
Readers Take Shots at IP VPNs

Virtual private networks (VPNs) based on IP technology have many drawbacks -- and it will be years before they're ready for prime time.

That's the message from a number of readers who have responded to a recent article in Light Reading about services from AT&T Corp. (NYSE: T) and Sprint Corp. (NYSE: FON). These products aim to move customers to IP VPNs by linking existing Frame Relay and ATM networks to core IP services, allowing users to run both kinds of services simultaneously (see Crossing Over to VPNs).

At least one large Frame Relay customer says that's not what he's looking for at all. Art King, who manages a 500-site international network for a large U.S. manufacturer (King preferred his employer remain unnamed), says carriers have yet to "make the math work" to move him to an IP VPN -- though they're trying.

While he's open to having a faster network that's cheaper and easier to manage, he claims his leading carriers, including two major IXCs, are showing him alternatives nearly double the cost of what he's paying for Frame Relay services now. He says they tell him it costs less to move from Frame Relay to an IP VPN, but they're basing that on Frame Relay configurations that are a lot denser than his hub-and-spoke setup. There may be other adjustments required, as well, such as moving from using OSPF to BGP. Even a transition service can't erase the ultimate pain of the added costs, King says.

"I have a very simple charter. I'm never technology driven. I want faster for less money. Is it sexy? Who cares?"

Carriers also have their issues with the technology. They differ on just how to port customers to IP VPNs. There are differences about design, protocols to be used, and whether or not to deploy private or public Internet Protocol (IP) links.

Rob McCormick, CEO of Savvis Communications Corp. (Nasdaq: SVVS), for instance, doesn't see the benefit of transition services, which he says complicate existing networks. And he's not sold on popular methods of supporting VPNs, either.

Like Sprint, Savvis gives Multiprotocol Label Switching (MPLS) a thumbs down at present (see Sprint Spurns MPLS for Global VPNs). McCormick says MPLS lacks failover and quality-of-service guarantees and is at least four years away from being fully developed enough to perform all the functions it needs to for corporate VPNs.

"Two years ago, I was more bullish on MPLS. Now I don't have confidence the R&D is there to finish it. It will be four to five years before it reaches an acceptable maturity for corporate data networks," McCormick says. Ditto high-speed Ethernet access links: McCormick says they're just not in big demand on corporate nets and probably won't be for another five years at least.

In the meantime, Savvis uses dedicated Layer 2 links from customer to POP, with Shasta gear from Nortel Networks Corp. (NYSE/Toronto: NT) converting the traffic and performing "virtual routing" and IP switching functions. Savvis's core is based on Asynchronous Transfer Mode (ATM) switches from Lucent Technologies Inc. (NYSE: LU). Savvis is offering access links at 128 kbit/s to 1 Gbit/s.

With so many points at issue, it's easy to see why the "great VPN migration" isn't taking the world by storm.

Still, the need is there, pushing customers to seek solutions and carriers to put their cards on the table. McCormick says at least 75 percent of Savvis's business consists of putting in IP VPNs for Frame Relay users who can't get one or another application to work on their networks any longer.

For his part, IT manager King says carriers need to come up with a reasonable way to get VPN performance at lowest cost. He says he may have figures to share in a month or so. Stay tuned.

— Mary Jander, Senior Editor, Light Reading
Dr.Q 12/5/2012 | 12:41:51 AM
re: Readers Take Shots at IP VPNs Art King sums it up with his comment "I have a very simple charter. I'm never technology driven. I want faster for less money. Is it sexy? Who cares?"

Note to technology geeks (self included): getting the Art Kings of the world what they want is the best path to continued employment.

-Dr. Q
Tony Li 12/5/2012 | 12:41:50 AM
re: Readers Take Shots at IP VPNs Agreed. And the best way to do that is to keep it very simple. IPSec tunnels based on the CPE is the obvious path.

