Analysys reports that although IP-based Virtual Private Networks (IP—VPNs) have a broad appeal, service providers will face various difficulties in selling these services to businesses of all sizes. The market for large corporations will go to the largest providers, while small businesses will check out all providers.

by Tim Hills and Margaret Hopkins of analysys [July 26, 2001]

The findings of the report are supported by a market survey of 51 companies that were drawn from Denmark, Finland, Germany, Norway, Sweden, the UK and the USA, and comprise both current users of IP—VPNs and those actively considering their use. A wide range of industries is represented, and the companies span the range from small businesses of 50 staff to major multinationals. All were multi-site organisations that were technology aware and made heavy use of telecom.

IP—VPNs have very wide appeal
IP—VPNs are being (or will be) used across a very wide spectrum of user types in terms of industry sector, company size, geographical location, the number and distribution of company sites, communications environment, and spending on communications. Further, there appears to be an almost natural fit for some types of IP—VPN use for some purposes for the communications-aware companies that formed the survey sample - even if only to provide secure remote access for travelling salesmen. Communications managers are evidently well aware of IP's potential for networking applications, and also have freedom to experiment through combinations of own or managed provision.

IP—VPNs also have the general characteristic of being able to appeal to almost any dispersed organisation by creating the sense of community that comes through simple and improved communications between staff, partners and even customers.

In parallel with the wide appeal of IP—VPNs runs a wide range of end-user applications and network uses to which IP—VPNs can, and will, be put. However, there is an evident tendency to emphasise a relatively small number of basic applications and uses - such as email, Web browsing, remote database access, remote network access and intranets (see Figure 0.3 and Figure 0.4, overleaf). The picture that arises is of a small common core of basic applications and uses, surrounded by a larger periphery from which users will select according to their particular requirements and circumstances. Further, voice and data integration is given a very low priority, with many users not being convinced of the maturity of this technology or its benefits. Extranets, despite the substantial attention given to them by the telecom industry, also appear as a minority interest.

Service providers failing to market IP—VPNs
The influence of service providers in promoting users' interest in IP—VPNs appears to be almost negligible. Instead, users are strongly influenced by internal considerations, such as cost-effectiveness, company requirements and strategy, the dynamics of their own industry and technological attractiveness. Further, part of the appeal of IP—VPNs is that self-provision—if only in a very limited form—is possible, and this may be weakening the influence of service providers to some degree.

The users surveyed are most concerned with two immediate and basic aspects of IP—VPN performance: security and reliability/availability (see chart below). Other, more advanced aspects (especially QoS and network latency) are also important, but good security alone can be rated as essential, with reliability/availability not far behind. Security tends to be an area in which users have serious reservations, about both the capabilities of the systems and in their usability.

IP-VPN user applications for all companies surveyed,
now and within two years. Source: Analysys

User expectations may be too high
Compared with the many positive aspects of IP—VPNs that were noted by the users surveyed, the overall satisfaction expressed was somewhat low, with many expectations not being entirely fulfilled. Less than 60% of companies surveyed believed that they had realised the cost benefits that they had expected. There is an evident tension between the perceived virtues of IP by users - such as universality, de facto standardisation, user friendliness, low costs and so on - and the realities of business networking and IP service provision. The expectations of users may therefore be too high compared with the current state and direction of service offerings. There is evidence of some mismatch between broad user requirements and service offerings, exemplified in particular by the strong emphasis that service providers currently place on QoS, although this is of much less overall concern to users than security.

Developing the market
Technology has now developed sufficiently for IP—VPNs to start to become an essential part of both corporate and carrier data networks. However, there are three key areas where technical development is necessarily continuing:

• improving encryption speed in IPSec
• standardising MPLS and virtual routers to provide performance guarantees
• providing network management.

Technology exists to meet users' security concerns
Security is the main concern that is driving the development of IP—VPNs. IPSec is used to provide secure IP—VPNs across a carrier's backbone because it supports user authentication, content authentication, hashing, encryption and tunneling. Edge equipment will usually terminate an L2TP or PPTP tunnel as well. IPSec introduces delay into the connection, and vendors are working to reduce this.

Standardization work is still needed on MPLS and virtual routers
MPLS is universally seen as the way to provide frame-relay functionality using IP and to give QoS guarantees for the connections. The exact architecture for using MPLS to support IP—VPNs is still being debated, and a common approach to labeling policy, for supporting MPLS across several autonomous systems to provide end-to-end guarantees, is currently being thrashed out.

IP network management needs to become more sophisticated
Management is an important issue in VPN services. Users need to be able to see their own VPN and manage it alongside their corporate network; VPNs are likely to require large numbers of moves, adds and changes compared with the lower transmission layers. Sophisticated Web- or GUI-based management tools are necessary, as the complexity of IP network management is drastically increased compared with that required for a basic best-effort service.

