Variations on a VPN theme


VPN Update

A new breed of VPN based on Multi-protocol Label Switching is emerging as an alternative to traditional VPNs based on IP Security. To further complicate the issue, MPLS-based VPNs come in two flavors: Layer 2 and Layer 3.

So what are the differences between the various types of VPNs, and what's the best choice for your network?

Service providers typically offer two VPN alternatives to traditional WAN offerings such as frame relay, ATM or leased line: IPSec-encrypted tunnel VPNs and MPLS VPNs.

The IPSec option

IPSec tunnel-based VPNs are sometimes referred to as client-premises equipment-based VPNs because the service provider typically places equipment at the client site.

This device handles encryption and decryption of traffic before it goes out over the service providers' network. Traffic within the service provider network is routed the same as any other IP traffic, and the service provider has no visibility into the IP tunnel. Nor does the service provider network need to be configured in any special manner to support IPSec VPNs.

Because traffic in an IPSec-based VPN is encrypted, it is generally considered secure to use IPSec to transport sensitive traffic over a public IP network.

Deployment dilemma

You have two choices when deploying IPSec VPNs: managed vs. roll-your-own. With a managed VPN, one service provider deploys and manages customer client-premise equipment, and all traffic is carried over that provider's network. This lets the provider offer service-level guarantees for assured performance.

In a roll-your-own scenario, the company deploys its own VPN devices and does not necessarily rely on a single service provider. Roll-your-own approaches are recommended for connecting branch offices that only have one Internet connection.

The disadvantages of roll-your-own are that the company is responsible for managing VPN configurations, and because traffic is traversing the Internet, there are no performance guarantees. Moreover, it typically is difficult to support latency-sensitive traffic, such as voice.

However, a roll-your-own approach lets corporations establish a VPN to any site that has access to the Internet.

Because IPSec requires each end of the tunnel to have a unique address, special care must be taken when implementing IPSec VPNs in environments using private IP addressing based on network address translation. Fortunately, several vendors offer solutions to this problem. However, they add more management complexity.
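The NAT problem described above comes down to what the integrity check covers. The following added example (not code from the article or from any vendor; the key, addresses and packet contents are constructed) models an AH-style check that includes the outer IP addresses, and an ESP-style check carried inside UDP as the NAT-traversal approach (RFC 3948) does. A NAT device rewriting the source address breaks the first and leaves the second intact. Encryption is omitted; only the integrity check, which is what NAT disturbs, is modelled.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, replace

# Constructed shared key; a real security association gets its keys from IKE.
KEY = b"constructed-demo-key"


@dataclass(frozen=True)
class Packet:
    src: str            # outer IP source address
    dst: str            # outer IP destination address
    spi: int            # security parameter index selecting the SA
    seq: int            # anti-replay sequence number
    body: bytes         # protected payload (for ESP: the encrypted inner packet)
    icv: bytes = b""    # integrity check value
    udp_sport: int = 0  # outer UDP source port, only used for UDP-encapsulated ESP


def ah_scope(p: Packet) -> bytes:
    # AH authenticates immutable outer IP header fields, addresses included.
    return p.src.encode() + p.dst.encode() + struct.pack("!II", p.spi, p.seq) + p.body


def esp_scope(p: Packet) -> bytes:
    # ESP authenticates only its own header and payload, never the outer IP/UDP header.
    return struct.pack("!II", p.spi, p.seq) + p.body


def protect(p: Packet, scope) -> Packet:
    return replace(p, icv=hmac.new(KEY, scope(p), hashlib.sha256).digest())


def verify(p: Packet, scope) -> bool:
    expected = hmac.new(KEY, scope(p), hashlib.sha256).digest()
    return hmac.compare_digest(expected, p.icv)


def nat(p: Packet, public_ip: str, public_port: int) -> Packet:
    """Source NAT with port translation, as a branch or home router applies it."""
    return replace(p, src=public_ip, udp_sport=public_port)


def demo() -> dict:
    inner = b"constructed inner IP packet 10.0.0.7 -> 172.16.5.9"
    ah = protect(Packet("192.168.1.10", "203.0.113.1", spi=0x100, seq=1, body=inner), ah_scope)
    esp = protect(Packet("192.168.1.10", "203.0.113.1", spi=0x200, seq=1,
                         body=inner, udp_sport=4500), esp_scope)
    ah_nat = nat(ah, "198.51.100.2", 61000)
    esp_nat = nat(esp, "198.51.100.2", 61000)
    return {
        "ah_direct": verify(ah, ah_scope),              # True
        "ah_after_nat": verify(ah_nat, ah_scope),       # False: address was authenticated
        "esp_udp_direct": verify(esp, esp_scope),       # True
        "esp_udp_after_nat": verify(esp_nat, esp_scope),  # True: outer header not covered
        "tampered": verify(replace(esp_nat, body=inner + b"!"), esp_scope),  # False
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'verified' if ok else 'rejected'}")
```

UDP encapsulation solves the header-rewriting problem but not the identification problem the article points to: every peer behind the same NAT arrives from one public address, so the gateway must distinguish them by IKE identity and UDP port rather than by source IP, which is where the added management complexity comes from.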

The MPLS method

MPLS-based VPNs come in two classes: Layer 2 and Layer 3. Layer 2 VPNs based on the Internet Engineering Task Force's (IETF) Martini draft or Kompella draft simply emulate Layer 2 services such as frame relay, ATM or Ethernet.

Action Items

1. If you are using frame relay or ATM, and you need to incorporate meshing, you generally can do so at a lower cost with MPLS-based VPNs, assuming you can get connectivity from one provider to all your locations. Otherwise, MPLS VPNs may not offer any advantage to your current service.

2. For small remote sites with high Layer 2 service costs (such as international locations), or sites with strong security requirements, IPSec VPNs are an ideal way to provide connectivity, although there are generally no performance guarantees unless all traffic is carried by a single provider.

Typically, Layer 2 MPLS VPNs are invisible to the end user, much in the same way the underlying ATM infrastructure is invisible to frame relay users. The customer is still buying frame relay or ATM, regardless of how the provider provisions the service.

With Layer 3 MPLS VPNs (also known as "IP-enabled" or "Private-IP" VPNs), service providers assign labels to IP traffic flows. These labels represent unique identifiers and allow for the creation of virtual IP circuits or Label Switched Paths (LSP) within an IP network.

By using labels, a service provider can create closed paths that are isolated from other traffic within the service provider's network, providing the same level of security as other private virtual circuit (PVC)-style services such as frame relay or ATM.

Because MPLS VPNs require the service provider to modify its network, they are considered network-based VPNs. MPLS-based VPNs require no client devices, and tunnels usually terminate at the service provider edge router.

Layer 3 VPNs offer significant advantages over traditional Layer 2 services. Because they rely on IP routing to build paths, they easily can be used to create fully or partially meshed networks within a service provider cloud, with only one entry point into the cloud from each location. This eliminates the problem of setting up and managing multiple PVCs that plagues fully or partially meshed networks created with ATM or frame relay. The IETF has defined standards that let MPLS VPNs support Differentiated Services, which let providers enable prioritization of voice and/or other latency-sensitive traffic.
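To make the label mechanism concrete, here is an added toy model of a Layer 3 MPLS VPN; it is not code from the article or from any router vendor, and the router names, labels and addresses are constructed. Each customer gets its own routing table (a VRF) on the provider edge router; the ingress edge pushes a customer-specific VPN label plus a transport label for the label-switched path, the core swaps only the transport label and never consults the IP header, and the egress edge uses the VPN label to pick the right customer. Two customers using identical private addresses are kept apart, and a destination absent from a customer's table is dropped at the edge.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Packet:
    dst_ip: str
    payload: bytes
    labels: list = field(default_factory=list)  # MPLS stack; top of stack is labels[-1]


class VRF:
    """Per-customer routing table on a provider-edge (PE) router."""

    def __init__(self):
        self.routes = []  # (prefix, egress_pe, vpn_label)

    def add_route(self, prefix, egress_pe, vpn_label):
        self.routes.append((ipaddress.ip_network(prefix), egress_pe, vpn_label))

    def lookup(self, dst_ip):
        addr = ipaddress.ip_address(dst_ip)
        candidates = [r for r in self.routes if addr in r[0]]
        return max(candidates, key=lambda r: r[0].prefixlen) if candidates else None


class ProviderNetwork:
    def __init__(self):
        self.core = set()       # core (P) routers that forward on labels only
        self.vrfs = {}          # (pe, customer) -> VRF
        self.lsp = {}           # (ingress_pe, egress_pe) -> (first transport label, first hop)
        self.lfib = {}          # (core router, in_label) -> (out_label, next_hop)
        self.vpn_labels = {}    # (egress_pe, vpn_label) -> customer
        self.core_trace = []    # what the core actually looked at: labels, never IP

    def send(self, ingress_pe, customer, dst_ip, payload):
        route = self.vrfs[(ingress_pe, customer)].lookup(dst_ip)
        if route is None:
            return None  # no route in this customer's VRF: dropped at the edge
        _, egress_pe, vpn_label = route
        label, node = self.lsp[(ingress_pe, egress_pe)]
        pkt = Packet(dst_ip, payload, [vpn_label, label])
        while node in self.core:
            out_label, next_hop = self.lfib[(node, pkt.labels[-1])]
            self.core_trace.append((node, pkt.labels[-1], out_label))
            pkt.labels[-1] = out_label  # label swap; IP header untouched and unread
            node = next_hop
        pkt.labels.pop()                     # egress PE removes the transport label
        inner_label = pkt.labels.pop()       # VPN label selects the customer's VRF
        egress_customer = self.vpn_labels[(node, inner_label)]
        return (egress_customer, node, pkt.dst_ip, pkt.payload)


def build_demo():
    """Constructed topology: PE1 -> P1 -> PE2, two customers with overlapping addresses."""
    net = ProviderNetwork()
    net.core = {"P1"}
    net.lsp[("PE1", "PE2")] = (100, "P1")
    net.lfib[("P1", 100)] = (200, "PE2")
    for customer, vpn_label in (("CustA", 1001), ("CustB", 1002)):
        vrf = VRF()
        vrf.add_route("10.2.0.0/24", "PE2", vpn_label)  # same prefix for both customers
        net.vrfs[("PE1", customer)] = vrf
        net.vpn_labels[("PE2", vpn_label)] = customer
    return net


if __name__ == "__main__":
    net = build_demo()
    print(net.send("PE1", "CustA", "10.2.0.5", b"from A"))
    print(net.send("PE1", "CustB", "10.2.0.5", b"from B"))
    print(net.send("PE1", "CustA", "192.168.9.1", b"no route"))
    print(net.core_trace)
```

The isolation here is a property of the provider's forwarding tables, not of cryptography: nothing in the core is encrypted, which is why the article compares the security level to frame relay or ATM PVCs rather than to IPSec. A customer who needs confidentiality against the carrier itself still layers IPSec over the MPLS service.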

Providers also can use MPLS to perform traffic engineering, which can provide predictable performance characteristics for individual classes of traffic.

Lazar is a senior consultant for Burton Group, where he focuses on strategic planning and network architecture for Fortune 500 companies and large service providers. He can be reached at ilazar@burtongroup.com.

Related Links

The promised LAN
If you operate a private ATM campus network or metropolitan-area network, a Multi-protocol Label Switch Layer 2 VPN could be a cost-effective, high-speed alternative. Network World, 04/08/02.

How it works: Layer 2 VPNs
With Multi-protocol Label Switching Layer 2 VPNs based on the Martini approach, a customer's Layer 2 traffic is encapsulated when it reaches the edge of the service provider network, mapped onto a label-switched path, and carried across a network. Network World, 04/08/02.

VPN audio primer
In this 6-minute primer you'll learn how VPNs work as well as if they are right for your remote access needs. Network World Fusion.

VPN e-mail newsletter
A twice-weekly look at VPN technologies and trends. Network World Fusion.

Copyright, 1994-2006 Network World, Inc. All rights reserved.