VPN

IP—VPNs Part 2: The Technology

There are several types of virtual private networks (VPNs) currently being deployed. Of those, the IP-based VPN (IP—VPN) offers the greatest QoS assurances, but vendors are struggling to differentiate their service offerings.

by Tim Hills and Margaret Hopkins of analysys [July 18, 2001]

VPN, in general, is a misleading term because it is used to describe several different network situations.

Types of VPN include Voice VPN (right). Case 1 illustrates reserved voice capacity on a carrier's switched network, with or without switch partitions reserved for private use. A second network situation, illustrated in Case 2, is Voice VPN combined with a Centrex service, without Private Branch Exchanges (PBXs).

A second set-up scenario includes ATM-VPN or Frame Relay-VPN. In this situation, data networks based on ATM or frame-relay permanent virtual circuits (PVCs) that may also carry voice work together to create the connection for a virtual private network (above).

Finally, there are three different variations of IP-VPN networking situations:

• IP-VPN case 1: secure IP connections made across the public Internet (an Internet VPN).
• IP-VPN case 2: secure IP connections with QoS guarantees on a managed IP network. VPN servers can be either on the customer premises (case 2a) or on the operator's network (case 2b).
• IP-VPN case 3: reserved capacity and router partitions on a managed IP network that may also carry voice. Customers might not (case 3a) or might (case 3b) have VPN servers on their premises. Routers are partitioned and support MPLS. (Each case shown below.)

The common characteristic of VPNs is that users gain some advantages of having their own leased connections while still using a public network. The advantages obtained are predominantly security and guarantees for other aspects of performance. Connecting to a shared network will always be cheaper than paying for dedicated capacity.

There are three types of IP—VPN
The most basic type of IP—VPN implementation is 'case 1', the Internet VPN, which does not require any involvement from the service provider. Users install a firewall, a router, an Internet Access Device (IAD) or another edge device to provide selective encryption of data for intra-company destinations.

The 'case 2' IP—VPN, in which the service provider provides encryption, uses either CPE or a network device, combined with QoS guarantees for availability, delay (network latency), packet loss, and possibly other parameters for end points on their network.

The 'case 3' IP—VPN provides reserved capacity across the service provider's network, with guaranteed bandwidth and partitioned routers. This offers some level of security combined with more stringent QoS guarantees for availability, throughput, packet loss, delay and jitter. It may be combined with encryption for extra security.

Go to page 2: Creating IP—VPNs>