VPNs: Reality Behind the Hype

Steven Taylor
Distributed Networking Associates
Summer - 1999

Copyright & Notices


Professional Opinions - All information presented and opinions expressed by Distributed Networking are the
current opinions of Distributed Networking based on professional judgment and best available information at
the time of presentation. Consequently, the information is subject to change, and no liability for advice
presented is assumed. Ultimate responsibility for choice of appropriate solutions remains with the Customer.

Biographical Information - The seminar will be led by Steven Taylor, President of Distributed Networking
Associates and Publisher/Editor in Chief of Webtorials.Com, a premier source of on-line telecommunications
seminars and market research. An independent consultant, planner, author, and teacher since 1984, Mr.
Taylor is frequently quoted in the trade press and is one of the industry's most published authors on high
bandwidth networking techniques. Distributed Networking Associates may be contacted at 2707 Lake Forest
Drive, Greensboro, NC 27408; (336) 288-3858. E-mail: taylor@webtorials.com.

Copyright, 1999 - Distributed Networking Associates. All portions of this presentation are copyrighted by
Distributed Networking Associates and/or the organization credited as the source of information. All forms of
reproduction and/or recording, including photocopying, tape recording, and video taping are strictly prohibited
without the express prior written permission of Distributed Networking Associates. Clipart used may include
images from Corel, Broderbund, and IMSI.

VPNs: Reality Behind the Hype

- Overview
- VPN Reference Architectures
- VPN Application Models
- VPN Business Case
- What to Look For in a VPN
- Summary

VPNs: Reality Behind the Hype

→ Overview
  - Definitions
  - Technology assumptions

What’s a Virtual Private Network (VPN)?

- Hottest marketing term of 1999
  - Viewed as the newest panacea to all your networking woes
    - Infinite free bandwidth with no configuration needed
  - Often implies IP
    - Even “Internet” is sometimes implied
- Need to examine two aspects
  - “Private Network”
  - “Virtual”

Private Networks

- Enterprise adds switching intelligence to basic transmission facilities from a carrier
  - More appropriately called “Leased Line Networks”
  - Leased lines are usually 56/64 kbps to T1/E1 to T3/E3
  - Switches integrate data channels & virtual voice trunks

Historical Reasons Enterprises Implemented Private Networks

- Appropriate services not available from the carriers
  - Circuit switched with quantum leaps in bandwidth
  - Based on the “voice” hierarchy
- Economics
  - Nets paid for themselves within a few months
- Control
  - Especially for rapid deployment of data applications
- Ego
  - “BYOB” networking for fun, career advancement

What is a Virtual Private Network?

- Virtual network: A network that provides virtual circuits and that is established by using the facilities of a real network.*
- Has the look and feel of a “real” private network
- Enterprise maintains control of the network
  - Customer Network Management (CNM) is a key feature
- Usually will be based on packet switching

*Source: Federal Standard 1037C at http://glossary.its.bldrdoc.gov/fs-1037/

Broadband Packet Service Types

- Frame Relay, IP and ATM are becoming widespread and are more similar than different
- Key differences:
  - Fixed vs. variable packet length
  - Connection vs. connectionless

[Figure: generic packet format, with fields labelled Delimiter, Header, Payload, Trailer (opt.), Delimiter]

Generic Packet Format: Payload

- Variable: Frames
  - Efficient use of bandwidth
  - “Frame Relay” & IP
- Fixed length: Cells (ATM)
  - Easy to process with predictable delay
  - Always the same size

Generic Packet Format: Header

- Connection oriented
  - Virtual Circuit number
  - Conserves address space
  - ATM and Frame Relay
- Connectionless (IP)
  - “Universal,” unique address
  - Needs large address space
    - Is this a problem?

Broadband Packet Types

- Bottom Line: All three “work”
  - Single-technology world view misses the big picture
    - Great for marketing, selling magazines, and creating editorial content and controversy
    - Promotes the “Technology of the Month Club”
  - “Broadband Packet” looks at the bigger picture

                | Fixed length | Variable length
Connection      | ATM          | Frame Relay
Connectionless  | N/A          | IP

Today’s Reasons Enterprises Should Implement Virtual Private Networks

- Appropriate services are available from the carriers
  - Most carriers offer Frame Relay, ATM, and IP services
- Economics
  - Frame Relay and ATM usually cost less than half of private lines for equivalent performance
- Control
  - CNM same as or better than private line
- Ego
  - Enterprises are returning to their “core competencies”

VPNs: Reality Behind the Hype

- Overview
→ VPN Reference Architectures
  - “VPN” legitimately means many different things to different communities
  - Hot marketing term to use
  - Define three reference architectures
    - Internet Backbone VPN
    - Leased Line Replacement VPN
    - Enhanced IP VPN

Internet Backbone VPN (IB VPN)

- Uses the Internet for transport layer, with:
  - Tunneling - For multiprotocol, private addressing, etc.
  - Encryption - For security across “unknown” connections
  - Authentication - To ensure the connection is to the “right” user

[Figure: The Internet]

Internet Backbone VPN Scorecard

VPN Type                 | Strengths    | Weaknesses
Internet Backbone        | Price        | Requires Tunnelling, Encryption, and Authentication
                         | Ubiquity     | Lack of Security
                         | Connectivity | No guaranteed QoS
Leased Line Replacement  |              |
Enhanced IP              |              |

Leased Line Replacement VPN (LLR VPN)

- Traditional Frame Relay or ATM service
  - Provides same basic functions as leased lines
    - At a fraction of the cost
  - PVCs provide continuous point-to-point connectivity
    - More than 95% of installed VCs are PVCs
    - SVCs for any-to-any connectivity, but not widely implemented

[Figure: Frame Relay or ATM Network]

Leased Line Replacement VPN Scorecard

VPN Type                 | Strengths                      | Weaknesses
Internet Backbone        | Price                          | Requires Tunnelling, Encryption, and Authentication
                         | Ubiquity                       | Lack of Security
                         | Connectivity                   | No guaranteed QoS
Leased Line Replacement  | Price vs. Leased Line          | Predefined endpoints
                         | Inherent security              | Limited dial-up
                         | Well-defined QoS               | Not glitzy
                         | Inherent Multiprotocol Support |
Enhanced IP              |                                |

Enhanced IP VPN (EIP VPN)

- IP as the “UNI” to the network
- Switched infrastructure using a combination of MPLS*, Frame Relay, and ATM
- NOT over the Internet, but has gateway functions
- Inherent security and QoS

[Figure: IP UNI into a Switched IP over FR/ATM Infrastructure]

*MultiProtocol Label Switching (MPLS): Follow-on successor to tag switching and switched IP.

Leased Line Replacement VPN Scorecard

VPN Type                 | Strengths              | Weaknesses
Internet Backbone        | Price                  | Requires Tunnelling, Encryption, and Authentication
                         | Ubiquity               | Lack of Security
                         | Connectivity           | No guaranteed QoS
Leased Line Replacement  | Price vs. Leased Line  | Predefined endpoints
                         | Inherent security      | Limited dial-up
                         | Well-defined QoS       | Not glitzy
                         | Multiprotocol          |
Enhanced IP              | Great for IP           | IP Only (without encapsulation)
                         | Secure on backbone     | Some static definition required
                         | Transparent addressing | Needs gateway services for ubiquity & connectivity
                         | QoS                    | Emerging technology/service
                         | Has IP "Name"          |

VPNs: Reality Behind the Hype

- Overview
- VPN Reference Architectures
→ VPN Application Models
  - VPNs can address many different applications
  - Four application models for matching applications with reference architectures
    - “Road Warrior”
    - Fixed-location Telecommuter
    - Corporate Intranetwork Transport
    - Remote/Branch Office

“Road Warriors”

- Calls from anywhere in the world
  - No fixed location; Dial service
- Great fit for Internet Backbone VPN
  - Possibly VLL VPN or EIP VPN with modem pool

[Figure: The Internet]

Fixed Location Telecommuter

- SOHO (Small Office / Home Office)
  - Location doesn’t change
  - Could fit all 3 models depending on
    - QoS
    - Multimedia
    - Local access options

Corporate Intranetwork Transport

- Core corporate communications as opposed to “remote access”
- “Leased line” function and reliability
  - Capabilities outweigh price
- LLR VPN (ATM/FR) usually best
  - EIP if most traffic is IP

[Figure: Frame Relay or ATM Network]

Remote Office / Branch Office

- Small workgroup, Regional office, Functional workgroup, etc.
  - Low traffic compared with intranetwork node, but more than SOHO
  - Multiple applications
    - Probably includes voice, maybe video
    - May have multiple protocols (e.g. banking)
  - LLR VPN, or maybe EIP VPN
    - Depends on multiprotocol and tolerance of overhead

Application Models and Reference Architectures

Model                            | Internet-Based VPN                         | Leased Line Replacement VPN       | Enhanced IP VPN
“Road Warrior”                   | Great fit                                  | Not mobile                        | OK, with dial capability
Fixed-location Telecommuter      | Good, if enough bandwidth                  | Seldom economical                 | Excellent, especially if local
Corporate Intranetwork Transport | QoS, security, and throughput concerns     | Great fit                         | OK, depending on protocol mix
Remote/Branch Office             | Maybe, depends on protocol and throughput  | Good, especially if multiprotocol | Good, especially if IP-Centric

Interworking among Application Models

- Networks require any-to-any connectivity
- The network infrastructure must be seamless
  - Separate infrastructures are expensive to build and maintain

Technology Interworking

- IP to Frame Relay Interworking is especially key
  - Similar to “IP-Enabled Frame Relay”
  - Maps IP address to FR PVC at gateway

Interworking                | Enhanced IP VPN        | Leased Line Replacement VPN       | Internet-Based VPN
Internet-Based VPN          | IP to Internet Gateway | IP (Internet) to FR/ATM Gateway   | IP Gateway
Leased Line Replacement VPN | IP FR/ATM Gateway      | Current NNI for each technology   |
Enhanced IP VPN             | IP Gateway             |                                   |

VPNs: Reality Behind the Hype

- Overview
- VPN Reference Architectures
- VPN Application Models
→ VPN Business Case
  - From the Enterprise perspective
  - From the Carrier perspective
  - For each application model

Enterprise Perspective: “Road Warrior” using Internet VPN

- $19.95 per month versus long distance dial-in
  - 400 minutes to break even at 5¢ per minute
    - 20 minutes per business day
- Additional benefits
  - Carrier has modem pool and dial support
  - Enterprise has “normal” internet connection
- Caveats
  - “Roaming” or long distance surcharges
  - Footprint of ISP service
  - Administration and support for tunneling, encryption, and authentication
  - Support (finding “local” numbers, etc.)

Carrier Perspective: “Road Warrior” using Internet VPN

- Advantages:
  - Incremental business revenue
    - May justify a premium versus “residential”
  - Stable, multiple-account customer base
    - Reduced (or consolidated) sales and support
- Caveats:
  - Nationwide (or worldwide) service footprint needed
    - May accelerate inter-ISP coverage arrangements
    - Inter-ISP “settlement” opportunity
  - Could force issue of interworking among VPN services
    - Expands the role of the ISP

Enterprise Perspective: Fixed Location Telecommuter

- If Internet VPN:
  - $19.95 per “Road Warrior”
  - May be most attractive for “long distance” telecommuter
- If LLR VPN or EIP VPN
  - Assume equivalent pricing
  - More expensive than Internet VPN, but more capabilities
- Watch for:
  - Access costs/option
    - xDSL, cable modem, etc. may be an important factor
    - ISDN and IDSL unless service is metered
  - Anything usage-sensitive
- Hidden advantage
  - Carrier takes care of access
    - (No modem pools!)

Carrier Perspective: Fixed Location Telecommuter

- If “local” using Internet VPN
  - Adds more business
    - Like “road warrior” without remote problems
  - Watch for LONG hold times
- If LLR VPN or EIP VPN
  - Adds to Frame Relay (or ATM or IP) core business
  - May be more price-sensitive if local
- Caveats
  - Must be price-competitive with analog telephony plus modem
  - High-speed access likely to be more of an issue than with “Road Warrior”
  - More likely to need multimedia (or at least voice), especially if not local

Enterprise Perspective: Corporate Intranetwork Transport using LLR VPN

- Most realistic comparison is with traditional leased lines
  - Usually save at least 50%
  - The larger and more complex the network, the greater the savings
- Enhanced IP may have similar savings...
- Enhanced IP should be in the same price range
  - “Free” internet bandwidth (via Internet VPNs) for the corporate infrastructure is not a reasonable expectation
- This application requires:
  - QoS - including some form of “CIR”
  - Manageability

Carrier Perspective: Corporate Intranetwork Transport using LLR VPN

- Key addition / expansion to existing ATM and/or frame relay nets
- Multimedia (Voice over IP/FR/ATM) will be a driver
- Enhanced IP VPN has same advantages if
  - Multimedia is supported
  - QoS is available
- Initially less profit than existing leased lines, but
  - Necessary to avoid losing business in the near term
  - Eventually less expensive than leased line due to lower cost of packet infrastructure
    - See “Can Carriers Make Money on IP Telephony?” in Business Communications Review, 8/98

Enterprise Perspective: Remote / Branch Office using LLR VPN and EIP VPN

- Just like corporate intranetwork transport, significant cost savings
  - Greater connectivity than a single line for “meshed” connectivity
  - Local FR/ATM (and IP) services in same price range (or less expensive) as dedicated point-to-point
- Provides a foundation for multimedia, including voice
  - Can often fit into the “noise” of the data bandwidth
- Internet VPN is an option, but
  - Be sure to include access costs
  - Watch for speed and multimedia limits
  - “$19.95” plans usually do not include multilink

Carrier Perspective: Remote / Branch Office using LLR VPN and EIP VPN

- Key component of overall business case for these services
  - Most frame relay networks are still star topologies with low-speed access
  - Nationwide service and/or intercarrier agreements are already in place for most services
- Internet VPN could be used if traffic is light and fits “SOHO” model, but
  - Traffic will exceed “normal” Internet VPN profile
  - Lack of QoS could result in unhappy customers

Bottom Line on Business Case

- For the Enterprise
  - At least one of the VPN reference architectures provides significant cost advantages for each application model
  - It’s important to match the application with the “right” VPN service
  - Choose a carrier with all three options and interworking capabilities
- For the Carrier
  - The availability of the entire suite of services is much stronger than the single individual services
  - One size doesn’t fit everybody
  - Enterprises would like to purchase the entire VPN solution from a single carrier

VPNs: Reality Behind the Hype

- Overview
- VPN Reference Architectures
- VPN Application Models
- VPN Business Case
→ What to Look For in a VPN
  - Top ten features
  - Enterprises need these for efficient networks
  - Carriers need to offer them to be competitive

1. Security

- Tunneling/encryption/authentication if Internet-based or IP-based Enterprise Class
- Connection-oriented backbone provides security for Leased Line Replacement
  - Frame Relay and ATM provide inherent “connectivity security”
    - Paths are pre-defined; misdelivered packets are discarded
- Enhanced IP has inherent security if over a Frame Relay / ATM backbone
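
An added illustration, not part of the original slides, of the "connectivity security" point above and of the gateway on the Technology Interworking slide that maps an IP address to a FR PVC: a destination with no provisioned PVC, or a DLCI not provisioned on the ingress port, is discarded rather than delivered. The prefixes, port names, DLCI numbers and function names are constructed for the example.

```python
import ipaddress

# Constructed provisioning data (assumptions, not from the slides).
# Gateway: destination prefix -> DLCI of the PVC that reaches it.
GATEWAY_ROUTES = {
    "10.1.0.0/16": 100,   # site A
    "10.1.5.0/24": 101,   # more specific subnet, site B
    "10.2.0.0/16": 102,   # site C
}
# Switch cross-connects: (ingress port, DLCI) -> (egress port, DLCI).
# DLCIs are only locally significant, so the key includes the port.
SWITCH_PVCS = {
    ("gw", 100): ("siteA", 16),
    ("gw", 101): ("siteB", 16),
    ("gw", 102): ("siteC", 17),
}

def dlci_for(dst_ip, routes=GATEWAY_ROUTES):
    """Longest-prefix match of a destination IP to a PVC; None means drop."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, dlci in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, dlci)
    return best[1] if best else None

def switch_forward(port, dlci, pvcs=SWITCH_PVCS):
    """Follow the pre-defined path, or return None to discard the frame."""
    return pvcs.get((port, dlci))

def deliver(dst_ip, ingress_port="gw"):
    """Gateway lookup followed by the switch's PVC check."""
    dlci = dlci_for(dst_ip)
    if dlci is None:
        return ("discard", "no PVC provisioned for destination")
    hop = switch_forward(ingress_port, dlci)
    if hop is None:
        return ("discard", "DLCI not provisioned on ingress port")
    return ("forward", hop)

if __name__ == "__main__":
    for ip in ("10.1.5.9", "10.1.9.9", "192.0.2.1"):
        print(ip, deliver(ip))
    # A frame entering at site A with a DLCI that exists only on the
    # gateway port has no cross-connect and is discarded.
    print("siteA/102", switch_forward("siteA", 102))
```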

2. Flexibility

- Multiple Access Options
  - Traditional, including dial and dedicated
  - Packet, including local frame relay and ATM services
  - xDSL, cable modem, etc.
- Ability to Move within the Suite of Services
  - Support for all VPN architectures
  - Full interoperability among services
- Reasonable Term Commitments

3. Throughput

- Overhead Considerations
  - IP versus Frame Relay versus ATM overhead
  - When does overhead matter?
- Network Design
  - Eliminating “star” bottlenecks
    - E.g., IP “Accelerated” frame relay
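
An added worked example, not part of the original slides, for the overhead question above: it computes the octets on the wire for one IP packet over Frame Relay with RFC 1490 encapsulation and over ATM AAL5 with LLC/SNAP encapsulation. It assumes the default 2-octet Frame Relay address, one flag per frame and no bit stuffing; the function names and sample packet sizes are constructed.

```python
import math

# Per-frame Frame Relay overhead in octets (assumptions: default 2-octet
# Q.922 address, one flag between frames, HDLC bit stuffing ignored).
FR_FLAG, FR_ADDRESS, FR_FCS = 1, 2, 2
RFC1490_IP = 2            # control 0x03 + NLPID 0xCC for routed IP

# ATM / AAL5 constants in octets.
CELL, CELL_PAYLOAD = 53, 48
AAL5_TRAILER = 8          # UU, CPI, length, CRC-32
LLC_SNAP = 8              # LLC/SNAP header for routed IP over AAL5

def frame_relay_bytes(ip_len):
    """Octets on the wire for one IP packet carried in one frame."""
    return FR_FLAG + FR_ADDRESS + RFC1490_IP + ip_len + FR_FCS

def atm_bytes(ip_len):
    """Octets on the wire: the AAL5 PDU is padded to whole 48-octet cells."""
    cells = math.ceil((LLC_SNAP + ip_len + AAL5_TRAILER) / CELL_PAYLOAD)
    return cells * CELL

def efficiency(ip_len, wire_fn):
    """Fraction of transmitted octets that are the IP packet itself."""
    return ip_len / wire_fn(ip_len)

def packets_per_second(link_bps, ip_len, wire_fn):
    """Packets of this size a fully loaded link carries per second."""
    return link_bps / (8 * wire_fn(ip_len))

if __name__ == "__main__":
    # Constructed sample sizes: a bare TCP ACK, a small packet, 576, 1500.
    for size in (40, 64, 576, 1500):
        print(f"{size:5d} B IP  "
              f"FR {frame_relay_bytes(size):5d} B "
              f"({efficiency(size, frame_relay_bytes):.0%})  "
              f"ATM {atm_bytes(size):5d} B "
              f"({efficiency(size, atm_bytes):.0%})")
```

Small packets pay the largest penalty: a 40-octet packet occupies two ATM cells, so under 40% of the transmitted octets are IP, while a 1500-octet packet is about 88% efficient on ATM and over 99% on Frame Relay.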

4. Network Design Agility

- Any-to-Any Virtual Topologies
  - Unlike current Frame Relay
- Eliminating “star” bottlenecks
  - E.g., IP “Accelerated” frame relay

[Figure: router topologies, labelled Traditional and IP Accelerated Frame Relay]

5. Multiprotocol / Multimedia Support

- Non-IP Data
  - E.g., SNA
    - Does the customer prefer DLSw or RFC-1490?
- Voice
  - QoS issues
    - Absolute delay, Jitter, etc.
- Video / Image
  - Real-time video has constraints similar to voice

6. Availability

- Various QoS levels
  - Best effort versus “Gold” service
    - Some applications may be fine with “basic” service
    - Different service levels on a per-flow basis
    - Policy-based flows
- Pricing commensurate with the service level

7. Scalability

- Scalable Control
  - Core services
  - Managed services
  - Full outsourcing
- Scalable Complexity
  - Private addresses, etc.
- Access Speeds and Options
  - Traditional and non-traditional from 56 kbps to OC-n

8. Manageability

- CNM capabilities
  - Adds, moves and changes under the customer’s control
  - Customer-controlled QoS
  - Support for private IP addresses
- Preserve the “look and feel” of the private network

9. Service Level Agreements

- Service Level definitions are a first step
  - Define the terminology and parameters to be measured
  - Frame Relay Forum has FRF-13
  - Similar definitions are needed for other services
- SLAs for Internet VPNs are intrinsically difficult
  - You can’t guarantee what you can’t control
  - Good reason for connection-oriented infrastructure for Enhanced IP VPNs

10. Integrated Total Service Packages

- Need for smooth interworking among the three VPN reference architectures
  - Frame Relay to IP interworking is especially important
- Gateway services to other services
  - Also for packet to traditional voice
  - Including directory services
- CPE (CLE) equipment management as an option
  - Managed Network Service

VPNs: Reality Behind the Hype

- Overview
- VPN Reference Architectures
- VPN Application Models
- VPN Business Case
- What to Look For in a VPN
→ Summary

Summary

- Be sure you choose the right type of VPN
- There’s a great business case for VPNs
  - Enterprise customers can save a lot of money
  - Carriers can be successful with
    - The right complete suite of services at
    - The right price with
    - Proven quality and dependability based on
    - The proper set of service and equipment features

Summary

- VPNs have the potential to be a win-win situation for the Enterprise and Carriers
- Allow both to excel at their core competencies
