VPN Woes Force Shift At Giant E-Commerce Net

After trying for five years to get lab-tested IP Security equipment to interoperate, organizers of the world’s largest VPN-based e-commerce network, the ANX, are abandoning their multivendor strategy.

“Lab-based compliance with [IP Security] does not ensure real-world interoperability,” said Ford’s Dennis Kirchoff, a founding father of the ANX who spoke about the VPN problems at last week’s AutoTech conference in Detroit.

ANX founders Ford, General Motors and Chrysler (now DaimlerChrysler) once believed that requiring vendors to test their VPN equipment for compliance with the Internet Engineering Task Force’s (IETF) IPSec standard would ensure gateway interoperability. That would, in turn, result in vendor competition and lead to lower prices and better products.

That was the hope. But it hasn’t worked out that way.

Despite extensive testing, VPN interoperability problems remain so intractable that Ford’s Kirchoff is gloomy enough to call the IPSec-testing effort a “mistake.” In an about-face, the ANX will now seek a single-vendor approach to VPNs, even though the 900 companies now subscribing to the network service are using a variety of VPN gear.

Founded in 1995, the ANX (previously known as Automotive Network Exchange, the organization now goes by ANX because other industries have climbed aboard) has led a pioneering effort to create a secure, IP-based network for sharing mission-critical data with manufacturing suppliers in the multibillion-dollar automotive industry.

The ANX is a managed network comprising services from handpicked ISPs. These ISPs have to meet strict ANX latency and bandwidth guidelines. For security, customers have to use ANX-approved VPN encryption-tunnelling equipment that has gained IPSec certification from TruSecure (formerly International Computer Security Association) labs. Cisco, Check Point Software, Symantec, Alcatel and Nortel, among others, offer TruSecure-approved gear.

Alternatively, customers can use one of six ANX-certified VPN service providers, including WorldCom, Equant, AT&T and Ameritech. The ANX strategy for certifying multiple IP service providers has worked out well by providing choice, instead of granting a single ISP the sole right to serve the auto industry for this groundbreaking high-availability IP network.

But the experience with VPN gateways has been less successful. Equipment interoperability woes haven’t faded after five years of effort, and it has proved impossible to get the VPN vendors to work together, according to ANX auto industry founders and ANXeBusiness, which has owned and managed the ANX network service for the past 18 months.

“The interoperability we were depending on wasn’t there in the VPN equipment,” Kirchoff said. “We’ve found that two IPSec vendors may both conform to the IETF specification, but there was no hope of finding interoperability.”

For Ford, which has 589 trading partners using the ANX to share things such as CAD/CAM drawings for new cars, the breaking point came earlier this year in a drawn-out struggle to get two VPN vendors – which Kirchoff declined to name – to enable their VPN gateways to support secure tunnels.

This “hurtful episode” cost Ford in lost time and revenue, Kirchoff said. And it convinced Ford and ANXeBusiness management that it would only be possible to achieve interoperability and develop meaningful service-level agreements using a single equipment vendor.

“Mere compliance with the IETF specification is not sufficient to ensure interoperability in any IPSec product, and it’s difficult to get multiple vendors to work together,” said Erik Naugle, CTO at ANXeBusiness. “The vendors say ‘leave us alone.’ After all, they comply with the standard.” He said vendors are simply refusing to cooperate on interoperability, arguing that passing an IPSec-compliance test should be adequate.

In response, Naugle announced at AutoTech that ANXeBusiness – which authorizes what service providers, equipment and applications are allowed on the ANX – will soon begin offering a managed VPN service based on a single vendor’s equipment.

Though he declined to name the vendor whose equipment will be used for the VPN, Naugle said he expects the service will cost corporate ANX customers about US$300 per tunnel.

He said the idea is to let new ANX users make a Web-based request for a VPN tunnel to another ANX customer, and for ANX to be able to fulfil that request within four hours. Naugle said one problem is that many ANX users now use combined firewall/VPN equipment, which makes it difficult to manage VPNs through the firewalls.

While ANXeBusiness would not make use of the service mandatory, the Big Three automakers – which for decades have made certain technologies mandatory for suppliers – certainly could. It’s too early to say whether they will, but if the service works out to everyone’s liking, the automakers might even subsidize its use, sources say.

Offering a managed VPN service based on a single VPN product will also help the ANX roll out digital certificates for use with VPNs, another long-time goal that has been unfulfilled because of the VPN interoperability problems. It’s not known, as yet, what certificates the ANX will use, but SAIC, ANXeBusiness’ parent company, does have an investment in VeriSign.

VPN Vendors Speak Out

Vendors of the ANX-certified gear say the problems are real and an unavoidable part of interoperability.

Nortel spokespeople had not heard about Kirchoff’s specific complaints, but speculated that his beef might stem from a common challenge in setting up VPNs: security policy. “The two parties need to agree on a security policy. If you don’t, you’ll have difficulty configuring the equipment,” says Simon McCormack, a senior product manager for Nortel’s Intelligent Internet group.

These policies include such things as level of encryption. So, if a VPN device at one end of a link calls for Triple-DES encryption and the one at the other calls for DES, there is no way for the two to pass data.

The problem may also be that too many companies are involved in trying to set up a single VPN, says Bill McGee, security channels development manager for Cisco’s VPN and Security business unit. “When you have a hodgepodge of companies with a mix of skill sets, you are likely to run into problems,” McGee says. “ANX is an experiment. These people are pioneers on the bleeding edge.”

General Motors and DaimlerChrysler, also using the ANX more each year, have had their own VPN problems. They seem inclined to follow Ford’s lead to use a managed VPN service on the ANX.

At DaimlerChrysler, which now supports more than 1,100 IPSec tunnels through its own network arrangement, there have been plenty of VPN interoperability problems to sort out, says Ralph Benman, director of global network planning and operations. “In a couple of months, we hope we’ll solve the problem,” he says.

For other ANX users, however, VPNs aren’t much of a problem.

“We’re using the TimeStep VPN gateway, and we only have a dozen trading partners on the ANX,” says Doug Buchanan, business technology manager at steel manufacturer Dofasco. “If we had hundreds of trading partners, it could be an issue.”