Three phases of IP—VPN evolution can be identified
For users, three broad stages of evolution of the IP—VPN role in networking can be envisaged, each adding to the capabilities of the previous stages:

• stage 1—economical wide-area access to basic company applications
• stage 2—provision of key aspects of a data network (for example, global WAN backbone or specific international links)
• stage 3—full-scale communications support through voice and data integration and the ongoing elimination of other networking technologies.

In practice, the divisions between these stages are not likely to be entirely clear-cut, nor is it suggested that a company must progress through them all sequentially, or necessarily fully implement each stage at all the sites throughout its network. Phased and partial implementations will be necessary in any company that faces legacy issues.

Smaller companies will seek convenience and savings
For smaller companies to be persuaded to change to an IP—VPN offering managed by a service provider, it will be crucial to demonstrate that the change will save time and money. Service providers need to offer a managed firewall and IPSec server with virus screening and intruder detection. In addition, they need to provide up-time guarantees at a price demonstrably lower than running an IP—VPN server in house. QoS guarantees are not a big issue for these companies, so up-selling is likely to be in the area of ASP systems services, such as remote back-up.

Corporate users will need a service provider partner
For corporate users, the migration process will be managed in partnership with their service providers. They will initially retain a core FR—VPN while introducing IPSec-based IP—VPNs for dial-up access for small sites, road warriors (travelling staff) and teleworkers.

They will then extend the reach of the VPN by using IP to connect other offices that it was not previously economic to connect with frame relay, possibly trying out a new service provider for this segment. These offices may be using mass-market broadband connections, such as DSL or cable modems, which can connect back to a head office by using IPSec-based VPNs.

It will be some time before there is even the option of using MPLS to provide QoS guarantees for such premises, although there may be some cases where a DSL provider can offer an ATM-based SVC for these users.

IP—VPNs offer service providers potentially significant opportunities and motives to migrate customers to this technology. These include:

• a reduction in network costs from the use of newer technology
• the extraction of additional revenues from existing networks by adding an IP—VPN layer
• the development of value-added offerings, including security enhancements (such as intrusion detection), specialist extranets and ASP offerings
• developing closer relationships and partnerships with customers to aid the process of migration to the new networking technology
• the development of managed IP—VPN packages for SMEs as part of the process of creating new networking markets.

For service providers targeting the corporate market, coverage is an important issue in providing IP—VPNs because the limited standardization of MPLS means that only players that can connect all the company sites directly to their own network can provide comprehensive guarantees. IPSec tunnels can be successfully created across multiple networks, but guaranteed bandwidth and QoS guarantees cannot because these depend on the exchange of prioritized traffic between networks.

Selling IP—VPNs to SMEs is a challenge for service providers
From a service provider's perspective, migrating a corporate user from an FR—VPN to an IP—VPN is a very natural step, and should provide an opportunity to offer some additional value-added services. However, it does not open a new market area in networking. A potentially more radical opportunity for IP—VPNs should be in the SME market. It is users from this market segment that are often enthusiastically adopting the IPSec approach, but they may do so on a do-it-yourself basis because their service providers' managed offerings are too expensive or otherwise inappropriate.

Naturally, demand in the SME market is limited to multi-site SMEs and those with teleworkers or travelling staff. Further, there are evident issues of timing in the offering of IP—VPN services to this segment as a whole, since, as the survey confirms, current and potential users tend to be communications aware and in a business where advanced data networking is essential. Such users are not yet representative of the larger proportion of SMEs (particularly those that are very small) whose communications needs are much simpler.

Broadband is crucial to the SME market
One of the issues for service providers in addressing the SME market is the coverage of broadband access (mainly DSL, cable-modem and fixed-wireless access), because this increases both the demand for managed firewalls and the opportunity to provide more sophisticated IP—VPN services to SME sites. Broadband also makes it economic to connect smaller corporate sites to the main IP—VPN, thus increasing the scope of the opportunity for the service provider and providing one of the main advantages of moving from frame relay to IP—VPNs. The recent slowdown in the roll-out of these broadband technologies in some countries could have a negative effect on the size of the IP—VPN market.

Disclaimer
Figures and projections contained in this report are based on publicly available information only and are produced by Analysys Research Limited independently of any client-specific work within the Analysys Group. The opinions expressed are those of the stated authors only.

Analysys Research Limited recognises that many terms appearing in this report are proprietary; all such trademarks are acknowledged and every effort has been made to indicate them by the normal UK publishing practice of capitalisation. However, the presence of a term, in whatever form, does not affect its legal status as a trademark.

— End