Layer 1 virtual private networks: service concepts, architecture requirements, and related advances in standardization

This article describes service concepts, service requirements, and high-level network architecture requirements for layer 1 virtual private network service. It takes in consideration progress achieved in standardization, mainly inside ITU-T SG 13, which has been very active in this area.     

Layer 1 virtual private networks: driving forces and realization by GMPLS

This article describes an emerging service for next-generation networks, layer 1 virtual private networks. L1VPNs allow customers desiring to connect multiple sites to be supported over a single shared layer 1 network. In the article we first describe the transport network's evolution and the shift in expectations of both service providers and customers. We provide an overview of the motivation for L1VPNs and examples of network usage. We follow by reviewing existing GMPLS mechanisms (addressing, discovery, and signaling) for realizing L1VPN functionality and identifying other work areas.     

International virtual private networks: Background and tariff survey

Carriers have positioned their networks and dedicated databases to help deliver a service which looks and feels like leased lines but is, in reality, delivered over the public switched telephone network (PSTN).     

Scalability implications of virtual private networks

This article gives an overview of the most promising technologies for service providers to offer virtual private network services. The focus is on the analysis of the scalability implications of these virtual private network mechanisms on existing service provider backbone networks. Very often, when deploying VPN services, service providers will be confronted with a trade-off between scalability and security. VPNs that require site-to-site interconnectivity without strong (cryptographic) security can be deployed in a scalable way based on the network-based VPN model, as long as the interaction between the customer and provider routing dynamics are controlled. VPNs that require strong (end-to-end) cryptographic security should be deployed according to the CPE-based VPN model, using the available IPsec protocol suite     

Support for resource-assured and dynamic virtual private networks

This paper describes VServ, a prototype architecture for a virtual private network (VPN) service, which builds and manages VPNs on demand. It allows each VPN to have guaranteed resources and customized control, and supports a highly dynamic VPN service where creation and modification operations can take place on fast timescales. These features are contingent on the automated establishment and maintenance of VPNs. A design process is described that attempts to satisfy the goals of both customer and VPN service provider (VSP). A pruned topology graph and tailored search algorithm are derived from the characteristics of the desired VPN. Although the searching procedure is theoretically intractable, it is shown that the complexity can be mitigated by a multitude of factors, VServ is built over the Tempest, a network control framework that partitions network resources into VPNs. An IP implementation of the Tempest is presented. Resource revocation is a mechanism that the VSP can use to react to violations of service level agreements-a protocol is described to enable graceful adaptation in the control plane to resource revocation events     

Layer 1 virtual private network management by users

The layer 1 virtual private network (LlVPN) technology supports multiple user networks over a common carrier transport network. Emerging L1VPN services allow: L1VPNs to be built over multiple carrier networks; L1VPNs to lease or trade resources with each other; and users to reconfigure an L1VPN topology, and add or remove bandwidth. The trend is to offer increased flexibility and provide management functions as close to users as possible, while maintaining proper resource access right control. In this article two aspects of the L1VPN service and management architectures are discussed: management of carrier network partitions for L1VPNs, and L1VPN management by users. We present the carrier network partitioning at the network element (NE) and L1VPN levels. As an example, a transaction language one (TL1) proxy is developed to achieve carrier network partitioning at the NE level. The TL1 proxy is implemented without any modifications to the existing NE management system. On top of the TL1 proxy, a Web services (WS)-based L1VPN management tool is implemented. Carriers use the tool to partition resources at the L1VPN level by assigning resources, together with the WS-based management services for the resources, to L1VPNs. L1VPN administrators use the tool to receive resource partitions from multiple carriers and partner L1VPNs. Further resource partitioning or regrouping can be conducted on the received resources, and leasing or trading resources with partner LlVPNs is supported. These services offer a potential business model for a physical network broker. After the L1VPN administrators compose the use scenarios of resources, and make the use scenarios available to the L1VPN end users as WS, the end users reconfigure the L1VPN without intervention from the administrator. The tool accomplishes LlVPN management by users     

On the cost of virtual private networks

A virtual private network (VPN) is a private data network that uses a nonprivate data network to carry traffic between remote sites. An “Intranet VPN” establishes network layer connectivity between remote Intranet sites by creating an IP overlay network over the nonprivate network, using various tunneling mechanisms. There are two approaches for establishing such tunnels: a “CPE-based approach” and a “network-based approach.” In the first approach, tunnels are established only between the CPE devices, whereas in the second approach tunnels are also established between the routers of the core nonprivate network. In this paper we address the problem of determining a CPE-based and a network-based layout of VPN tunnels while taking into account two factors: the cost of the links over which the VPN tunnels are established and the cost of the core routers that serve as end points for the VPN. We define related graph algorithm problems, analyze their complexity, and present heuristics for solving these problems efficiently     

虚拟专网VPN技术

随着Internet的广泛应用，虚拟专用网（VPN）技术越来越受到IT界的关注，本文从VPN的概念开始，介绍了VPN的基本原理，主要技术，业务分类及其在Internet中的应用，最后分析了其发展现状及市场前景。     

Secure virtual private networks: the future of data communications

The Internet is an almost ideal means for information retrieval and exchange. It is cost‐effective, easy to use and easily accessible. However, it can also be susceptible to devious practices such as data tempering, eavesdropping and theft. This paper analyses secure virtual private networks (VPNs) and their use in countering the problems of the Internet. Copyright © 1999 John Wiley & Sons, Ltd.     

