Managing Layer 1 VPN services

Control Plane architectures enhance transport networks with distributed signaling and routing mechanisms which allow dynamic connection control. As a result, layer 1 switching networks enabled with a distributed control plane can support the provisioning of advanced connectivity services like Virtual Private Networks (VPNs). Such Layer 1 VPN (L1VPN) service allows multiple customer networks to share a single transport network in a cost-effective way. However, L1VPN deployment still faces many challenges.In this work, we are concerned on configuration management and interdomain provisioning of L1VPN services. We propose an L1VPN management architecture based on the Policy-Based Management (PBM) approach. First, we describe the architecture and how it allows a single service provider to support multiple L1VPNs while providing customers with some level of control over their respective service. Then we explain how the architecture was extended to support interdomain L1VPNs by using the Virtual Topology approach. We also discuss the prototype implementation and evaluation of the proposed architecture. Moreover, this work is a tentative note before raising a more deep discussion related to interdomain provisioning of L1VPN services and implications of a policy-based approach for L1VPN configuration management.     

Layer 1 virtual private networks: driving forces and realization by GMPLS

This article describes an emerging service for next-generation networks, layer 1 virtual private networks. L1VPNs allow customers desiring to connect multiple sites to be supported over a single shared layer 1 network. In the article we first describe the transport network's evolution and the shift in expectations of both service providers and customers. We provide an overview of the motivation for L1VPNs and examples of network usage. We follow by reviewing existing GMPLS mechanisms (addressing, discovery, and signaling) for realizing L1VPN functionality and identifying other work areas.     

Resource Management for Virtual Private Networks

Virtual private networks (VPNs) have rapidly emerged as a leading solution for multi-site enterprise communication needs. Provider-managed solutions modeled on RFC 2547 serve as a popular choice for layer 3 VPNs, and the hose model has emerged as a common and simple service specification. It offers a hose of a certain contracted bandwidth to customers. With the growth in size and number of VPNs and the uncertainties in the traffic patterns of customers, providers are faced with new challenges in efficient provisioning and capacity planning for these networks and satisfying customer service level agreements (SLA). We suggest that a set of techniques can be used to help the provider build an adaptively provisioned network. These techniques involve continually processing measurement information, building inferences regarding VPN characteristics, and leveraging them for adaptive resource provisioning. We developed scalable techniques to infer VPN characteristics that are important for provisioning tasks. We demonstrated the feasibility of such provisioning techniques with existing measurement obtained using SNMP infrastructure from a large IP/VPN service provider. Our examination of measurement data yielded interesting new insights into VPN structure and properties. Building on our experience with analyzing VPN characteristics, we articulate an adaptive provisioning architecture that enables providers to effectively deal with the dynamic nature of customer traffic     

基于MPLS骨干网络的VPN解决方案

现有的虚拟专用网(VPN)方案大多基于IP协议,这种结构的VPN在数据包转发速度、扩展性、服务质量等方面都存在欠缺,所以本文提出了基于多协议标记交换(MPLS)骨干网络的VPN解决方案.由于MPLS和IPSec在身份认证方面都没有定义,所以我们在方案中把认证中心(CA)的证书管理引入进来.该方案的核心思想是:利用MPLS在传输效率上的优势,通过CA进行身份认证、IKE协议^[1]进行密钥协商以及IPSec协议^[2]进行数据包加密,从而在MPLS骨干网络上建立一个安全高效的VPN.本文对实现MPLS VPN的每个关键部件都做了进一步的描述.     

MTRA: An on-line hose-model VPN provisioning algorithm

Virtual private networks (VPNs) provide customers with a secure and manageable communication environment. The allocation of bandwidth for VPNs to meet the requirements specified by customers is now one of the most important research issues in the field of traffic engineering. A VPN resource-provisioning model called hose-model was developed to provide customers with a flexible and convenient way to specify the bandwidth requirements of a VPN. Several hose-model VPN provisioning algorithms have already been proposed. They focus on the bandwidth efficiency issue in the case of establishing a single hose-mode VPN. However, these algorithms cannot achieve a satisfactory rejection ratio when: (1) the residual bandwidths on links of the network backbone are finite and (2) multiple VPN setup requests are handled on-line. In this paper, we propose a new hose-model VPN provisioning algorithm called MTRA to address the issue. MTRA can process multiple VPN setup requests rapidly and reduce the rejection ratio effectively. Theoretical upper bounds of rejection ratios achieved by several VPN provisioning algorithms are also derived. The experiments verify that MTRA performs better in regards to the rejection ratio than other provisioning algorithms.     

