Are VPNs ready for prime time? Not for your IP backbone
By Tony Rybczynski, Network World, 5/25/98
nwfusion.com
Today most of the attention in the virtual private network market is focused on Internet-based VPNs. Don't be fooled. Such VPNs are over-hyped and are definitely not ready to be your IP backbone for mission-critical applications requiring high reliability, consistent low latency and minimum bandwidth guarantees between sites. The good news is that there are other VPN architectures to choose from, so let's look at these and make an educated decision.
The first class of Internet-based VPNs overlay the Internet via IP tunneling. This approach is very attractive from economic and connectivity standpoints. However, Internet-based VPNs have little real value as an enterprise IP backbone because of the 'Net's unpredictability. In addition, this class of VPN is vulnerable to intruders who could take up valuable access bandwidth by sending unwanted data to a targeted site. The same considerations apply to roll-your-own VPNs, whereby the user owns and manages the tunneling router or security platform.
A second class of overlay VPN involves IP tunneling over an ISP's network, which is specifically engineered to meet certain latency limits and availability targets. These VPNs generally don't support any form of class of service (CoS), can't offer bandwidth guarantees and are also vulnerable to access bandwidth intruders.
A third VPN architecture involves a different form of tunneling: virtual circuit tunneling, this time over Layer 2 frame relay or ATM permanent VCs. This approach addresses enterprise IP backbone requirements for availability, latency and guaranteed bandwidth by leveraging the CoS attributes of frame relay and ATM networking. It also makes access bandwidth invulnerable to intruders.
There are two major problems with IP and VC tunneling: limited network knowledge and scalability. IP and VC tunneling severely limit the service provider's ability to monitor, troubleshoot and generate reports on a per-customer basis because what flows in the tunnels is only visible at the end points. Scalability is limited by the number of routing adjacencies as the number of sites grows, and also by the need to manage a potentially large number of tunnels or connections, one for each pair of sites.
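To make the scalability argument concrete, here is an added example (not from the original column) that counts the tunnels and per-site routing adjacencies a full-mesh tunnel overlay needs, against a Layer 3 VPN in which each site peers only with the provider's CO routing switch. The site names and the CO router label are constructed placeholders, and a full mesh between all sites is assumed.

```python
from itertools import combinations


def overlay_mesh(sites):
    """Full-mesh IP or VC tunnel overlay: one tunnel per pair of sites.

    Every site must hold a routing adjacency with every other site, and the
    provider only ever sees the tunnel end points, not what flows inside.
    """
    tunnels = list(combinations(sites, 2))           # n*(n-1)/2 tunnels
    adjacencies = {s: len(sites) - 1 for s in sites}  # n-1 peers per site
    return tunnels, adjacencies


def layer3_vpn(sites, co_router="CO-routing-switch"):
    """Layer 3 VPN: each site peers only with the CO routing switch.

    The routing hierarchy aggregates routes in the CO, so the number of
    links and adjacencies grows linearly with the number of sites.
    """
    links = [(s, co_router) for s in sites]           # n access links
    adjacencies = {s: 1 for s in sites}               # 1 peer per site
    return links, adjacencies


def compare(n):
    """Return the tunnel/link and adjacency counts for n sites under both models."""
    sites = [f"site{i:02d}" for i in range(1, n + 1)]  # constructed site names
    tunnels, mesh_adj = overlay_mesh(sites)
    links, l3_adj = layer3_vpn(sites)
    return {
        "sites": n,
        "mesh_tunnels": len(tunnels),
        "mesh_adjacencies_per_site": max(mesh_adj.values()),
        "l3_links": len(links),
        "l3_adjacencies_per_site": max(l3_adj.values()),
    }


if __name__ == "__main__":
    # The column draws its line at roughly 10 sites; show the growth around it.
    for n in (5, 10, 20, 50):
        print(compare(n))
```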
A fourth architecture, Layer 3 VPNs, addresses the issues of network knowledge and scalability by introducing a routing hierarchy to aggregate routes and give each VPN visibility in the network. This can be done by deploying multiple routers, one per VPN, in the central office (CO), but this results in operational complexity and higher costs.
A better solution is to create new CO routing switch architectures that allow traffic from multiple VPNs to be routed and switched across the network, while isolating the VPNs from one another. In this scenario, switches must support native IP addressing, thus eliminating any need for address reassignment and translation. Such an architecture provides a high degree of scalability and meets enterprise user requirements for security, service-level agreement (SLA) guarantees and reliability.
So what's a user to do? Overlay Internet-based VPNs are only an option if low cost is your objective and best-effort service is adequate; they are really extranet vehicles. If you have fewer than 10 sites, consider overlay VPNs from service providers that specialize in VPN service or Layer 2 VPNs, depending on how stringent your requirements are. If you have more than 10 sites, Layer 3 VPNs with their scalable security and SLA guarantees are the solution for you.
Rybczynski is director of strategic marketing and technologies in Nortel's Enterprise Data Networks Group in Ottawa, Canada. He can be reached at (613) 723-4920 or Tony.Rybczynski@nortel.com.