Are VPNs ready for prime time? Not for your IP backbone


Today most of the attention in the virtual private network market is focused on Internet-based VPNs. Don't be fooled. Such VPNs are over-hyped and are definitely not ready to be your IP backbone for mission-critical applications that require high reliability, consistently low latency and minimum bandwidth guarantees between sites. The good news is that there are other VPN architectures to choose from, so let's look at them and make an educated decision.

The first class of Internet-based VPN overlays the public Internet via IP tunneling. This approach is very attractive from economic and connectivity standpoints. However, Internet-based VPNs have little real value as an enterprise IP backbone because of the Internet's unpredictability: nobody can guarantee latency, loss or availability across networks they don't operate. In addition, because a site's access link is reachable from anywhere on the Internet, this class of VPN is vulnerable to intruders who can take up valuable access bandwidth simply by sending unwanted traffic at a targeted site. The same considerations apply to roll-your-own VPNs, whereby the user owns and manages the tunneling router or security platform.

A second class of overlay VPN involves IP tunneling over an ISP's own network, which is engineered to meet specific latency and availability targets. These VPNs generally don't support any form of class of service (CoS), so they can't offer bandwidth guarantees, and because their access links are still reachable from the public Internet they remain vulnerable to access bandwidth intruders.

A third VPN architecture involves a different form of tunneling: virtual circuit tunneling over Layer 2 frame relay or ATM permanent virtual circuits (PVCs). This approach addresses enterprise IP backbone requirements for availability, latency and guaranteed bandwidth by leveraging the CoS attributes of frame relay and ATM networking. Because the access circuit terminates in the carrier's Layer 2 network rather than on the public Internet, outsiders cannot reach it, so access bandwidth is no longer exposed to intruders.

There are two major problems with both IP and VC tunneling: limited network knowledge and limited scalability. Tunneling severely limits the service provider's ability to monitor, troubleshoot and generate reports on a per-customer basis, because what flows in the tunnels is visible only at the end points. Scalability is limited by the number of routing adjacencies each site must maintain as the number of sites grows, and by the need to manage a potentially large number of tunnels or connections, one for each pair of sites: a full mesh of n sites needs n(n-1)/2 of them, so 10 sites need 45 tunnels and 50 sites need 1,225.

A fourth architecture, Layer 3 VPNs, addresses network knowledge and scalability by introducing a routing hierarchy that aggregates routes and gives each VPN its own visibility in the provider's network. This can be done by deploying multiple routers in the central office (CO), one per VPN, but that results in operational complexity and higher costs.

A better solution is a new CO routing switch architecture that routes and switches traffic from multiple VPNs across a single shared network while keeping the VPNs isolated from one another: each VPN gets its own routing and forwarding table, so a packet is only ever looked up against routes belonging to its own VPN. Such switches must support each customer's native IP addressing, including private address ranges that overlap between customers, which eliminates any need for address reassignment or translation. This architecture provides a high degree of scalability and meets enterprise requirements for security, service-level agreement (SLA) guarantees and reliability.
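To make the isolation property concrete, here is an added illustration (not Nortel's design and not code from any product the column describes) of a CO switch that keeps one forwarding table per VPN. The class name, port and VPN names, and the two customers' routes are all constructed for the example; the point it shows is that two customers can both be numbered out of 10.1.0.0/16, a packet arriving on a given customer's port is matched only against that customer's routes, and a destination that exists only in the other customer's VPN is simply unreachable rather than translated.

```python
"""Per-VPN forwarding tables with overlapping native addresses.

Illustrative model only (not Nortel's or any vendor's code): a single
switch holds a separate longest-prefix-match table per VPN, and each
attachment port is bound to exactly one VPN.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class VpnSwitch:
    # Hypothetical structure: vpn name -> list of (prefix, next_hop).
    tables: dict = field(default_factory=dict)
    # Attachment port id -> vpn name (which customer owns that port).
    ports: dict = field(default_factory=dict)

    def attach(self, port: str, vpn: str) -> None:
        """Bind a customer-facing port to one VPN and create its table."""
        self.ports[port] = vpn
        self.tables.setdefault(vpn, [])

    def add_route(self, vpn: str, prefix: str, next_hop: str) -> None:
        """Install a route into one VPN's table only."""
        self.tables[vpn].append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, vpn: str, dst: str):
        """Longest-prefix match restricted to a single VPN's table.

        Returns the next hop, or None if that VPN has no matching route.
        """
        addr = ipaddress.ip_address(dst)
        best_net, best_nh = None, None
        for net, nh in self.tables.get(vpn, []):
            if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
                best_net, best_nh = net, nh
        return best_nh

    def forward(self, ingress_port: str, dst: str):
        """Forward a packet using only the VPN its ingress port belongs to.

        A packet can never be matched against another customer's routes,
        and a packet from an unassigned port is dropped (None).
        """
        vpn = self.ports.get(ingress_port)
        if vpn is None:
            return None
        return self.lookup(vpn, dst)


def build_demo() -> VpnSwitch:
    """Constructed sample: two customers, both using 10.1.0.0/16 internally."""
    sw = VpnSwitch()
    sw.attach("port1", "acme")
    sw.attach("port2", "globex")
    sw.add_route("acme", "10.1.0.0/16", "acme-site-b")
    sw.add_route("acme", "10.1.5.0/24", "acme-site-c")   # more specific route
    sw.add_route("globex", "10.1.0.0/16", "globex-site-b")
    return sw


if __name__ == "__main__":
    sw = build_demo()
    # Same destination address, different customers, different next hops.
    print("acme   10.1.5.9 ->", sw.forward("port1", "10.1.5.9"))
    print("globex 10.1.5.9 ->", sw.forward("port2", "10.1.5.9"))
    # acme has no route to 192.168.1.1, so the packet is dropped, not leaked.
    print("acme   192.168.1.1 ->", sw.forward("port1", "192.168.1.1"))
```

The two customers never see each other's routes even though their prefixes are identical, which is exactly why no renumbering or address translation is needed; a real switch would additionally tag traffic in the core so that the egress device can select the right per-VPN table, but the per-table lookup shown here is the property that provides the isolation.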

So what's a user to do? Overlay Internet-based VPNs are only an option if low cost is your objective and best-effort service is adequate; they are really extranet vehicles. If you have fewer than 10 sites, consider overlay VPNs from service providers that specialize in VPN service, or Layer 2 VPNs, depending on how stringent your requirements are. If you have more than 10 sites, Layer 3 VPNs, with their scalable security and SLA guarantees, are the solution for you.

Related Links

The opposing view

The VPNs: Ready for Prime Time? forum.

Rybczynski is director of strategic marketing and technologies in Nortel's Enterprise Data Networks Group in Ottawa, Canada. He can be reached at (613) 723-4920 or Tony.Rybczynski@nortel.com.
