VPN

InternetConnect: Joining IP and ATM with MPLS
—continued

Security is in the eye of the beholder

Readers who are familiar with IPsec VPNs will ask: "yes, but is it secure?" According to Staats, VPNplus offers a level of security similar to that associated with traditional Frame Relay. "In Frame Relay, you assign a DLCI [ definition ]and use this to forward customer traffic [over a shared backbone]," said Staats. "We use a similar process at layer 3 with MPLS tags. Security is ensured by isolating customer traffic so that no customer can receive any other customer's data. Each customer also has its own private virtual routing table."

Backbone access is controlled on a per-interface basis. "Typically, DSL access occurs through an ATM PVC anyway," said Staats. "We map that PVC onto a virtual interface, then move traffic from that interface onto the backbone with an MPLS tag. For Frame access, we do the same thing at the sub-interface level, based on DLCI. We also handle T1 access in the same way, as a virtual interface." But switched access requires VPNplus Remote (see below).

In effect, the "VPN" created by VPNplus enables site-to-site connectivity to members of a closed user group. However, VPNplus does not authenticate or encrypt packets, or even authenticate tunnel endpoints, except with VPNplus Remote. Is physical security sufficient? That depends on a customer's security policy. For example, customers that require end-to-end non-repudiation can always apply IPsec at the desktop.

VPNplus Remote
VPNplus Remote adds switched (remote user) access to VPNplus. With this service, dial users tunnel into a VPN concentrator by running IPsec over the public Internet. A second (provider-initiated) IPsec tunnel links the VPN concentrator into the MPLS VPN. By concatenating secure tunnels, VPNplus Remote enables secure (authenticated, encrypted) access by dial users into the customer's VPN. User-level authentication is performed at the VPN concentrator using RADIUS.

According to Staats, VPNplus Remote is currently based on Nortel Contivity concentrators. "We are also considering Cisco 3000 and 5000 series," said Staats. "The 5000 series is attractive to us because it has native MPLS support. This would allow us to tie directly into the MPLS network with the second tunnel."

Performance vs. Frame Relay, IPsec
So, how does performance compare? According to Staats, "In a traditional Frame network, you'd see similar throughput. But one of the problems with Frame Relay is uncontrolled latency. Because our backbone is ATM, we can better control QoS across the backbone."

Another issue with Frame Relay is scalability. Frame PVCs are point-to-point. Many networks use a hub-and-spoke architecture because a full mesh would require too many site-to-site PVCs. "In our approach, all the intelligence is at the core of the network," said Staats. "Customers only need one PVC per location, because the core provides full-mesh connectivity."

Comparing VPNplus to IPsec is more complex, because IPsec VPN performance varies greatly, depending upon the customer premises equipment (CPE). According to Staats, "Low-end CPE with software-based encryption can introduce 80-100 ms of latency, and this can hurt performance of voice and video applications. More expensive IPsec CPE can overcome this. But our target market is small-to-medium enterprise, and these companies don't want to spend a lot of money on equipment. Our approach lets them use a less-expensive access router and still have high performance suitable for applications like video conferencing."

InternetConnect backs VPNplus with written service level agreements (SLAs). "One of our biggest advantages is our private network," said Staats. "Many competitors use the public Internet and cannot guarantee QoS. Because we use a private backbone, we can offer SLAs." InternetConnect's standard SLA promises 99.9% network availability premise-to-premise, 85 ms latency across the backbone (edge-to-edge), and 120 ms latency premise-to-premise. These metrics exclude ADSL local loops. Service credits are offered in the event of non-compliance, up to 35% of the monthly recurring charge.

The price/performance payoff
MPLS is intended to provide the speed of switching at a cost that more closely approaches that of routed IP. How well does it fulfill that objective?

VPNPlus pricing depends upon the number of customer sites, the bandwidth required, and how close each site is to the CO. Staats described one customer, a nationwide wholesaler of airline seats. "This customer previously faxed prices to offices each day," said Staats. "They priced out Frame Relay but found that, because their locations were distributed across the country, VCs would run them over $18K/month. We were able to provide them with comparable network capability at a tenth of the price."

In fact, InternetConnect supplied sample prices for a five-location business with offices in New York, Chicago, Dallas, Los Angeles, and San Francisco. Full-mesh Frame would run $18,744/month. Private T-1 circuits shave the price to $13,885/month. Hub-and-spoke Frame cuts the price (and performance) to $7,244/month. But VPNPlus does the job for just $1,495/month.

InternetConnect intends to satisfy the low-end business market by integrating DSL access with their ATM backbone. "AT&T's IP-enabled ATM and Frame Relay services are conceptually similar to VPNplus, but serve a higher-end market," said Staats. "We can do the same thing with ATM and Frame access, but we can also leverage DSL for lower cost."

—End

 

Related articles:
	[Dec 22, 2000]	Tunneling at Layer Two
	[June 15, 2000]	IP Security and NAT: Oil and Water?
	[Dec. 2, 1999]	Network-Based VPN Platforms: Sneak Preview

Back to page 1