The many faces of IP VPNs

There are many definitions of an IP VPN, though many people believe their definition to be the only one.

All that can really be taken for granted with the word “VPN” is that the WAN service keeps your traffic private and segregated, even though you are sharing bandwidth with other customers to gain economies of scale. 

VPNs originated in the voice world in 1985, allowing enterprises to carve “virtual private” bandwidth out of the public phone network for custom call plans. Frame relay and ATM subscriber services followed as Layer 2 data VPNs, which emulate private lines over a shared infrastructure using permanent virtual circuits, or PVCs.

Today, the following are all perfectly acceptable definitions of a Layer 3 IP VPN:

* A shared but segregated IP WAN service confined to a single operator’s IP or Multi-protocol Label Switching (MPLS) network that does not encrypt traffic. The service might or might not include carrier-managed CPE, such as a router.

* A shared but segregated IP WAN service confined to a single operator’s IP or MPLS network that includes carrier-managed encryption. This encryption can be in the form of managed standalone CPE or embedded CPE router software. Or it can be a network-based encryption service, encrypting traffic across the service provider backbone only.

* “IP-enabled” VPN services that use any CPE interface – frame relay, Ethernet, ATM, DSL – in the access network and unwrap the IP address at the service provider edge for “meshed” WAN connectivity. It might or might not use managed or user-controlled encryption, depending on customer requirements.

* A public Internet-based service using IPSec, Secure Sockets Layer or another encryption method to segregate and secure your traffic. This option is most often used to support remote users.  You can either own and manage the encryption yourself in the form of a VPN appliance (or embedded router software) or outsource the function.

Next time: Enhancements to IPSec.