Internet protocol virtual private networks (IP VPNs) are rapidly increasing in popularity as a secure enterprise networking solution. Yet as popular as IP VPNs have become, there is a great deal of confusion in the marketplace as companies decide which technology to pursue. Competing providers of IP VPN services are not always speaking the same language and may describe their products in different and confusing ways.
The original distinction between true IP VPNs was between remote-access or dial VPNs and dedicated VPNs. Now, however, the primary distinction is based on which technology a carrier chooses.
The need to understand the varying types of services available is vitally important as the size of the IP VPN services market continues to grow. The estimated market size of the global managed IP VPN market was US$6.736 billion in 2001 and is expected to grow to an estimated $8.805 billion in 2002 and US$20.506 billion in 2005, according to Gartner Dataquest.
The MPLS-based IP VPN enables businesses to deploy IP architecture that will accommodate the dynamics of doing business globally today. It allows them to adapt to their ever-changing environment, to move in and out of markets with ultimate flexibility and to do business wherever market conditions are best. At the same time, the MPLS IP VPN provides the security of a private intranet and enables the network provider to offer service level agreements (SLA) that cannot be warranted by a service that depends on a patchwork of networks and the vulnerability of the public Internet.
The best of both worlds
IP VPNs are becoming the network solution of choice for multinational companies that want the flexibility and scalability to quickly add or delete network locations and to dynamically change applications that are transmitted over the network. An IP VPN is also important in creating electronic partnerships linked through extranets. Many companies are replacing conventional frame relay or ATM WAN services with IP VPNs. The MPLS IP VPN brings the reliability of frame relay and ATM to the flexibility of IP.
What is an IP VPN?
The creation of private networks within an existing network became possible with the invention of the multiplexer in 1966. Calling a private network 'virtual' means the network can isolate part of the network from other parts, assigning specific resources to each customer. VPNs are cost-efficient alternatives to leased lines or circuit-switched infrastructures.
With the inherent flexibility of IP, the IP VPN has become the wave of the future. The overall cost of ownership becomes even lower with an IP VPN because of:
- Lower investment cost;
- Improved operational efficiency;
- Greater scalability;
- Faster and more flexible growth.
Companies can add or subtract from an IP VPN far more quickly than with other types of networks, in which adding or deleting one location site can affect all locations, thereby increasing planning activities and cost. Cost of ownership reductions with IP VPNs are achieved by reducing the operational investment in a complex router network. Businesses no longer need to recruit, train and retain expensive IP specialists.
Despite the promise and increasing ubiquity of IP VPNs, their definition can differ widely in various regions of the world. For instance, in Europe today, discussions of IP VPNs generally concern an MPLS-based IP VPN, which can only be operated on a shared private network. However, in the United States, comments about IP VPNs often are related to IP VPNs that are operated on the public Internet.
IPSec VPNs and others
Another distinction must be made between MPLS IP VPNs and IP Security (IPSec) IP VPNs, which use IPSec technology to build tunnels on the network. An IPSec IP VPN is a complex technology that can operate either on the public Internet or on a shared private network. Using the Internet for business applications mandates the security provided by IPSec. IPSec tunnels must be built and maintained to each location that needs to communicate with another. If a company has 30 locations and deletes one of them, it must administer 29 different IPSec hosts. The complexity of IPSec technology is reflected in the number of tunnels required. For example, for 30 sites to communicate with each other, 435 tunnels would be needed. Even the smallest change could require a re-address of virtually every location on the network. These changes are not necessary with an MPLS IP VPN.
In addition, some companies have chosen the do-it-yourself route to build and maintain CPE-based IP VPNs. The company deploys customer premise equipment that creates secure tunnels across a private IP network or the Internet. This type of IP VPN requires considerable staffing at the company and can encounter service problems that an Internet service provider cannot or will not address.
Some companies offer MPLS as a routing device over networks using the Internet as the transport medium. This approach does not take advantage of the power of the VPN and such attributes as VPN Routing and Forwarding (VRF) tables. Without the VPN, the company requires IPSec or other tunnelling methods to provide the necessary business-class security. The use of the VPN with MPLS is a significant differentiator.
At times a company decides to extend an IP VPN beyond the domains of the enterprise to partners that may be on a different provider's VPN network. When going beyond the boundaries of the enterprise, the company must consider additional security methods. IPSec is a means of sending data across a public network, using encryption to establish privacy. Where partners interconnect their VPNs, they may install a firewall at the interconnection point to provide secure connectivity between the two entities.
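The tunnel arithmetic above (30 sites, 435 tunnels, 29 peers to touch when one site leaves) and the partner extranet just described can be modelled side by side. The following is an added example, not code from the article or from Equant: it assumes a full-mesh IPsec design and an RFC 2547/4364-style MPLS VPN in which membership is expressed as route targets (RTs) on each site's VRF; the site names and RT values are constructed.

```python
from itertools import combinations

def ipsec_full_mesh(sites):
    """IPsec site-to-site VPN: every pair of sites that must talk needs
    its own tunnel, so a full mesh of n sites is n(n-1)/2 tunnels."""
    return {frozenset(pair) for pair in combinations(sites, 2)}

def ipsec_peers_to_reconfigure(sites_before, sites_after):
    """Surviving endpoints whose tunnel set changed when the mesh went
    from sites_before to sites_after (a site joined or left)."""
    changed = ipsec_full_mesh(sites_before) ^ ipsec_full_mesh(sites_after)
    return {end for tunnel in changed for end in tunnel} & set(sites_after)

def mpls_vpn_reachability(vrfs):
    """vrfs maps site -> {"export": RTs, "import": RTs} for its VRF.
    A VRF installs another VRF's routes when that VRF exports a route
    target the first one imports (RFC 2547/4364 model, assumed here)."""
    return {dst: {src for src, s in vrfs.items()
                  if src != dst and s["export"] & d["import"]}
            for dst, d in vrfs.items()}

def mpls_peers_to_reconfigure(vrfs_before, vrfs_after):
    """Surviving sites whose VRF policy differs between the two membership
    tables; all others learn or withdraw routes automatically via MP-BGP."""
    return {s for s in vrfs_after if vrfs_before.get(s) != vrfs_after[s]}

# Constructed sample: the article's 30-site enterprise as one VPN (RT 65000:100),
# plus a partner admitted to an extranet RT (65000:900) that only site01 and
# site02 export to and import from, so the partner sees just those two sites.
SITES = [f"site{i:02d}" for i in range(1, 31)]
ENT = {s: {"export": {"65000:100"}, "import": {"65000:100"}} for s in SITES}
BOTH = {"export": {"65000:100", "65000:900"},
        "import": {"65000:100", "65000:900"}}
EXTRANET = {**ENT, "site01": BOTH, "site02": BOTH,
            "partner": {"export": {"65000:900"}, "import": {"65000:900"}}}

def remove_site_cost(site="site30"):
    """Peers that must be touched when `site` leaves: IPsec mesh vs MPLS VPN."""
    after_sites = [s for s in SITES if s != site]
    after_vrfs = {s: v for s, v in ENT.items() if s != site}
    return {"tunnels_before": len(ipsec_full_mesh(SITES)),
            "ipsec_peers": len(ipsec_peers_to_reconfigure(SITES, after_sites)),
            "mpls_peers": len(mpls_peers_to_reconfigure(ENT, after_vrfs))}

if __name__ == "__main__":
    print(remove_site_cost())  # {'tunnels_before': 435, 'ipsec_peers': 29, 'mpls_peers': 0}
    print(sorted(mpls_vpn_reachability(EXTRANET)["partner"]))  # ['site01', 'site02']
```

The `mpls_peers` figure is zero because the leaving site's VRF is deleted on its own PE only; the remaining 29 members are untouched, which is the operational point the article makes.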
MPLS class of service
Prior to the development of MPLS and associated IP technology, companies could not consistently achieve delivery of IP packets in a way that matched the needs of multi-media business applications.
Multi-protocol label switching uses new protocols to attach a label (tag) to each packet of data that travels on the IP VPN, ensuring that the packets are correctly handled by the network. The labels enable the use of different classes of service to speed the delivery of the most important data. MPLS can offer several classes of service, such as:
- Real time. This is the top priority, comparable to driving in the fast lane on a highway. Real time is reserved for such applications as voice and video.
- Interactive. For time-sensitive and relatively high-priority data, such as PeopleSoft and SAP applications.
- Standard. Most regular applications.
- General. Intranet browsing, corporate email.
- Internet. Web browsing, email over public Internet.
Providing class of service is a distinct advantage of an MPLS-based IP VPN over an IPSec IP VPN, which does not offer such prioritisation and cannot guarantee the timely arrival of packets.
Further adding to the confusion, some providers are marketing managed routers over frame relay as an IP VPN. While these may be adequate solutions for hierarchical IP networks, they are not the optimum solution for scalability. In fact, MPLS IP VPNs are the optimum solution.
IP VPN security
One of the major concerns of any business is the security of its IP VPN. The security of an MPLS-based IP VPN is at least as good as the security of a frame relay or ATM network.
A great misconception about an IP VPN is that IP is necessarily on the public Internet and therefore is highly insecure. The reality of an MPLS-based IP VPN is that it is actually an intranet and the provider can control the entire network.
The MPLS-based IP VPN offers a routing technique that creates a permanent virtual connection across an IP network, giving a highly predictable and secure route. The routing ensures that critical packets, such as voice-over-IP packets, are not only received in sequence but also are evenly spaced so the voice can be reconstructed in real time.
Security of MPLS-based IP VPNs is established through their inherent privacy, whereas that of IPSec-based IP VPNs relies on secrecy through encryption of data. It is generally accepted that encrypting information can only prevent it from being read for a finite period. How long the data stays protected depends on two factors:
- Whether the encryption algorithm is known;
- How much processing power is available to the hacker.
Using well-known and established encryption technology, which is not itself secret, will not provide long-term security. In fact, data encrypted with the most common algorithm, DES, has been decoded in less than a day, and its stronger counterpart, 3DES, takes only a little longer. The key problem is that once the key is known, it is possible to decode the traffic of a known data source, thereby exposing corporate data to reading by unknown and unauthorised persons; the IPSec-based VPN is then no longer private and secure.
Network quality and SLAs
Some providers that offer IP VPN services are offering Internet services with several Internet service providers hooked together to provide network access. In contrast, a true global provider will offer a seamless network that it controls end to end. The proof of this is the provider's ability to offer true SLAs that guarantee service from premise to premise. A patchwork network of ISP links cannot begin to guarantee service over links it does not control.
Contracting with a global provider will also limit the cost of internally managing a complex static network. The true global provider will submit bills that encompass all services rather than having the customer deal with multiple bills and multiple SLAs.
SLAs are provided in a variety of ways: country by country, customer by customer, service delivery time, service availability rate, packet loss, and jitter (the variation in packet delay, which determines voice quality). Only an MPLS-based IP VPN can truly provide guarantees related to jitter for IP-based voice and video applications.
A key element in measuring the quality of service (QoS) of a network is whether the provider is global or a patchwork collection of vendors. Quality of service guarantees simply do not work when one vendor hands off the packet to another. Some providers guarantee 100 percent availability on their network, but only in the fine print of their contracts can a company discover that the QoS guarantees do not apply beyond the boundaries of the provider's own network. In these cases, the provider must depend on the fragility of the public Internet for business applications - as opposed to a true global end-to-end business-quality network.
Future benefits
The beauty of the IP VPN is its global accessibility. It is an efficient way to connect worldwide branch offices. Communication links can be established quickly, cheaply and safely across the world. And, thanks to voice over Internet protocol (VoIP) capabilities, the IP VPN also provides savings on voice calls made among its far-flung global locations.
Conclusion
Most desktop applications today rely on IP communications and companies may prefer to keep them on an IP-based network rather than converting them to frame relay. It is far easier to use a single end-to-end cohesive service and the cost of managing an IP network is typically less than using a frame relay network. Yet frame relay is still by far the most widely used technology.
The primary reason that IP VPNs will continue to grow in the future is the coming ubiquity of IP in the workplace. Within the foreseeable future, traditional PBX voice systems will become obsolete from a cost perspective. As the use of IP telephones grows within companies, a server and IP telephony will replace the current circuit-switched PBX.
While companies may not rush to replace their PBX systems in existing facilities, at new offices they will tend not to buy another PBX but go directly to IP telephony.
When planning to use voice over IP, companies then must examine the difference between MPLS-based IP VPNs, which provide class of service, and IPSec, which does not offer guarantees for jitter or latency.
The MPLS-based IP VPN not only opens the world to voice over IP, but also the ability to run video for conferencing or e-learning over the VPN. In today's business environment, where travelling to meetings is no longer the norm, the convenience and cost benefits of videoconferencing have never been more important.
The full implementation of IP telephony will result in an era when an order-taker and a customer can sit at their screens, a world apart, examine a video showing the items under discussion, and enjoy a real-time business relationship that provides greater accuracy, dependability and speed. The companies that are first to offer all their services over the IP stream will be the winners in their industries.
The MPLS-based IP VPN will then provide the best of both worlds: the flexibility and speed of IP combined with the security and reliability of frame relay and ATM. And computers and telephony will finally merge and enhance the benefits of both technologies.
Phil Wardley is Head of Consultancy, Equant Asia Pacific Australasia, and has over 25 years' experience in the IT industry. He commenced as a systems engineer, working on large-scale IT projects, before moving into service management and customer satisfaction. He then moved into the professional services sector, focusing on developing unique solutions for customers and building the Professional Services arms of a number of different organisations. At Equant, Philip heads the Consultancy Practice in Asia Pacific Australasia, delivering IT solutions including Joint Opportunity Assessments, Business Re-engineering, Process Improvement, Selective Out-sourcing services, Technology introduction, Managed Solutions, and systems and network integration.
