The traditional approach to enterprise networking based on private lines has largely given way to various forms of Virtual Private Networks (VPNs) running on some form of packet network. Even large enterprises running converged private networks have complemented these with VPNs. Some VPN technologies have been around for more than a decade, as has been the case for frame relay and ATM. Others such as remote access VPNs have ridden on the Internet wave. Yet others are relatively new, as is the case with Virtual Private Ethernets and Virtual Private IP Nets. All of these have been driven by the growth of data traffic, most recently IP-based and originating on an Ethernet LAN.
Infonetics predicts that the service revenues in the VPN market will increase sixfold to $35 billion by 2004. In many cases, voice networking has been left "off the table," being very cost-effectively handled by legacy circuit-switched voice VPN services. That said, all the VPN technologies have evolved to include "voice-over" capabilities. A VPN roadmap should assist enterprises in navigating through these options.
VPNs DEFINED
VPNs have a common characteristic. They all provide some form of secure segmentation of the public network for an enterprise's own use. This segmentation can be done on a configured basis, as has been done when using frame relay or ATM permanent virtual circuits, or on an as-needed basis by dynamically establishing IP tunnels over the Internet or privately labeling Ethernet frames received from a customer. While connectivity is a primary feature of public service offerings, enterprise requirements for Service Level Agreements (SLAs), and the service provider's need to differentiate their services, have led to the development of more comprehensive service definitions, including specification of reliability, throughput, and delay.
VPNs serve various purposes. They can be used for inter-site connectivity, the traditional realm of private networks, or for secure access for employees working from home or on the road, traditionally served through switched access into modem pools. These latter environments have not stood still (in more ways than one), with users demanding access through high-speed Internet (e.g., cable modems and DSL) and wireless (e.g., PDAs). In addition, business imperatives have dictated the opening up of the enterprise networks in a controlled fashion to partners and for B2B communications.
PRIVATE LINE EMULATION
With the dominance of private line networks in the 1980s, it was reasonable that the first VPN services were based on the concept of emulating these private lines using what are called virtual circuits, first in the form of frame relay and then extended to higher speeds via ATM. Just like physical circuits, virtual circuits were preconfigured on a point-to-point basis.
Much of the class-of-service richness of ATM has not played a role in VPN services, since frame relay was the lowest common denominator. As a site-to-site VPN service, frame relay and ATM have served the multiprotocol LAN and legacy world well, but convergence on IP as the networking protocol of choice, on Ethernet as the LAN technology of choice, and the maturing of the Internet have created new VPN categories.
TUNNEL VISION
The ubiquity and cost structure of the Internet make it very attractive to reach millions of customers across the globe, ideal for keeping connected with employees wherever they may be, and for new remote offices that require instant connectivity. It's also ideal for ad hoc networking with partners, where these partners change frequently in response to business needs. In these cases, the advantages of Internet ubiquity and low cost far outweigh the lack of consistent performance and the overheads associated with tunneling and firewall management.
The above created a new category of Internet-tunneled VPNs. These entailed taking IP traffic originating in a remote office, employee's home, hotel room, or car, and creating secure tunnels across the Internet with an enterprise central site "extranet switch" providing tunnel termination. Security is addressed through user authentication and encryption mechanisms such as IPsec, and through personal or small office firewalls. Internet-tunneled VPNs initially applied to dial-up modem scenarios with ISPs providing local modem pools, bypassing the expensive 1-800 services used by enterprises. This solution naturally evolved to environments with remote users on always-on cable modem and DSL services. Internet-tunneled VPNs also allow partner access and B2B networking via secure extranets, most often using a PC-based soft VPN client. Putting an extranet switch with some added functionality at both ends extended this VPN concept to site-to-site connectivity over the Internet.
In their first incarnations, these Internet-tunneled VPNs were implemented at the edge of the Internet, that is on the customer's premises, either as a roll-your-own solution or via a service provider managed service. New technologies have been introduced that allow service providers to provide the VPN handling functionality within the cloud, minimizing the complexity of customer premises VPN functionality. These IP service management systems accept data coming from the customer on a dedicated physical or logical port. This could be a dedicated physical circuit, a DSL port, a frame relay or ATM virtual circuit, or a secure IP tunnel. These IP service management systems manage all the security and encapsulation functions required across an enterprise's sites. Since these systems are heavily standards-based, hybrid private/public configurations are also possible.
Inevitably, some people started talking about these Internet-tunneled VPNs as the emerging architecture of choice for all enterprise networking, and for some enterprises this was indeed becoming the case. But no matter how appealing the Internet is from a price and connectivity perspective, enterprise reliability, performance, and security requirements continue to move the industry towards networking technologies that are better suited for enterprise site-to-site networking for mission-critical applications.
PRIVATE LABELING
The evolution of public networks towards massively scalable terabit-switched optical networks is creating VPN service solutions that can better serve the needs of enterprise networking. Specifically, the industry adoption of multiprotocol label switching, or MPLS, on top of optical systems is the key enabler of these new types of VPNs. These underlying optical systems can support hundreds of wavelengths, or lambdas, each lambda supporting 10 Gbps and more, over thousands of kilometers without repeaters. "Multiprotocol" implies that multiple payloads can be supported, including ATM cells, Ethernet frames, Internet IP traffic, and enterprise VPN IP packets. "Labels" are headers that can be attached to these packets (or frames or cells), and dictate how these packets are handled in the network.
An important feature of MPLS is that multiple labels can be carried with a packet through a technique called label stacking. Label stacking opens up the possibility of uniquely identifying all packets belonging to a particular enterprise or user group within the enterprise, that is to a particular VPN. "Switching" refers to the ability to route these labeled packets across the network, even ultimately mapping certain traffic with common attributes onto switched lambdas (hence the term multiprotocol lambda switching). MPLS standards and initial products already exist, though it will be a few years before the service provider core networks will support multiprotocol MPLS.
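As an added illustration of the label stacking just described (example code written for this edit, not from the column or from Nortel): a small encoder and decoder for the 32-bit MPLS shim header (20-bit label, 3-bit traffic class, 1-bit bottom-of-stack, 8-bit TTL, per RFC 3032), where the bottom label is looked up to decide which customer VPN a packet belongs to. The label values and the VPN table are constructed for the example.

```python
import struct

# MPLS shim header (RFC 3032), 32 bits: label(20) | TC(3) | S(1) | TTL(8).
# Labels are stacked outermost first; the entry with S=1 is the bottom.


def encode_label_stack(labels, ttl=64, tc=0):
    """Encode labels (outermost first) into a byte string of shim headers."""
    if not labels:
        raise ValueError("label stack must carry at least one label")
    out = bytearray()
    last = len(labels) - 1
    for i, label in enumerate(labels):
        if not 0 <= label < (1 << 20):
            raise ValueError(f"label {label} is outside the 20-bit range")
        bottom = 1 if i == last else 0
        word = (label << 12) | ((tc & 0x7) << 9) | (bottom << 8) | (ttl & 0xFF)
        out += struct.pack("!I", word)
    return bytes(out)


def decode_label_stack(data):
    """Walk shim headers until S=1; return (labels, offset of payload)."""
    labels = []
    offset = 0
    while True:
        if offset + 4 > len(data):
            raise ValueError("truncated stack: no bottom-of-stack bit seen")
        (word,) = struct.unpack_from("!I", data, offset)
        labels.append(word >> 12)
        offset += 4
        if (word >> 8) & 1:  # bottom of stack reached
            return labels, offset


# Constructed table: the inner (bottom) label identifies the customer VPN,
# while the outer label only steers the packet across the provider core.
VPN_BY_LABEL = {100001: "acme-corp", 100002: "globex"}


def classify(data):
    """Return (vpn_name, payload) for a labeled packet, or reject it."""
    labels, offset = decode_label_stack(data)
    vpn = VPN_BY_LABEL.get(labels[-1])
    if vpn is None:
        raise ValueError(f"unknown VPN label {labels[-1]}; packet dropped")
    return vpn, data[offset:]
```

Two packets carrying different outer (transport) labels but the same inner label resolve to the same VPN, and a packet whose bottom label is not provisioned is rejected rather than forwarded.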
There are two schools of thought on how to leverage this emerging infrastructure to provide VPNs, distinguishable by the nature of the interface to the user. These can be called Virtual Private Ethernets and Virtual Private IP Networks.
Virtual Private Ethernets provide an Ethernet User Network Interface, to which the customers attach their LAN switches or routers. Ethernet frames are labeled and initially switched using distributed Ethernet Switching running directly over fiber, over wavelengths, or over Resilient Packet Rings (see my August 2001 column). Virtual Private Ethernets will rely on MPLS to provide the added scalability required to support thousands of enterprises, particularly across the long-haul public network. They operate purely at Layer 2 and can be configured on a point-to-point basis (emulating a circuit), on a point-to-multipoint basis (emulating frame relay star networks), or on a many-to-many basis (emulating a broadcast LAN across a configured set of customer sites). As a Layer 2 service, they are transparent to Layer 3 transport protocols (e.g., IP, Novell's IPX, IBM's APPN, and AppleTalk) and associated addressing schemes, routing protocols (e.g., Open Shortest Path First or OSPF) and associated protocols (e.g., Dynamic Host Configuration Protocol or DHCP). A key opportunity that Virtual Private Ethernets present is the ability to make a remote site look logically like a wiring closet in a campus site, for the first time dramatically simplifying branch networking, by enabling redistribution of routing, processing and storage to regional sites.
Virtual Private IP Networks operate at Layer 3 and interface to the customer router as a routing peer. While routed networks can be multiprotocol, these services will likely be specific to IP. IP packets will be MPLS labeled either on the customer premises or at the entry point into the cloud, which will have to be aware of the routing protocols and IP addressing used within the enterprise. They rely on IP-only (vs. multiprotocol) MPLS in the network core to switch the customer's IP packets across the network. The key advantage of Virtual Private IP Networks is that they are Layer 3 services and can be transported on any Layer 2 network independent of speed. The key disadvantage is that they are Layer 3 services and are not transparent to the enterprise IP network, are complex to configure, and introduce additional network processing and delays.
IPSEC AND LABELS COMPLEMENT EACH OTHER
Enterprises continue to look to network outsourcing so that they can refocus their resources on their core businesses. VPNs are the answer and continue to evolve to better meet the needs of enterprises. There are two complementary solutions: Internet-tunneled VPNs, and labeled VPNs in the form of either Virtual Private Ethernets or Virtual Private IP Networks. Internet-tunneled VPNs are here to stay for remote access, extranets, and for the cost-conscious site manager.
The choice between Virtual Private Ethernets and Virtual Private IP Networks will be dictated by how well each meets the enterprise requirements for tight security, high reliability, improved price/performance and scalability, operational simplicity, and meaningful SLAs. The explosion in the availability of optics right to business sites makes Virtual Private Ethernets the preferred VPN service solution for enterprises looking for lower latency, more reliability, and the inherently simpler Layer 2 solutions.
Tony Rybczynski is director of strategic marketing and technologies for Nortel Networks' Enterprise Solutions unit.
E-mail questions or comments to tonyryb@nortelnetworks.com.
[ Return To The September 2001 Table Of Contents ]