IP VPN—基于IP网络的虚拟专用网

ＩＰ ＶＰＮ能为用户在ＩＰ网络之上构筑一个安全可靠、方便快捷的企业专用网络，并为企业节省资金。本文从ＩＰ ＶＰＮ的概念、分类、组建ＩＰ ＶＰＮ的隧道技术，以及在ＶＰＮ上传送的数据的安全性保证等几个方面介绍了ＩＰ ＶＰＮ技术。     

Algorithms for provisioning virtual private networks in the hose model

Virtual private networks (VPNs) provide customers with predictable and secure network connections over a shared network. The recently proposed hose model for VPNs allows for greater flexibility since it permits traffic to and from a hose endpoint to be arbitrarily distributed to other endpoints. We develop novel algorithms for provisioning VPNs in the hose model. We connect VPN endpoints using a tree structure and our algorithms attempt to optimize the total bandwidth reserved on edges of the VPN tree. We show that even for the simple scenario in which network links are assumed to have infinite capacity, the general problem of computing the optimal VPN tree is NP-hard. Fortunately, for the special case when the ingress and egress bandwidths for each VPN endpoint are equal, we can devise an algorithm for computing the optimal tree whose time complexity is O(mn), where m and n are the number of links and nodes in the network, respectively. We present a novel integer programming formulation for the general VPN tree computation problem (that is, when ingress and egress bandwidths of VPN endpoints are arbitrary) and develop an algorithm that is based on the primal-dual method. Our experimental results with synthetic network graphs indicate that the VPN trees constructed by our proposed algorithms dramatically reduce bandwidth requirements (in many instances, by more than a factor of 2) compared to scenarios in which Steiner trees are employed to connect VPN endpoints.     

Optimal Link Weights for IP-Based Networks Supporting Hose-Model VPNs

From traffic engineering point of view, hose-model VPNs are much easier to use for customers than pipe-model VPNs. In this paper we explore the optimal weight setting to support hose-model VPN traffic in an IP-based hop-by-hop routing network. We try to answer the following questions: (1) What is the maximum amount of hose-model VPN traffic with bandwidth guarantees that can be admitted to an IP-based hop-by-hop routing network (as opposed to an MPLS-based network), and (2) what is the optimal link weight setting that can achieve that? We first present a mixed-integer programming formulation to compute the optimal link weights that can maximize the ingress and egress VPN traffic admissible to a hop-by-hop routing network. We also present a heuristic algorithm for solving the link weight searching problem for large networks. We show simulation results to demonstrate the effectiveness of the search algorithm.     

Selective survivability with disjoint nodes and disjoint lightpaths for layer 1 VPN

This paper deals with the problem of survivable routing and wavelength assignment in layer 1 virtual private networks (VPNs). The main idea is routing the selected lightpaths by the layer 1 VPN customer, in a link-disjoint manner. The customer may freely identify some sites or some connections, and have their related lightpaths routed through link-disjoint paths through the provider’s network. This selective survivability idea creates a new perspective for survivable routing, by giving the customer the flexibility of selecting important elements (nodes or connections) in its network. This study is different from previous studies which aim to solve the survivable routing problem for the whole VPN topology. The proposed scheme is two-fold: disjoint node based, and disjoint lightpath based. In disjoint node scheme, all lightpaths incident to a node are routed mutually through link-disjoint paths. In disjoint lightpath scheme, a lightpath is routed in a link-disjoint manner from all other ligthpaths of the VPN. We present a simple heuristic algorithm for selective survivability routing. We study the performance of this algorithm in terms of resources allocated by the selective survivability routing scheme compared to shortest path routing with no survivability. The numerical examples show that the amount of used resources by the selective survivability scheme is only slightly more than the amount used in shortest path routing, and this increase is linear. The extra resources used by the new scheme are justified by better survivability of the VPN topology in case of physical link failures, and the simplicity of the implementation.     

