Flanagan Consulting
Network Analysts and Consultants
"We Have the Experience"
---------------------------------------------------------------------------
ViewsLetter on Provisioning
5 May 2003
#22
---------------------------------------------------------------------------
A fortnightly look at provisioning automation--chips to business software.
IN THIS ISSUE:
-- Automating IP VPNs: What's Involved?
-- This issue sponsored by [information, links at end]:
= Primal Technologies automated phone conferencing platform for carriers
= MPLScon--The Enterprise-Focused MPLS Event, NYC, 19-22 May 2003
>>Analysis
AUTOMATING IP VPN DEPLOYMENT:
DEPENDS ON WHAT YOU MEAN BY 'VPN'
--By William A. Flanagan, Editor and Publisher
Much of the hope for automated provisioning of "services" lies on the assumption
that the carrier's network will be "IP-based." One such service enthusiastically
embraced by many is the "IP Virtual Private Network" (IP VPN). By generally
accepted definition, a VPN is part of a public (shared) network; the
concept doesn't apply to a private network used by a single entity.
"Privacy" on a public net derives from encryption, from operational methods (or
technology) that isolate one user's traffic from all others', or from both.
Carriers and hardware vendors have sold the VPN concept heavily. Enterprise
users often see VPNs as a way to outsource the headaches of running a private
network. Unfortunately, vendors don't always ensure that prospective
users understand fully the service they get. To prepare for more detailed
discussions on provisioning VPNs, let's look first at types of VPNs and their
variations.
An ideal IP VPN supports many connections and offers a choice of characteristics
for each, in addition to privacy, on one high-capacity access circuit (local
loop). For example, a "VPN" on an IP network managed by a single carrier
might be able to give certain connections higher priority than others.
Configuring the access device might guarantee throughput to a certain level,
cap it at some limit, or both. Ideally, subscribers are willing (even
eager) to pay for specific characteristics, generating more revenue for the
carrier than it could charge for commodity Internet access. The generic
Internet, to date, offers no such options that go beyond privacy.
ENCRYPTION VPNs
The middle name of VPN is private. Historically, people have relied
on encryption for privacy--still do. Encryption makes a portion of
a public network private for each VPN subscriber. Saying that, a question
remains: where on the user's connection does encryption start and end?
Two answers commonly apply (drawing 1 at http://www.flanagan-consulting.com/FigsVL22.html):
1. End-to-End: the encryption devices are on the subscriber's premises; the
service provider (SP) transports IP packets without knowing (or caring) if they
are encrypted.
2. On-Net: the SP maintains encryption devices in its Points of Presence (POPs)
and encrypts information while it is on the network; access links are in the
clear.
In neither case does the subscriber have to manage the encryption function;
the SP handles that as part of a managed router service (1), or in maintaining
its own network hardware (2).
When privacy is the only attribute wanted from a VPN, the customer is free
to install encryption on any Internet access, resulting in a "customer-provided"
VPN (still on a public network). Several vendors (Nortel Networks,
Encore Networks, Cisco, Alcatel, NetScreen, Quarry, Sonus, others) offer
equipment optimized for this function in two broad categories; encryption
may also be done in software. Taken together, that gives four broad product
categories (drawing 2 at http://www.flanagan-consulting.com/FigsVL22.html):
1. Remote site hardware: typically designed for 2 Mbit/s or less and up to
about 35 encrypted IP security (IPsec) sessions at a time on an Ethernet port;
may have integral CSU and a variety of other features.
2. Remote software client: encryption for web sites is almost always based on
Secure Sockets Layer (SSL) performed by the browser (indicated by the "s" in
https://...); access to other applications on internal or non-public
enterprise servers tends to use IPsec handled in a separate client that also
authenticates the user.
3. Central site hardware: capable of maintaining thousands of encrypted
sessions, SSL or IPsec, with total throughput of at least hundreds of megabits
per second.
4. Server encryption software: web servers may support SSL as well as deliver
content.
TOO MANY CHOICES
Of all the security measures available, SSL between a browser and web server
is the easiest to deploy. Today, most operating systems and browsers
include SSL, so there is no additional effort required to make sure each
computer has the capability to encrypt. However, the level of protection
varies widely, depending largely on the size of (number of bits in) the encryption
key.
IPsec presents several options (meaning more work). The main concern
is what type of encryption algorithm to use (DES, 3DES, AES, etc.), the size
of the key (varies from less than 128 to more than 1024 bits), and the management
method for issuing and withdrawing keys (private "shared secrets" or "public
keys"). No room here to go into the details--many books and web sites
cover the topics. In (very) short form, private keys are simpler on
small networks; public keys require more infrastructure but scale up
to very large networks.
Deployment of services on public networks requires scalability. That
points to public keys, certificates, and similar encryption technologies.
Getting keys into the proper devices or software clients (and keeping them
out of the wrong hands) may be a larger challenge than physically installing
encryption capability on a network.
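An added example, not from the ViewsLetter, of how an operator might turn the choices above (cipher, key size, key management, and where encryption terminates) into an automated policy check over a tunnel inventory; the tunnel field names, thresholds and sample inventory are assumptions constructed for the illustration.

```python
# Added example (not from the ViewsLetter): audit a list of IPsec VPN tunnel
# descriptions against the choices the article names: cipher (DES/3DES/AES),
# key size, key management (shared secret vs certificates), and where
# encryption terminates (end-to-end vs on-net). Field names are assumptions.

WEAK_CIPHERS = {"DES"}          # 56-bit effective key; treat as unacceptable
LEGACY_CIPHERS = {"3DES"}       # still deployable in 2003 terms, but flag it
MIN_SYMMETRIC_BITS = 128        # policy threshold for the session key
PSK_PEER_LIMIT = 10             # beyond this, shared secrets get hard to manage

def audit_tunnel(t):
    """Return a list of (severity, message) findings for one tunnel dict."""
    findings = []
    cipher = t["cipher"].upper()
    if cipher in WEAK_CIPHERS:
        findings.append(("high", f"{t['name']}: cipher {cipher} is too weak"))
    elif cipher in LEGACY_CIPHERS:
        findings.append(("medium", f"{t['name']}: cipher {cipher} is legacy; prefer AES"))
    if t["key_bits"] < MIN_SYMMETRIC_BITS:
        findings.append(("high", f"{t['name']}: {t['key_bits']}-bit key below {MIN_SYMMETRIC_BITS}"))
    if t["auth"] == "psk" and t["peers"] > PSK_PEER_LIMIT:
        findings.append(("medium", f"{t['name']}: shared secret across {t['peers']} peers; use certificates"))
    if t["placement"] == "on-net":
        findings.append(("info", f"{t['name']}: on-net encryption leaves the access link in the clear"))
    return findings

def audit(tunnels):
    """Audit every tunnel; return findings sorted by severity, then message."""
    order = {"high": 0, "medium": 1, "info": 2}
    out = [f for t in tunnels for f in audit_tunnel(t)]
    return sorted(out, key=lambda f: (order[f[0]], f[1]))

# Constructed sample inventory (not real customer data).
SAMPLE_TUNNELS = [
    {"name": "branch-a", "cipher": "DES", "key_bits": 56, "auth": "psk", "peers": 2, "placement": "end-to-end"},
    {"name": "branch-b", "cipher": "AES", "key_bits": 128, "auth": "psk", "peers": 40, "placement": "end-to-end"},
    {"name": "hq", "cipher": "AES", "key_bits": 256, "auth": "certificate", "peers": 500, "placement": "on-net"},
]

if __name__ == "__main__":
    for sev, msg in audit(SAMPLE_TUNNELS):
        print(f"[{sev}] {msg}")
```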
More next time.
This Issue's Sponsors:
============ + ===== + ===== + ===== + ============
SELF-SERVICE CONFERENCING LETS CARRIERS GENERATE NEW REVENUE;
PRIMAL TECHNOLOGIES' PLATFORM BILLS FOR IT WITH STANDARD CDRs
Can't bill? Why bother! Primal understands carriers' needs to generate revenue
as well as provide a service. The family of Primal Service Node products not
only supports multiple applications, it generates Call Detail Records for your
existing billing system.
Flexible conferencing has dial in and out, prepaid, toll free access--
all under real-time control of each conference chairman.
All PSN models give each customer a unique conference bridge number, and a
choice of many other applications, including voice mail, prepaid, IVR,
unified messaging, and voice over IP.
Get details at http://www.primaltech.com/ConferencingASP.php
============ + ===== + ===== + ===== + ============
MPLScon - May 19-22, 2003 - New York City
MPLScon brings together service providers, end-users,
and industry experts to explore the present, and future of MPLS and MPLS-based
services. Hear from organizations including AT&T, EDS, WorldCom,
Cisco, Juniper, Equant, Infonet, Sprint, Savvis, HP, Alcatel, Lucent, The
MPLS Forum, The VPN Consortium, NTT, British Telecom, Greenwich Technology
Partners, SBC, Deloitte Consulting, Nortel, Extreme, and more.
The complete program is now on-line at:
http://www.mplscon.com/attend/conf_at_a_glance.html
MPLScon is focused on bringing enterprises the information they need to evaluate
MPLS services as well as MPLS for use in their own networks. Make your plans
today to join us for this event. Register today and take advantage of
early bird pricing at: http://www.mplscon.com/attend/register.html
============ + ===== + ===== + ===== + ============
MORE LINKS
-- Visit www.flanagan-consulting.com when you need independent review
and verification of network architecture, product positioning, or
your marketing message.
-- The archive of past ViewsLetters is available from the web site.
-- Special thanks to www.webtorials.com for hosting ViewsLetter.
"Flanagan Consulting" and "ViewsLetter" are Service Marks of W. A. Flanagan, Inc.
Updated: 7 July 2003