Of the compelling arguments against VPN, one stands out as the constant: the Internet. Simply put, the Internet has been labeled as an unreliable, high-latency network that could come or go at any time. This author can remember in recent history talking with managers from large organizations who felt that expenditures on a 256K connection to the Internet were ridiculous due to the uncertainty of the service. As the Internet has grown, we have become increasingly dependent on the services it provides, but the belief that the Internet has not grown physically remains.

This is a great irony because the Internet was primarily designed around the concept of creating a network that has no single point of failure. One can argue that the local connection to the Internet might fail or be severed, but the same holds true for many dedicated connections. It is common practice in today’s communication industry to implement several backup systems or standby connections to provide service if the primary communication fails. Several organizations spend incredible amounts of money simply to bury a fiber cable or some other form of connectivity on the other side of a building just to mitigate the risk of digging incidents. Given these two primary, standard practices and their reasoning, why are the same concepts not accepted for Internet connections? For organizations that rely heavily on the Internet for business, such as ISPs, ASPs, and DotComs, multiple connections to the Internet are mandatory; but for the enterprise market, the focus on redundant communications continues to reside in the WAN.

The reality is that the Internet has grown substantially in reliability and reduced latency. However, the connection from one ISP to another through many other ISPs begins to surface as the true straw that is breaking the VPN’s back. The concept of connecting two sites through a network that is supported by several different vendors is not a new situation. In some Frame Relay networks, it is necessary for a primary provider to leverage another to accommodate connectivity to a remote location or a region not directly supported. This process is sometimes referred to as NNI (or network-to-network interface), which also represents the protocol for maintaining PVCs between networks.

Many of the early VPN implementers were not cognizant of the importance of Internet connections at specific points throughout the design. The result was high latency and packet loss, ultimately resulting in a major disappointment in VPN performance. The importance of selecting a well-designed and established ISP is absolutely crucial to the success of a VPN. For organizations based in developed countries, the options are many. Even international long hauls can be realized through Internet-based VPNs when the relationship between Tier 1 ISPs is properly investigated. Of course, problems begin to surface when remote locations are identified that do not have established connectivity to the Internet, and have limited Frame Relay services. Good examples are South America, Africa, and China, where the environment, economic status, and vast terrain complicate communications. Getting any form of connectivity can be challenging in these situations; and when limited bandwidth becomes available, many companies do not opt to add the complexities and latency associated with low-tier ISPs and rely instead on the guarantees of Frame Relay.

An example of the commitment required to fully investigate the Internet connections and relationships between ISPs can be seen in a client that this author consulted for on an international VPN. The organization is huge; it has a firm presence in over 130 different countries and maintains informational relationships with hundreds of partnering organizations — including competitors. The Frame Relay costs were unimaginable; a single, modest PVC across the Atlantic Ocean was costing over $10,000, and was only one of thousands of international PVCs.

The evolution of the VPN design was very interesting and was contrary to typical beliefs at the time. In that era, VPNs were considered “local,” in that for long hauls over great distances, Internet latency and hop counts would become excessive, resulting in poor performance. As the investigation of the ISPs’ networks continued, it became increasingly clear that the large ISPs had a reputable international presence in the expected developed locations, with very high bandwidth capabilities between locations. On one occasion, a path from New York to London would run on SONET OC-48 (2488.32 Mbps) with peak-time utilization of 60 percent, and plans were in place for implementing OC-96 (4976.64 Mbps). In contrast, a typical Frame Relay network was operating at OC-12 (622.08 Mbps), and realized utilization was greater due to the operation of Frame Relay technology.

As costs were compared between Frame Relay and ISP services, a trend contrary to normal belief became apparent. Purchasing a T1 Frame Relay connection from New York to London with a high CIR quickly became expensive. The charges for the local loop, the service, and the CIR level all conspired to create a high recurring charge. Internet connection costs, however, are not distance based but merely bandwidth based: the more one needs, the more one pays. Once on the Internet, who cares where you go? There are, of course, costs common to both, such as the local loop for the connection, which is typically a wash when compared with Frame Relay. The real savings come from the ISP charges, which can be significantly less than the same bandwidth in Frame Relay.

The cost disparity is based on the fundamental differences in service. While Frame Relay is a guaranteed service and information rates can be closely monitored and controlled, the Internet simply offers a connection — after that, you are on your own — but is that always true? The answer is No. Take as an example the large ISP UUNet. UUNet operates many of the networks (equipment, cables, etc.) on which the Internet runs. The odds of UUNet routing a request for a remote portion of its network over someone else’s network are quite low — actually, dramatically low. By combining the expansive service of an ISP to its primary locations and then overlaying the locations of the client sites, one can develop a comprehensive data flow over the Internet using VPNs instead of PVCs over a private network. Now, the client can spend a fraction of the money and receive two or three times the bandwidth to the Internet as opposed to Frame Relay.

The point where this concept does not necessarily compute well — cost versus performance — is in local communications in highly developed regions versus sparsely populated regions with limited technology. In technically evolved environments, the Frame Relay costs are very competitive and there is typically no NNI within a country. In technically limited countries, the available connectivity is usually low bandwidth and low on the priority list of the next-tier provider. In these scenarios, either the cost of Frame Relay is so competitive that it makes good business sense, or the connectivity is so expensive that latency would destroy what little communication is being allowed. In between these two realizations is interstate or European communications, where the distances are not massive but the handing-off of data from one carrier to another becomes a point of interest. With Frame Relay, distance and exchanges have an impact on the final cost of the PVC. In contrast, an ISP may have support that extends out into the necessary regions, or the distance has little effect when data swaps ISP networks.

In each of these scenarios, one can see several typical designs, common directions and uses, and finally trends in technology implementations. Given the competitive costs and guaranteed service of Frame Relay, many organizations lean toward that with which they have become familiar. Also, the quickly realized savings tend to surround the remote access aspect of VPNs, which has resulted in many remote access VPN solutions, whereas network-to-network VPNs are rarer. However, with the advent of broadband Internet access, remote access VPNs are taking on a different look and affecting the definition of a remote user and network. With cable or xDSL, high-speed connections, normally only experienced at large organizations, can be obtained for home use.

The Internet’s early reputation had been built on questionable foundations and limited bandwidth. Now, the Internet is maturing and high-speed access is the norm and not the exception. In the beginning, the concept of sending anything real-time over the Internet was undermined by the poor performance and latency of immature networks and relationships. Now that the Internet has evolved and technologies are being leveraged to enhance the service, selecting the proper ISP and understanding its data networks as well as its business relationships can greatly impact the perceived performance of the VPN solution.