New Architecture and Algorithms for Fast Construction of Hose-Model VPNs

Hose-model virtual private networks (VPNs) provide customers with more flexibility in specifying bandwidth requirements than pipe-model VPNs. Many hose-model VPN provisioning algorithms have been proposed, and they focus on the bandwidth efficiency in the construction of a single hose-model VPN. In practice, however, VPNs come and go and the dynamics will affect the performance of these VPN provisioning algorithms. If the frequency of adding and deleting VPNs is high, these algorithms will have a scalability problem. We propose in this paper a new network architecture for dynamic VPN construction. In the proposed architecture, adding a new VPN is much simpler and faster, and all that is required is to check if the edge routers have enough bandwidth. There is no need to check the bandwidth left on each internal link because the architecture guarantees that as long as the edge routers have enough capacities to accept the VPN, the internal links will never experience overflow caused by adding the new VPN. We present a linear programming formulation for finding the optimal routing that maximizes the amount of admissible VPN traffic in the network. We then exploit the underlying network flow structure and convert the linear programming problem into a subgradient iterative search problem. The resulting solution is significantly faster than the linear programming approach.     

L1 VPN业务和网络结构

L1 VPN/OVPN是新一代传送网最具发展潜力的增值业务之一.本文依据ITU-T SG13关于L1VPN的相关标准,介绍了L1 VPN的定义、网络参考模型、业务模型、资源分配方式和结构分类等.     

Layer 1 virtual private network management by users

The layer 1 virtual private network (LlVPN) technology supports multiple user networks over a common carrier transport network. Emerging L1VPN services allow: L1VPNs to be built over multiple carrier networks; L1VPNs to lease or trade resources with each other; and users to reconfigure an L1VPN topology, and add or remove bandwidth. The trend is to offer increased flexibility and provide management functions as close to users as possible, while maintaining proper resource access right control. In this article two aspects of the L1VPN service and management architectures are discussed: management of carrier network partitions for L1VPNs, and L1VPN management by users. We present the carrier network partitioning at the network element (NE) and L1VPN levels. As an example, a transaction language one (TL1) proxy is developed to achieve carrier network partitioning at the NE level. The TL1 proxy is implemented without any modifications to the existing NE management system. On top of the TL1 proxy, a Web services (WS)-based L1VPN management tool is implemented. Carriers use the tool to partition resources at the L1VPN level by assigning resources, together with the WS-based management services for the resources, to L1VPNs. L1VPN administrators use the tool to receive resource partitions from multiple carriers and partner L1VPNs. Further resource partitioning or regrouping can be conducted on the received resources, and leasing or trading resources with partner LlVPNs is supported. These services offer a potential business model for a physical network broker. After the L1VPN administrators compose the use scenarios of resources, and make the use scenarios available to the L1VPN end users as WS, the end users reconfigure the L1VPN without intervention from the administrator. The tool accomplishes LlVPN management by users     

Layer 2 and 3 virtual private networks: taxonomy, technology, and standardization efforts

Virtual private network services are often classified by the OSI layer at which the VPN service provider's systems interchange VPN reachability information with customer sites. Layer 2 and 3 VPN services are currently being designed and deployed, even as the related standards are being developed. This article describes the wide range of emerging L2 and L3 VPN architectures and technical solutions or approaches, and discusses the status of standards work. Some specific L2VPN and L3VPN technologies described here include virtual private LAN service, transparent LAN service, BGP/MPLS-based VPNs (RFC 2547bis), virtual router, and IPSec VPN approaches. We discuss recent and continuing standards efforts in the IETF 12vpn and 13vpn working groups, and related work in the pseudo-wire emulation edge-to-edge working group, as well as in some other standards fora, and describe some mechanisms that provide membership, reachability, topology, security, and management functions.     

