UConn CSE 3300 - Scalability Implications of Virtual Private Networks
Scalability Implications of Virtual Private Networks
Jeremy De Clercq and Olivier Paridaens, Alcatel
IEEE Communications Magazine, May 2002, p. 151 (Topics in Internet Technology). 0163-6804/02/$17.00 © 2002 IEEE

ABSTRACT

This article gives an overview of the most promising technologies for service providers to offer virtual private network services. The focus of this article is on the analysis of the scalability implications of these virtual private network mechanisms on existing service provider backbone networks. Very often, when deploying VPN services, service providers will be confronted with a trade-off between scalability and security. VPNs that require site-to-site interconnectivity without strong (cryptographic) security can be deployed in a scalable way based on the network-based VPN model, as long as the interaction between the customer and provider routing dynamics is controlled. VPNs that require strong (end-to-end) cryptographic security should be deployed according to the CPE-based VPN model, using the available IPsec protocol suite.

INTRODUCTION

Virtual private networks (VPNs) have existed for a long time, but until now have been either very expensive or limited in functionality and intensive to manage.

Cost reduction (connectionless instead of connection-oriented networking), new technologies (e.g., multiprotocol label switching, MPLS), and more powerful provider edge devices (e.g., capable of context separation and virtual routing) have enabled service providers (SPs) to build VPNs for their customers in an efficient way. These new cost-effective VPN services are often seen as the largest (future) profit generators for IP (converged data and voice) networks.

Although these VPN services seem very promising and have benefited from very optimistic market forecasts, many specialists have serious concerns about the scalability and security of these VPN techniques. This article gives a short overview of the different VPN models considered today, and discusses them in terms of scalability and security.

The deployment of VPNs affects the scalability of the provider networks in terms of memory consumption (amount of code, number of routes to maintain, etc.), processing power (signaling tunnel establishment, updating routing information, etc.), and configuration and management load (upon VPN topology changes, etc.).

As such, a solution is considered "more scalable" than an alternative solution when, for the deployment of the same set of VPNs, fewer devices are affected, memory consumption is smaller, the additional processing power required is more limited (resulting in higher performance), and/or the configuration and management load is smaller.

The question SPs are confronted with is whether a VPN solution in a specific environment will enable the SP to support enough satisfied VPN customers to justify the investment.

Besides the analysis of VPN solutions on the basis of scalability considerations, the security properties of the VPN solutions are analyzed. This shows clearly that strong security has an important cost, and that a trade-off must be made between security and scalability.

SCOPE

VPNs are networks that are perceived as private networks by the customers using them, but are built over a shared infrastructure owned by an SP. The shared infrastructure consists of the shared backbone and the provider edge devices (PEs). A VPN typically consists of a number of geographically dispersed (private) customer sites that are attached to PEs through customer edge (CE) devices and communicate with each other using the shared backbone (Fig. 1).

THE OLD DAYS

Traditional VPNs exist in two flavors: leased line VPNs and customer-premises-based secure VPNs.

With traditional leased line VPNs, the customer sites are interconnected via static (permanent) virtual channels such as asynchronous transfer mode (ATM) or frame relay permanent virtual circuits (PVCs) through a layer 2 backbone network. The individual sites are connected to the edges of the SP network, and the SP establishes the necessary layer 2 connections. This is a very expensive architecture, in terms of both provisioning and configuration and management. The establishment of a leased-line VPN typically takes a long time and requires a lot of manpower.

With customer premises equipment-based (CPE-based) VPNs, all the VPN functions are implemented at the customer premises. The SP's infrastructure is not involved in any VPN function: the routers in the SP's network do not treat VPN IP packets differently from, say, Internet access IP packets.

Customers can buy and deploy dedicated VPN equipment or add software engines to existing routers, gateways, or even personal computers. Since different VPN sites are typically interconnected through the Internet, an unknown and untrusted interconnection of networks, CPE-based VPNs often make use of cryptographic security to protect their intersite traffic.

A drawback of CPE-based VPNs is that they require customers to acquire, configure, and maintain expensive VPN gateways, which implies the presence of highly qualified IT staff.

THE NEW WAVE

In the last couple of years, different equipment vendors have proposed a new type of VPN, and since then these network-based IP VPNs have gained important market interest and an increasing market share. Network-based IP VPNs enable SPs with an IP backbone to offer VPN services to a large number of customers over the same backbone, in a scalable and manageable way, without affecting the existing customer networks. These VPN connectivity services are then often offered in combination with other IP services (e.g., Internet access, firewalls, and IP quality of service, QoS).

With network-based IP VPNs, the customer's routers need not implement VPN-specific functions such as tunneling. Customer sites are connected to PEs that are IP routers (Fig. 1). These PEs need to maintain separate (IP) contexts (with separate IP routing and forwarding tables) for every supported VPN, ensure the distribution of the IP reachability information between distant sites belonging to the same VPN, and intelligently forward the VPN traffic.

The creation and consistent maintenance of separate contexts for different VPNs (as depicted for PE 1 in Fig. 2) makes it possible that:
• Traffic from one specific VPN will not be injected into sites belonging to a different VPN.
• Customer sites can use private addressing, independent of each
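The per-VPN contexts described for PE 1 are the core of the network-based model, and the two bullet points follow directly from them. The following Python sketch is an added illustration, not code from the article or from Alcatel: it models one PE that keeps a separate forwarding table per VPN, with constructed VPN names, ports, prefixes and next hops. It shows that a lookup never leaves the context of the port the packet arrived on (no cross-VPN injection), that two VPNs can both use 10.0.0.0/24 without conflict (private addressing), and the memory cost the introduction points at: the PE holds the routes of every VPN attached to it. The reachability distribution between PEs and any MPLS label handling are deliberately not modeled.

```python
"""Toy provider edge (PE) with one routing/forwarding context per VPN.

Added illustration, not code from the article; VPN names, ports, prefixes
and next hops are constructed for this example.
"""
import ipaddress
from collections import defaultdict


class ProviderEdge:
    """A PE router that keeps a separate forwarding table for each VPN."""

    def __init__(self, name):
        self.name = name
        # VPN identifier -> list of (network, next_hop): one context per VPN
        self.contexts = defaultdict(list)
        # CE-facing attachment port -> the single VPN that port belongs to
        self.ports = {}

    def attach_site(self, port, vpn):
        """Bind a CE-facing port to exactly one VPN context."""
        self.ports[port] = vpn
        self.contexts[vpn]  # create the (possibly still empty) context

    def add_route(self, vpn, prefix, next_hop):
        """Install a route into one VPN's table only."""
        self.contexts[vpn].append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, vpn, dst):
        """Longest-prefix match restricted to a single VPN context."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, next_hop in self.contexts.get(vpn, []):
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop)
        return None if best is None else best[1]

    def forward(self, ingress_port, dst):
        """A packet is looked up in the context of the port it arrived on,
        so it can only ever reach prefixes that belong to its own VPN."""
        return self.lookup(self.ports[ingress_port], dst)

    def route_count(self):
        """Routes this PE must hold: the sum over all attached VPNs, which is
        the memory cost the network-based model places on the PE."""
        return sum(len(table) for table in self.contexts.values())


def build_pe1():
    """PE 1 serving two VPNs that both use 10.0.0.0/24 (constructed data)."""
    pe = ProviderEdge("PE1")
    pe.attach_site("ce-a1", "VPN-A")
    pe.attach_site("ce-b1", "VPN-B")
    # VPN A: local site behind ce-a1, remote site 10.0.0.0/24 reached via PE2
    pe.add_route("VPN-A", "10.1.0.0/24", "ce-a1")
    pe.add_route("VPN-A", "10.0.0.0/24", "tunnel-to-PE2")
    # VPN B: the same private prefix 10.0.0.0/24, but another customer via PE3
    pe.add_route("VPN-B", "10.0.0.0/24", "tunnel-to-PE3")
    pe.add_route("VPN-B", "192.168.5.0/24", "ce-b1")
    return pe


if __name__ == "__main__":
    pe = build_pe1()
    print(pe.forward("ce-a1", "10.0.0.7"))     # tunnel-to-PE2: VPN A's 10.0.0.0/24
    print(pe.forward("ce-b1", "10.0.0.7"))     # tunnel-to-PE3: VPN B's 10.0.0.0/24
    print(pe.forward("ce-a1", "192.168.5.9"))  # None: a VPN B prefix is invisible to VPN A
    print(pe.route_count())                    # 4: routes of both VPNs held on one PE
```

With a single shared table the PE would have had to pick one of the two 10.0.0.0/24 routes, which is exactly the overlap and leakage problem the separate contexts avoid. Note that the isolation shown here rests entirely on two things the model takes for granted: the port-to-VPN binding, and the control plane that fills each table with only that VPN's routes. A misconfigured binding or a route leaked into the wrong context defeats it, which is why the abstract conditions the scalability of this model on keeping the customer and provider routing dynamics under control.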