portant application. And, to a lesser extent, VPNs may address locations where traditional private network connections cannot be economically justified. Some vendors and service providers are talking up the idea of replacing existing private network links with VPN links.
But VPNs (and IP tunneling, one of the underlying technologies) raise several challenges. Foremost, how do you deal with issues of QoS? How do you handle non-IP traffic? How do you authenticate and assign IP addresses? And how secure are they?
How Does It Work?
There are two main architectures for setting up a tunnel: client-initiated or client-transparent. Client-initiated tunneling requires tunneling software both for clients and for tunnel servers (or gateways). The latter typically reside at the corporate central site, though they could reside at the ISP point of presence (POP) that serves the central site. With client software to initiate the tunnel, and the tunnel server at the corporate site to terminate the tunnel, the ISP doesn't have to support tunneling in any way. The client and the tunnel server simply establish the tunnel, using authentication based on a user ID and password and perhaps on a digital certificate. The client and the tunnel server may also negotiate encryption. Once the tunnel is established, communications proceed as if the ISP were not mediating the connection.
On the other hand, if you want tunneling to be transparent to the client, the ISP's POPs must have tunnel-enabled access servers and perhaps routers. The client first dials in to the access server, which has to recognize (based on a user ID, for instance, or on the user's choice from a menu) that this connection should be tunneled to a particular remote location. The access server then establishes the tunnel with the tunnel server, typically using the user ID and password for authentication. The client then establishes a session directly with the tunnel server via the tunnel, just as if the two were directly attached. While this has the advantage that no special software is required on the client, the client can dial only into properly equipped access servers.
During 1996, two tunneling protocols competed for users' attention: Microsoft's Point-to-Point Tunneling Protocol (PPTP) and Cisco's Layer Two Forwarding (L2F). The essential technical difference between the two is that PPTP tunnels by wrapping PPP packets in IP, a Layer Three protocol, while L2F, as its name implies, uses Layer Two protocols, such as Frame Relay and ATM, for tunneling.
PPTP can be client-initiated (and transparent to the ISP) or client-transparent. In either case, it is currently NT-only: It requires both an NT client and an NT server. In contrast, L2F requires support in access servers and routers; thus the ISP has to support L2F. In its defense, L2F provides some things PPTP doesn't, such as authentication for tunnel endpoints (i.e., between the access server and the tunnel server).
A major advantage of PPTP is Microsoft's support for it. Both a client and a tunnel server for PPTP were shipped in NT 4.0. A Windows 95 client is planned. Another advantage is PPTP's support for flow control, keeping clients and servers from getting overwhelmed by traffic and enhancing performance by minimizing dropped packets and thus retransmissions. However, PPTP requires IP (though it can tunnel IPX and NetBEUI, as well as PPP), and it doesn't include authentication for tunnel endpoints. PPTP, leveraging PPP, relies on user authentication. In addition, some analysts think PPTP may not scale as well as hardware-based solutions such as L2F.
Recognizing the merits of each other's protocols, Microsoft and Cisco agreed late last year to merge their competing protocols into Layer Two Tunneling Protocol (L2TP), which is supposed to offer the best of PPTP and L2F. Secure IP, or IPSEC, is expected to be commonly used to coordinate encryption between L2TP endpoints. (Standardized encryption has not been a feature of PPTP or L2F.) L2TP will also support multiple simultaneous tunnels for a single client. Multiple concurrent tunnels may be important in the future, when tunnels support bandwidth reservation and QoS.
These aren't the only tunneling protocols around. For instance, in its BayStream Dial VPN Services, Bay Networks uses Mobile IP for tunneling, avoiding both PPTP and L2F. Bay Networks will support L2TP and IPSEC as those protocols mature. BayStream Dial VPN Services is designed to allow ISPs to offer VPNs to customers, with no modifications of clients or at central sites. Dial VPN Services is a feature of the Bay Networks 5000 Multi-Service Access Switch, Remote Annex remote access concentrator family, and Backbone Node router platform.
As another alternative to PPTP and L2F, NEC has been evolving SOCKS, an authenticated firewall traversal protocol, designed to permit a data stream to cross a firewall based on user authentication rather than on the characteristics of the IP packet. Developed in 1990, SOCKS is now an IETF standard (RFC 1928, 1929, and 1961). Version 5 includes encryption negotiation.
Among SOCKS's advantages are support for Unix and NT, plug-in support for many authentication and key management methods, and a unidirectional security architecture that allows you to tunnel to another network while minimizing your exposure to attack from that network. In addition, SOCKS operates at the TCP level, making it easier to establish application-specific tunnels for applications associated with a particular TCP port.
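The SOCKS behaviour described above, as an added example that is not code from the article or from NEC or Aventail: the RFC 1928 method negotiation, the RFC 1929 username/password sub-negotiation and the CONNECT request, encoded on the client side and parsed on the gateway side, which is what lets a firewall decide on the authenticated user and requested TCP destination rather than on the addresses in the IP packet. Message layouts follow the two RFCs; the hosts and credentials used to exercise it are constructed.

```python
"""SOCKS5 framing (RFC 1928) with username/password sub-negotiation (RFC 1929).

Added example, not code from the article or from any vendor it names: the client
encodes each message and the gateway parses it, so the pass/deny decision is
keyed to the authenticated user and requested TCP destination, not the IP packet.
"""
import ipaddress
import struct

SOCKS_VER = 0x05
NO_AUTH, USER_PASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03

def client_greeting(methods):
    """Client -> gateway: VER | NMETHODS | METHODS."""
    return bytes([SOCKS_VER, len(methods)]) + bytes(methods)

def select_method(greeting, require_auth=True):
    """Gateway -> client: pick username/password if offered, else refuse (0xFF)."""
    if len(greeting) < 2 or greeting[0] != SOCKS_VER or len(greeting) != 2 + greeting[1]:
        raise ValueError("malformed greeting")
    offered = set(greeting[2:])
    if USER_PASS in offered:
        return USER_PASS
    if not require_auth and NO_AUTH in offered:
        return NO_AUTH
    return NO_ACCEPTABLE

def userpass_request(user, password):
    """RFC 1929 sub-negotiation: VER(0x01) | ULEN | UNAME | PLEN | PASSWD."""
    u, p = user.encode(), password.encode()
    if not (1 <= len(u) <= 255 and 1 <= len(p) <= 255):
        raise ValueError("credential field length out of range")
    return bytes([0x01, len(u)]) + u + bytes([len(p)]) + p

def parse_userpass(data):
    """Gateway side of RFC 1929; returns (user, password) or raises on bad framing."""
    if len(data) < 3 or data[0] != 0x01:
        raise ValueError("bad sub-negotiation version")
    ulen = data[1]
    if len(data) < 3 + ulen or len(data) != 3 + ulen + data[2 + ulen]:
        raise ValueError("length mismatch")
    return data[2:2 + ulen].decode(), data[3 + ulen:].decode()

def connect_request(host, port):
    """Client -> gateway: VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT (IPv4 or name)."""
    try:
        body = bytes([ATYP_IPV4]) + ipaddress.IPv4Address(host).packed
    except ValueError:  # not a dotted-quad literal: send it as a domain name
        name = host.encode("idna")
        body = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VER, CMD_CONNECT, 0x00]) + body + struct.pack("!H", port)

def parse_request(data):
    """Gateway side: returns (cmd, host, port), the tuple a firewall policy keys on."""
    if len(data) < 4 or data[0] != SOCKS_VER or data[2] != 0x00:
        raise ValueError("malformed request")
    cmd, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        host, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == ATYP_DOMAIN:
        host, rest = data[5:5 + data[4]].decode(), data[5 + data[4]:]
    else:
        raise ValueError("unsupported address type")
    if len(rest) != 2:
        raise ValueError("length mismatch")
    return cmd, host, struct.unpack("!H", rest)[0]
```

Because the gateway refuses a greeting that offers only "no authentication" unless explicitly configured otherwise, an unauthenticated stream never reaches the CONNECT stage.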
Any firewall can be configured to pass SOCKS traffic transparently. Native SOCKS support allows a firewall to originate and terminate a SOCKS data stream. Although none of the three top firewalls -- Trusted Information Systems' Gauntlet, Check Point's FireWall-1, or Raptor Systems' Eagle -- supports SOCKS natively today, analysts at the Gartner Group predict that all the leading firewalls will support it by 1998. Aventail's MobileVPN and PartnerVPN use client-initiated SOCKS tunnels.
So far, IPSEC and L2TP have captured the market's attention far more than SOCKS has. "I don't know of anyone trying to create interoperable VPNs based on SOCKS," says Ira Machefsky, an analyst with the Giga Information Group. On the other hand, it was only with the recently introduced SOCKS version 5 that it became easy to "socksify" clients. Before, the client code had to be recompiled to support SOCKS. With SOCKS v5 and technology such as Aventail's Autosocks, unmodified clients can be instantly socksified. "If SOCKS had had this capability two years ago, it would have been a slam dunk [for SOCKS to gain widespread success as a VPN standard]," says Michael Zboray, an analyst with the Gartner Group. "Now, only time will tell whether the technical advantages of SOCKS will be sufficient to overcome the momentum of IPSEC and L2TP."
Quality of Service
The technologies for low-cost, Internet-based VPNs are maturing. But you still may have trouble finding an ISP willing and able to manage your VPN for you. There are still many outstanding questions. How do you guarantee the quality of service? And how are ISPs to charge for VPN traffic?
Right now, few ISPs support QoS. New technologies such as Resource Reservation Protocol (RSVP) address the QoS problem, but they can't undo this basic reality. RSVP enables users to manage QoS, but RSVP only requests guaranteed bandwidth or a given delay/latency or error rate; it's up to the ISP to fulfill the request, and many ISPs can't handle RSVP. Even if they could, ISPs must be able to charge more for high-priority packets than for low-priority packets before they will roll out the service.
"We may have to start charging for usage," says Vint Cerf, senior vice president of data architecture at MCI Communications, a major carrier of Internet traffic. "As the system becomes bigger, it gets more difficult to make things flat-rate. In addition, we might well have different charges based on quality of service. Ideally, charges should reflect the amount of resource consumed to deliver a service."
And this is just intra-ISP QoS. Even when ISPs have direct network connections among themselves in order to speed traffic flows, they typically have no agreements covering reliability, availability, or QoS. Eric Paulak, senior analyst with the Gartner Group, expects such "network interface" agreements for private networks, such as Frame Relay networks, early in 1998, along with the introduction of switched virtual circuits (SVCs) that make it easy to connect Frame Relay networks from different carriers. Network interface agreements for Internet services may come later in 1998, says Paulak.
However, such agreements will require billing arrangements and perhaps protocols that do not yet exist. "If ISP 'A' carries high-priority traffic for ISP 'B,' ISP 'A' needs to get remunerated for allocating those resources," says John Coons, director and principal analyst of wide-area networking at Dataquest. It could be mid-1999 before ISPs have the protocols and billing arrangements in place to make that possible, Coons thinks. Right now, he points out, ISPs typically don't even have mechanisms to bill for classes of service within their own domains.
For now, if you want end-to-end service guarantees, you'll probably have to stick with a single ISP. Even at that you'll have to choose your ISP carefully since many offer little or nothing in the way of service guarantees. And even with service guarantees, having to stick to one ISP discourages the use of VPNs because a company may have little influence over the ISP selected by its suppliers, customers, or partners. Even if a company does have such influence, a single ISP cannot offer the ubiquitous access associated with the entire Internet. (Some, such as CompuServe, UUNet, and MCI, come closer than others.)
Dial-In Cost Savings
But even with QoS questions outstanding, many companies are interested in Internet-based VPNs. As well they should be: The cost of a VPN may be less than half that of a private dial-in access solution.
Today, companies typically use in-house communications servers, modem banks, and toll-free numbers to support dial-in access. It works, but there are some catches. The equipment is frequently being upgraded to faster modems, ISDN, or even digital subscriber line (DSL). Furthermore, carrier offerings and tariffs change continually. These changes cost both money and management effort. Even in stable configurations, dial-in connections are notoriously finicky.
Economies of scale make it more cost-effective for ISPs to maintain all the dial-in connections at the POP rather than each company maintaining its own. Similarly, it's more economical for ISPs to maintain huge, highly utilized backbone pipes than for each company to maintain a smaller, less fully utilized pipe. The way Internet services are packaged may be more efficient in terms of sales and operations.
Using a VPN, companies can off-load most of the expense and hassle associated with dial-in connectivity: Users simply dial in to the closest ISP POP. The ISP manages the modem banks and communications servers and thus makes the bulk of the investment in access technologies. The ISP forwards the dial-in traffic to a central corporate site via the VPN. At the central site, the corporation maintains a single connection to the Internet, usually via a high-speed digital line such as a T1. Dial-in traffic looks like ordinary Internet traffic coming in on the high-speed digital access line. Functionally, remote users have the same connection to the corporate network as if they were sitting at their desks at the central site.
Partner VPNs
After dial-in access, connection to business partners is the major advantage of Internet-based VPNs over private networks. Rather than leasing lines directly to major partners and customers, you can use your existing Internet connections to send VPN traffic to one another.
For intracompany traffic, on the other hand, a VPN typically has no price advantage over Frame Relay for equivalent service, says Gartner's Paulak. The logic behind this assertion works like this: The same basic telecommunications infrastructure provides both Internet and private network services, so they have part of their cost structure in common. Beyond that, carriers or ISPs may have to charge for the additional services they offer, including reliability, availability, and QoS.
UUNet's ExtraLink is an example. At one point, ExtraLink, which used UUNet's underlying Frame Relay network, cost about 30 percent more than ordinary Frame Relay, says Paulak. UUNet started with the same basic cost that any carrier has for maintaining a Frame Relay network. Then UUNet added IP routing and security. Naturally, the company had to charge more. Other carriers, such as AT&T, offer "managed" Frame Relay services, which include IP routing and security, for only about a 15 percent premium over ordinary Frame Relay.
Such managed Frame Relay services will not connect you to other companies' Frame Relay networks, however, while UUNet will connect multiple companies to the same ExtraLink network. For connecting to suppliers, business partners, and customers, a service like ExtraLink can make a lot of sense.
If VPNs help ISPs capture a larger market share, the ISPs may be able to lower their prices. VPNs often support applications with higher duty cycles than typical Internet access, notes Skip Taylor, group manager of remote access services for CompuServe Network Services. Such applications, including work-at-home programs, remote access, nomadic users, and cross-functional teams in different locations, can generate consistent traffic loads that can justify higher-bandwidth backbones. Unit price decreases as volumes increase and backbones are more fully utilized, observes Taylor. In March, CompuServe began testing an IP-based VPN service that will be rolled out in 10 to 15 major metro areas over the year.
Business customers, according to Gartner analysts, are most interested in the tightly controlled VPN services offered by a single ISP, such as CompuServe or UUNet. However, these services are more or less identical, from the customer's point of view, to services that these same ISPs have been offering for years. In both cases, the customer dials in over an async line using PPP and is connected securely and reliably to a central site.
Are these ISPs, then, pulling a bait and switch, luring the customer with the term "VPN," which implies more ubiquitous access and lower prices, then delivering business-as-usual access and prices with new terminology? Initially it may look that way. But over time, these services will evolve to provide a level of interoperability beyond what has been possible.
Multiprovider VPNs
As protocols like IPSEC, L2TP, and SOCKS mature, ISPs will be able to interconnect tunnels more easily. With network interface agreements to ensure availability and quality of service, ISPs will be able to offer VPNs that span multiple providers without giving up the service guarantees that are associated with single-provider VPNs today. However, you probably won't see many multiprovider VPNs before 1998.
Meanwhile, organizations can implement their own multi-ISP VPNs with guaranteed performance by using customer premises equipment if they can get service guarantees from the individual ISPs. For example, customers can:
- Set up client-initiated tunnels via multiple ISPs
- Encrypt those tunnels
- Implement a system of digital keys for authentication and nonrepudiation
- Configure routers and firewalls to prevent unauthorized users from accessing the central site
You can use the PPTP capabilities in Windows NT to initiate and terminate tunnels through multiple ISPs. Alternatively, you can just terminate the tunnels with an NT server and let the ISPs handle the initiation if they're set up for it.
Or you can use MobileVPN or PartnerVPN, from Aventail, to establish client-initiated tunnels via SOCKS. MobileVPN connects a single Windows or Unix client to a Unix or NT server behind the firewall at the central site. PartnerVPN connects two LANs by creating a tunnel between two Unix- or NT-based LAN servers. Aventail's VPN solutions are client/server systems. The server starts at $4995, and pricing for the client starts at $69.
Both ISPs and end users can implement PPTP VPNs using Check Point Software Technologies' FireWall-1 firewall. The company's $100 SecuRemote client software can be used to set up client-initiated PPTP tunnels, which terminate in FireWall-1 at the ISP's POP or at the corporate central site.
Ascend Communications, the dominant supplier of access switches to ISPs, has supported the protocol in its Ascend MAX WAN access switch since early 1996, allowing ISPs to offer tunneling as a service to its customers. Ascend will support L2TP when that is ready for implementation.
TimeStep offers an IPSEC encryption implementation in its Permit family of VPN products. These products include Permit PC, $99 Windows-based client software; the Security MicroGate, a $1795 box that provides VPN services for a single network node; and the $5495 Security Gateway box, which offers VPN services for an entire LAN or subnet. TimeStep also offers SNMP-based management software, the $4995 Secure Network Management System. TimeStep supports X.509 certificates and will support Internet Security Association and Key Management Protocol (ISAKMP)/Oakley when it is ready for deployment (see the sidebar "Security Solutions").
AltaVista Tunnel 97, from AltaVista Internet Software (a subsidiary of Digital Equipment Corporation), is a client-initiated VPN solution. It is based on a proprietary technology, but AltaVista plans to adopt tunneling standards as they firm up. When introduced in 1995, AltaVista Tunnel required a Unix server from Digital. An NT/Intel port was released in October '96 and an NT/Alpha port in May '97. A Solaris port is expected by the end of this year. AltaVista Tunnel supports Windows 95 and NT clients. Tunnel 97 Personal Edition costs $99. The Workgroup Edition is $995.
VPNet's VPLink technology allows you to set up tunnels independent of the ISP. VPLink incorporates real-time data compression along with IPSEC encryption, authentication, and key management. VPNet's $3995 VSU-1000 "VPN service unit" sits between the last router at the edge of an internal network and the outside world. The VSU-1000 manages IPSEC-based VPNs; it encrypts, decrypts, and compresses data, and it manages keys. Because the VSU-1000 offers hardware-based encryption and compression, it can saturate a T1 or E1 line. The compression mitigates the overhead of IPSEC headers, which can otherwise increase packet size to the point where the Internet fragments the packets for transmission, greatly degrading throughput over WAN links. Compression ensures better performance and makes VPNet's solution more scalable.
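The header-overhead and fragmentation effect described in the paragraph above, as an added example that is not code from the article or from VPNet: it works out how much ESP tunnel-mode encapsulation grows each packet and how many IPv4 fragments a 1500-byte path MTU then forces, which is the throughput cliff the text describes. The cipher block, IV and ICV lengths are assumed values (a 16-byte block cipher in CBC mode with a 96-bit HMAC); the fixed header and trailer sizes follow the ESP packet format, and the sample packet sizes are constructed.

```python
"""ESP tunnel-mode size growth and the fragmentation cliff described above.

Added example, not code from the article or from VPNet: it models the per-packet
overhead IPSEC ESP adds in tunnel mode and counts the IPv4 fragments a path MTU
forces. Cipher block size, IV length and ICV length are assumed values (a 16-byte
CBC block and a 96-bit HMAC here); substitute the transform actually negotiated.
"""
OUTER_IP = 20      # outer IPv4 header prepended in tunnel mode
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
IP_HDR = 20        # an IPv4 header rides on every fragment


def esp_tunnel_size(inner_len, block=16, iv_len=16, icv_len=12):
    """Bytes on the wire for one inner IP packet of inner_len bytes, before fragmentation."""
    padded = -(-(inner_len + ESP_TRAILER) // block) * block  # pad up to the cipher block size
    return OUTER_IP + ESP_HDR + iv_len + padded + icv_len


def ipv4_fragments(total_len, mtu=1500):
    """Fragments needed to carry a total_len-byte packet over a link with this MTU.

    Every fragment but the last carries a payload that is a multiple of 8 bytes,
    because the IPv4 fragment offset field counts 8-byte units.
    """
    if total_len <= mtu:
        return 1
    per_frag = (mtu - IP_HDR) // 8 * 8
    return -(-(total_len - IP_HDR) // per_frag)


def wire_bytes(inner_len, mtu=1500, **transform):
    """Total bytes actually transmitted for one inner packet, fragment headers included."""
    total = esp_tunnel_size(inner_len, **transform)
    return total - IP_HDR + ipv4_fragments(total, mtu) * IP_HDR


def largest_unfragmented_inner(mtu=1500, **transform):
    """Largest inner packet that still fits one outer packet: the size to clamp the tunnel MTU to."""
    size = mtu
    while esp_tunnel_size(size, **transform) > mtu:
        size -= 1
    return size


def efficiency_table(sizes=(64, 576, 1400, 1438, 1439, 1500), mtu=1500, **transform):
    """Per constructed inner size: (outer size, fragments, wire bytes), so the cliff is visible."""
    return {s: (esp_tunnel_size(s, **transform),
                ipv4_fragments(esp_tunnel_size(s, **transform), mtu),
                wire_bytes(s, mtu, **transform)) for s in sizes}


if __name__ == "__main__":
    print("largest inner packet without fragmentation:", largest_unfragmented_inner())
    for inner, (outer, frags, wire) in efficiency_table().items():
        print(f"inner {inner:5d} -> outer {outer:5d}, {frags} fragment(s), {wire:5d} bytes on wire")
```

With the assumed transform, a 1500-byte inner packet becomes two fragments and 1580 bytes on the wire, while anything up to 1438 bytes rides in a single packet; clamping the tunnel interface MTU (or TCP MSS) to that figure avoids the fragmentation the article warns about without relying on compression.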
VPNet will support tunneling approaches such as PPTP and L2TP as these standards mature and gain acceptance. The VSU-1000 can communicate with other VSUs or with the $99 VPNremote, IPSEC client software for Windows 95. A Windows NT version is slated to be released later this year. The Java-based $3995 VPNmanager tool suite configures the system. Through the use of import/export files, VPNmanager can establish intercompany extranets for companies using the VPNet products.
Finding the Balance
Pioneers began last year constructing their own VPNs. For instance, the "big three" U.S. automobile manufacturers (General Motors, Ford, and Chrysler) announced the launch of a pilot of the Automotive Network Exchange (ANX), which will allow the carmakers to exchange information and do business with their suppliers. The pilot, originally announced for late 1996, was rescheduled for Q2 1997. Production rollout is expected to begin in Q3. The ANX is sponsored by the Automotive Industry's Action Group, which consists of representatives of the big three and their tier-one suppliers. An ANX overseer company, which has not yet been selected, will provide centralized network administration and management and will certify ISPs to implement VPNs within the ANX. Bellcore is currently helping design the role of the ANX overseer. The ANX will eventually support more than 10,000 partners.
However, multiple-ISP VPNs such as the ANX may be a rarity for some time. Over the next five years, private networks will continue to carry the great majority of corporate traffic, the Gartner Group predicts. Typically, only one company will use such a private network. Fifteen percent of corporate data traffic will be carried by IP networks controlled by a single service provider, such as UUNet or CompuServe Network Services, according to Gartner. Multiple companies may share such a network, and the service provider can still guarantee high levels of security, availability, reliability, and performance. However, customers are limited to access via the points of presence of that service provider. Gartner predicts that only about 5 percent of corporate data traffic will traverse the public Net, which provides the most ubiquitous access but with a lower level of security and no guarantees of performance, reliability, availability, or QoS.
Rebecca Wetzel, director of Internet consulting for TeleChoice (Verona, NJ), a telecommunications consulting firm, believes those Gartner numbers may be accurate for large corporations, which invariably have a private data network infrastructure already in place. Large companies, she says, may use Internet-based VPNs mainly to support mobile workers and telecommuters, applications where ubiquitous access is key. They may not use them much for mainstream data networking applications.
In contrast, small to medium-size companies may not currently have any private data network. Internet-based VPNs, because they are so much easier and less expensive to implement, could capture the majority of this growing market over the next five years, says Wetzel.
Internet-based VPNs are not the long-awaited arrival of ubiquitous, secure, high-quality data networking that costs next to nothing. However, VPNs can provide ubiquitous data networking and networking that is better protected than most private networks from most kinds of attacks (except for denial of service and Ping of Death). VPNs can provide high-quality networking. And they can provide inexpensive networking. Finding the optimal balance between ubiquity, security, quality, and price will require consideration of a range of services and products that will only grow more varied and complex.
Where to Find
Ascend Communications
Alameda, CA
Phone: 510-769-6001
Phone: 800-621-9578
Fax: 510-814-2300
E-mail: info@ascend.com
Internet: http://www.ascend.com