Tony
bachus 12/5/2012 | 12:41:49 AM
re: Readers Take Shots at IP VPNs [snip]
There may be other adjustments required, as well, such as moving from using OSPF to BGP. Even a transition service can't erase the ultimate pain of the added costs, King says.
[snip]

If I am not mistaken, this is again one of the restrictions of Cisco's state-of-the-art IOS. IOS provides a maximum of 32 PDBs (protocol descriptor blocks). Each protocol instance consumes one, including static and connected. BGP uses only one, which makes it the only scalable choice of protocol on a Cisco router.

-bachus
skeptic 12/5/2012 | 12:41:47 AM
re: Readers Take Shots at IP VPNs Note to technology geeks (self included): getting the Art Kings of the world what they want is the best path to continued employment.
-------------
The technology gave them (in theory) what they
wanted. But the technology geeks don't have
any say at the pricing/service end of the
providers. For IP VPNs to make sense to
customers, they had to be sold at a lower
(or at least equal) cost to frame relay service.



rtg_dude 12/5/2012 | 12:41:47 AM
re: Readers Take Shots at IP VPNs tli wrote:

>Agreed. And the best way to do that is to keep
>it very simple. IPSec tunnels based on the CPE
>is the obvious path.

Amen!!!

With all the hype around 2547 people forget the
reason why routers do not care about TCP sessions
among hosts. The same architectural principles
apply to VPNs.

rtg_dude
teng100 12/5/2012 | 12:41:45 AM
re: Readers Take Shots at IP VPNs
In today's network, you must have solid Layer 2 to connect your critical VPN, since you can not even trust your neighbors these days if you are sharing the network with others based on Layer 3 methods.
digerato 12/5/2012 | 12:41:44 AM
re: Readers Take Shots at IP VPNs "The technology gave them (in theory) what they
wanted"

I don't think so -- I think vendors have only delivered the hardware, but not the management software. According to RHK, 49% of service provider expenditure goes to Opex (operating the service), and only 35% to capex (buying routers). No software to run the network means sky high service costs because you need an army of highly paid router jockeys to bang away at router CLIs all day -- which translates into uncompetitive pricing.

Software tool and OSS support for MPLS itself and very complicated (to provision) services like 2547 are risible. There are very few tools out there that can help you visualize and provision an MPLS core, let alone make it predictable and redundant (hence the comment from the Savvis guy). Notice to router geeks: fast re-route may function on your box, but it isn't operationally deployable because it is too hard to configure and control.

There are slightly more tools out there for 2547 config, but most of them simply offer a "GUI for the command line", or if they try to do more, don't have enough intelligence to figure out how to correctly configure the routers in all situations. Which means you're scared to let them loose on your network.

Most of the large scale MPLS networks today rely on a whole lot of home grown OSS software written by the service provider. That's not a good sign for large scale market growth!

There is nothing even close to the kind of software systems for deploying and traffic engineering ATM and frame relay networks. This is not to say that the IP world must slavishly copy ATM (please dear lord, no!), just that ATM actually has some good service management tools that work, and therefore the cost of service is much lower.

Digerato
cyber_techy 12/5/2012 | 12:41:43 AM
re: Readers Take Shots at IP VPNs > There may be other adjustments required, as
> well, such as moving from using OSPF to BGP.

If his IXC had Virtual routers based solution for VPNs instead of 2547 (BGP VPNs), such a move wouldn't be required. Maybe it's time for Virtual Routers to stage a comeback.

> Even a transition service can't erase the
> ultimate pain of the added costs, King says.

ip-eng 12/5/2012 | 12:41:42 AM
re: Readers Take Shots at IP VPNs prociding --> providing
ip-eng 12/5/2012 | 12:41:42 AM
re: Readers Take Shots at IP VPNs
Martini is closer to the existing FR and ATM VPNs and probably has a good chance of getting adopted quickly.

VPLS and 2547bis are a little more complicated ... just like it took a little time for the non-ATM believers to start believing in ATM, it will take some time getting people to buy into the solutions ... it seems that most vendors are prociding them on the boxes but the question is who is using it right now?
Any providers out there care to share some knowledge on this area?