Next-Generation VPNs: Safer, Cheaper, Faster

New Ethernet VPNs promise cheap, multiprotocol, any-to-any connectivity in the WAN. Are the days of layer-3 services numbered?

June 27, 2005


Here's a conundrum to mull over. Tomorrow's application and networking requirements will increasingly demand direct connections between offices. At the same time, CIOs are more paranoid than ever about security and privacy. So what mainstream WAN architecture can an IT architect recommend that will satisfy both design and security requirements?

The answer is none--at least none for the responsibly paranoid IT architect. Frame relay is practical only when interconnecting offices through a central site. Layer-3 Multiprotocol Label Switching (MPLS) VPNs such as AT&T's IP-Enabled Frame Relay, Sprint's Global MPLS VPN, and MCI's Private IP certainly come closer to meeting those requirements, but while they can connect offices directly to one another, they also require enterprises to expose their routing infrastructure to their service providers.

But that's all going to change, as anybody who attended last month's Supercomm trade show can attest. This year's buzz was about the IETF's Virtual Private LAN Service (VPLS) and how service providers can deliver national, multipoint, switched Ethernet networks by carrying Ethernet frames across their MPLS networks. And unlike today's layer-3 VPNs, these layer-2 VPNs don't require IP encapsulation. Masergy Communications went live early last year with the first commercially available national VPLS offering. Time Warner Telecom followed suit last summer, and Broadwing Communications just announced its service in June. More services are expected in 2006.

When combined with Ethernet access, VPLS transforms the WAN into a large Ethernet switch, says Dean Lissner, director of IT at storage networking vendor Emulex, an early customer of Masergy's inControl VPLS. Just like an Ethernet switch, IT architects can adapt the WAN to match application flows. For example, VoIP traffic can be sent directly between sites, while point-of-sale applications can still be structured to interact with servers in the regional hub or headquarters. All the while, a company's disaster recovery plan can be improved by removing the single point of failure--the WAN hub--in the network design. As for pricing, preliminary research suggests that multipoint, switched layer-2 VPNs will run about 20 percent less than their layer-3 counterparts (see "Ethernet Service Pricing").

All this can be done without significant personnel investment in learning a WAN technology. "It's made our WAN so easy. We didn't have to do any BGP [Border Gateway Protocol] configuration or PVC [Permanent Virtual Circuit] configuration--just added another VLAN to our LAN that represented the Masergy network and routed between them," says Lissner.

Service providers are hoping other potential buyers will feel the same way. More than just another service, layer-2 VPNs represent a shift in the way service providers maintain their networks. Today, they use separate equipment, management systems, and provisioning systems for each of their networks--ATM, frame relay, and now Ethernet. Although frame relay and ATM account for far more of a service provider's revenue, Ethernet's low cost, multiple access speeds, and familiarity to enterprises make the technology particularly attractive as a service offering. Service providers without an installed base hope to use Ethernet to attract existing frame/ATM customers, while service providers that do have an installed base are looking to use Ethernet to migrate those customers onto a common MPLS network, dramatically cutting their own costs.

This means, of course, that IT architects should expect the usual marketing blitz that accompanies any new technology. While the choices between frame relay and a layer-2 VPN may be straightforward--frame relay isn't cost-effective or easily manageable when deployed as a meshed network--that's not the case with the choice between a layer-2 and layer-3 VPN. If application requirements demand more than IP on the WAN or if routing information is particularly sensitive, then enterprises will have an easy choice--layer-2 VPNs (unless those enterprises span more than 50 sites, in which case layer-3 VPNs look to be the right choice). Otherwise, it'll be back to the typical discussion of geographic availability, pricing, SLAs, and available service features. On that front, layer-2 VPNs may have a leg up on pricing, but not on availability, as service delivery for Ethernet access is often still spotty.


While VPLS may be new, Ethernet services are certainly not. Service providers have offered Metro Ethernet services for a couple of years now. The Metro Ethernet market amounted to $518 million in 2004 and is expected to grow to $1.4 billion in 2008, according to research firm Vertical Systems Group.

Figure: Ethernet Who?

The most popular of the Ethernet services are multipoint, switched virtual networks interconnecting three or more sites. These account for 43 percent of ports sold in 2004, says Erin Dunne, director of research services at Vertical. The rest of the market consisted of Ethernet-based Internet access (41 percent) and Ethernet private line services where sites are interconnected via point-to-point links over an Ethernet network (16 percent).

Those services have been the testing ground for their national cousins, many of which will use the same service definitions defined by the Metro Ethernet Forum (MEF), an industry consortium of Ethernet equipment manufacturers and service providers. The MEF defines an Ethernet Virtual Connection (EVC) akin to frame relay's PVC, complete with a Committed Information Rate (CIR) and Excess Information Rate (EIR) that the provider enforces at the customer-facing port. An EVC logically associates two or more ports on the provider's Ethernet network. Ethernet private line services, known as E-Line services, use a point-to-point EVC between two ports. Layer-2 VPNs, or E-LAN services, use a multipoint EVC joining all ports participating in the VPN, so any site can exchange frames with any other directly.
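To make the CIR/EIR contract concrete, here is an added example in Python (not code from the article, the MEF, or any provider named here) of the two-rate bandwidth profile the MEF defines for an EVC, including the two burst parameters the article does not name, Committed Burst Size (CBS) and Excess Burst Size (EBS). It is the color-blind variant with the coupling flag off (an assumption made for brevity; the color-aware and coupled variants are omitted). The rates, burst sizes, and frame arrival pattern are constructed. Running the same frame sequence through two profiles that differ only in CBS shows why two "1.5 Mbps" Ethernet services can drop different frames.

```python
class BandwidthProfile:
    """MEF-style two-rate bandwidth profile for one EVC: color-blind, coupling
    flag off (assumption; color-aware and coupled variants are not modeled).
    Rates are bits/s, burst sizes are bytes, time is seconds."""

    def __init__(self, cir_bps, cbs_bytes, eir_bps, ebs_bytes):
        self.cir, self.cbs = cir_bps / 8.0, float(cbs_bytes)   # bytes/s, bytes
        self.eir, self.ebs = eir_bps / 8.0, float(ebs_bytes)
        self.bc, self.be = self.cbs, self.ebs   # both token buckets start full
        self.last_t = 0.0

    def mark(self, t, length):
        """Color one frame of `length` bytes arriving at time t."""
        if t < self.last_t:
            raise ValueError("frames must be offered in arrival order")
        dt, self.last_t = t - self.last_t, t
        # Refill each bucket at its rate, capped at its burst size.
        self.bc = min(self.cbs, self.bc + self.cir * dt)
        self.be = min(self.ebs, self.be + self.eir * dt)
        if length <= self.bc:            # within CIR: delivered under the SLA
            self.bc -= length
            return "green"
        if length <= self.be:            # within EIR: carried, discard-eligible
            self.be -= length
            return "yellow"
        return "red"                     # over both: dropped at the UNI


def mark_frames(profile, frames):
    """Color a list of (arrival_time, length_bytes) frames in order."""
    return [profile.mark(t, length) for t, length in frames]


# Constructed arrival pattern: six back-to-back 1500-byte frames, then a
# 1000-byte frame 8 ms later. At 1.5 Mbit/s a bucket refills 1500 bytes
# in those 8 ms.
SAMPLE_FRAMES = [(0.0, 1500)] * 6 + [(0.008, 1000)]

# Same CIR and EIR; only the committed burst size differs. This is the
# parameter that providers have historically left to their own definitions.
SMALL_BURST = dict(cir_bps=1_500_000, cbs_bytes=3000, eir_bps=1_500_000, ebs_bytes=3000)
LARGE_BURST = dict(cir_bps=1_500_000, cbs_bytes=6000, eir_bps=1_500_000, ebs_bytes=3000)


def compare_burst_sizes():
    """Return the per-frame colors the two profiles assign to SAMPLE_FRAMES."""
    return {
        "small_cbs": mark_frames(BandwidthProfile(**SMALL_BURST), SAMPLE_FRAMES),
        "large_cbs": mark_frames(BandwidthProfile(**LARGE_BURST), SAMPLE_FRAMES),
    }


if __name__ == "__main__":
    for name, colors in compare_burst_sizes().items():
        print(name, colors)
```

With the 3000-byte CBS, frames five and six of the burst are red and never leave the access port; with a 6000-byte CBS the same burst is carried entirely, four frames green and two yellow. When comparing E-Line or E-LAN quotes, ask for CBS and EBS alongside CIR and EIR, because the rates alone do not tell you how a bursty source such as backup traffic will be treated.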

No doubt a big reason for the popularity of layer-2 VPNs is price. Much has been said about the high cost of traditional telecom infrastructure. The long string of multiplexers, demultiplexers, and cross-connects needed to aggregate T1 and T3 interfaces into an OC-3 and beyond both increases cost and delays provisioning.

Even with layer-3 VPNs, providers must deploy more expensive equipment than with layer-2 VPNs. Layer-3 VPNs require more expensive edge routers capable of maintaining a separate routing table for each customer network. They also require having the right equipment and personnel in place to prevent customer edge routers from destabilizing the provider's router by rapidly changing, or "flapping," their routes.

Layer-2 VPNs also offer other benefits besides price. They allow enterprises to run legacy protocols such as AppleTalk, IPX, NetBIOS, and SNA over the WAN without IP encapsulation. They also allow enterprises to control their own routing: the provider's edge device switches frames and never exchanges routes with the customer's routers. This makes edge router configuration easier because IT architects don't have to worry about network engineers configuring or misconfiguring static routes or a BGP session toward the service provider's network. It also means greater privacy because enterprises can keep their routing domain, its prefixes, topology, and protocol choice, out of the service provider's view. That privacy has a limit, though: with either kind of MPLS VPN the provider still carries every frame in the clear, so traffic that must stay confidential from the carrier needs encryption, such as IPsec, layered on top of the service.


Yet despite these benefits, national buildouts of multipoint Ethernet services have been slow in coming. Without VPLS, services providers couldn't extend native Ethernet across their MPLS cores.

Nor could providers easily deploy national Ethernet networks without MPLS. Scaling is one good example of how equipment suppliers have used slightly different approaches to address carrier-grade Ethernet issues. Layer-2 VPNs work by preserving the VLAN tag the enterprise assigned to each frame. A frame entering the carrier's network still carries the same VLAN tag it had when it left the customer's network, and it carries that tag back out at the far end. To keep one customer's VLAN 100 from colliding with another's, service providers nest VLANs within one another using a technique called 802.1Q-in-802.1Q stacking: the ingress edge pushes an outer, provider-assigned tag in front of the customer's tag, the core switches on that outer tag alone, and the egress edge strips it again. Vendors' implementations of the stacking differ slightly, notably in the Ethertype used for the outer tag.
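An added example, not from the article or from any vendor's code, showing in Python what Q-in-Q stacking does to a frame: the customer's 802.1Q tag is kept, a provider service tag (S-tag) is pushed in front of it at the ingress port, the core switch learns and forwards on the outer tag only, and the S-tag is popped at egress. Two customers that both use VLAN 100, and even the same MAC addresses, stay separated. The S-tag Ethertype 0x88A8 is the IEEE 802.1ad value; pre-standard gear used other values such as 0x8100 or 0x9100, which is the implementation difference the paragraph above alludes to. MAC addresses and payloads are constructed.

```python
import struct

ETHERTYPE_CTAG = 0x8100   # customer 802.1Q tag
ETHERTYPE_STAG = 0x88A8   # provider service tag (IEEE 802.1ad). Pre-standard
                          # gear used 0x8100 or 0x9100 here; 0x88A8 is an assumption.
ETHERTYPE_IPV4 = 0x0800


def mac(text):
    """'00:00:5e:00:53:01' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_ctagged_frame(dst, src, vid, payload, pcp=0):
    """Customer frame as it leaves the enterprise: dst | src | C-tag | type | payload."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return (mac(dst) + mac(src)
            + struct.pack("!HH", ETHERTYPE_CTAG, tci)
            + struct.pack("!H", ETHERTYPE_IPV4) + payload)


def push_stag(frame, svid, pcp=0):
    """Provider ingress: insert an outer S-tag right after the MAC addresses.
    The customer's own C-tag is carried untouched behind it."""
    tci = (pcp << 13) | (svid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", ETHERTYPE_STAG, tci) + frame[12:]


def pop_stag(frame):
    """Provider egress: strip the outer S-tag, restoring the customer frame."""
    tpid = struct.unpack("!H", frame[12:14])[0]
    if tpid != ETHERTYPE_STAG:
        raise ValueError("frame carries no S-tag")
    return frame[:12] + frame[16:]


def parse_tags(frame):
    """Return ([(tpid, vid), ...] outermost first, inner Ethertype)."""
    tags, off = [], 12
    while True:
        tpid = struct.unpack("!H", frame[off:off + 2])[0]
        if tpid not in (ETHERTYPE_CTAG, ETHERTYPE_STAG):
            return tags, tpid
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        tags.append((tpid, tci & 0x0FFF))
        off += 4


class ProviderSwitch:
    """Core switch: learns and forwards on (S-VID, MAC) only, never on the C-tag."""

    def __init__(self):
        self.fdb = {}   # (svid, mac) -> port

    def forward(self, frame, in_port):
        tags, _ = parse_tags(frame)
        if not tags or tags[0][0] != ETHERTYPE_STAG:
            raise ValueError("no outer S-tag on core port: dropped")
        svid = tags[0][1]
        dst, src = frame[0:6], frame[6:12]
        self.fdb[(svid, src)] = in_port
        return self.fdb.get((svid, dst), "flood:%d" % svid)


def demo():
    """Two customers, both on VLAN 100 with the same MACs, on S-VIDs 1001 and 1002."""
    h1, h2 = "00:00:5e:00:53:01", "00:00:5e:00:53:02"   # constructed addresses
    a_req = push_stag(build_ctagged_frame(h2, h1, 100, b"customer A"), svid=1001)
    b_req = push_stag(build_ctagged_frame(h2, h1, 100, b"customer B"), svid=1002)
    a_rep = push_stag(build_ctagged_frame(h1, h2, 100, b"reply A"), svid=1001)
    b_rep = push_stag(build_ctagged_frame(h1, h2, 100, b"reply B"), svid=1002)

    sw = ProviderSwitch()
    first_a = sw.forward(a_req, in_port=1)   # A's h1 learned on port 1, dst unknown
    first_b = sw.forward(b_req, in_port=2)   # B's h1 learned on port 2, dst unknown
    to_a = sw.forward(a_rep, in_port=3)      # reply inside S-VID 1001 -> port 1
    to_b = sw.forward(b_rep, in_port=4)      # reply inside S-VID 1002 -> port 2

    try:   # a customer-tagged frame with no S-tag must not enter the core
        sw.forward(build_ctagged_frame(h2, h1, 100, b"leak?"), in_port=5)
        ctag_only_dropped = False
    except ValueError:
        ctag_only_dropped = True

    return {
        "a_tags": parse_tags(a_req),
        "first_a": first_a, "first_b": first_b,
        "to_a": to_a, "to_b": to_b,
        "egress_restores_frame": pop_stag(a_req) == build_ctagged_frame(h2, h1, 100, b"customer A"),
        "ctag_only_dropped": ctag_only_dropped,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The forwarding table is keyed on the outer tag, so identical customer VLAN IDs and MAC addresses land in different entries, and the customer frame comes out of the far-end port byte-for-byte as it went in. The check in ProviderSwitch.forward is the part worth copying: a core port that accepted frames carrying only a customer tag would let one customer's frames be switched in another's context.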

Ethernet's reliability problems also complicate nationwide rollouts, as does recovery. Ethernet's Spanning Tree Protocol (STP) can take tens of seconds to recover from a network failure. The Rapid Spanning Tree Protocol (RSTP) improves on those times, but still isn't fast enough for many carrier networks. Scaling is also complicated by the nature of routing protocols. IT architects normally keep the number of adjacent routers to about 50 or less on an Ethernet LAN because of the impact on routing protocols such as OSPF. An E-LAN is a single broadcast domain, so every site's edge router becomes a neighbor of every other site's, and the same limit is likely to apply to layer-2 services, keeping layer-2 VPNs from connecting the very largest enterprises.

VPLS addresses most of those problems by connecting layer-2 Metro Ethernet networks across pseudowires, emulated Ethernet circuits carried inside MPLS Label Switched Paths (LSPs). This allows service providers to use Fast Reroute, the local-repair protection mechanism of MPLS networks, to extend Ethernet. Of course, just how that VPLS deployment should be made has been the subject of intense debate within the IETF for at least two years, culminating in Internet drafts from Juniper Networks' Kireeti Kompella and Yakov Rekhter on the one hand, and Alcatel's Vach Kompella (Kireeti's brother) and Riverstone Networks' Marc Lasserre on the other.

Both drafts define how to create a VPLS across an MPLS network, but the biggest difference lies in how the system performs circuit setup and signaling, as well as VPN membership and discovery.

The Juniper proposal argues for the use of the already widely deployed BGP to distribute VPN membership information. The Alcatel-Riverstone approach, which calls for using MPLS' Label Distribution Protocol (LDP), would require adding auto-discovery and provisioning to LDP.

The Alcatel-Riverstone proposal argues that using BGP to transport VPN labels unnecessarily loads the critical routing protocol. What's more, because BGP propagates every change to all of its peers, there may be privacy issues whereby all sites within a VPN can see VPN members entering and leaving the network. Ultimately, the market will decide the right choice, but at this point both approaches will be standardized by the L2VPN Working Group, says Rick Wilder, co-chairman of the group.

THE SERVICES

With the VPLS standards starting to stabilize, service providers are gearing up to deliver VPLS-based services that employ the MEF definitions. The biggest challenge will be finding the service. Ideally, Ethernet access will be delivered over a fiber drop, but most businesses today lack such facilities. Figures for the number of buildings with fiber typically run around 40 percent, though nearly 60 percent of respondents to a Network Magazine survey indicated that they had fiber drops into their buildings.

To those ends, expect traditional carriers to announce or complete local infrastructure rollouts as a prelude to their service announcements. AT&T is trialing a 10Mbps service in Atlanta using WiMAX, for example. Ethernet trials are expected early next year, with services to be delivered in 2006. Last May, MCI announced that it was building out its Converged Packet Access infrastructure, which replaces the multiplexing and demultiplexing equipment tree with an Ethernet network. The MCI VPLS is also due out in 2006.

Even then, coverage is far from perfect. MCI's new Packet Access service will only be available in 25 of the biggest U.S. metro areas by the end of 2005. That's not even half of the roughly 80 metro areas where MCI claims to have fiber rings, and only a fraction where frame relay is available (that number is so large that MCI would only say it was ubiquitous). Time Warner has been able to leverage its local presence and deliver VPLS to 44 locations. Those numbers roughly represent the 30 most interconnected U.S. cities as defined by telecommunications research firm TeleGeography. Masergy has no local fiber presence per se, relying on relationships with LECs and CLECs to deliver fiber to the customer premises.

IT architects whose buildings lack an existing fiber drop can expect to pay four or five times more than the typical service price to have fiber pulled to their premises, estimates Lowen Wiessenberger, national account manager for sales at Masergy. However, companies that don't require fiber speeds aren't completely cut out. Masergy and Time Warner can both deliver Ethernet services over bonded T1s or a T3 access line.

Even if they can get to the right service, IT architects still face a complex market of very different services being sold under the common Ethernet brand. Masergy's inControl VPLS and Time Warner's Native LAN service are both national layer-2 VPN services based on VPLS, but they differ in many areas. Masergy offers different qualities of service with its VPLS, for example, while Time Warner doesn't.

Yipes Enterprise Services also offers a "national" layer-2 VPN service, which is actually a series of layer-2 VPNs interconnected by its national Ethernet network. But that network, known as the National Area Network (NAN), offers Ethernet private line services, not E-LAN-like services, so companies today can't purchase meshed services between cities, only within a city.

Riverstone advocates a third wrinkle on the VPLS-MPLS configuration. A white paper on its site posits an architecture that uses a national layer-3 VPN service to interconnect regions of metro VPLS networks. Presumably, however, such an architecture would diminish one of the benefits of VPLS because sites in different regions wouldn't be able to run non-IP protocols across the inter-regional layer-3 VPN service.

There's also likely to be confusion around the E-LAN and E-Line definitions. While the MEF has made great strides in defining these services, it has necessarily left room for service providers to innovate and differentiate. The upshot is that some of the problems that enterprises have had in defining exactly what's being delivered in a frame relay service may persist in Ethernet services. The duration and size of a burst in a frame network--something that varies between providers--hasn't been set for E-Line services.

IT architects will want to pay attention to some of the less conspicuous support plans offered with these services, particularly when they're delivered by boutique suppliers such as Masergy or Yipes. Companies could be cutting back on the back-end services to reduce their front-end pricing. Emulex's Lissner's call to Masergy's NOC was answered right away one time, for example, but the next was dropped into voice mail after three rings.

These are all good reasons not to ignore layer-3 VPNs. Since these services run at layer 3, there are none of the scaling concerns that affect Ethernet. Sprint's Global MPLS VPN service is available worldwide, offers variable levels of service, and can be delivered across a number of access technologies, including frame relay and Ethernet. The same goes for MCI's Private IP. Aside from price, the biggest downside for many companies will be revealing their routing infrastructure to their providers. How much that matters to a given project or IT department, only the IT architect can decide.

David Greenfield, executive editor, can be reached at [email protected].

Ethernet Service Pricing

So how much cheaper are layer-2 VPNs than layer-3 VPNs? Try 22 percent. That's what came out of our RFI for a mock five-site company. Layer-2 VPN services from Masergy and Yipes ran on average 22 percent less than comparable layer-3 VPNs from Sprint and MCI. The scenario called for a main headquarters in Chicago and major sites in San Francisco, Houston, Atlanta, and New York. Each site was to have n x T1 access, with half the bandwidth dedicated to the data network and half to local Internet access. Traffic patterns were to use partial meshing, with VoIP traffic going between all sites, and ERP, e-mail, and backup traveling back to Chicago. For details on the RFI's specific traffic profiles and networking requirements, visit
