An IP VPN consists of a set of protocols that provides businesses with secure connections between locations – whether over the public Internet or across carriers’ private IP networks – that are shared by other users. IP VPNs use comprehensive security measures to ensure the privacy and safe passage of business data, including encryption, encapsulation, authentication, and authorization. IP security protocol (IPSec), point-to-point tunneling protocol (PPTP), and Layer 2 tunneling protocol (L2TP) define various forms of encryption and authentication.
How will your business decide between the many IP VPN services? Compare the IP VPN services & also get a consultative approach to getting the best and most cost effective and secure solution for your business today.
An IP VPN consists of a set of protocols that provides businesses with secure connections between locations – whether over the public Internet or across carriers’ private IP networks – that are shared by other users.
IP VPNs use comprehensive security measures to ensure the privacy and safe passage of business data, including encryption, encapsulation, authentication, and authorization. IP security protocol (IPSec), point-to-point tunneling protocol (PPTP), and Layer 2 tunneling protocol (L2TP) define various forms of encryption and authentication. Tunneling refers to methods of encapsulating a data packet within an IP packet. This allows the encapsulated packet, including its header, to be encrypted for security. Since the encapsulated packet need not be IP, tunneling supports multiprotocol traffic.
Customer premises equipment (CPE)-based IP VPNs and carrier network-based IP VPNs. Most CPE-based VPNs operate over the public Internet, using broadband or dedicated access lines and tunneling protocols to secure the data. The underlying IP network simply provides transport for VPN traffic. Available CPE ranges from small and home office hardware devices through high-speed routers with optical-speed connections. Carriers offer CPE-based IP VPNs as managed services, in which they install, manage, and maintain the CPE and set up and administer the VPN tunnels according to policies set by the customer.
In carrier network-hosted IP VPN services, the network is directly involved in the functioning of the IP VPN. Most service providers offer multiprotocol label switching (MPLS) IP VPNs, which allow them to keep customers’ private business traffic logically separated through the use of virtual circuit-like connections known as label switched paths (LSPs). This feature provides a level of security comparable to frame relay. The MPLS protocol is also designed to support traffic engineering, which the carrier can use to control individual “flows” of traffic over its network, in order to meet specific quality of service (QoS) performance requirements.
They can be set up through CPE managed remotely by the carrier, or through routers and/or switches inside the carrier’s network. In CPE, IP VPN features can be incorporated in an existing router or consist of a specialized device. Carriers also operate VPNs that are for internal use only, which they use to manage their IP/Internet backbones by splitting them up into logically separate virtual networks. In some cases, services described as Ethernet, frame relay, ATM, voice, and even transport actually run inside IP VPNs in the carrier network, showing off the technology’s great versatility while blurring the lines between different network services.
Just as many carriers built gateways between their frame relay and ATM backbones years ago, it is common for various networks to be connected across IP gateways, supporting the exchange of IP traffic between ATM and frame relay, network-based and premises-based IP VPNs, and public and private network IP VPNs. This convergence allows customers to mix and match ATM, frame relay, and various IP VPN services and pass their business traffic between each of these networks.
Network-based IP VPNs are synonymous with multiprotocol label switching (MPLS), a must-have for enterprise-focused carriers. Many larger CLECs with tight budgets have also made the upgrade from ATM backbones to IP/MPLS, both for cost purposes and to be buzzword-compliant with customers. Behind the scenes, it is not unusual to see another protocol, L2TP, quietly running alongside MPLS to power network-based IP VPN services. MPLS provides security and dedicated bandwidth features similar to those of frame relay and ATM, while supporting quality of service (QoS) controls.
Frame relay and ATM services and IP VPNs have a complex relationship; the services compete with each other, and frame relay/ATM product managers have seen business demand dropping off, while demand for IP VPNs continues to grow. However, the services also are complementary. Unlike most business-class IP VPNs, frame relay and ATM have built-in QoS, and interworking gateways with Internet and/or business IP access are just about universal. Many carriers have gateways connecting the two types of services, and most use IP’s DiffServ marking feature to translate frame relay/ATM QoS levels into IP/MPLS equivalents.
CPE-based IP VPNs can simply be layered on top of any IP network including plain old dedicated Internet access. Therefore, corporate customers with strong internal IT departments will question the merit of outsourcing IP VPNs, arguing that the service could be designed, built, and managed in-house at less cost. However, for complex enterprise IP VPN needs, large meshes of point-to-point IPSec tunnels can become as big a management burden as the PVC-based networks they often replace. If an enterprise needs to connect IP VPNs across network platforms and add hosted services inside the carrier cloud, it may be more amenable to handing off the business to a carrier.
Large carriers such as AT&T, Verizon Business and Sprint Nextel maintain separate IP networks; one carries public Internet traffic, while the other carries business/government-class private IP traffic. In theory, it is enough for an IP network to offer logically separated services – private virtual routing tables that do not touch IP addresses on the public Internet, and vice versa. However, some holdout customers still require physical separation as a guarantee that their sensitive data traffic cannot be compromised by attacks originating from the public Internet; these businesses are candidates for newer carrier Ethernet services.