VPN技术综述

随着INTERNET访问的增加,传统的INTERNET接入服务已越来越不能满足用户需求,因为传统的INTERNET只提供浏览、电子邮件等单一服务,没有服务质量保证,没有权限和安全机制,界面复杂不易掌握,VPN则能解决这些问题。VPN的组网方式为企业提供了一种低成本的网络基础设施,并增加了企业网络功能,扩大了其专用网的范围。文章介绍了VPN的特点和类型以及几种基于INTERNET组建VPN的技术。     

MPLS VPN技术及其应用

VPN是利用公众网资源为客户定做的一种专用私网.VPN的划分种类较多,建立在IP技术或者二层链路基础之上的MPLSVPN正迅速成为下一代网络增值业务的服务基础.介绍了MPLS VPN的原理、特点、业务支持种类以及主要领域的一些应用,并将MPLS二、三层VPN做了简单比较.     

Toward IP virtual private network quality of service: a service provider perspective

To complement classical enterprise wide area network infrastructures, IP (based) virtual private networks have been gaining ground, with the capability of offering cost-effective, secure, and private-network-like services. In order to provision the equivalent quality of service of legacy connection-oriented layer 2 virtual private networks (VPNs), IP VPNs have to overcome the intrinsically best effort characteristics of the Internet in this multimedia era. This article discusses the IP VPN quality of service (QoS) issue from a service provider point of view, where QoS guarantees are carried out at the network level as well as at the node level. It presents the whole picture by highlighting and stitching together various QoS enabling technologies from previous research and engineering work.     

CATZ: Time-Zone-Aware Bandwidth Allocation in Layer 1 VPNs

The layer 1 virtual private network framework has emerged from the need to enable the dynamic coexistence of multiple circuit-switched client networks over a common physical network infrastructure. Such a VPN could be set up for an enterprise with offices across a wide geographical area (e.g., around the world or by a global ISP). Additionally, emerging IP over optical WDM technologies let IP traffic be carried directly over the optical WDM layer. Thus, different VPNs can share a common optical WDM core, and may demand different amounts of bandwidth at different time periods. This type of operation would require dynamic and reconfigurable allocation of bandwidth. This article evaluates the state of the art in layer 1 VPNs in the context of globally deployable optical networks and cost-efficient dynamic bandwidth usage. While exploiting the dynamism of IP traffic in a global network in which the nodes are located in different time zones, we study different bandwidth allocation methods for setting up a worldwide layer 1 VPN. We propose and investigate the characteristics of a cost-efficient bandwidth provisioning and reconfiguration algorithm, called capacity allocation using time zones (CATZ)     

A network management tool for resource‐partition based layer 1 virtual private networks

A Layer 1 Virtual Private Network (L1‐VPN) has two models for service management: the resource‐partition based model and the domain‐service based model. In this paper, we present a network management tool for resource‐partition based L1‐VPNs. A Transaction Language One (TL1) proxy is designed to achieve resource partitioning at the network element level. Building on top of a TL1 proxy, we implemented a User‐Controlled LightPath (UCLP) system to support physical network brokers to assign and allocate virtually dedicated resources to customers, and to enable customers to directly manage their resources. With such a capability, customers are able to create wide area networks based on their traffic pattern, and to adjust their traffic pattern based on available resources. Copyright © 2008 Crown in the right of Canada. Published by John Wiley & Sons, Ltd.     

Hybrid crosstalk aware Q-Factor analysis for selection of optical virtual private network connection

The presence of physical layer impairments (PLIs) in high-speed optical virtual private network (OVPN) over wavelength-division multiplexing/ dense-wavelength division multiplexing network degrades the connection quality (CQ). The quality can be numerically expressed as the quality factor (Q-Factor) of the connection. The CQ can be further affected by the increasing demand of connections and data speed. It is important to have an efficient OVPN control manager (OVPNCM) to maintain the CQ. OVPNCM can ensure better quality of transmission to the OVPN clients. Traditional routing and wavelength assignment (RWA) algorithms have less regards to the PLIs and cannot provide guaranteed OVPN connection (OVPNC) quality. In order to achieve a guaranteed CQ, we proposed a wavelength assignment (WA) scheme and a hybrid crosstalk model based on linear in-band and nonlinear four-wave mixing crosstalk. The performance of the proposed WA scheme with the hybrid crosstalk model is demonstrated. The results show that the proposed hybrid crosstalk model with WA scheme not only provides a guaranteed OVPNC, but also improves the OVPN performance in terms of blocking probability.