Optical/IP Networks

Edge-Router Evolution

Once a carrier has an MPLS-based VPN, service intelligence at the edge can be used to add value and generate new revenues, by partitioning separate management on a per-customer basis with virtual-router technology and applying the appropriate mix of service features onto a customer’s VPN.

Remote Access and Broadband Networking

Figure 5 shows an example – a universal remote access service, similar to that being rolled out by carriers such as Equant (NYSE: ENT; Paris: EQU). In this service the IPSec and Firewall features are applied to the customer VPN's virtual routers, allowing any type of remote access to participate in the customer’s VPN. CoSine Communications says that customers like this arrangement because it allows employees – like the mobile sales force or factory workers or knowledge workers – to plug into the corporate VPN no matter where they are and with whatever access method is best at that particular location.

“We are seeing renewed interest in what I call the second wave of remote access, and this is fueled primarily by the growing popularity of broadband and wireless technologies, and to some extent Ethernet,” says Almeida. “From the IP manager point of view, they no longer have to worry about rogue, unprotected users exposing the company to security threats, which is always a concern, especially with the ease with which people can plug into a WiFi hotspot.”

Strategic advantages for carriers include:

  • Offsetting some of the losses on dialup revenues with managed-VPN revenues, as those dialup revenues start to shift to broadband services

  • A hold over the customer account through owning the managed VPN portion of the service, even if they do not own large chunks of the access link

  • Opportunity to innovate on service bundles by aggregating VPNs into other pricing plans

  • Reduced risk of carrying CPE inventory that may not support all needed types of broadband access

Network-Based Security

Network-based security services are already selling lots of edge-router-type equipment, and cover a range of services including firewalls, NAT/NAPT, URL filtering, virus checking, intrusion detection, and certificate authority serving. They are a natural fit with VPNs and the concept of the service-intelligent edge.

Figure 6 shows a KT Corp. installation of an integrated intranet/Internet service. MPLS, firewall, and NAT services are applied to the customer’s VPN virtual routers. Note that MPLS doesn’t have to be used – similar implementations have been made with Frame Relay instead.

The crucial point is that the customer gets both WAN service and a secure Internet service over a single port. So the enterprise customer no longer has to pay for two access links or two ports, and they also offload all the public Internet traffic from the mission-critical WAN. They don’t need any extra CPE, and they are able to support and enforce corporate-wide policies for both their WAN and the Internet. There is also a nice angle for incumbent carriers, in particular – instead of just supplying the WAN, as is often the case, they can now become the customer’s ISP as well.

IPSec-to-MPLS Interworking

To maximize network reach and service versatility, IPSec-to-MPLS interworking will be needed, as shown in Figure 7.

Here the customer’s virtual routers provide firewall, PKI, authentication, IPSec, and MPLS. Many carriers would offer this as a universal WAN service. Again, MPLS or Frame Relay connections can be used for the on-net sites (shown as Manufacturing Partners 1 and 2), and off-net sites can connect via the Internet and available access methods, such as DSL or dialup. IPSec-to-MPLS interworking allows several service providers to interconnect their MPLS networks to provide wider coverage, getting round the fact that MPLS network-to-network interfaces (NNIs) for direct MPLS interconnection are still at a very early stage.

Figure 7 is based on the NTT Communications Corp. worldwide extranet service to the Japanese Automotive Exchange. That exchange consists of companies like Toyota, which is interconnected with its manufacturing partners and auto dealers around the world, either with MPLS for those sites directly connected to NTT’s MPLS network, or with IPSec for those sites that are not.
