VPN presentation. Author: Steven Taylor. Created date: Sunday, June 06, 1999.
TRANSCRIPT
1
VPNs: Reality Behind the Hype
Steven Taylor, Distributed Networking Associates
Summer 1999
Copyright & Notices

Professional Opinions - All information presented and opinions expressed by Distributed Networking are the current opinions of Distributed Networking based on professional judgment and best available information at the time of presentation. Consequently, the information is subject to change, and no liability for advice presented is assumed. Ultimate responsibility for choice of appropriate solutions remains with the Customer.

Biographical Information - The seminar will be led by Steven Taylor, President of Distributed Networking Associates and Publisher/Editor in Chief of Webtorials.Com, a premier source of on-line telecommunications seminars and market research. An independent consultant, planner, author, and teacher since 1984, Mr. Taylor is frequently quoted in the trade press and is one of the industry's most published authors on high bandwidth networking techniques. Distributed Networking Associates may be contacted at 2707 Lake Forest Drive, Greensboro, NC 27408; (336) 288-3858. E-mail: [email protected].

Copyright, 1999 - Distributed Networking Associates. All portions of this presentation are copyrighted by Distributed Networking Associates and/or the organization credited as the source of information. All forms of reproduction and/or recording, including photocopying, tape recording, and video taping are strictly prohibited without the express prior written permission of Distributed Networking Associates. Clipart used may include images from Corel, Broderbund, and IMSI.
2
VPNs: Reality Behind the Hype
- Overview
- VPN Reference Architectures
- VPN Application Models
- VPN Business Case
- What to Look For in a VPN
- Summary

VPNs: Reality Behind the Hype
=> Overview
  - Definitions
  - Technology assumptions
3
What's a Virtual Private Network (VPN)?
- Hottest marketing term of 1999
  - Viewed as the newest panacea to all your networking woes
    - Infinite free bandwidth with no configuration needed
  - Often implies IP
    - Even "Internet" is sometimes implied
- Need to examine two aspects
  - "Private Network"
  - "Virtual"
Private Networks
- Enterprise adds switching intelligence to basic transmission facilities from a carrier
  - More appropriately called "Leased Line Networks"
  - Leased lines are usually 56/64 kbps to T1/E1 to T3/E3
  - Switches integrate data channels & virtual voice trunks
4
Historical Reasons Enterprises Implemented Private Networks
- Appropriate services not available from the carriers
  - Circuit switched with quantum leaps in bandwidth
  - Based on the "voice" hierarchy
- Economics
  - Nets paid for themselves within a few months
- Control
  - Especially for rapid deployment of data applications
- Ego
  - "BYOB" networking for fun, career advancement
What is a Virtual Private Network?
- Virtual network: A network that provides virtual circuits and that is established by using the facilities of a real network.*
- Has the look and feel of a "real" private network
- Enterprise maintains control of the network
  - Customer Network Management (CNM) is a key feature
- Usually will be based on packet switching

*Source: Federal Standard 1037C at http://glossary.its.bldrdoc.gov/fs-1037/
5
Broadband Packet Service Types
- Frame Relay, IP and ATM are becoming widespread and are more similar than different
- Key differences:
  - Fixed vs. variable packet length
  - Connection vs. connectionless

[Figure: generic packet format: Delimiter | Header | Payload | Trailer (opt.) | Delimiter]
6
Generic Packet Format: Payload
- Variable: Frames
  - Efficient use of bandwidth
  - "Frame Relay" & IP
- Fixed length: Cells (ATM)
  - Easy to process with predictable delay
  - Always the same size
7
Generic Packet Format: Header
- Connectionless (IP)
  - "Universal," unique address
  - Needs large address space
    - Is this a problem?
- Connection oriented
  - Virtual Circuit number
  - Conserves address space
  - ATM and Frame Relay
8
Broadband Packet Types
- Bottom Line: All three "work"
  - Single-technology world view misses the big picture
    - Great for marketing, selling magazines, and creating editorial content and controversy
    - Promotes the "Technology of the Month Club"
  - "Broadband Packet" looks at the bigger picture

                  Fixed length    Variable length
  Connection      ATM             Frame Relay
  Connectionless  N/A             IP
Today's Reasons Enterprises Should Implement Virtual Private Networks
- Appropriate services are available from the carriers
  - Most carriers offer Frame Relay, ATM, and IP services
- Economics
  - Frame Relay and ATM usually cost less than half of private lines for equivalent performance
- Control
  - CNM same as or better than private line
- Ego
  - Enterprises are returning to their "core competencies"
9
VPNs: Reality Behind the Hype
- Overview
=> VPN Reference Architectures
  - "VPN" legitimately means many different things to different communities
  - Hot marketing term to use
  - Define three reference architectures
    - Internet Backbone VPN
    - Leased Line Replacement VPN
    - Enhanced IP VPN
Internet Backbone VPN (IB VPN)

[Figure: the Internet as the transport cloud]
- Uses the Internet for transport layer, with:
  - Tunneling - For multiprotocol, private addressing, etc.
  - Encryption - For security across "unknown" connections
  - Authentication - To ensure the connection is to the "right" user
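The tunneling and authentication pieces of the slide above, as an added illustration that is not part of the original deck: the outer packet carries public addresses and a sequence number, the inner packet keeps its private addresses and whatever protocol it likes, and an HMAC-SHA256 tag lets the receiver discard packets that were forged, altered or replayed on the "unknown" Internet path. The key, addresses and payload are constructed; encryption of the inner packet (what a real IPsec ESP tunnel adds on top) is deliberately left out.

```python
import hashlib
import hmac
import socket
import struct

# Constructed model of an Internet Backbone VPN tunnel: public outer header,
# private inner packet, HMAC authentication tag. No encryption is modelled.
TUNNEL_KEY = b"constructed-demo-key-do-not-reuse"  # shared secret, assumed pre-provisioned
OUTER_HEADER_LEN = 12   # outer src (4) + outer dst (4) + sequence number (4)
TAG_LEN = 32            # HMAC-SHA256 output

def build_tunnel_packet(outer_src, outer_dst, inner_packet, seq, key=TUNNEL_KEY):
    """Encapsulate inner_packet behind a public outer header and authenticate the whole thing."""
    header = socket.inet_aton(outer_src) + socket.inet_aton(outer_dst) + struct.pack("!I", seq)
    body = header + inner_packet
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag

def receive_tunnel_packet(packet, last_seq, key=TUNNEL_KEY):
    """Return (inner_packet, seq) if the tag verifies and seq is fresh; None means discard."""
    if len(packet) < OUTER_HEADER_LEN + TAG_LEN:
        return None
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # wrong key, forged, or modified in transit
        return None
    seq = struct.unpack("!I", body[8:12])[0]
    if seq <= last_seq:                           # replay of an already-seen packet
        return None
    return body[OUTER_HEADER_LEN:], seq

if __name__ == "__main__":
    # Constructed inner packet with private (RFC 1918) addresses, e.g. branch to HQ
    inner = b"10.1.2.3>10.9.8.7:non-IP-or-private-payload"
    pkt = build_tunnel_packet("198.51.100.10", "203.0.113.5", inner, seq=1)
    print(receive_tunnel_packet(pkt, last_seq=0))             # accepted: (inner, 1)
    flipped = bytearray(pkt)
    flipped[20] ^= 0x01                                        # one bit changed in transit
    print(receive_tunnel_packet(bytes(flipped), last_seq=0))  # None: tag mismatch
    print(receive_tunnel_packet(pkt, last_seq=1))             # None: replayed
```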
10
Internet Backbone VPN Scorecard

VPN Type: Internet Backbone
  Strengths:  Price; Ubiquity; Connectivity
  Weaknesses: Requires tunnelling, encryption, and authentication; Lack of security; No guaranteed QoS
Leased Line Replacement VPN (LLR VPN)
- Traditional Frame Relay or ATM service
  - Provides same basic functions as leased lines
    - At a fraction of the cost
  - PVCs provide continuous point-to-point connectivity
    - More than 95% of installed VCs are PVCs
    - SVCs for any-to-any connectivity, but not widely implemented

[Figure: Frame Relay or ATM network cloud]
11
Leased Line Replacement VPN Scorecard

VPN Type: Internet Backbone
  Strengths:  Price; Ubiquity; Connectivity
  Weaknesses: Requires tunnelling, encryption, and authentication; Lack of security; No guaranteed QoS

VPN Type: Leased Line Replacement
  Strengths:  Price vs. leased line; Inherent security; Well-defined QoS; Inherent multiprotocol support
  Weaknesses: Predefined endpoints; Limited dial-up; Not glitzy
Enhanced IP VPN (EIP VPN)

[Figure: switched IP over an FR/ATM infrastructure, with an IP UNI at the edge]
- IP as the "UNI" to the network
- Switched infrastructure using a combination of MPLS*, Frame Relay, and ATM
- NOT over the Internet, but has gateway functions
- Inherent security and QoS

*MultiProtocol Label Switching (MPLS): Follow-on successor to tag switching and switched IP.
12
Enhanced IP VPN Scorecard

VPN Type: Internet Backbone
  Strengths:  Price; Ubiquity; Connectivity
  Weaknesses: Requires tunnelling, encryption, and authentication; Lack of security; No guaranteed QoS

VPN Type: Leased Line Replacement
  Strengths:  Price vs. leased line; Inherent security; Well-defined QoS; Multiprotocol
  Weaknesses: Predefined endpoints; Limited dial-up; Not glitzy

VPN Type: Enhanced IP
  Strengths:  Great for IP; Secure on backbone; Transparent addressing; QoS; Has IP "name"
  Weaknesses: IP only (without encapsulation); Some static definition required; Needs gateway services for ubiquity & connectivity; Emerging technology/service
VPNs: Reality Behind the Hype
- Overview
- VPN Reference Architectures
=> VPN Application Models
  - VPNs can address many different applications
  - Four application models for matching applications with reference architectures
    - "Road Warrior"
    - Fixed-location Telecommuter
    - Corporate Intranetwork Transport
    - Remote/Branch Office
13
"Road Warriors"
- Calls from anywhere in the world
  - No fixed location; Dial service
- Great fit for Internet Backbone VPN
  - Possibly VLL VPN or EIP VPN with modem pool

[Figure: the Internet cloud]
Fixed Location Telecommuter
- SOHO (Small Office / Home Office)
  - Location doesn't change
  - Could fit all 3 models depending on
    - QoS
    - Multimedia
    - Local access options
14
Corporate Intranetwork Transport
- Core corporate communications as opposed to "remote access"
- "Leased line" function and reliability
  - Capabilities outweigh price
- LLR VPN (ATM/FR) usually best
  - EIP if most traffic is IP

[Figure: Frame Relay or ATM network cloud]
Remote Office / Branch Office
- Small workgroup, Regional office, Functional workgroup, etc.
  - Low traffic compared with intranetwork node, but more than SOHO
  - Multiple applications
    - Probably includes voice, maybe video
    - May have multiple protocols (e.g. banking)
  - LLR VPN, or maybe EIP VPN
    - Depends on multiprotocol and tolerance of overhead
15
Application Models and Reference Architectures

  Model                            | Internet-Based VPN                         | Leased Line Replacement VPN        | Enhanced IP VPN
  "Road Warrior"                   | Great fit                                  | Not mobile                         | OK, with dial capability
  Fixed-location Telecommuter      | Good, if enough bandwidth                  | Seldom economical                  | Excellent, especially if local
  Corporate Intranetwork Transport | QoS, security, and throughput concerns     | Great fit                          | OK, depending on protocol mix
  Remote/Branch Office             | Maybe, depends on protocol and throughput  | Good, especially if multiprotocol  | Good, especially if IP-centric
Interworking among Application Models
- Networks require any-to-any connectivity
- The network infrastructure must be seamless
  - Separate infrastructures are expensive to build and maintain
16
Technology Interworking
- IP to Frame Relay Interworking is especially key
  - Similar to "IP-Enabled Frame Relay"
  - Maps IP address to FR PVC at gateway

Interworking function needed between each pair of reference architectures:
  Internet-Based VPN to Internet-Based VPN:                IP Gateway
  Internet-Based VPN to Leased Line Replacement VPN:       IP (Internet) to FR/ATM Gateway
  Internet-Based VPN to Enhanced IP VPN:                   IP to Internet Gateway
  Leased Line Replacement VPN to Leased Line Replacement:  Current NNI for each technology
  Leased Line Replacement VPN to Enhanced IP VPN:          IP FR/ATM Gateway
  Enhanced IP VPN to Enhanced IP VPN:                      IP Gateway
VPNs: Reality Behind the Hype
- Overview
- VPN Reference Architectures
- VPN Application Models
=> VPN Business Case
  - From the Enterprise perspective
  - From the Carrier perspective
  - For each application model
17
Enterprise Perspective: "Road Warrior" using Internet VPN
- $19.95 per month versus long distance dial-in
  - 400 minutes to break even at 5¢ per minute
    - 20 minutes per business day
- Additional benefits
  - Carrier has modem pool and dial support
  - Enterprise has "normal" internet connection
- Caveats
  - "Roaming" or long distance surcharges
  - Footprint of ISP service
  - Administration and support for tunneling, encryption, and authentication
  - Support (finding "local" numbers, etc.)
Carrier Perspective: "Road Warrior" using Internet VPN
- Advantages:
  - Incremental business revenue
    - May justify a premium versus "residential"
  - Stable, multiple-account customer base
    - Reduced (or consolidated) sales and support
- Caveats:
  - Nationwide (or worldwide) service footprint needed
    - May accelerate inter-ISP coverage arrangements
    - Inter-ISP "settlement" opportunity
  - Could force issue of interworking among VPN services
    - Expands the role of the ISP
18
Enterprise Perspective: Fixed Location Telecommuter
- If Internet VPN:
  - $19.95 per "Road Warrior"
  - May be most attractive for "long distance" telecommuter
- If LLR VPN or EIP VPN
  - Assume equivalent pricing
  - More expensive than Internet VPN, but more capabilities
- Watch for:
  - Access costs/option
    - xDSL, cable modem, etc. may be an important factor
    - ISDN and IDSL unless service is metered
  - Anything usage-sensitive
- Hidden advantage
  - Carrier takes care of access
    - (No modem pools!)
Carrier Perspective: Fixed Location Telecommuter
- If "local" using Internet VPN
  - Adds more business
    - Like "road warrior" without remote problems
  - Watch for LONG hold times
- If LLR VPN or EIP VPN
  - Adds to Frame Relay (or ATM or IP) core business
  - May be more price-sensitive if local
- Caveats
  - Must be price-competitive with analog telephony plus modem
  - High-speed access likely to be more of an issue than with "Road Warrior"
  - More likely to need multimedia (or at least voice), especially if not local
19
Enterprise Perspective: Corporate Intranetwork Transport using LLR VPN
- Most realistic comparison is with traditional leased lines
  - Usually save at least 50%
  - The larger and more complex the network, the greater the savings
- Enhanced IP may have similar savings...
- Enhanced IP should be in the same price range
  - "Free" internet bandwidth (via Internet VPNs) for the corporate infrastructure is not a reasonable expectation
- This application requires:
  - QoS - including some form of "CIR"
  - Manageability
Carrier Perspective: Corporate Intranetwork Transport using LLR VPN
- Key addition / expansion to existing ATM and/or frame relay nets
- Multimedia (Voice over IP/FR/ATM) will be a driver
- Enhanced IP VPN has same advantages if
  - Multimedia is supported
  - QoS is available
- Initially less profit than existing leased lines, but
  - Necessary to avoid losing business in the near term
  - Eventually less expensive than leased line due to lower cost of packet infrastructure
    - See "Can Carriers Make Money on IP Telephony?" in Business Communications Review, 8/98
20
Enterprise Perspective: Remote / Branch Office using LLR VPN and EIP VPN
- Just like corporate intranetwork transport, significant cost savings
  - Greater connectivity than a single line for "meshed" connectivity
  - Local FR/ATM (and IP) services in same price range (or less expensive) as dedicated point-to-point
- Provides a foundation for multimedia, including voice
  - Can often fit into the "noise" of the data bandwidth
- Internet VPN is an option, but
  - Be sure to include access costs
  - Watch for speed and multimedia limits
  - "$19.95" plans usually do not include multilink
Carrier Perspective: Remote / Branch Office using LLR VPN and EIP VPN
- Key component of overall business case for these services
  - Most frame relay networks are still star topologies with low-speed access
  - Nationwide service and/or intercarrier agreements are already in place for most services
- Internet VPN could be used if traffic is light and fits "SOHO" model, but
  - Traffic will exceed "normal" Internet VPN profile
  - Lack of QoS could result in unhappy customers
21
Bottom Line on Business Case
- For the Enterprise
  - At least one of the VPN reference architectures provides significant cost advantages for each application model
  - It's important to match the application with the "right" VPN service
  - Choose a carrier with all three options and interworking capabilities
- For the Carrier
  - The availability of the entire suite of services is much stronger than the single individual services
  - One size doesn't fit everybody
  - Enterprises would like to purchase the entire VPN solution from a single carrier
VPNs: Reality Behind the Hype
- Overview
- VPN Reference Architectures
- VPN Application Models
- VPN Business Case
=> What to Look For in a VPN
  - Top ten features
  - Enterprises need these for efficient networks
  - Carriers need to offer them to be competitive
22
1. Security
- Tunneling/encryption/authentication if Internet-based or IP-based Enterprise Class
- Connection-oriented backbone provides security for Leased Line Replacement
  - Frame Relay and ATM provide inherent "connectivity security"
    - Paths are pre-defined; misdelivered packets are discarded
- Enhanced IP has inherent security if over a Frame Relay / ATM backbone
2. Flexibility
- Multiple Access Options
  - Traditional, including dial and dedicated
  - Packet, including local frame relay and ATM services
  - xDSL, cable modem, etc.
- Ability to Move within the Suite of Services
  - Support for all VPN architectures
  - Full interoperability among services
- Reasonable Term Commitments
23
3. Throughput
- Overhead Considerations
  - IP versus Frame Relay versus ATM overhead
  - When does overhead matter?
- Network Design
  - Eliminating "star" bottlenecks
    - E.g., IP "Accelerated" frame relay
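A worked answer to "When does overhead matter?", added here and not part of the original deck: bytes on the wire for one IP packet carried in a variable-length Frame Relay frame (RFC 1490 encapsulation) versus fixed-length ATM cells (AAL5 segmentation). The encapsulation sizes are the standard ones; the packet sizes and the 75% efficiency threshold are constructed for the illustration.

```python
import math

# Constructed worked example: per-packet efficiency (IP bytes / bytes on the wire)
# for Frame Relay versus ATM. Overhead figures are standard encapsulation sizes.
ATM_CELL_LEN = 53        # 5-byte cell header + 48-byte cell payload
ATM_CELL_PAYLOAD = 48
AAL5_TRAILER = 8         # UU(1) + CPI(1) + length(2) + CRC-32(4); PDU padded to a 48-byte multiple
FR_OVERHEAD = 8          # flag(1) + Q.922 address(2) + control(1) + NLPID(1) + FCS(2) + flag(1)

def frame_relay_wire_bytes(ip_len):
    """Variable-length frame: fixed per-frame overhead whatever the packet size."""
    return ip_len + FR_OVERHEAD

def atm_wire_bytes(ip_len):
    """Fixed-length cells: AAL5 trailer added, then padded up to whole cells."""
    cells = math.ceil((ip_len + AAL5_TRAILER) / ATM_CELL_PAYLOAD)
    return cells * ATM_CELL_LEN

def efficiency(ip_len, wire_fn):
    return ip_len / wire_fn(ip_len)

def overhead_table(sizes=(40, 60, 200, 576, 1500)):
    """Rows of (ip_len, FR efficiency, ATM efficiency). 60 bytes is a typical
    G.729 voice packet: 20-byte speech sample plus 40 bytes of RTP/UDP/IP headers."""
    return [(n, efficiency(n, frame_relay_wire_bytes), efficiency(n, atm_wire_bytes))
            for n in sizes]

def overhead_matters(ip_len, threshold=0.75):
    """True when the ATM 'cell tax' pushes efficiency below the (constructed) threshold."""
    return efficiency(ip_len, atm_wire_bytes) < threshold

if __name__ == "__main__":
    print(f"{'IP bytes':>9} {'FR eff':>7} {'ATM eff':>8}")
    for n, fr, atm in overhead_table():
        print(f"{n:>9} {fr:>7.1%} {atm:>8.1%}")
```

The table shows the deck's point about voice: at 1500 bytes the two services are within a few percent of each other, while a 60-byte voice packet loses over 40% of the ATM bandwidth to cell padding and headers.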
4. Network Design Agility
- Any-to-Any Virtual Topologies
  - Unlike current Frame Relay
- Eliminating "star" bottlenecks
  - E.g., IP "Accelerated" frame relay

[Figure: three routers; "Traditional" hub-and-spoke versus "IP Accelerated Frame Relay" any-to-any]
24
5. Multiprotocol / Multimedia Support
- Non-IP Data
  - E.g., SNA
    - Does the customer prefer DLSw or RFC-1490?
- Voice
  - QoS issues
    - Absolute delay, jitter, etc.
- Video / Image
  - Real-time video has constraints similar to voice
6. Availability
- Various QoS levels
  - Best effort versus "Gold" service
    - Some applications may be fine with "basic" service
    - Different service levels on a per-flow basis
    - Policy-based flows
- Pricing commensurate with the service level
25
7. Scalability
- Scalable Control
  - Core services
  - Managed services
  - Full outsourcing
- Scalable Complexity
  - Private addresses, etc.
- Access Speeds and Options
  - Traditional and non-traditional from 56 kbps to OC-n
8. Manageability
- CNM capabilities
  - Adds, moves and changes under the customer's control
  - Customer-controlled QoS
  - Support for private IP addresses
- Preserve the "look and feel" of the private network
26
9. Service Level Agreements
- Service Level definitions are a first step
  - Define the terminology and parameters to be measured
  - Frame Relay Forum has FRF-13
  - Similar definitions are needed for other services
- SLAs for Internet VPNs are intrinsically difficult
  - You can't guarantee what you can't control
  - Good reason for connection-oriented infrastructure for Enhanced IP VPNs
10. Integrated Total Service Packages
- Need for smooth interworking among the three VPN reference architectures
  - Frame Relay to IP interworking is especially important
- Gateway services to other services
  - Also for packet to traditional voice
  - Including directory services
- CPE (CLE) equipment management as an option
  - Managed Network Service
27
VPNs: Reality Behind the Hype
- Overview
- VPN Reference Architectures
- VPN Application Models
- VPN Business Case
- What to Look For in a VPN
=> Summary

Summary
- Be sure you choose the right type of VPN
- There's a great business case for VPNs
  - Enterprise customers can save a lot of money
  - Carriers can be successful with
    - The right complete suite of services at
    - The right price with
    - Proven quality and dependability based on
    - The proper set of service and equipment features
28
Summary
- VPNs have the potential to be a win-win situation for the Enterprise and Carriers
- Allow both to excel at their core competencies