Some providers – tw telecom, the Broadwing business acquired by Level 3, Yipes, and Masergy among them – came early to virtual private LAN services (VPLS), a wide area, Layer 2 Ethernet/MPLS pseudowire networking service. Verizon Business and AT&T have since launched VPLS networks of their own, and Qwest has committed to the technology. Some enterprise customers say they prefer to stick to Ethernet Layer 2 network services that, such as frame relay and ATM, let them control Layer 3 routing and keep their carrier(s) out of their routing tables. Sprint Nextel, Verizon Business and AT&T each also offer IP-based virtual transport services, which let customers control their own Layer 3 routing exclusively, though these types of services lack the Layer 2 mesh networking flexibility of Ethernet.
Some carriers have added two MPLS access options to their lists – 3G wireless access and DSL that supports MPLS CoS differentiation. Combination wireline/wireless providers Sprint Nextel, AT&T, and Verizon were first to add 3G wireless support for their respective IP VPN services, while aggregators including New Edge Networks and MegaPath added network support enabling CoS support for DSL. The two groups are tapping each others’ evolved IP/MPLS access options: New Edge and Megapath have turned to resell 3G wireless access from wireless providers, while New Edge has begun signing major wholesale carriers for its MPLS CoS support for DSL.
One principal application that drives customers to migrate from frame relay and ATM to IP services is voice over IP (VoIP). Due to scaling issues, most frame/ATM networks are configured in hub-and-spoke configurations, which are fine for data centers and headquarters locations. However, inter-office calling requires any-to-any mesh connectivity for reasonable performance. As enterprises adopt various network-hosted and premises-based VoIP services, IP VPNs become a desirable complementary service. Carriers with extensive IP portfolios are working to pull together all their IP VPN and IP telephony offers to make sure they can mix and match converged services in any combination the customer prefers.
Premises-based managed IP VPN services are still a cheap and easy way for carriers offering IP services to launch a new business network service, requiring no major new construction or infrastructure investment. No CLEC, ISP, or NSP should be without premises-based IP VPN and managed firewall services by now, seeing as even small service providers can launch IP VPN support starting with just a couple of qualified network engineers.
A hallmark of IP VPNs is their flexibility and compatibility with other services; they are relatively easily interconnected to existing carrier ATM/frame relay networks as well as metro Ethernet access and xDSL on the business services front. Both network-hosted and premises-based IP VPNs can share the access link with dedicated Internet access, and carriers can extend their services off-net across Internet links supplied by third-party ISPs.
PoP-to-PoP and end-to-end network performance is one of the great differentiators between IP VPN service providers. Major carriers now offer both jitter and latency service level guarantees for their IP networks; they issue both on-network PoP-to-PoP and end-to-end guarantees to show customers that their IP networks are ready to handle video and voice over IP, plus other real-time streaming and priority transaction services. However, for customers, the real measure is how the network actually performs in the real world, how many service-affecting “events” are likely to occur in any given month, and what sort of credits the carrier is willing to provide to backup the SLA promises.
Just as with frame relay and ATM years ago, IP/MPLS has matured, from single-carrier pockets of networking to common network-to-network interconnection (NNI) agreements between carriers. IP/MPLS NNIs are a sensible choice; as with any network technology, there just is not enough of a market for each carrier to build its own local, national and global networks. However, it also means that carriers need to normalize their IP VPN differences, such as quality of service and applications, and hammer out standard back office billing and customer service arrangements.
While IP VPN links are generally secure, the endpoints – where the VPN link terminates and the corporate network begins – present an attractive target to network crackers, especially on links that run Internet and IP VPN applications alongside each other. Carriers have opportunities to package managed IP VPNs with managed router, managed firewall services, and additional security monitoring and consulting services (such as vulnerability assessments and intrusion detection/prevention) for customers, under the banner of security services.
Increasingly, businesses are looking for ways to bring better traffic control to their enterprise networks without having to rely solely on IP/MPLS. For complex networking, enterprises can turn to managed applications optimization, offered by carriers such as Orange Business Services, BT Global Services and Verizon Business via specialized gear from vendors such as Riverbed and Ipanema Technologies, as well as Juniper WXC and Cisco WAAS.
The concern about eventual IP address exhaustion, and the need for IPv6 as a solution, has been around since the 1990s. In 2008, RFPs issued by the U.S. government are putting pressure on major carriers to support dual-stack IPv4/IPv6 implementations in their core networks. Mere lengthening of an IP address header seems simple enough, but the impact across these “networks of networks” is complex and far-reaching. Carriers have much work ahead if they wish to incorporate IPv6 support across infrastructure, external and internal network interconnections, portfolios of managed network services including IP-VPNs, and hosted and professional services – all while the payback for their investments outside public sector contracts is vague.
