IP VPNs come down the pipe

Virtual private networks (VPNs) are alive and well, but living in relative obscurity in Canada.

Since the concept of VPN was introduced in an IP flavour some two or three years ago, both the service and technology have lived a relatively modest existence. First conceived as an Internet-based secure communication service, IP VPN has been positioned as one of three things: a remote access service, a site-to-site communications link, and as an extranet technology specifically suited to business-to-business (B2B) e-commerce.

Success has been seen in remote access, to a somewhat lesser extent as a site-to-site link, and hardly at all as an extranet technology.

Awareness by most Canadian business customers of what IP-based VPN is and can do has been among the greatest challenges for those who would look to sell it as both a service and technology solution. Among the burning questions for those who have little more than a cursory understanding are: How exactly does the technology of VPN work and what is the value proposition offered?

Weighing the costs

When the notion of VPN enabled by IP technology came to the forefront some two years ago, the benefit offered was fairly straightforward. VPN was positioned as a lower-cost alternative to private line communication services such as dedicated T-1, T-3, Frame Relay, ISDN and other telecommunication offerings.

But as the price of data communication services has plummeted in the past two years, cost has become a less compelling factor, albeit still a meaningful consideration. While VPN is still positioned as a cheaper alternative to other dedicated communication services, additional key value considerations for the service have emerged.

“Sometimes the cost-savings argument is not as persuasive,” said Bob Reason, a senior marketing manager for Nortel Networks in Brampton, Ont. “But (VPN) is more available and flexible and this is the greater value.”

More available means that most Canadian customers may purchase IP VPN services coast to coast from a variety of carriers and other communication service providers. IP VPN is also a communication service that can be scaled on demand. Need higher performance – say, moving to a 10Mbps service from a 1Mbps one? Then simply call your service provider and it’s likely that the speed-up can occur almost immediately or soon after. By contrast, with most other leased-line type services, such a change could conceivably require days, assuming it is possible, since a change to a leased dedicated service typically requires a physical change to network equipment.

Similarly, if a customer requires a more managed type of communication service, IP VPN offers a range of options specifically tailored to suit a customer’s requirement.

Bell Canada, like other communication service companies in Canada, offers an IP VPN service. It is positioned as a multimedia service, but according to Erone Quek, director of IP technology for Bell Canada, a customer doesn’t have to use the technology that way. “It’s a highly managed service that allows them the ability to attach [quality of service] to application-specific traffic.”

Quek explained that Bell’s IP VPN service has during the past year – since it was introduced – grown a great deal in function richness. He added there are a great many more management features and Bell continues to enhance the QoS and bandwidth-on-demand capabilities.

Creating connections

VPN has existed as a technological solution for many years, first introduced as frame relay and Asynchronous Transfer Mode-based services back in the early ’90s. The value of VPN was initially portrayed as a lower cost communication offering and a means of delivering greater breadth of service to more customers through delivery of telecommunications through shared network infrastructures.

With the explosion of IP technology and its ubiquity as the underpinning for the mass collective that is the Internet, VPN technology has been developed and designed to make the Internet a richer communications network. Approximately three years ago, the concept of IP VPN was introduced in Canada, and services have been appearing in Canada for about a year or more.

IT market researchers International Data Corp. (IDC) define IP VPN as a partitioned private network constructed over a shared IP-based backbone that utilizes technologies to ensure privacy of data, either self-implemented or provided by an IP-based service provider.

In the simplest terms, IP VPN technology is a method for taking a public communication service or infrastructure and imposing upon it a varying degree of security and a range of performance management. It is essentially the idea of ascribing to a communication service such as cable or DSL levels of security and performance management – turning these traditional low-cost services into much richer and higher performance offerings through the imposition of security and QoS.

QoS for IP VPN can be achieved through Multiprotocol Label Switching (MPLS), an industry standard scheme for identifying and prioritizing packets of IP communication.

Both IP and non-IP VPN have the same characteristics. What differs is the transport protocol used. IP VPN essentially uses the Internet Protocol, which is a more open standard and allows treatment of voice, video, and data as one communication type. IP VPN encapsulates IP traffic types and has the ability to establish priorities around them. Encapsulating packets also means encrypting these packets. This encapsulation is achieved through a process called “tunneling” based on a protocol called IPsec (IP Security), a security protocol that provides authentication and encryption over the Internet.

IP VPN exists in Canada today primarily as a lower-cost, secure remote-access service.

“It was the initial value proposition and I would argue that it is still the primary reason why people buy and install VPNs today – and that is to support remote access back to a central site in a more cost-effective way to a leased line service,” said Reason.

Yves Laliberte, manager of business development for Cisco Systems Canada, explained how it works. Remote access IP VPN comprises two key components: software that resides on a laptop or desktop and a switching or routing device called a controller at the head office end. Using a communication service such as DSL, an IP VPN session encrypts the data being sent from a laptop or desktop. At the other end, the IP VPN concentrator receives multiple sessions from VPN clients – the tunnels previously mentioned, made up of encrypted packets from various remote sites and sent along the Internet. Tunneling is the key feature of IP VPN: it’s the notion of encrypting the data. Each tunnel has its own encryption key or code.

What’s unique about each tunnel and what makes IP VPN a secure communication method is that there is a unique security association between each end user and the destination site. This association has a unique encryption key used over the secured connection and each tunnel has its own security association.

The concentrator, which authenticates sessions and decrypts packets, is also like a controller that initiates a secure handshake and keeps the IP VPN session alive in a secure fashion. The concentrator device provides the entry and process of identification – essentially the authentication.
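The per-tunnel security association described above can be sketched in a few lines; this is an added illustration, not code from the article or from any vendor it quotes. The class names, the packet layout (SPI, sequence number, ciphertext, tag) and the HMAC-based keystream standing in for a real cipher are assumptions, and the key exchange is skipped by letting both ends share the same `Tunnel` object.

```python
import hashlib
import hmac
import os
import struct

def _keystream(key, spi, seq, n):
    # Toy keystream (HMAC-SHA256 in counter mode), a stand-in for a real cipher such as AES.
    out, block = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack("!IQI", spi, seq, block), hashlib.sha256).digest()
        block += 1
    return out[:n]

class Tunnel:
    """One security association: its own SPI, keys and sequence counters."""
    def __init__(self, spi):
        self.spi = spi
        self.enc_key = os.urandom(16)  # 128-bit key, unique to this tunnel
        self.mac_key = os.urandom(32)
        self.tx_seq = 0                # client: last sequence number sent
        self.rx_seq = 0                # concentrator: highest sequence accepted

    def seal(self, payload):
        """Client end: encrypt, then authenticate header plus ciphertext."""
        self.tx_seq += 1
        header = struct.pack("!IQ", self.spi, self.tx_seq)
        ks = _keystream(self.enc_key, self.spi, self.tx_seq, len(payload))
        body = bytes(a ^ b for a, b in zip(payload, ks))
        tag = hmac.new(self.mac_key, header + body, hashlib.sha256).digest()[:16]
        return header + body + tag

class Concentrator:
    """Head-office end: holds one security association per tunnel, keyed by SPI."""
    def __init__(self):
        self.sas = {}

    def open(self, packet):
        if len(packet) < 28:
            return None                      # too short for header + tag
        spi, seq = struct.unpack("!IQ", packet[:12])
        sa = self.sas.get(spi)
        if sa is None:
            return None                      # no tunnel with this SPI
        want = hmac.new(sa.mac_key, packet[:-16], hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(packet[-16:], want) or seq <= sa.rx_seq:
            return None                      # modified, wrong tunnel key, or replayed
        sa.rx_seq = seq
        body = packet[12:-16]
        return bytes(a ^ b for a, b in zip(body, _keystream(sa.enc_key, spi, seq, len(body))))
```

Because the tag is checked before anything is decrypted, a packet altered in transit or relabelled with another tunnel's SPI is dropped without its contents ever being processed.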

Most IP VPN services and solutions feature 128-bit encryption, which is considered industry standard.

“For protection against (packet) interception and modification of data, it’s almost iron clad. I think it’s impenetrable from that regard,” Reason explained.

An enterprising fit

IP VPN as a service and adopted technology is primarily being marketed to larger enterprise accounts as a remote access replacement.

That said, however, IP VPN services are being driven down to smaller business enterprises, according to Reason. But the challenge remains for customers to recognize the potential cost savings.

Cisco Canada’s Laliberte offers an illustration of savings achieved by his company through 300 Cisco employees in Canada who utilize remote IP VPN connections to the company’s head office. Initially most used an ISDN line costing approximately $150 per employee per month for a 128Kbps connection. Over the past six months they have transitioned from ISDN to an IP VPN DSL or cable connection at a cost of $49 a month for a secure 400Kbps connection.

“We do everything – e-mail, e-learning, forecasting and expense management – remotely and online,” Laliberte said.

He added that a dedicated WAN service of approximately 500Mbps might cost $2,000 a month, while a similar performance IP VPN-enabled DSL link may cost $500 a month.

Nortel’s Reason echoes the cost savings assertion. The “rule of thumb,” he said, is that a savings of almost $1,000 per user per year can be achieved through the use of IP VPN services vs. the cost of traditional remote access.

“The payback is typically in a matter of months,” Reason said. “It’s almost a no-brainer is what it becomes.”

But communication service providers such as Bell Canada are positioning IP VPN not as a cheap, low-cost service, but rather as a service that offers a wide range of value and function. According to Quek, Bell’s IP VPN Enterprise service customers are using it for “a bit of everything.”

“(For most customers) the main focus is to use IP VPN to deploy future applications that support voice, data and video,” he said. “They want a more flexible communications solution. (Bell’s IP VPN Enterprise service) offers bandwidth on demand and QoS.”

As Bell looks to roll out its voice-over-IP (VoIP) service, IP VPN will become “the foundation for VoIP and managed VoIP” and will be used as a transport.

Bell’s current IP VPN offering is targeted at high-end large companies, because of its “richness” as a service. However, Quek said an IP VPN targeted at smaller customers will be launched this year.

“It will be a slower-speed service and likely will not feature QoS,” Quek said, explaining that most current IP VPN services offered by Bell are customized offerings, with pricing based on access speeds and QoS function. Service speeds range from dial speed, DSL 1Mbps and 2Mbps, ATM-based access all the way up to 10Mbps and 100Mbps Ethernet speeds.

It is offered from Vancouver to Halifax. Initially there were two levels of quality, but Bell has added a third quality of service. The company will continue enhancing QoS, according to Quek.

Much of the future of IP VPN may hinge upon the adoption in Canada of e-business and/or e-commerce. According to Nortel’s Reason, a lot of the hope was that IP VPN would really drive extranet business-to-business communications by making the Internet secure.

That hasn’t happened, yet.

“There’s so much more that has to go into businesses communicating with each other,” Reason said. “Ebusiness didn’t take off the way it was expected. We still do hold out that these ebusiness extranet applications will become more popular. VPN is an enabling technology for that.”

All agree that much more needs to be done to educate people to the value of IP VPN beyond cost savings.

As Reason noted, “People are still grappling to understand…what they can do with the technology and what its potential is.”

Dan McLean is director of enterprise network services research for IDC Canada Ltd. in Toronto. He can be reached at dmclean@idccanada.com.