
From Next-Generation Network Services (pages 186-189)

foreseeable future, Frame Relay access will continue a slow, measured growth to meet these types of capacity requirements.

The IP services and Internet “gold rush” left many providers with yet another network overlay, dividing new customer services from the old. The past disconnect between legacy Layer 2 and new Layer 3 VPNs has caused providers to create separate, purpose-built networks, increasing complexity and cost through additional network layers that each must be provisioned, operated, and maintained.

Now, new capabilities allow providers to create common network infrastructures over which both Layer 3 and Layer 2 VPN services can be effectively delivered. By unifying multiple network layers, software services, and management platforms, service providers can reach a broader customer set while leveraging the capabilities of IP and the Internet, making VPNs truly global in reach.

IP VPNs: Where We’re Going

IP-based VPNs enable enterprises to take advantage of the flexibility and scalability of both the Internet and service provider IP networks to create any-to-any WAN communications for geographically dispersed sites. Over a single common transport service, Internet access, LAN-to-LAN connectivity, and client/server applications can be delivered simultaneously.

The demand for and initial self-deployment of IP VPN solutions by large enterprises has, in part, awakened service providers to the realization that they must transform their Layer 2 core infrastructures more rapidly to Layer 3 IP-based capabilities in order to capitalize on emerging IP services. IP VPNs require publicly addressable IP routing across shared network infrastructures. If Layer 3 facilities aren’t available, traditional Layer 2 infrastructures are easily bypassed. Internet service providers (ISPs) generally fit this need, and many established service providers began ISP business units not only to profit from the Internet rush but also to legitimize long-term IP services for the purpose of staying in the IP VPN market. The catalyst for this interest is the projection of the U.S. IP VPN services market to exceed $20 billion by the year 2009.1

Service providers have a considerable opportunity to capitalize on VPNs. The reason for this is that IP VPNs carry service pull. First, these are IP services with built-in, world-aware intelligence and service adaptability. Second, VPNs allow customers to optimize WAN expense, converge voice and data, and position for advanced IP services through provider assistance and out-tasking. The networking convergence of voice, data, Internet, and virtual access services can make VPNs a compelling vehicle for keeping everyone in touch. Businesses of all sizes can bypass the distractions of in-house internetworking services design, deployment, and management, better focusing on core processes that boost innovation and customer service.

The Internet has helped fuel the growth of VPNs, allowing businesses to enhance and extend their network boundaries and services further than previously possible. Taking advantage of secure VPN technology, the Internet becomes a pervasive transport medium for remote access and global workers, and easily extends intranets into partner networks for extranet process integration. Service providers can participate in this IP VPN market with regional, national, and international IP networks.

IP VPNs are the answer to international connectivity. The broad reach of the Internet, combined with service provider IP infrastructures, lowers the cost of linking dispersed employees, company offices, suppliers, and customers worldwide. Companies can now afford to take their WANs to international markets with global reach. IP VPNs are how they’ll be pursuing these opportunities.

Providers of traditional leased lines and data transport services hope to avoid being their own cannibals: in the short term, IP VPNs, and in the long term, Ethernet. Transforming and adding IP VPN services will leverage the power of IP across their investment in communication plants and equipment. IP services create high-bandwidth demands leading to requirements for high-speed Ethernet links.

The goal of IP VPNs is to provide IP connectivity over a shared IP infrastructure while maintaining the security and service features of a dedicated private network. In order to extend the capabilities of private networks, VPNs require the following essential attributes:

QoS—Quality of service allows the prioritization of voice, data, and video applications traveling across networks.

Security—Security technology such as IP Security (IPSec) provides the critical privacy for network traffic moving across public networks, both in the core and at the network edge.

High availability—Carrier networks contain inherent equipment and core link redundancy, broadband backbones, access links, high availability features, and 24x7 management to increase network availability.

Scalability—Access to a variety of broadband network connection types, such as private line, Point-to-Point Protocol (PPP), Frame Relay, ATM, DSL, cable modem, and Ethernet, decreases provisioning times and enhances speed of access.

Ease of management—Today’s providers have more network management data points and IP visibility through which to monitor and report on data traversing their networks.

VPNs based on IP protocols have become the most pervasive. The availability of the global Internet accelerated the VPN market as a natural outgrowth of company Internet access connections. Three classes of IP VPNs are most prevalent:

Access VPNs—Access VPNs primarily target the remote accessibility requirements of mobile professionals, teleworkers, and workday extenders. Access VPNs deliver work to the worker, wherever they are. Access VPNs use IPSec, Secure Socket Layer (SSL), and other technologies, some of which can be leveraged across the Internet or over a service provider’s shared IP infrastructure to create secure hooks back into the corporate network for private communications.

Intranet VPNs—For intranet VPNs, IPSec site-to-site VPNs have been the norm, because they are cost-effective network extensions for expanding businesses and enterprises. Site-to-site VPNs use VPN equipment to connect two company locations by establishing a virtual point-to-point network connection over the Internet or provider network through each location’s Internet access link. Large enterprises, education, and governmental organizations have been the largest adopters to date. Multiprotocol Label Switching (MPLS) VPNs are also in the intranet VPN market space. MPLS VPNs were originally intended for service providers and carriers, giving providers the capability to provide and manage customer IP routing within their own logical network instance. This can expand data and IP revenue opportunities for the provider by carrying secure VPNs on converged network infrastructures that save network and operational expenses for providers, while creating lower networking costs for customers. Large enterprises are also using or considering MPLS VPNs to meet challenges in their growing networks. Additionally, technology such as Layer 2 Tunneling Protocol version 3 (L2TPv3) has the interest of providers wishing to deploy RFC 2547-like VPNs over an L2TPv3 infrastructure.

Extranet VPNs—Extranet VPNs are usually extensions of intranet VPNs or access VPNs. Today, extranet VPNs are largely built on lower-cost, Internet broadband access technology linking noncompany partners, suppliers, and customers together in secure private communications. As a result, extranet VPNs streamline interbusiness processes and improve time to market.

The IPSec IETF standard is frequently an enabling technology for secure VPNs and is discussed next. The remainder of this chapter describes the three general classifications of VPN—access, intranet, and extranet VPNs—in greater detail and then introduces a few considerations for determining whether you should build or buy VPN services.

IP Security (IPSec)

IPSec secures Layer 3 IP communications. The base IPSec standard (RFC 2401) and related standards (RFC 2402-2412 and 2451) combine a set of protocols and technologies such as Authentication Header (AH), Encapsulating Security Payload (ESP), Internet Key Exchange (IKE), Data Encryption Standard (DES), Advanced Encryption Standard (AES), and others into a complete system that provides confidentiality and authenticity of IP data. The IPSec standard applies to both IPv4 and IPv6 environments. As an open standard, IPSec ensures interoperability between different manufacturers’ devices and represents a fundamental building block for many types of VPN architectures.

Although IPSec is generally deployed for WAN extension over publicly shared facilities, the technology might also be used to encrypt and secure communications within a LAN, a campus, or even a private point-to-point intranet. For example, many state governments share their WAN topologies with state law enforcement and might choose to encrypt data-sensitive applications used by police, sheriff, fire, and investigative bureaus. IPSec can provide this point-to-point confidentiality within an organization’s private WAN.

According to the IETF RFC 2401, “Security Architecture for the Internet Protocol,” IPSec is designed to provide interoperable, high-quality, cryptographically based security for IPv4 and IPv6. The set of security services offered includes access control, connectionless integrity, data origin authentication, protection against replays, confidentiality (encryption), and limited traffic flow confidentiality. IPSec data integrity protocols, forwarding modes, and security options are discussed next.
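Of the services just listed, protection against replays is the one whose mechanism RFC 2401 spells out in Appendix C: an AH or ESP receiver keeps the highest sequence number it has accepted on a security association plus a bitmap of the window behind it, and drops any packet that is older than the window or already marked. The following is an added example, not code from the book, that implements that sliding window in Python; the class name, the 64-packet default, and the sample sequence numbers are my own choices.

```python
class AntiReplayWindow:
    """Receiver-side sliding window over AH/ESP sequence numbers (RFC 2401, Appendix C)."""

    def __init__(self, window: int = 64):
        # RFC 2401 mandates a minimum window of 32 packets; 64 is a common default.
        # 32-bit sequence wrap is not handled here: the SA must be renewed before 2^32.
        if window < 32:
            raise ValueError("window must be at least 32 packets")
        self.window = window
        self.last_seq = 0   # highest sequence number accepted on this SA
        self.bitmap = 0     # bit i set => packet (last_seq - i) was already received

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if the packet is fresh; False if stale or replayed."""
        if seq == 0:
            return False    # sequence numbers start at 1; 0 is never valid
        if seq > self.last_seq:
            # Newer than anything seen: slide the window forward so it ends at seq.
            shift = seq - self.last_seq
            if shift < self.window:
                mask = (1 << self.window) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            else:
                self.bitmap = 1     # jumped past the whole window; only seq is marked
            self.last_seq = seq
            return True
        offset = self.last_seq - seq
        if offset >= self.window:
            return False    # older than the window: discard
        if self.bitmap & (1 << offset):
            return False    # already received: a replay
        self.bitmap |= 1 << offset
        return True


def replay_filter(seqs, window=64):
    """Run a list of sequence numbers through one SA's window; True means accepted."""
    w = AntiReplayWindow(window)
    return [w.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Constructed sample: in-order packets, a reorder, a duplicate, a jump, a stale one.
    sample = [1, 2, 3, 5, 4, 4, 70, 6, 100]
    for s, ok in zip(sample, replay_filter(sample)):
        print(f"seq {s:>3}: {'accept' if ok else 'drop'}")
```

Reordered packets within the window (5 before 4) are accepted, while the duplicate 4 and the packet 6 that fell behind the window after the jump to 70 are dropped.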
