SLAs Meet Managed VPNs

Although just beginning to take shape, guaranteed service levels for VPN and other manged security services will become vitally important in the emerging application services market.

by Lisa Phifer VP Core Competence, Inc. [April 5, 2000]

Service level agreements (SLAs), long a staple of telco service contracts, specify agreed service targets between provider and customer and spell out penalties for non-compliance. In recent SLAs years have morphed, adapting to fit emerging technologies and the new services they enable.

Managed remote access and site-to-site VPN SLAs are one such growth area. In a managed security service survey conducted by ISP-Planet last fall, a number of ISPs claimed to offer managed VPN services with SLAs. Curiosity thus piqued, I found myself wondering: What do managed VPN SLAs look like? How are targets measured and enforced? What remedies are provided when SLAs are not met?

Backbone SLAs Rule—for Now
While many providers publish backbone network SLAs, VPN SLA development lags behind. A survey of six top-tier ISPs—AT&T, Cable and Wireless, Intermedia, PSINet, Sprint, and UUNET—found that most publish backbone network SLAs. All appear to offer SLAs for VPN products. But just two currently publish specific VPN SLAs on the web for all to see.

For example, Cable and Wireless, when it existed in the U.S., used to guarantee DirectConnect dedicated Internet access customers an average monthly roundtrip latency of no more than 70 ms and packet loss of no more than 1 percent within its U.S. backbone. But when asked to be interviewed for this story, a C&W representative said "Our SLAs for IP VPN and Managed Firewall are still in development and have yet to be announced publicly."

Sprint guarantees its Internet VPN customers 99.9- to 100 percent end-to-end availability across its backbone with a maximum average backbone delay of 75 ms. But these targets do not appear to extend beyond the edge of the backbone. And firewall availability and response time to repair hardware targets are not described in similar detail on Sprint's website.

I did find VPN-specific SLAs published by GTE Internetworking (powered by BBN) and UUNET (an MCI WorldCom company, now part of Verizon). These providers specify both backbone SLAs and VPN SLAs, combined in a tiered fashion. For example, backbone latency is measured between hubs on UUNET's North American network. With UUsecure VPN Direct, latency measurements extend further, reaching end-to-end between CPE routers. In other cases, the same guarantee applies to both levels: for example, busy-free dial targets for GTE's DiaLinx global dial and VPN Advantage remote access services.

What Do Managed VPN SLAs Look Like?
VPN service level agreements can run the gamut. SLAs can define the scope of the service and its cost. They may specify the speed with which CPE is installed, troubles are resolved, and change requests are processed. For example, GTE's Site Patrol for FireWall-1 Managed Plus guarantees that security policy and configuration changes will be made by the close of the next business day.

SLAs can enumerate the methods used to monitor and report measurements and outages. For example, UUNET guarantees that it will notify UUdirect customers within 15 minutes after it determines service has become unavailable. Cable & Wireless SLAs include online customer access to monthly statistics.

Many people immediately think "performance" when they hear "SLA." Indeed, performance guarantees form the basis for the specific VPN SLAs published by GTE Internetworking and UUNET:

Why Offer Specific VPN SLAs?
According to Jeff Aliber, Product Marketing, GTE Internetworking VPN and Internet Security Services, "When our organization was formed, we used focus groups, phone interviews, one-on-one interviews to gather medium-to-large customer requirements. It became clear that, if people were going to move [to VPN] from legacy services like Frame Relay and leased lines, they'd expect guarantees of identical or close to existing service levels. In the Frame Relay world, people are used to CIR. We needed to create a similar concept in the IP VPN world."

UUNET's Tom Bregman, Senior Product Manager for UUsecure VPN Total Access, believes that SLA reporting is an art, and that VPN-specific SLAs are needed to measure data that reflects customer experience. For example, VPN latency targets should be loop-inclusive, with measurements made through customer tunnels. "We also think it's important to publish SLAs externally and stand behind them, not just talk about them one-on-one behind closed doors," says Bregman.

go to page 2: How Are Targets Mesured and Enforced?