Virtual Private Networks

An Early Look At Network-Based VPN Deployment —continued

AduroNet and CoSine Communications IPSX 9000
CoSine's IP Service Delivery Platform is based on the IPSX 9000, a carrier-class processor that provides switching, virtual routing, and advanced IP services like firewalls and VPNs, able to support "tens of thousands of subscriber networks." CoSine's InVision Service Management System (SMS) enables provisioning and maintenance of IP services delivered by IPSX 9000 switch networks. A Healthy Start program assists providers with architectural consultation, project management, integration assistance, on-site field engineering, lab access, assistance with test and acceptance, and other services designed to facilitate successful rollout.

In May, CoSine (www.cosinecom.com) announced that Qwest Communications had used the IPSX 9000 in its production network for the past six months, delivering network-based VPN services to Quebecor World. CoSine also announced major purchase orders by BroadBand Office and AduroNet. Paul Wynne, Senior Vice President of Operations and Architecture at AuduroNet (www.aduronet.com) spoke with me about his company's experience with CoSine.

AduroNet, in business for six months, is a European network access wholesaler. "Provisioning partners like ntl and clara.net connect customers, then tunnel IPsec across their backbone to reach our CoSine box securely," said Wynne. "Our partners connect to us at very high bandwidth (T3 or better), and tend to make more than one connection for resilience. Inside our own network, everything is dualed for a resilient core. If you're going to carry 1000 customers through one box, you've got to make sure you have resilience."

CoSine built AduroNet's network architecture in its San Francisco lab. "We sent our engineers there, and they spent 7 weeks trying to break it, finding holes and limitations," said Wynne. "CoSine engineers helped us stress-test our architecture to make sure that everything works as we'd envisioned. CoSine even has engineers here in the UK now, helping us deploy new switches for our initial VPN rollout."

AduroNet placed dual CoSine IPSX 9000 switches in 12 major POPs throughout Europe. "Our partner networks are providing reach," said Wynne. "Using this approach, we're able to provide shorter tail circuits to customers. Traditional Frame Relay uses long tail circuits from a very few POPs — these long tail circuits are both costly and a single point of failure. In our model, we've reduced the risk of failure because tail circuits are so much shorter. We've reduced the cost as well."

AduroNet works closely with partner ISPs to make sure they can deliver QoS end-to-end. "If you've got a VPN tunnel that starts in a partner network in the UK and ends in another partner network in Spain, each partner is depending on the other to deliver QoS end-to-end," said Wynne. AduroNet partners deliver tail circuits and routers, and engineer their own backbone for QoS. AduroNet manages VPN provisioning from its NOC, using CoSine's SMS. "In a traditional FR VPN with 15 locations, you needed to provision 15x15 virtual connections. In our case, the network provides fully-meshed connectivity inside the network cloud; we only need to provision one tunnel from the IPSX 9000 to the customer. This lets our partners deploy smaller, lighter, less complex routers at the customer premises."

AduroNet intends to provide premium IP services for business market, including accelerated web content, managed IP VPNs, and eCommerce platform services. "We have a number of commercial offerings that we'll be launching in 3Q00," said Wynne. "Our trans-Atlantic transit service is already up. Our European transit service, which will include the trans-Atlantic service, will soon be commercially available. Both of these are traditional Internet bandwidth services."

AduroNet's next major service will be VPN, available by the end of the year. "This service will provide office-to-office connectivity for small-to-medium size businesses," said Wynne. "Traditionally, European ISPs are bounded by their country — for example, a UK provider can offer VPN service, but only connecting locations within the UK. We can help ISPs offer VPN services Europe-wide."

AduroNet also plans to provide content services at the center of its network. "We've engineered our network to be one hop away from two data centers (London and Frankfurt)," said Wynne. "We'll locate some very big, mean servers there that can be used by ASPs to host applications with one-hop access. Each data center will shadow the other, so that, if for some reason you cannot reach one center, you can still reach shadowed content at the other." VPN customers will be able to access centrally-located application services, including very large, hit-intensive services and large applications like databases and office applications. "We intend to host these types of services for ASPs like eTrade," said Wynne.

"The whole idea of network-based VPN is that you've got control of IP services on a wholesale basis," said Wynne. "Expensive equipment sits in the center of the network, and customers connect to that for access to the Internet and to other VPN locations. The CoSine box allows us to create new routers on the fly — virtual routers in software, not hardware. With CoSine, we can add IP services like firewall and virus scanning to the VPN."

Furthermore, Wynne says that private ATM and Frame Relay networks require racks and racks of big routers to support a few hundred customers. "The CoSine box takes up half a rack and supports thousands of customer connections," said Wynne. "This gives us massive economy of scale. The kind of economy of scale we need in the wholesale business."

Parting Thoughts
Much progress has been made in the network-based VPN market since our first look last fall. These three vendors were able to name over a dozen providers with active deployment, and certainly there are many more behind the scenes, not yet ready for public disclosure. But commercial service delivery is still pretty new. It is really too early to determine just how well network-based VPNs will live up to their potential — and how they will impact service provider bottom lines.

I'd expect any vendor-supplied customer reference to offer product praise, but I heard more in the voices of those I interviewed for this article. These providers appear genuinely excited about network-based VPNs, and encouraged by their experiences thus far. Time will tell, but certainly any provider considering large-scale VPN service deployment must give serious consideration to taking a network-based approach.

According to Infonetic's Mitchell, the biggest obstacle may be educating end users. "Certain end users will still prefer CPE solutions, but service providers will want to move to network-based VPNs for scalability and ease of deployment," said Mitchell. "Once these providers themselves have big-name customers using network-based VPNs and publish case studies about them, users will become educated and more accepting of this alternative."

1. Introduction

2. Broadslate's Experience with Lucent

3. Savvis' Experience with Nortel

4. AduroNet's Experience with CoSine, and Conclusion