Similar literature
 Found 20 similar documents (search time: 234 ms)
1.
An Overview of Virtual Private Network (VPN): IP VPN and Optical VPN   Total citations: 1, self-citations: 0, citations by others: 1
Recently, there has been rapid development and deployment of virtual private network (VPN) services. There are wide varieties of IP-based VPNs and optical VPNs (OVPNs) proposed in the literature and readers could easily get confused with so many different types of VPNs. The purpose of this paper is to present a comprehensive overview of the VPN and discuss the main issues associated with the design of IP VPN and OVPN. We first present a classification of the VPNs including CE-based, network based, customers provisioned, provider provisioned, connection oriented, connectionless oriented, port based, connection based, layer 1 VPN, layer 2 VPN, and layer 3 VPN, and describe different VPN protocols such as IPSec, GRE and MPLS. We then review the recent work on OVPN by different standard bodies, and outline the key requirements for OVPN service providers and customers. Finally, we describe several OVPN architectures that have appeared in the literature and highlight the future work in OVPN.

2.
To complement classical enterprise wide area network infrastructures, IP (based) virtual private networks have been gaining ground, with the capability of offering cost-effective, secure, and private-network-like services. In order to provision the equivalent quality of service of legacy connection-oriented layer 2 virtual private networks (VPNs), IP VPNs have to overcome the intrinsically best effort characteristics of the Internet in this multimedia era. This article discusses the IP VPN quality of service (QoS) issue from a service provider point of view, where QoS guarantees are carried out at the network level as well as at the node level. It presents the whole picture by highlighting and stitching together various QoS enabling technologies from previous research and engineering work.

3.
Resource Management for Virtual Private Networks   Total citations: 1, self-citations: 0, citations by others: 1
Virtual private networks (VPNs) have rapidly emerged as a leading solution for multi-site enterprise communication needs. Provider-managed solutions modeled on RFC 2547 serve as a popular choice for layer 3 VPNs, and the hose model has emerged as a common and simple service specification. It offers a hose of a certain contracted bandwidth to customers. With the growth in size and number of VPNs and the uncertainties in the traffic patterns of customers, providers are faced with new challenges in efficient provisioning and capacity planning for these networks and satisfying customer service level agreements (SLA). We suggest that a set of techniques can be used to help the provider build an adaptively provisioned network. These techniques involve continually processing measurement information, building inferences regarding VPN characteristics, and leveraging them for adaptive resource provisioning. We developed scalable techniques to infer VPN characteristics that are important for provisioning tasks. We demonstrated the feasibility of such provisioning techniques with existing measurement obtained using SNMP infrastructure from a large IP/VPN service provider. Our examination of measurement data yielded interesting new insights into VPN structure and properties. Building on our experience with analyzing VPN characteristics, we articulate an adaptive provisioning architecture that enables providers to effectively deal with the dynamic nature of customer traffic.

4.
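Comparison of the Scalability of Traditional VPN and MPLS VPN Networks   Total citations: 3, self-citations: 0, citations by others: 3
王双勇  陈善学 《信息技术》2005,29(12):108-111
IP-based virtual private networks (VPNs) are gradually becoming the foundation for delivering various services over future IP networks, and many service providers (SPs) offer a variety of value-added applications over their VPN transport networks. Over the past years of development, different VPN models have been proposed: the overlay model (VPNs based on encrypted tunneling technology) and the peer model (MPLS-based VPNs). This paper gives a brief introduction to the VPN technologies of the two models and compares their scalability, reaching the theoretical conclusion that MPLS-based VPNs have excellent scalability and, as far as scalability is concerned, are the most promising option for future VPN services.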

5.
Virtual private network services are often classified by the OSI layer at which the VPN service provider's systems interchange VPN reachability information with customer sites. Layer 2 and 3 VPN services are currently being designed and deployed, even as the related standards are being developed. This article describes the wide range of emerging L2 and L3 VPN architectures and technical solutions or approaches, and discusses the status of standards work. Some specific L2VPN and L3VPN technologies described here include virtual private LAN service, transparent LAN service, BGP/MPLS-based VPNs (RFC 2547bis), virtual router, and IPSec VPN approaches. We discuss recent and continuing standards efforts in the IETF l2vpn and l3vpn working groups, and related work in the pseudo-wire emulation edge-to-edge working group, as well as in some other standards fora, and describe some mechanisms that provide membership, reachability, topology, security, and management functions.

6.
Support for resource-assured and dynamic virtual private networks   Total citations: 2, self-citations: 0, citations by others: 2
This paper describes VServ, a prototype architecture for a virtual private network (VPN) service, which builds and manages VPNs on demand. It allows each VPN to have guaranteed resources and customized control, and supports a highly dynamic VPN service where creation and modification operations can take place on fast timescales. These features are contingent on the automated establishment and maintenance of VPNs. A design process is described that attempts to satisfy the goals of both customer and VPN service provider (VSP). A pruned topology graph and tailored search algorithm are derived from the characteristics of the desired VPN. Although the searching procedure is theoretically intractable, it is shown that the complexity can be mitigated by a multitude of factors. VServ is built over the Tempest, a network control framework that partitions network resources into VPNs. An IP implementation of the Tempest is presented. Resource revocation is a mechanism that the VSP can use to react to violations of service level agreements; a protocol is described to enable graceful adaptation in the control plane to resource revocation events.

7.
This article describes an emerging service for next-generation networks, layer 1 virtual private networks. L1VPNs allow customers desiring to connect multiple sites to be supported over a single shared layer 1 network. In the article we first describe the transport network's evolution and the shift in expectations of both service providers and customers. We provide an overview of the motivation for L1VPNs and examples of network usage. We follow by reviewing existing GMPLS mechanisms (addressing, discovery, and signaling) for realizing L1VPN functionality and identifying other work areas.

8.
The layer 1 virtual private network (L1VPN) technology supports multiple user networks over a common carrier transport network. Emerging L1VPN services allow: L1VPNs to be built over multiple carrier networks; L1VPNs to lease or trade resources with each other; and users to reconfigure an L1VPN topology, and add or remove bandwidth. The trend is to offer increased flexibility and provide management functions as close to users as possible, while maintaining proper resource access right control. In this article two aspects of the L1VPN service and management architectures are discussed: management of carrier network partitions for L1VPNs, and L1VPN management by users. We present the carrier network partitioning at the network element (NE) and L1VPN levels. As an example, a transaction language one (TL1) proxy is developed to achieve carrier network partitioning at the NE level. The TL1 proxy is implemented without any modifications to the existing NE management system. On top of the TL1 proxy, a Web services (WS)-based L1VPN management tool is implemented. Carriers use the tool to partition resources at the L1VPN level by assigning resources, together with the WS-based management services for the resources, to L1VPNs. L1VPN administrators use the tool to receive resource partitions from multiple carriers and partner L1VPNs. Further resource partitioning or regrouping can be conducted on the received resources, and leasing or trading resources with partner L1VPNs is supported. These services offer a potential business model for a physical network broker. After the L1VPN administrators compose the use scenarios of resources, and make the use scenarios available to the L1VPN end users as WS, the end users reconfigure the L1VPN without intervention from the administrator. The tool accomplishes L1VPN management by users.

9.
The emergence of broadband technologies such as ATM gives rise to new developments in the domain of virtual private networks (VPNs). In this paper, a target broadband VPN (B-VPN) service is proposed, which combines the cost savings of classic VPN services and the powerful features of private corporate networks (service integration, statistical multiplexing, etc.) enlarged by the use of ATM. To reach this B-VPN service, some architectural issues related to the network supporting the B-VPN service are discussed. The traffic implications of the possible architectural choices are then examined, and from this discussion some basic principles for a VPN architecture are drawn. Finally, target VPN architectures are proposed.

10.
Virtual private networks (VPNs) provide secure and reliable communication between customer sites. With the increase in number and size of VPNs, providers need efficient provisioning techniques that adapt to customer demand by leveraging a good understanding of VPN properties. In this paper, we analyze two important properties of VPNs that impact provisioning: (1) structure of customer endpoint (CE) interactions and (2) temporal characteristics of CE-CE traffic. We deduce these properties by computing traffic matrices from SNMP measurements. We find that existing traffic matrix estimation techniques are not readily applicable to the VPN scenario due to the scale of the problem and limited measurement information. We begin by formulating a scalable technique that makes the most out of existing measurement information and provides good estimates for common VPN structures. We then use this technique to analyze SNMP measurement information from a large IP VPN service provider. We find that even with limited measurement information (no per-VPN data for the core) we can estimate traffic matrices for a significant fraction of VPNs, namely, those constituting the "Hub-and-Spoke" category. In addition, the ability to infer the structure of VPNs holds special significance for provisioning tasks arising from topology changes, link failures and maintenance. We are able to provide a classification of VPNs by structure and identify CEs that act as hubs of communication and hence require prioritized treatment during restoration and provisioning.

11.
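IP VPN lets users build a secure, reliable, convenient and fast enterprise private network on top of an IP network, while saving the enterprise money. This paper introduces IP VPN technology from several angles: the concept and classification of IP VPN, the tunneling technologies used to build an IP VPN, and the security guarantees for data carried over the VPN.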

12.
Layer 3 virtual private networks (L3VPN) enable organizations to connect geographically dispersed sites to one another across the packet switched network of a service provider. The most popular form of L3VPN is based on BGP/MPLS (border gateway protocol/multiprotocol label switching) technology in which the service provider offers a network-based IP VPN routing and forwarding service to its customers across its own IPv4-based MPLS backbone network. With the deployment of IPv6-based backbone networks underway, there is an emerging requirement to support these same L3VPN services across a native IPv6 backbone network. This introduces a requirement to provide routing and tunneling of IPv6 VPN (and IPv4 VPN) packets across an IPv6 backbone network. Softwires is an Internet Engineering Task Force (IETF) Working Group chartered to address the requirement of providing a generalized, network-based, multi-address family, IP routing and tunneling capability across native IP backbone networks pursuant to IPv6 transitions. Elements of the softwires work can form the basis of an L3VPN over IPv6 solution. After providing a brief overview of how L3VPN works in various topologies, this article presents the requirements for L3VPN services over an IPv6 backbone network and discusses a possible solution set that builds over the softwire technology and related IETF standards. Finally, we outline future directions and how the softwire technology can support new services and improved scalability.

13.
Control Plane architectures enhance transport networks with distributed signaling and routing mechanisms which allow dynamic connection control. As a result, layer 1 switching networks enabled with a distributed control plane can support the provisioning of advanced connectivity services like Virtual Private Networks (VPNs). Such Layer 1 VPN (L1VPN) service allows multiple customer networks to share a single transport network in a cost-effective way. However, L1VPN deployment still faces many challenges. In this work, we are concerned with configuration management and interdomain provisioning of L1VPN services. We propose an L1VPN management architecture based on the Policy-Based Management (PBM) approach. First, we describe the architecture and how it allows a single service provider to support multiple L1VPNs while providing customers with some level of control over their respective service. Then we explain how the architecture was extended to support interdomain L1VPNs by using the Virtual Topology approach. We also discuss the prototype implementation and evaluation of the proposed architecture. Moreover, this work is a tentative note before raising a deeper discussion related to interdomain provisioning of L1VPN services and implications of a policy-based approach for L1VPN configuration management.

14.
15.
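Virtual Private Network (VPN) Technology   Total citations: 2, self-citations: 0, citations by others: 2
A virtual private network refers to the technology of establishing a dedicated data communication network within a public network, relying on ISPs (Internet service providers) and other NSPs (network service providers). In a virtual private network, the connection between any two nodes does not have the end-to-end physical link that a traditional private network requires; instead, it is formed dynamically from the resources of some public network. A VPN uses public network infrastructure and, through certain technical means, achieves secure data transmission similar to that of a private dedicated network.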

16.
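Interpretation of the National Standard "Security Protection of Cross-Network Communication Using Virtual Private Networks"   Total citations: 1, self-citations: 0, citations by others: 1
Introduces the concept of VPN and gives a detailed interpretation of the national standard "Security Protection of Inter-Network Communication Using Virtual Private Networks" that China is currently formulating. The standard summarizes the security objectives and security requirements of VPNs, as well as selection guidance and implementation guidance for secure VPNs. It is intended for technical and management personnel, and its guidance supports the selection and implementation of an appropriate virtual private network.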

17.
With the worldwide success of IP-MPLS [E. Rosen et al., Jan. 2001] networks deployment, inter-connecting multiple provider IP-MPLS networks for global reachability becomes the next important step. Many providers have implemented MPLS interprovider connections. In this article we first briefly describe the drivers behind the need of interprovider IP-MPLS services, such as layer 3 VPNs [E. Rosen and Y. Rekhter, Oct 2004], pseudowire emulation for transporting layer 2 traffic over IP-MPLS, VoIP, and others. We then discuss the general requirements for the interconnections, from end users' and service providers' perspectives, including security, scalability, manageability, QoS, and end-to-end SLAs. We then address the deployment options and challenges faced by service providers. Specifically, we discuss the following areas of interprovider service implementation: protocol implementation options for L3 VPN and their trade-offs, methods for guaranteeing consistent QoS across providers' boundaries, interprovider traffic engineering approaches, and operation challenges: from business to processes, from troubleshooting/monitoring to SLAs. By identifying the issues and challenges, our ultimate goal is to move toward the development of much needed common practices and procedures to assist in the establishment of interprovider IP-MPLS services.

18.
Service convergence using MPLS multiservice networks   Total citations: 2, self-citations: 0, citations by others: 2
Enterprises are increasingly using virtual private networks to interconnect remote sites. Traditionally, service providers have used ATM core networks to deliver layer 2 services such as frame relay, ATM, or TDM private lines, which enterprise customers have then used to build their corporate network infrastructure. Such services account for the majority of data service revenues today. However, pressure has increased on service providers to combine increased flexibility with reduced costs in the context of a highly dynamic telecommunications market. Service providers also need to generate new revenues from their IP network infrastructure, through new opportunities such as IP VPNs and virtual private LAN services, while simultaneously achieving operational efficiencies through the convergence of all of their services on a common MPLS backbone. New access and metro network technologies, such as Ethernet, are also emerging that can be used to deliver these new services to enterprise customers alongside ATM and frame relay access. This must be achieved while also supporting existing technologies such as ATM, which continue to deliver highly profitable services. This article discusses the technical challenges in meeting the often conflicting requirements of delivering both traditional layer 2 services and new layer 3 services on a converged MPLS network. We show how both network and service interworking are required, and how these must operate at the user, control, and management planes to enable profitable services to be delivered over the new converged network. The different solutions being defined in the standards bodies are described, and the distinct scenarios they address are explained.

19.
On demand network-wide VPN deployment in GPRS   Total citations: 1, self-citations: 0, citations by others: 1
Xenakis  C. Merakos  L. 《IEEE network》2002,16(6):28-37
Mobile Internet requires enhanced security services available to all mobile subscribers in a dynamic fashion. A network-wide virtual private network deployment scenario over the General Packet Radio Service is proposed and analyzed from a security viewpoint. The proposed security scheme improves the level of protection that is currently supported in GPRS and facilitates the realization of mobile Internet. It secures data transmission over the entire network route from a mobile user to a remote server by utilizing the default GPRS ciphering over the radio interface, and by deploying an IP VPN over the GPRS core, as well as on the public Internet. Thus, on-demand VPN services are made available for all GPRS network subscribers and roaming users. The VPN functionality, which is based on the IPsec framework, is outsourced to the network infrastructure to eliminate the potential computational overhead on the mobile device. The VPN initialization and key agreement procedures are based on an Internet Key Exchange protocol proxy scheme, which enables the mobile station to initiate VPN establishment, while shifting the complex key negotiation to the network infrastructure. The deployed VPN operates transparently to the mobile subscribers' movement. The required enhancements for security service provision can be integrated in the existing network infrastructure; therefore, the proposed security scheme can be employed as an add-on feature to the GPRS standard.

20.
Management of quality of service enabled VPNs   Total citations: 4, self-citations: 0, citations by others: 4
New emerging IP services based on differentiated services and the IP security architecture offer the level of communication support that corporate Internet applications need nowadays. However, these services add an additional degree of complexity to IP networks which will require sophisticated management support. The management of enhanced IP services for their customers is thus an emerging important task for Internet service providers. This article describes a potential management architecture service providers will need for that task, considering problems such as multiprovider services and service automation. We focus on a quality-enhanced virtual private network service which is particularly useful for corporate internetworking.
