VPNs Grow Up

After years of hype, network-based IP virtual private networking might finally be getting closer to reality, as more vendors announce support for the technology.

One of the problems with VPNs is that they vary in terms of the technology and features used to employ them. The common split comes between those using Multiprotocol Label Switching (MPLS) technology and those that use IPSec encryption.

Yesterday, Unisphere Networks Inc. announced that it would be adding two new versions of VPN: IPSec, as well as Layer 2 "Martini" and "Kompella," which are two Internet Engineering Task Force (IETF) draft standards for VPNs based on MPLS. Unisphere routers already employ Layer 3 MPLS VPNs.

By itself, the Unisphere announcement is not earth shattering, but recently several edge-routing companies and IP service switch makers have announced support for some, if not all, of these VPN flavors in their offerings, signaling that perhaps a real market for network-based VPNs is around the corner.

"Apparently, there is a market and some interest in offering different types of VPNs," says David Newman, president of Network Test Inc. "Otherwise we wouldn't be seeing Juniper, Cisco, and Unisphere making these announcements."

For years, VPN technology has been touted as the next hottest thing since buttered toast. But service providers have been slow to embrace it. Early entrants to the market, like CoSine Communications Inc. (Nasdaq: COSN), have not found a lot of customers willing to buy their products.

One problem with the VPN market is that people are confused about what each of the technologies actually does. First, there are the traditional Layer 3 VPNs based on MPLS. This type of VPN allows service providers to offer customers private tunnels through public Internet Protocol (IP) networks using MPLS tagging. The drawback with this implementation is that it can only be used with IP traffic.

Then there are Layer 2 MPLS VPNs, based on the Martini and Kompella drafts. This technology can carry all types of traffic by mapping Asynchronous Transfer Mode (ATM), Frame Relay, or Ethernet traffic into an IP/MPLS core. To the end user, it still looks like a Frame Relay or ATM connection. Supporters of Martini [Cheers!] say that it provides the best of both IP and circuit-based worlds.

But each of these MPLS VPN technologies lacks a key ingredient: Neither offers authentication and encryption, security components that many businesses require. This is where IPSec comes into play. IPSec offers authentication and encryption so that end users -- like those in the financial community or in health care -- can secure the traffic being sent across their virtual pipes.
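The distinction drawn above, between an MPLS VPN whose label stack carries the customer's packet in the clear through the core and IPSec, which hides that packet inside an ESP envelope, can be made concrete by parsing the two on-the-wire formats. The Python example below is added here and is not code from the article or from any vendor it mentions. It encodes and decodes RFC 3032 label stack entries (including the 3-bit EXP field, which gives eight traffic classes), reads the inner IPv4 header the way a transit node could, and for an ESP packet (RFC 4303) parses only the SPI and sequence number, the only fields readable without the key. Every label, address, payload and packet is a constructed sample value, and the ESP "ciphertext" is a placeholder stand-in rather than real encryption.

```python
import struct
import ipaddress

# Added example (not from the article): parsers for the MPLS label stack
# (RFC 3032 shim: 20-bit label, 3-bit EXP, 1-bit S, 8-bit TTL) followed by
# an IPv4 header, and for the outer ESP header (RFC 4303: 32-bit SPI,
# 32-bit sequence number, then data an on-path observer cannot read).


def build_label_entry(label, exp, bottom_of_stack, ttl):
    """Encode one 32-bit MPLS label stack entry (3 EXP bits -> 8 classes)."""
    if not (0 <= label < 2**20 and 0 <= exp < 8 and 0 <= ttl < 256):
        raise ValueError("field out of range")
    word = (label << 12) | (exp << 9) | (int(bottom_of_stack) << 8) | ttl
    return struct.pack("!I", word)


def parse_label_stack(data):
    """Return (entries, offset of the first byte after the stack)."""
    entries = []
    offset = 0
    while True:
        if offset + 4 > len(data):
            raise ValueError("truncated label stack")
        (word,) = struct.unpack("!I", data[offset:offset + 4])
        entry = {
            "label": word >> 12,
            "exp": (word >> 9) & 0x7,
            "bos": bool((word >> 8) & 0x1),
            "ttl": word & 0xFF,
        }
        entries.append(entry)
        offset += 4
        if entry["bos"]:
            return entries, offset


def parse_ipv4(data):
    """Return the IPv4 header fields and payload a transit node could read."""
    if len(data) < 20 or data[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (data[0] & 0x0F) * 4
    return {
        "protocol": data[9],
        "src": str(ipaddress.IPv4Address(data[12:16])),
        "dst": str(ipaddress.IPv4Address(data[16:20])),
        "payload": data[ihl:],
    }


def observe_mpls_vpn(frame):
    """What an observer inside the MPLS core sees for an L3 MPLS VPN packet."""
    labels, offset = parse_label_stack(frame)
    inner = parse_ipv4(frame[offset:])
    return {"labels": labels, "traffic_class": labels[0]["exp"], **inner}


def observe_esp(packet):
    """What the same observer sees for an IPSec ESP packet: SPI and sequence only."""
    spi, seq = struct.unpack("!II", packet[:8])
    return {"spi": spi, "seq": seq, "opaque_bytes": len(packet) - 8}


def make_ipv4(src, dst, protocol, payload):
    """Build a 20-byte IPv4 header (checksum left at zero; constructed sample)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         protocol, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


# Constructed sample: a two-label stack (transport label 1001 marked EXP 5,
# VPN label 2002 at bottom of stack) carrying a customer IPv4/TCP packet.
SAMPLE_PAYLOAD = b"PATIENT-RECORD-12345"   # constructed, not real data
MPLS_FRAME = (build_label_entry(1001, 5, False, 64)
              + build_label_entry(2002, 5, True, 64)
              + make_ipv4("10.1.1.1", "10.2.2.2", 6, SAMPLE_PAYLOAD))

# Constructed ESP packet: SPI 0x1234, sequence 7, then placeholder bytes
# standing in for ciphertext (no real encryption is performed here).
ESP_PACKET = struct.pack("!II", 0x1234, 7) + b"\x9c" * len(SAMPLE_PAYLOAD)

if __name__ == "__main__":
    print(observe_mpls_vpn(MPLS_FRAME))   # inner addresses and payload readable
    print(observe_esp(ESP_PACKET))        # only SPI and sequence readable
```

Running the block shows the asymmetry the article describes: the MPLS observer recovers the customer's source and destination addresses and the payload bytes, while the ESP observer gets an SPI, a counter and a count of opaque bytes. The EXP field the label parser exposes is the 3-bit traffic class a provider can use for differentiation; it carries no security function.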

Companies supporting these technologies fall into one of two categories: edge routers and IP service switches. IP edge router companies like Juniper Networks Inc. (Nasdaq: JNPR), Cisco Systems Inc. (Nasdaq: CSCO), and Unisphere all support Layer 3 MPLS VPNs, and some are now starting to support the Layer 2 Martini version. Then there are the IP service switches from companies like CoSine, Nortel Networks Corp. (NYSE/Toronto: NT), and Lucent Technologies Inc. (NYSE: LU), which have built devices around IPSec functionality.

These two categories have started to merge into one. Routing vendors like Juniper and Unisphere have announced support for both MPLS VPNs and IPSec VPNs. As with Unisphere's version, Juniper in February announced a router blade that does this (see ...But Announces Dull Edge Upgrades). CoSine and Nortel now say that they are offering Layer 3 MPLS VPNs. And CoSine is also claiming that its product can be used as an edge router.

So the next question is: Are there too many companies in the market? It certainly looks that way.

"The market can't support 10 companies specializing in IP services and 20 companies selling edge routers," says Kevin Mitchell, an analyst with Infonetics Research Inc. "The two categories at the edge are definitely collapsing. In the end, the winners in the category will have to do both wire-speed edge routing and provide new services."

— Marguerite Reardon, Senior Editor, Light Reading
Page 1 / 6   >   >>
LightMan 12/4/2012 | 10:40:43 PM
re: VPNs Grow Up So my question is, since financial and healthcare companies mandate encryption to the CPE, where does this leave MPLS with business-critical data transport? Granted, these companies are already hesitant to move from their tried and true private lines, but what is the business model for MPLS to the edge? Does it make sense for only non-sensitive data? I understand the reasoning inside the core, but as someone who is exploring moving their private line network to a VPN, why would I explore IPSec over MPLS when I could just use IPSec? Is it the general consensus that IPSec is the service and MPLS solves the provider's problem of delivering the service (QoS and TE)?

I suppose, for argument's sake, how do the new SSL VPN and Transaction Delivery Network players fit? Will they obviate the need for the lower-layer VPNs for document-based transactions (Web Services)?

TelcoDude 12/4/2012 | 10:40:43 PM
re: VPNs Grow Up IPsec VPNs make sense, from a security point of view. MPLS VPNs and all the corresponding drafts are not worthwhile.

My impression of MPLS is the following: People who don't have any work at their companies, Martini, Kompella, etc., write these drafts and promote them in the IETF.

And MPLS is full of it anyway? The keep-it-simple-stupid rule wins. Why make things complex? MPLS is going to die, sooner or later.

ATM to MPLS? IP to MPLS? IPX to MPLS... Vivace dude get some real work done at your company....
TelcoDude 12/4/2012 | 10:40:42 PM
re: VPNs Grow Up Whose mindless consensus is that MPLS solves the QoS problem? MPLS was never intended to solve the QoS problem. Using 3 EXP bits similar to the IP TOS/DSCP bits does not work in practical networks. Per-packet arbitration and queuing sucks for IP, and is not usable. But it looks good in white papers.

> Is it the general consensus that IPSec is the service and MPLS solves the provider's problem of delivering the service (QoS and TE)?
Steve Saunders 12/4/2012 | 10:40:40 PM
re: VPNs Grow Up Allrounder,

Good post. Re:

"So only companies who put IPSec over MPLS will really satisfy the customer needs. The products with just either of them will fail."

What about using a product that supports MPLS VPNs, and installing it alongside existing firewall solutions? Isn't it better not to put all the network features in one box, sometimes?

Just asking.

allrounder 12/4/2012 | 10:40:40 PM
re: VPNs Grow Up In the article, the author mentions there is a split between IPSec VPN and MPLS VPN. Some users want IPSec while others want MPLS.

To me, this is an invalid statement. VPN is invented to replace the private lines for the sake of cost reduction. However, no user would like to cut cost at the expense of quality degrading. Therefore, for VPN to prevail, it needs to provide the same quality of service that the private line offers today. The two most notable benefits of using a private line are high security and true QoS (RAS + SLA). Unless a VPN technology can provide both, it won't be well received. Now, let's look at the two VPN technologies mentioned in the article: IPSec and MPLS. IPSec is a security-oriented VPN, adding an extra layer of encryption so that the original addresses and payload can be scrambled. It does nothing for QoS. MPLS is designed as a replacement for ATM. It retains the best part of ATM, namely QoS, while eliminating the overhead and scalability problem of ATM. MPLS is a layer 2 protocol although people always hype it as layer 3. As a layer 2 protocol, just like ATM, its main job is transport with QoS, not security. Can anybody recall what kind of security was offered by ATM? Hence, these two VPN technologies are not conflicting with each other but compensating each other. Only a combination of IPSec and MPLS can come closer to offering the QoS that the private line does. So only companies who put IPSec over MPLS will really satisfy the customer needs. The products with just either of them will fail.
boozoo 12/4/2012 | 10:40:39 PM
re: VPNs Grow Up TelcoDude wrote:
"Whose mindless consensus is that MPLS solves the QoS problem. MPLS was never intended to solve the QoS problem. Using 3 EXP bits similar to the IP TOS/DSCP bits does not work in practical networks."

The 3 EXP bits are meant only for one aspect of QoS: traffic differentiation. With 3 bits you can discriminate between 8 types of traffic, which is more than enough.

However, QoS is much more than that; it's about implementing an SLA:

1) When providing VPN services, you also need to separate the traffic of the various VPNs/services. If you don't do it, then VPNx traffic might starve VPNy and the service quality suffers.
To achieve this, you need a connection-oriented transport mechanism + as many queues as possible on the datapath, especially at the edge. That's where the strength of ATM is versus IP.
MPLS is not too bad either in implementing this.

It's tougher to emulate a L1 service than a L2 service, and it's tougher to emulate a L3 service than a L2 service.

2) you also need to provide various degrees of service availability.
MPLS is OK here since it provides both slow and fast reroutes.
ATM is also OK, as long as you keep the number of VCs within limits.

The conclusion is that MPLS is able to solve in a scalable manner the "QoS problem" of deploying VPN services.

fiber_r_us 12/4/2012 | 10:40:38 PM
re: VPNs Grow Up There seems to be a lot of misinformation and misunderstanding of MPLS VPNs in this article, especially with respect to comparing it to IPSec.

Do many customers (other than the government stuff) encrypt their data sessions over ATM, FR, or private line (PL) networks? Not many do, because FR/ATM are Layer 2 network implementations and PL is a Layer 1 network, and none of them have direct public access to the carrier infrastructures. Therefore, there is little chance of anyone (other than the carrier) being able to affect a FR DLCI, ATM VC, or PL circuit. A customer only encrypts FR/ATM/PL links if they are truly paranoid and their information is so sensitive that they don't even want to take the chance that the carrier might look at it.

If the data falls into the realm where encryption would not have been used for FR, ATM, or PL, then the L2 MPLS VPN solutions (such as Martini and Kompella) should not pose any security concerns. The MPLS infrastructure that Martini/Kompella run over is similar to that of a FR or ATM network. That is, an MPLS backbone is an L2 backbone that has no direct customer access to its infrastructure any more than a FR or ATM network does.

IPSec was invented to allow secure sessions to be established over the public Internet where the public has the ability to disrupt things and many ISPs may not be trusted. On the Internet, if you are not concerned about the security of your data, you could have just as easily created an IP-over-IP VPN tunnel across the Internet (with no encryption).

If you are one of the truly paranoid, nothing prevents you from IPsec'ing everything even if it goes over FR, ATM, PL, or MPLS.
allrounder 12/4/2012 | 10:40:38 PM
re: VPNs Grow Up Steve, what you said makes sense. It is really a network design issue. There are two existing IPSec models. One is using an IPSec-enabled firewall like the Cisco PIX. This model is cost effective, but the performance of IPSec could be a problem. Another model is using a dedicated VPN router like the Cisco 7000 series. It depends on the VPN traffic. If traffic is light, the firewall solution can work well. If the traffic is heavy, which is the case for site-to-site VPN within a big enterprise, the firewall solution is not good. Using a dedicated VPN router will better serve this case. For users who prefer an IPSec-in-firewall solution, sure, having an MPLS-only CPE is enough. But for users who need a dedicated VPN router, isn't it better to have a combo of IPSec/MPLS on one box than buying two boxes?
boozoo 12/4/2012 | 10:40:38 PM
re: VPNs Grow Up Great post, allrounder.

However, here's another possible solution that would meet the quality criteria you describe:

IPSec over channelized SONET AND/OR DWDM.

VPNs will then be isolated and therefore QoS-guaranteed at L1.

Especially in the metro, I think this might be a compelling solution.

allrounder 12/4/2012 | 10:40:37 PM
re: VPNs Grow Up fiber_r_us, from a pure technology point of view, I agree that connection-oriented networks like ATM/FR can provide a highly secure pipe. It is all about self-protection. If you are an IT manager, do you want to take any risk? In other words, do you trust the SPs? If the enterprise highly trusts the service providers, they don't even need a firewall. So, in practical cases, enterprises would rather have their own encryption than just leave all their data visible to carriers.