Cognitive functionality in next generation wireless networks: standardization efforts [cognitive radio communications]

This article discusses recent standardization efforts related to cognitive radio focusing on the work of IEEE Standards Coordinating Committee 41, formerly known as IEEE 1900. Some important tasks to be performed by the CR standardization community also are presented. These tasks will expedite the introduction of CR devices to the market while promoting a fair use of scarce radio resources. Some avenues for using the currently available standards for rapid deployment of CR devices, such as ISO standards, also are discussed.     

IP/ MPLS over WDM网中考虑QoS的VPN业务设计

本文研究了在IP／MPLS over WDM网络中支持不同QoS要求的VPN业务的逻辑拓扑设计问题。对于给定的网络物理拓扑和业务需求矩阵，本文提出，基于不同时延要求的VPN业务逻辑拓扑设计可以运用两种方法加以解决。一为基于迭代的线性规划方法，适合于规模较小的网络。另一个为启发式算法，可运用于网络规模较大的环境。对比仿真结果表明，启发式算法不但较好地解决了不同QoS要求的VPN业务的选路和波长分配问题，还较好地降低了链路的最大负载。     

Building identity-based security associations for provider-provisioned virtual private networks

Provider-provisioned virtual private networks are nowadays well-established networking concepts. They are envisaged as an extension of the basic VPN concept to securely network low-capacity nodes in large-scale personal networks, with the help of network providers. This article presents an adaptation of the Internet Key Exchange (IKEv2) protocol to the context of dynamic tunneling in personal networks. It relies on the providers’ infrastructure to build identity-based security associations. Results of a preliminary security analysis are also provided.     

Algorithms for provisioning virtual private networks in the hose model

Virtual private networks (VPNs) provide customers with predictable and secure network connections over a shared network. The recently proposed hose model for VPNs allows for greater flexibility since it permits traffic to and from a hose endpoint to be arbitrarily distributed to other endpoints. We develop novel algorithms for provisioning VPNs in the hose model. We connect VPN endpoints using a tree structure and our algorithms attempt to optimize the total bandwidth reserved on edges of the VPN tree. We show that even for the simple scenario in which network links are assumed to have infinite capacity, the general problem of computing the optimal VPN tree is NP-hard. Fortunately, for the special case when the ingress and egress bandwidths for each VPN endpoint are equal, we can devise an algorithm for computing the optimal tree whose time complexity is O(mn), where m and n are the number of links and nodes in the network, respectively. We present a novel integer programming formulation for the general VPN tree computation problem (that is, when ingress and egress bandwidths of VPN endpoints are arbitrary) and develop an algorithm that is based on the primal-dual method. Our experimental results with synthetic network graphs indicate that the VPN trees constructed by our proposed algorithms dramatically reduce bandwidth requirements (in many instances, by more than a factor of 2) compared to scenarios in which Steiner trees are employed to connect VPN endpoints.     

Implementation of multiple secure virtual private networks over passive optical networks using electronic CDMA

An optical layer solution for implementing multiple secure virtual private networks (VPNs) over a passive optical network (PON) using electronic code-division multiple access is proposed. The multiple virtual private networking capability is experimentally demonstrated with 40-Mb/s data multiplexed with a 640-Mb/s electronic code that is unique to each of the VPNs in the PON, and the transmission of the electronically coded data is carried out using Fabry-Pe/spl acute/rot laser diodes. Experimental results show that this technique can potentially support high data rate traffic while imposing minimal penalty resulting from optical beat interference.     

WDM-PON中基于AWG的新型OVPN研究

在波分复用无源光网络(WDM-PON)中,提出了一种基于阵列波导光栅(AWG)的新型光虚拟专用网(OVPN)。OVPN采用环形结构,在不同光网络单元(ONU)之间使用波长通道直接通信,不仅保证了ONU之间通信的安全性,而且提高了网络生存性。分别从光功率损耗和系统误码率(BER)进行了数值分析,结果表明,本文结构不仅增加了通信的安全性,而且仅使用4个波长就能实现16个ONU的相互联接,从而节省了波长资源,且具有很强的抗串扰能力。     

An optimal dynamic resources partitioning auction model for virtual private networks

In this paper, we consider the problem of optimizing the Internet Service Provider (ISP) profit by providing a periodic Dynamic Partitioning (DP) model for utilizing network resources in the context of Virtual Private Networks (VPN). In literature, Complete Sharing (CS), Complete Partitioning (CP), and Bandwidth Borrowing (BR) techniques have been proposed for resource allocation where the following limitations can be noticed: VPN operators can exaggerate about their required resources, resources might be underutilized, and optimal bandwidth utilization is not guaranteed. To overcome the above limitations, we propose to dynamically partition the resources over different QoS classes through periodic auctions that can reduce the reasoning of exaggeration and maximize the ISP profit. Thus, we formulate our problem based on the Integer Linear Programming (ILP) that allows us to maximize the ISP profit and provides the optimal: (1) set of profitable VPN connections, (2) bandwidth division of each network link among QoS classes, and (3) routing scheme for the accepted demand. Furthermore, the proposed ILP model allows us to study the sensitivity of the ISP profit to a targeted revenue objective.     

3G技术演进及标准化进展

介绍世界两大移动通信标准组织3GPP和3GPP2研究3G技术演进工作的情况,着重说明3G演进的需求和关键技术.     

Object-oriented specification of a bandwidth management system for ATM-based virtual private networks

This paper describes the specification of a bandwidth management system for ATM-based virtual private networks (vpn). Such a system allows a vpn customer to dynamically modify the bandwidth allocated to vpn connections. The analysis process focuses on the service management information model and interfaces required to provide that service to the customer. The specification work is performed according to a second generation object-oriented development method called Fusion. The vpn service and management architectures as well as the different actors involved are also described in detail.