services -- in short, proving that they provide what they're providing. It must be glaringly apparent to business customers that the cost and flexibility advantages of premium virtual services delivered over a shared facility meet their performance and security requirements.

This challenge spawned a market demand among service providers, which, in turn, has spawned the emergence of new protocol- and vendor-agnostic software designed specifically for the task. New service-assurance solutions -- situated at a layer on top of the physical operation support system (OSS) -- recognize varied service-quality definitions specific to a particular IP service, continually monitor performance indicators in real time and offer customers an ongoing, real-time
feedback mechanism to ensure that desired qualities and service levels are received. They improve communication among suppliers and users. They put a service provider's marketing, sales and customer-service personnel in closer touch with more detailed market intelligence. And they help service providers realize increased return on investment in network infrastructures.

But the overriding, primary impact of these platforms is creating customer confidence in the value of advanced IP services. By sharing a clear, complete view of the performance of advanced IP services with customers, these platforms foster confidence. This is why an effective service-assurance solution is the critical, final piece for a service provider completing its IP VPN infrastructure puzzle.

DELIVER REAL SOLUTIONS
Managed IP VPN solutions are gaining in popularity because they are capable of delivering the connectivity options, security and performance guarantees that customers require with a greater level of flexibility and lower cost than associated with private-line, public frame relay or public ATM services. The challenge for service providers is to engineer their IP VPN infrastructures wisely -- with effective service-assurance platforms that both spark and accommodate heightened demand.

Mark Kaplan is director of Product Marketing with Viewgate Networks. Viewgate Networks, Inc., is a leader in customer-centric service assurance. Its Inteligo software platform creates the confidence necessary for the adoption of advanced IP services. Headquartered in Alexandria, VA, Viewgate's customers include some of the world's leading service providers.

[ Return To The November 2001 Table Of Contents ]

BY LISA LUDWIG

The two primary approaches to IP VPNs -- CPE- based and network-based -- are complementary and can be used together to augment a VPN implementation. The CPE approach focuses on placing equipment on the customer premises to deal with the establishment of the VPN to other sites taking part. CPE-based solutions generally focus on using IPSec tunneling between sites providing a transparent solution over private or public intermediate networks. CPE-based IP VPNs will continue to be a solution for a long time to come. However, for those providers running out of capacity to service large numbers of VPNs, there is a new and more scalable alternative.

Network-based VPNs adopt a different approach than CPE-based VPNs. The customer utilizes an existing technology to connect its IP network to the VPN -- in a similar manner to Internet connectivity. The operator network handles the transfer of private addressing information across the public network to the other VPN sites. What makes these network-based VPNs possible is a technology called MPLS. The use of MPLS, BGP (Border Gateway Protocol), and virtual routers facilitate the provisioning of this transparent solution. MPLS also integrates IP and Layer 2 networks (such as ATM and Frame Relay), and it allows the VPN to differentiate between services according to application. This solution offers many attractions for network operators, not least because it allows them to offer the full VPN solution within their own networks, without the need to locate specific equipment on customer premises approach.

In this case, VPN functionality, management, and hardware reside on the service provider's domain rather than at a customer site. Essentially, customers use their own equipment to link the IP access network to the VPN. Providers then handle the transfer of private addressing information across the network to the other VPN sites. Network-based VPNs are also highly scalable, and users no longer have to worry about managing equipment on their premises.

ENABLING IP VPNs
The key to making VPN's work for customers is network and service management. These features allow service providers to maximize the full range of features that are available in network routers -- such as MPLS, DiffServ, traffic engineering, and so forth.

Element and Network Configuration
For the VPN to work, the network elements have to be in working order. Either or both element configuration management systems and network configuration management systems could be used to accomplish this task depending on the capabilities in the applications.

Network-Based IP VPN Deployment
To make a IP VPN a reality, management software will be busy. First, network connections must be established. Customer subnets and sites must be identified. Then the sublink interface (the connection between the CER and LER) must be defined. There are other tasks that also may also be necessary, such as defining the routing protocol between the CER and LER. Again, the network and/or service management software must provide this capability ion order to deploy the IP VPN service.

Policy Provisioning and Deployment
When a customer subscribes to an IP VPN service, a Service Level Agreement (SLA) is established. The SLA is the contract between the service provider and the customer that identifies the specifics of the services to be rendered by the provider. A provider may offer different levels of service contracts such as Bronze, Silver, and Gold, with Gold being the highest level of service. The more the customer pays, the higher the service quality.

Performance Monitoring of IP Network and Services
Once the Quality of Service policies are established for the IP VPN service, the IP network must be monitored. The metrics for monitoring performance should be defined in either the policy management software or within the performance monitoring system itself. Thresholds need to be associated with the network characteristics being monitored. For IP networks, it is important to monitor the connections, jitter, pack loss, and delay.

Fault Management of Network and Services
The role of the fault management system in an IP VPN service is to generate alarms so that corrective action will be taken quickly by network managers to fix a potential problem before the quality of service is affected. It is important that an alarm is generated real-time when thresholds are exceeded in VPN-linked routers before the router fails. A good fault management system will generate alarms, and also provide alarm correlation and root-cause analysis.

Customer Care and Billing
Billing standards for IP VPN services are still being debated. Today, service providers typically charge a flat rate that is about twice the cost of a dial-up service. Why? Mainly because they are unable to collect other types of data. However, this is changing. Both network equipment vendors and software vendors are beginning to provide information detail such as who uses the network, for how long, at what time of day and for what volume of usage. Look for changes in the billing situation shortly to cover these parameters shortly.

SERVICES INTO THE FUTURES
Equipment vendors will continue to offer top quality, feature rich, high-speed IP routers that get better and better every year. Network and service management elements can and will play a crucial role in the successful growth and commercial acceptance of IP VPNs. Network and service management helps to differentiate and enhance advances made in IP router technology by improving the ease and accuracy of operation. They are vital attributes that will continue to be central to offering even more new services in the years ahead.

Lisa Ludwig is director, Product Marketing, Ericsson Datacom Network and Service Management. Ericsson is smoothing the transition from mobile and wireline circuit-switching networks to a converged packet-switching network by leveraging the best of existing and evolving technology.

[ Return To The November 2001 Table Of Contents ]