
Article information

  • Title: IP VPNs: migration by integration - Internet Protocol Virtual Private Networks
  • Author: Steve Taylor
  • Journal: Telecommunications International
  • Print ISSN: 1534-9594
  • Year of publication: 2001
  • Volume: July 2001
  • Publisher: Horizon House Publications

IP VPNs: migration by integration - Internet Protocol Virtual Private Networks

Steve Taylor

IP VPNs provide flexible connectivity but the QoS advantages of existing networking technologies like ATM cannot be ignored. A hybrid network of both old and new will be the best solution towards migration to IP VPNs.

Most enterprises now have a wide range of data communication requirements tasked with supporting or serving a growing diversity of functions -- both in the profile of the sites that need to be connected and the traffic that flows between them. Locations are increasingly varied, ranging from corporate headquarters to regional, branch and home offices, to mobile workers with PDAs and mobile phones. Traffic varies from relatively predictable host-to-host batch transfer, to highly sporadic and variable downloads of web-based information via the corporate intranet. There is also growing use of video streaming and multicast TV -- imposing new strains on network capacity and QoS support.

There is growing conviction that IP VPNs will provide the best way of catering for these different requirements within a single coherent range of networking services. Already, 80 per cent of electronic communication is in the form of IP packets, and this will rise towards 100 per cent over the next five-to-ten years as voice and video services migrate to IP-based packet transmission. In the meantime, the remaining 20 per cent will typically represent vital applications that cannot simply be turned off.

Investment concerns

Most large enterprises have already made some investment in VPNs, although these are more likely at present to use ATM or frame relay transmission than direct IP packet-switched transport. Such VPNs enable enterprises to provide secure and reliable access for the growing population of remote and mobile users -- without having to manage the connections themselves, which is increasingly impractical and uneconomic.

Therefore, IP VPNs make sense by combining both technologies within a single hybrid VPN capable of meeting current and future QoS requirements in the most cost-effective way. But there is one big problem: the eternal riddle of how to migrate to a new networking solution without wasting all the investment in existing technologies. Organisations do not wish to invest unnecessarily in new equipment or incur avoidable 'down time' and disruption when changing physical infrastructure.

In any case, IP VPNs at present do not provide the best solution for every single application requirement. In many cases, existing technologies such as ATM, frame relay, dial-up networking, or SMDS (switched multimegabit data service) still provide the required cost/quality balance and will continue to do so for the next few years. In many ways, IP VPNs represent a simplification of existing services sharing some of the essential ingredients.

Slow migration

It is undeniable that IP VPNs are ideal for a growing number of web-based services and applications requiring any-to-any connectivity (the ability to access information stored anywhere from anywhere without the need for pre-configured links). It is also true that the technology trends for high-speed transmission within the core are leading towards direct transmission of IP over optical, with existing protocols such as ATM, frame relay and SDH/SONET eventually being phased out once IP can be shown to fully meet the QoS and CoS (class of service) requirements of all applications.

It is important to emphasise that this technology transition will happen slowly, and not until IP can be shown to meet fully all the QoS needs of data traffic, including real time applications. Meanwhile, many providers will continue to support and indeed enhance services based on technologies such as ATM. However, these trends do mean that enterprises should soon, if they have not already, adopt a strategy for migrating to IP VPN services, without jettisoning existing services that are still performing well.

It is almost certain that over time there will be a progressive migration of data traffic towards IP-based VPN services, just as there has already been to the IP protocol itself. But this should be as painless as possible, avoiding unnecessary disruption by enterprises on the physical infrastructure. The objective should be migration of use -- not of physical infrastructure.

Integrating technologies

To support this flexible migration, a service provider needs to allow existing ATM, frame relay and dial-up services to be mixed seamlessly with the new IP VPN. This imperative has underlined BT Ignite's strategy of developing new switched IP services based on the MPLS (multiprotocol label switching) protocol, which will eventually become the standard mechanism for providing QoS over connectionless IP backbones.

The fundamental move was to connect together the networks supporting the existing frame relay and ATM services with the new IP infrastructure. This makes it possible to mix any combination of the products within an overall service tailored to the needs of each customer. Therefore, an application at one site accessing ATM services can communicate seamlessly with another on the IP service. This can be taken a step further by allowing existing frame relay or ATM users to access the IP routing infrastructure without having to change any of their software or equipment. This has been accomplished by adding a new IP-enabled CoS to existing ATM and frame relay services.

It is true that many ATM or frame relay services already support IP. As noted before, IP accounts for up to 80 per cent of the total traffic but until now it has only been possible to transport the IP traffic over the PVCs (permanent virtual circuits) configured for ATM or frame relay services. With the new IP enabled CoS (comprising an IP PVC at each access), IP traffic can be routed through frame relay or ATM access circuits to an IP network, taking advantage of the 'any-to-any' connectivity of IP.

Access points

The advantages of ATM or frame relay PVCs for highly reliable site-to-site data transmission can be maintained and combined with access to an IP network from the existing ATM or frame relay access circuits. No configuration changes are necessary, other than the creation of an additional PVC at each site. New sites can be connected to frame relay or ATM services, or simply to the IP service, which is capable of meeting most IP related communication requirements. A smooth and cost-effective process of migration can be set in motion -- preserving and exploiting existing investments.

Some enterprises are already taking advantage of access to BT Ignite's IP network directly from their existing ATM or frame relay services. A UK financial institution has for some time been exploiting the facility to mix ATM at its head office sites with lower speed frame relay access from branches. This was ideal for traffic flowing directly between individual branches and the head office. However, it is less suitable for the growing amount of inter-branch traffic created by a new finance application because with the point-to-point star-like structure of the ATM/frame relay combination, this traffic has to flow via the head office, creating congestion on the access circuits there. But the problem will soon be solved with the new IP-enabled CoS, which allows this inter-branch traffic to be diverted onto the any-to-any IP network as soon as it leaves the site. This will be implemented by simply adding an IP CoS PVC at each of the branches. It will also free up the bandwidth on the existing PVCs between branches and head office where internet traffic has been creating unacceptable congestion.

These IP-enabled developments can also make secure integrated dial-up access available to ATM and frame relay customers for the first time. Dial-up access has been available for some time, but until recently it was necessary to go through a gateway to access a corporate network via public frame relay or ATM services.

Role of SMDS

Later in 2001, BT Ignite will add a similar IP CoS to its connectionless SMDS service, which itself provides high speed any-to-any connections. SMDS is ideal for enterprises that have unpredictable traffic between a variety of sites, with access options in the range 192Kbps-25Mbps. With its any-to-any capability, SMDS is well suited to carry IP traffic and for internet applications, but its current limitation is the maximum access speed of 25Mbps, which can be a constraint for the larger sites. The new IP CoS will provide a solution by giving SMDS customers access to higher access speeds via the IP network.

One long-standing SMDS customer, a government agency, uses SMDS to connect 500 branches to four data centres. But the growing amount of internet traffic is creating bottlenecks at these four main sites. Using the IP VPN access, the agency plans to deploy ATM at the four central sites, interoperating with SMDS at the branches via the IP network. The key point is that disruption of the existing network will be minimal, and the only noticeable impact on users will be a significant improvement in the performance of their intranet applications.

Reasons to migrate

In the cases just discussed, the existing ATM, frame relay or SMDS services are being retained, and this is not just motivated by the desire to avoid disruption. These services are also mature, reliable and able to deliver the highest QoS levels, while the IP services are less proven. The primary motivations for migrating to IP VPN services are the expectation that costs will be lower, and the promise of more flexible any-to-any connectivity without the bandwidth constraints of SMDS, or the scalability and management issues posed by the need to configure PVCs with ATM or frame relay.

The anticipated savings will be achieved, but these will spring from economies of scale caused by the consolidation around a single infrastructure and set of standards, rather than by any inherent advantages of IP. And while IP networks do provide the flexible any-to-any connectivity, the big question is whether this can be achieved while delivering the highest levels of QoS.

Inevitably, with a service where there is no constraint, either on where users send their data or the volumes they transmit, it is impossible to provide the absolute guarantee of bandwidth of a point-to-point ATM PVC. But to convince major enterprise customers that it is worth their while migrating from ATM to IP VPNs, the QoS must come so close to an ATM PVC that the difference is almost imperceptible. This is now being achieved through MPLS, which is turning out to be one of the most important protocols in a long list supporting IP. The effect of MPLS is to simulate the operation of an ATM PVC through a connectionless network of IP routers.

Importance of MPLS

The purpose of MPLS is to enable a full range of QoS options to be supported within an IP network no matter how big. To understand how this is being achieved, it is worth considering how IP networks have operated until recently. IP packets were transported through a mesh of routers, each of which calculated the best path forward according to prevailing network conditions. This gave flexibility and resilience because failed links could readily be bypassed by re-calculating a route. But this was also slow and made it impossible to support the high QoS levels necessary for real time traffic because of the difficulty in predicting what path each packet would take, and therefore what the delay would be.

MPLS overcomes these problems by performing the route calculations at the edge of the network and adding labels to each packet that indicate what this route is. Routers within the network then only have to read the labels and swap them for new ones for the next router in line. This process is similar to how ATM switches work by reading and swapping labels. But unlike ATM, MPLS does not require creation of end-to-end virtual circuits that have to be stored by the end devices. Instead, temporary label switched paths are created with all the information needed held within the labels.

This is highly efficient and scalable and also supports QoS. ATM supports QoS by having dedicated virtual circuits of sufficient bandwidth. With MPLS, it is done by use of labels that designate the required level of QoS. Routers in the network can be configured to ensure that some capacity is always left free for IP traffic with a high-designated QoS. So here too there is some overhead, but the arrangement is more flexible than the dedicated point-to-point arrangement of ATM. The downside is that, with no absolutely guaranteed end-to-end paths, there is a slightly greater risk of congestion affecting even the highest QoS levels. This risk can be more or less avoided by providing sufficient capacity within the network. In practice, MPLS represents the best compromise between the needs for efficient utilisation of network capacity and for comprehensive QoS support.
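The label handling described above, sketched as an added example that is not part of the original article: the 32-bit label entry layout follows RFC 3032, while the router names, label values, prefix and forwarding tables are constructed for illustration.

```python
import struct

# Label stack entry per RFC 3032: label (20 bits) | EXP, later renamed
# Traffic Class (3 bits) | bottom-of-stack (1 bit) | TTL (8 bits).
def pack_entry(label, tc, bottom, ttl):
    if not (0 <= label < 1 << 20 and 0 <= tc < 8 and 0 <= ttl < 256):
        raise ValueError("field out of range")
    return struct.pack("!I", label << 12 | tc << 9 | int(bottom) << 8 | ttl)

def unpack_entry(frame):
    (word,) = struct.unpack("!I", frame[:4])
    return word >> 12, (word >> 9) & 0x7, bool(word >> 8 & 1), word & 0xFF

# Constructed tables. The edge router maps a destination to the first label
# once; each core router only maps incoming label -> (outgoing label, next hop).
INGRESS_FEC = {"10.2.0.0/16": (100, "P1")}
LFIB = {
    "P1": {100: (200, "P2")},
    "P2": {200: (300, "PE2")},
    "PE2": {300: (None, "site-B")},   # None: pop the label at the egress edge
}

def ingress_push(ip_packet, dest_prefix, tc, ttl=64):
    """Edge router: choose the path and QoS class, then prepend one label."""
    label, next_hop = INGRESS_FEC[dest_prefix]
    return next_hop, pack_entry(label, tc, True, ttl) + ip_packet

def forward(router, frame):
    """Core router: read the label, swap it, never inspect the IP payload."""
    label, tc, bottom, ttl = unpack_entry(frame)
    if label not in LFIB[router]:
        raise LookupError(f"{router}: no entry for label {label}, drop")
    if ttl <= 1:
        raise ValueError(f"{router}: TTL expired, drop")
    out_label, next_hop = LFIB[router][label]
    if out_label is None:
        return next_hop, frame[4:]
    return next_hop, pack_entry(out_label, tc, bottom, ttl - 1) + frame[4:]

def walk_lsp(ip_packet, dest_prefix, tc):
    """Follow one packet along the label switched path, recording each hop."""
    hop, frame = ingress_push(ip_packet, dest_prefix, tc)
    trace = []
    while hop in LFIB:
        label, tc_seen, _, ttl = unpack_entry(frame)
        trace.append((hop, label, tc_seen, ttl))
        hop, frame = forward(hop, frame)
    return trace, hop, frame
```

The class value set once at the ingress edge is carried unchanged through every swap, and a core router drops any frame whose label has no entry in its table.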

Within some intranet IP services MPLS is already delivering QoS, but within the broader internet it will take longer as there is still work to be done in defining a universal standard supported by all the major vendors of switches, routers, and edge devices. This is needed to provide interoperability between the various versions of MPLS implemented by different carriers and ISPs providing the backbone of the internet. But within intranets there is no need to wait for such final standardisation because individual IP VPN providers can already implement one of several stable versions of MPLS. Furthermore, service providers offer a coherent roadmap to future global IP VPN services extending the full benefits of MPLS QoS functions.

Steve Taylor, FrameStream product manager, BT Ignite

COPYRIGHT 2001 Horizon House Publications, Inc.
COPYRIGHT 2001 Gale Group
