In the weeks leading up to NetWorld+Interop 97, and at the show
itself, we were subjected to such a dizzying explosion of hype that it's
hard to spot a trend. Despite this, vendor support for virtual private
networks (VPN) has been strident enough to be conspicuous.
Data VPNs are private network overlays on a public IP network
infrastructure such as the Internet. The theory is that by drawing on the
economies of transmission
and switching that the larger Internet creates, VPNs would cost less. The
theory seems valid, but VPNs raise issues that may tarnish their economic
benefits. Security, for one. Quality of service (QoS), for another. Even
address management becomes an issue.
Users want data VPNs to work like voice VPNs - as private networks
hosted on public facilities. That means everything within a VPN must stay
as independent of interception or hacking as would a private network. It
means carriers must specify some level of network performance to justify
the cost. And it means carriers must not impose limits on addressing or
type of protocol.
None of these requirements come naturally to IP networks, which is why
VPNs aren't sweeping the market right now. But vendors and carriers want
that to change, and new developments suggest VPNs may succeed.
The most popular approach being taken by VPN vendors involves
tunneling. A tunneling protocol establishes an end-to-end connection
through a public IP network - the Internet, for example - that looks a bit
like a virtual circuit. Users can put any type of traffic, even non-IP
traffic, into the tunnel where it whizzes through the network and comes out
the other end. The tunnels only go to designated destinations - members of
the VPN - so the process is supposed to be secure. The tunnels can be given
resource priority using something like Resource Reservation Protocol so
they can provide QoS. Everything's fine.
Yeah, sure. You can believe that tunneling provides QoS and security
if you believe the Internet has service quality and is secure. Anything
that lets you intercept an IP datagram lets you intercept a tunnel.
Anything that delays an IP datagram delays tunnel contents. Tunneling, in
itself, contributes nothing to creating a practical VPN beyond creating the
illusion of separation.
Some vendors are starting to step beyond tunneling, however. Last
month Lucent Technologies announced its OneVision network management
system. OneVision has the ability to create and define service objects that
represent VPNs and map them to ATM virtual circuits. This announcement
didn't attract much press attention because it wasn't sufficiently
IP-oriented, but other vendors have followed Lucent's lead.
For example, late last month Ascend Communications announced a series
of management system provisioning tools called NAVIS. Like the Lucent tool
kit, NAVIS provides for service-object creation but adds drag-and-drop VPN
provisioning. Ascend also addressed the issue of IP VPN building in the
core network, using its previously announced IP Navigator software.
With IP Navigator, or any software based on the evolving
Multi-protocol Label Switching (MPLS) standard, a source knows a
destination by a tag or label. If VPN traffic is assigned a unique label,
it will flow onto a different set of virtual circuits in a core network,
separate from those used for public service, such as the Internet.
Different virtual circuits mean real security and real potential to
control QoS. Thus, by making the edge devices in an MPLS-compliant network
aware of VPN services, both security and QoS can be assured.
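The contrast the column draws between tunneling over the public IP path and label-switched separation in the core, as an added model written for this page (not code from the column or from Ascend, Lucent or Cisco). Every name, label, address and payload is constructed; the label and circuit tables stand in for what an edge device and core switch would be provisioned with.

```python
# Added model (not code from the column or any vendor): the two designs the
# column contrasts. A tunnel over public IP carries the VPN datagram inside an
# ordinary IP datagram, so whoever can read the outer datagram on the public
# path reads the tunnel. A label-switched core maps a per-service label to its
# own virtual circuit, so VPN traffic never rides the public circuit.
# All names, labels and packet contents below are constructed for this example.
from dataclasses import dataclass, field

@dataclass
class Datagram:
    src: str
    dst: str
    payload: bytes

def encapsulate(inner: Datagram, tun_src: str, tun_dst: str) -> Datagram:
    """Plain tunnelling: the inner datagram becomes the outer payload, unchanged."""
    wire = f"{inner.src}>{inner.dst}|".encode() + inner.payload
    return Datagram(tun_src, tun_dst, wire)

def public_tap(outer: Datagram) -> bytes:
    """What anyone positioned on the public IP path sees of the tunnel."""
    return outer.payload            # the VPN contents ride in the clear

# Label-switched core (MPLS-style, simplified): the edge assigns a label per
# service and the core forwards each label onto its own virtual circuit.
EDGE_LABELS = {"internet": "public", "acme-vpn": "vpn-acme"}          # service -> label
LABEL_TO_CIRCUIT = {"public": "vc-internet", "vpn-acme": "vc-acme"}   # label -> circuit

@dataclass
class Core:
    circuits: dict = field(default_factory=lambda: {c: [] for c in LABEL_TO_CIRCUIT.values()})

    def forward(self, service: str, dg: Datagram) -> str:
        label = EDGE_LABELS[service]
        vc = LABEL_TO_CIRCUIT[label]
        self.circuits[vc].append(dg)
        return vc

def separation_violations(edge=EDGE_LABELS, table=LABEL_TO_CIRCUIT) -> list:
    """Provisioning check: a VPN label that shares the public label's circuit is a leak."""
    public_vc = table[edge["internet"]]
    return [lbl for lbl in edge.values() if lbl != "public" and table[lbl] == public_vc]

def demo():
    secret = Datagram("10.1.1.5", "10.2.2.9", b"payroll: raise for bob")
    seen = public_tap(encapsulate(secret, "198.51.100.1", "203.0.113.7"))
    core = Core()
    vc_vpn = core.forward("acme-vpn", secret)
    vc_pub = core.forward("internet", Datagram("198.51.100.1", "203.0.113.7", b"GET /"))
    return seen, vc_vpn, vc_pub, core.circuits["vc-internet"]
```

The tunnel case shows the "illusion of separation" the column describes; the label case keeps the VPN datagram off the public circuit, and `separation_violations` is the provisioning check that catches an edge or core table mapping a VPN label onto the public circuit.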
Newbridge Networks has countered with its own scheme, based on
Multi-Protocol over ATM (MPOA). In the Newbridge Carrier-Scale
Internetworking architecture, different route servers are used for each
VPN, segregating them from one another and from the public Internet. When
an MPOA agent requests that an IP address be decoded into an equivalent ATM
address, the VPN identity determines which route server does the decoding.
The networks are kept independent. The use of ATM switched virtual circuits
for the connections allows QoS management. Better still, Newbridge is
promoting its approach through a partnership program that will allow VPNs
to extend through your network to the desktop.
The wild card here is Cisco. While the Ascend and Newbridge strategies
are technically effective, neither vendor has the lion's share of the
current public IP market. Cisco can make or break the VPN concept depending
on how it approaches the issue of public carrier VPN building.
Cisco has a problem here. As the premier router vendor, as well as an
ATM vendor, everything Cisco does in the VPN space will be examined to see
how it impacts the vendor's position on switching vs. routing.
Risks aside, Cisco has to do something or risk losing credibility in
the critical VPN market. Maybe it should take a hint from Ascend, Lucent
and Newbridge and make a strong network management and provisioning story
out of its announcement, thus deflecting attention from the core
technology issues.
Or maybe we'll get smart and realize it's provisioning that will
decide how useful VPNs will be. When you read stories on VPNs or consider
vendor VPN architectures, look for words like 'object-oriented
provisioning,' 'service creation' or 'service level agreements' and
give the network management features a special look. This is one time when
management is more than a tick on an RFP.
Nolle is president of CIMI Corp., a technology assessment firm in
Voorhees, N.J. He can be reached at (609) 753-0004 or tnolle@cimicorp.com.