IP VPNs: THE NEXT WAVE By Tony Rybczynski Nortel (Northern Telecom)
tmcnet.com
May 1998
IP-based Virtual Private Networks (VPNs) have become one of the hottest industry topics in the last 12 months. VPNs allow IP-based traffic from multiple customers to travel over common facilities while keeping each customer's traffic separate. Unlike a circuit-switched environment, in which users receive dedicated ports and circuits for their network traffic, VPNs operate on the premise of logically separate networks that segregate end-user traffic on shared equipment. Enterprise users believe VPNs will allow them to leverage the service provider's wide-area network as well as its Network Operations Centers, and hence drive costs lower and simplify their networking environments.
These expectations are rooted in positive experiences with other forms of VPN. Voice VPNs have been around for years as an alternative to private-line voice networks. Another form of voice VPN is Centrex, which provides an alternative to private PBXs on customer premises. Data VPNs have been part of X.25 packet network offerings for years and have evolved to support all forms of adaptation for SNA, point-of-sale, and LAN traffic. VPNs may not be for everyone: an enterprise can, for example, achieve significant price/performance improvements simply by consolidating its own private networks.
In any case, VPNs are an important new option for enterprise users.
At the business level, competitive pressures combined with limited availability of skilled resources are forcing more organizations to focus on their own core competencies while turning to third parties for network outsourcing.
Networking costs are becoming increasingly subject to scrutiny, while network managers are being required to demonstrate positive business-case analyses for capital and operating expenditures. On top of this, the proliferation of new and possibly incompatible technologies has elevated the risks inherent in private router networking. The specter of a multimillion-dollar investment in a network technology that is subsequently rendered obsolete is one that haunts many network managers. At the network level, IP is becoming the dominant communications protocol for private networks, constituting over 30 percent of total traffic currently and the vast majority of traffic growth. The shift from 80 percent of traffic staying on the LAN towards 80 percent moving outside the LAN, and increasingly onto the WAN, is exacerbating the strain on networks that are already growing at 30 percent to 50 percent per year. The challenge is to accommodate this growth while offering performance guarantees to the most critical traffic.
Service providers recognize the importance of this market as a new revenue opportunity, and also see considerably higher (positive) margins for VPNs than for the consumer Internet offerings. Various sources estimate that by the year 2000, the VPN services market will be in the range of $8 billion (NBI, September 1996). This is why VPN offerings are a high priority for service providers around the world.
REQUIREMENTS FOR VPNs
Enterprise users are largely concerned with three areas when it comes to outsourcing their intranets to service providers: security, Service Level Agreements (SLAs), and reliability. Traditionally, enterprise users have deployed their private networks over a mix of private-line circuits, and are accustomed to the isolation and guaranteed performance that dedicated circuits provide. Only recently have they accepted frame relay virtual circuit (VC) networking as a viable alternative to private lines. Hard boundaries must exist between VPNs to ensure no traffic leakage between circuits. Note that this separation is enforced by the provider's configuration of its switches and routers, not by cryptography; an enterprise whose threat model includes the carrier itself, or interception on the access circuit, still needs encryption layered on top of the VPN.
When outsourcing the network to the service provider, enterprise network managers often fear losing control over network performance. To alleviate this fear, service providers must give the enterprise some form of performance guarantee, addressing not only up-time but latency and throughput as well. Most users will request a window on their VPN through a customer network or service management offering from the service provider.
The purpose is twofold: to monitor network performance in real time so as to avoid network outages, and to track historical performance relative to the agreed-upon levels of service. No VPN service can be successful without a service management offering.
Reliability is the third area of concern for enterprise users considering VPN services. As more and more business applications are delivered over IP-based networks, up-times in the 99.99 percent plus range are required.
Of course the major motivator for using the public network is to provide more cost-effective connectivity. This includes connectivity:
Between company sites on an always-on basis.
To telecommuters and SOHO sites on an as-needed basis (always-on would be nice, but may be cost prohibitive).
To road warriors from hotels, airports, and cars.
To partners and suppliers on a controlled basis (these are referred to as extranets).
To the public Internet at large.
There's another, more subtle requirement.
The IETF (RFC 1918) reserves the address blocks 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 for use inside private networks. As a result, multiple enterprises have overlapping addresses, which implies that a shared network must keep a separate routing instance for each enterprise user and must encapsulate private-address packets in some form for wide-area transport across the shared network.
In addition to the above, many enterprise users would want their VPN to be part of an integrated VPN from the service provider for all their traffic (e.g., including voice and legacy data VPN capabilities).
TODAY'S VPN SOLUTIONS
Currently, service providers are offering managed router and VPN services with customer-located equipment (CLE) routers interconnected by frame relay or ATM, or tunneled over segregated IP networks and/or the public Internet. These do not generally meet the service provider's needs for operational efficiency, nor the enterprise user's needs for service level guarantees. There is a large segment of the VPN market that can best be served with truly partitionable central office (CO) routing integrated with ATM operation as the means of delivering economic sharing of network resources while meeting user needs for security and SLAs. This is at the heart of vendor strategies to make VPN offerings much more appealing to enterprise users.
While users are attracted to VPNs based on the ubiquity and cost structure of the Internet, the reality is that most VPNs aren't actually running over the public Internet. The reason is simple: the performance of the Internet fails to live up to business-grade standards when compared to private router networks. This is by no means saying that the Internet is a poor business tool for communicating with many parties "off-net." The Internet revolution is real and the opportunities, looking forward, are immense. From a user perspective, if the price/performance is right, it doesn't matter whether the VPN is delivered over router- or switch-based environments, so long as users' requirements are met.
Early market offerings are based on one of three approaches:
A managed intranet service with CLE/CPE (customer located equipment / customer premises equipment) routers that tunnel over a segregated IP network (i.e., not over the public Internet). IP tunneling protocols such as L2F provide traffic separation by encapsulating packets carrying private addresses inside packets addressed from the public address space; they do not by themselves encrypt the payload, so confidentiality and integrity, where required, must come from encryption such as IPsec layered on the tunnel.
A managed router service with CLE routers interconnected by frame relay or ATM. In this case, traffic separation and address encapsulation are performed through VC tunneling.
An Internet-based VPN. This model has very attractive economics but, due to the sporadic reliability of the Internet, is only a viable solution in exceptional conditions such as remote sites or perhaps extranets, where connectivity is the overriding factor.
Within the constraints identified, these schemes can work if a relatively small number of sites is involved. However, as the number of sites increases by an order of magnitude, scalability becomes a primary issue. There are two scalability issues to resolve in managed router services:
The number of tunnels or VCs that need to be configured in the network.
The number of routing adjacencies or router neighbor relationships.
Since building a very large, flat router network creates far too many router peering sessions, a routing hierarchy is required to achieve route aggregation. Introducing a routing hierarchy in VPNs with conventional routers requires the deployment of CO routers on a per-customer basis, leading to a large number of CO routers.
The method for tunneling impacts the ability of the service provider to provide performance guarantees. With IP tunneling, all traffic from multiple users is aggregated onto a single IP backbone. This limits the service provider's ability to offer differentiated services (this means more than just bandwidth guarantees) as well as their ability to monitor, troubleshoot, and generate reports on a per-customer basis. With VC tunneling, both frame relay and ATM class of service support enhance the service provider's ability to deliver on performance guarantees.
A fourth option is emerging, based on new CO switch architectures that allow multiple VPNs (with overlapping addresses) to be routed on a single switch, each VPN in its own routing partition. These can be interconnected via IP or VC tunnels, though VC tunnels have the advantages identified above. Such an architecture provides a high degree of scalability and meets the enterprise user's needs for security via VC tunneling, SLA guarantees via VC class of service support, and reliability via CO-grade switching.
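The following is an added illustration of the overlapping-address problem described under the requirements above and of the per-VPN routing partitions that the fourth option relies on; it is not code from the original article or from Nortel. It models a single shared device that keeps one routing table per VPN and binds each access interface to exactly one VPN, so two customers who both numbered their headquarters LAN 10.1.0.0/16 can coexist, while a flat shared table cannot hold both routes. All customer names, interface names, prefixes and next-hop labels are constructed for the example.

```python
"""Per-VPN routing partitions on one shared device (added example, not from the article).

Two customers both use 10.1.0.0/16 (an RFC 1918 block). A flat shared routing
table cannot hold both routes. A partitioned router keeps one table per VPN
and looks a packet up only in the table of the VPN its ingress interface is
bound to, so there is no path for traffic to leak from one VPN into another.
"""
import ipaddress

# RFC 1918 private address blocks (fact; used to classify customer prefixes).
RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(prefix):
    """True if the prefix lies entirely inside one of the RFC 1918 blocks."""
    net = ipaddress.ip_network(prefix, strict=False)
    return any(net.subnet_of(block) for block in RFC1918)


def overlapping_prefixes(prefixes_a, prefixes_b):
    """Pairs (a, b) of customer A and customer B prefixes that overlap.

    Each pair is a collision if both customers were placed in one flat table."""
    a_nets = [ipaddress.ip_network(p) for p in prefixes_a]
    b_nets = [ipaddress.ip_network(p) for p in prefixes_b]
    return [(str(a), str(b)) for a in a_nets for b in b_nets if a.overlaps(b)]


class RouteConflict(Exception):
    """A prefix is already present with a different next hop (flat-table failure)."""


class RoutingTable:
    """Minimal longest-prefix-match table: IPv4Network -> next-hop label."""

    def __init__(self):
        self.routes = {}

    def add(self, prefix, next_hop):
        net = ipaddress.ip_network(prefix, strict=True)
        if net in self.routes and self.routes[net] != next_hop:
            raise RouteConflict(f"{net} already points to {self.routes[net]}")
        self.routes[net] = next_hop

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        best = None
        for net, next_hop in self.routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop)
        return best[1] if best else None


class PartitionedRouter:
    """One CO device hosting many VPNs: a table per VPN, interfaces bound to a VPN."""

    def __init__(self):
        self.tables = {}      # vpn name -> RoutingTable
        self.iface_vpn = {}   # ingress interface -> vpn name

    def bind_interface(self, iface, vpn):
        self.iface_vpn[iface] = vpn
        self.tables.setdefault(vpn, RoutingTable())

    def add_route(self, vpn, prefix, next_hop):
        self.tables.setdefault(vpn, RoutingTable()).add(prefix, next_hop)

    def forward(self, ingress_iface, dst):
        # The lookup is confined to the ingress interface's VPN; a destination
        # that exists only in another customer's table resolves to None (dropped).
        vpn = self.iface_vpn[ingress_iface]
        return self.tables[vpn].lookup(dst)


def build_shared_router():
    """Constructed sample: customers A and B both numbered their HQ LAN 10.1.0.0/16."""
    r = PartitionedRouter()
    r.bind_interface("atm-vc-101", "vpn-A")   # hypothetical access VC for customer A
    r.bind_interface("atm-vc-202", "vpn-B")   # hypothetical access VC for customer B
    r.add_route("vpn-A", "10.0.0.0/8", "A-default")
    r.add_route("vpn-A", "10.1.0.0/16", "A-HQ")
    r.add_route("vpn-A", "10.2.0.0/16", "A-branch")
    r.add_route("vpn-B", "10.1.0.0/16", "B-HQ")
    r.add_route("vpn-B", "192.168.5.0/24", "B-lab")
    return r


def flat_table_fails():
    """True if a single shared table rejects the second customer's 10.1.0.0/16."""
    flat = RoutingTable()
    flat.add("10.1.0.0/16", "A-HQ")
    try:
        flat.add("10.1.0.0/16", "B-HQ")
    except RouteConflict:
        return True
    return False


if __name__ == "__main__":
    router = build_shared_router()
    print("flat table conflict:", flat_table_fails())
    print("10.1.7.9 via A:", router.forward("atm-vc-101", "10.1.7.9"))
    print("10.1.7.9 via B:", router.forward("atm-vc-202", "10.1.7.9"))
    print("B-only prefix from A:", router.forward("atm-vc-101", "192.168.5.1"))
```

The same destination address is forwarded to a different next hop depending only on which VPN the ingress interface belongs to, and a destination that exists only in the other customer's table gets no route at all. That is the "hard boundary" an enterprise is asking for; it holds only as long as the interface-to-VPN bindings are administered correctly, which is why the customer wants visibility into the provider's configuration and a service management window.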
SO WHAT'S THE BOTTOM LINE?
Enterprises deploying VPN solutions should expect to achieve separated, managed communication at an improved price/performance ratio compared to private router networks. In addition, by virtue of the outsourcing arrangement, the service provider now assumes the risks associated with identifying, investing in, and implementing the best VPN technology. Thus, provisioning sufficient capacity to meet the most bursty end-user traffic patterns now falls on the shoulders of the service provider.
Not all VPN service provider offerings will be equivalent. Key service differentiators include:
Breadth of the VPN offering: The carrier's ability to offer end-to-end networking, including the ability of the carrier to manage customer-located equipment and to deploy points of presence on the customer's premises.
Depth of the VPN offering: The carrier's willingness to support mail, conferencing, Web hosting, and directory services.
Extent of the VPN service: Geographic coverage and support of "off-net" traffic (e.g., from telecommuters and road warriors).
Levels of performance: Offered together with the nature of the guarantees and the management tools provided.
So, the bottom line - as is often the case - is this: Educated buying can solve real problems and reap big benefits.
Note: The author would like to thank Ted Gagnon of Nortel's Carrier Data Networks Division for assistance in putting together this article.
Tony Rybczynski is director of strategic technologies and marketing for Nortel's (Northern Telecom's) newly formed Enterprise Data Networks business unit. Enterprise Data Networks will focus on delivering high-performance data networks globally. The business unit will broaden customer choice by offering new alternatives to increasingly complex data network infrastructures through direct and indirect sales channels. By expanding Nortel's already broad portfolio of open standards-based products and technologies, Enterprise Data Networks will specifically target opportunities in high-performance data networking.
For more information, visit the company's Web site at www.nortel.com. E-mail questions or comments to the author at tony.rybczynski@nortel.com.
Copyright Technology Marketing Corporation 1997-1998