ViewsLetter(SM) on Provisioning

 Flanagan Consulting                 Network Analysts and Consultants
                                                  "We Have the Experience"
ViewsLetter on Provisioning                 5 May  2003                #22
A fortnightly look at provisioning automation--chips to business software.

-- Automating IP VPNs:  What's Involved?
-- This issue sponsored by [information, links at end]:
    = Primal Technologies automated phone conferencing platform for carriers
    = MPLScon--The Enterprise-Focused MPLS Event, NYC, 19-22 May 2003


    --By William A. Flanagan, Editor and Publisher

Much of the hope for automated provisioning of "services" lies on the assumption that the carrier's network will be "IP-based."  One such service enthusiastically embraced by many is the "IP Virtual Private Network" (IP VPN).  By generally accepted definition, a VPN is part of a public (shared) network;  the concept doesn't apply to a private network used by a single entity.  "Privacy" on a public net derives from encryption, from operational methods (or technology) that isolate one user's traffic from all others', or from both.

Carriers and hardware vendors have sold the VPN concept heavily.  Enterprise users often see VPNs as a way to outsource the headaches of running a private network.  Unfortunately, vendors don't always ensure that prospective users understand fully the service they get.  To prepare for more detailed discussions on provisioning VPNs, let's look first at types of VPNs and their variations.

An ideal IP VPN supports many connections and offers a choice of characteristics for each, in addition to privacy, on one high-capacity access circuit (local loop).  For example, a "VPN" on an IP network managed by a single carrier might be able to give certain connections higher priority than others.  Configuring the access device might guarantee throughput to a certain level, cap it at some limit, or both.  Ideally, subscribers are willing (even eager) to pay for specific characteristics, generating more revenue for the carrier than it could charge for commodity Internet access.  The generic Internet, to date, offers no such options that go beyond privacy.


The middle name of VPN is private.  Historically, people have relied on encryption for privacy--still do.  Encryption makes a portion of a public network private for each VPN subscriber.  Even so, a question remains:  where on the user's connection does encryption start and end?  Two answers commonly apply (drawing 1 at
    1.  End-to-End:  the encryption devices are on the subscriber's premises;  the service provider (SP) transports IP packets without knowing (or caring) if they are encrypted.
    2.  On-Net:  the SP maintains encryption devices in its Points of Presence (POPs) and encrypts information while it is on the network;  access links are in the clear.

In neither case does the subscriber have to manage the encryption function;  the SP handles that as part of a managed router service (1), or in maintaining its own network hardware (2). 

When privacy is the only attribute wanted from a VPN, the customer is free to install encryption on any Internet access, resulting in a "customer-provided" VPN (still on a public network).  Several vendors (Nortel Networks, Encore Networks, Cisco, Alcatel, NetScreen, Quarry, Sonus, others) offer equipment optimized for this function in two broad categories;  encryption may also be done in software.  This leads to four broad product categories (drawing 2 at
    1.  Remote site hardware:  typically designed for 2 Mbit/s or less and up to about 35 encrypted IP security (IPsec) sessions at a time on an Ethernet port;  may have integral CSU and a variety of other features.
    2.  Remote software client:  encryption for web sites is almost always based on Secure Sockets Layer (SSL) performed by the browser (indicated by the "s" in https://...);  access to other applications on internal or non-public enterprise servers tends to use IPsec handled in a separate client that also authenticates the user.
    3.  Central site hardware:  capable of maintaining thousands of encrypted sessions, SSL or IPsec, with total throughput of at least hundreds of megabits per second.
    4.  Server encryption software:  web servers may support SSL as well as deliver content.


Of all the security measures available, SSL between a browser and web server is the easiest to deploy.  Today, most operating systems and browsers include SSL, so there is no additional effort required to make sure each computer has the capability to encrypt.  However, the level of protection varies widely, depending largely on the size of (number of bits in) the encryption key. 

IPsec presents several options (meaning more work).  The main concern is what type of encryption algorithm to use (DES, 3DES, AES, etc.), the size of the key (varies from less than 128 to more than 1024 bits), and the management method for issuing and withdrawing keys (private "shared secrets" or "public keys").  No room here to go into the details--many books and web sites cover the topics.  In (very) short form, private keys are simpler on small networks;  public keys require more infrastructure but scale up to very large networks.

Deployment of services on public networks requires scalability.  That points to public keys, certificates, and similar encryption technologies.  Getting keys into the proper devices or software clients (and keeping them out of the wrong hands) may be a larger challenge than physically installing encryption capability on a network.
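To put numbers on the scaling point made in the two paragraphs above (shared secrets are simpler on small networks; certificates need more infrastructure but scale), here is a small model of the key-provisioning burden for a full mesh of VPN gateways.  It is an added illustration, not code from the ViewsLetter or from any vendor named in it.  The site names, the secret labels and the CA name are constructed placeholders; no real key material is involved, and the model only counts which gateways need a configuration change when a site joins.

```python
# Added example: compare the provisioning burden of pre-shared secrets
# versus certificates for a full mesh of IPsec VPN gateways.
# All site names, secret labels and the CA name are constructed placeholders.
from itertools import combinations


def psk_secret_count(n):
    """Pairwise secrets needed for a full mesh of n gateways: n choose 2."""
    return n * (n - 1) // 2


def psk_mesh(sites):
    """Pre-shared secrets: one distinct secret per pair of gateways,
    installed on both ends.  Values are labels, not key material."""
    return {frozenset(p): f"psk:{p[0]}<->{p[1]}"
            for p in combinations(sorted(sites), 2)}


def psk_join_touches(existing, new_site):
    """Gateways whose configuration changes when a site joins a PSK mesh:
    every existing gateway receives a new secret, and the newcomer
    receives one secret for each existing gateway."""
    return set(existing) | {new_site}


def pki_mesh(sites, ca="hypothetical-enterprise-ca"):
    """Certificate-based mesh: each gateway holds its own key pair and a
    certificate signed by one CA, and every gateway trusts that CA."""
    return {s: {"cert": f"cert:{s} signed by {ca}", "trusts": ca}
            for s in sorted(sites)}


def pki_join_touches(existing, new_site):
    """Only the newcomer needs provisioning (a certificate from the CA);
    existing gateways already trust the CA and verify the newcomer's
    certificate when the tunnel is negotiated."""
    return {new_site}


def compare(n_sites):
    """Summarise both schemes for a mesh of n_sites gateways."""
    sites = [f"site{i:03d}" for i in range(1, n_sites + 1)]  # constructed names
    existing, newcomer = sites[:-1], sites[-1]
    psk = psk_mesh(sites)
    pki = pki_mesh(sites)
    return {
        "sites": n_sites,
        "psk_secrets": len(psk),
        "psk_gateways_touched_on_join": len(psk_join_touches(existing, newcomer)),
        "pki_credentials": len(pki),
        "pki_gateways_touched_on_join": len(pki_join_touches(existing, newcomer)),
    }


if __name__ == "__main__":
    for n in (5, 50, 500):
        print(compare(n))
```

Run as a script it prints the summary for 5, 50 and 500 sites; the secret count grows quadratically for shared secrets and linearly for certificates, and adding a site touches every gateway in the first case but only the new one in the second.  That difference in "devices to touch" is what makes the public-key approach the practical one for automated provisioning on a carrier scale, and also why certificate issuance and revocation, rather than the encryption hardware itself, become the operational centre of the service.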

More next time.

This Issue's Sponsors:
============ + ===== + ===== + ===== + ============

    Can't bill?  Why bother!  Primal understands carriers' needs
to generate revenue as well as provide a service.  The family of
Primal Service Node products not only supports multiple applications,
it generates Call Detail Records for your existing billing system. 
Flexible conferencing has dial in and out, prepaid, toll free access--
all under real-time control of each conference chairman. 
    All PSN models give each customer a unique conference bridge number,
and a choice of many other applications, including voice mail, prepaid,
IVR, unified messaging, and voice over IP.
    Get details at

============ + ===== + ===== + ===== + ============

MPLScon - May 19-22, 2003 - New York City
    MPLScon brings together service providers, end-users, and industry experts to explore the present, and future of MPLS and MPLS-based services.  Hear from organizations including AT&T, EDS, WorldCom, Cisco, Juniper, Equant, Infonet, Sprint, Savvis, HP, Alcatel, Lucent, The MPLS Forum, The VPN Consortium, NTT, British Telecom, Greenwich Technology Partners, SBC, Deloitte Consulting, Nortel, Extreme, and more. 
    The complete program is now on-line at:
MPLScon is focused on bringing enterprises the information they need to evaluate MPLS services as well as MPLS for use in their own networks. Make your plans today to join us for this event. Register today at and take advantage of early bird pricing:

============ + ===== + ===== + ===== + ============

-- Visit when you need independent review
   and verification of network architecture, product positioning, or
   your marketing message.
-- The archive of past ViewsLetters is available from the web site.
-- Special thanks to for hosting ViewsLetter. 

"Flanagan Consulting" and "ViewsLetter" are Service Marks of W. A. Flanagan, Inc.
 Updated:  7 July  2003

Flanagan Consulting(SM)
W. A. Flanagan, Inc.
45472 Holiday Drive, Dulles, VA 20166
Ph:  +1.703.242.8381
Fx:  +1.703.242.8391