New Architecture and Algorithms for Fast Construction of Hose-Model VPNs

Hose-model virtual private networks (VPNs) provide customers with more flexibility in specifying bandwidth requirements than pipe-model VPNs. Many hose-model VPN provisioning algorithms have been proposed, and they focus on the bandwidth efficiency in the construction of a single hose-model VPN. In practice, however, VPNs come and go and the dynamics will affect the performance of these VPN provisioning algorithms. If the frequency of adding and deleting VPNs is high, these algorithms will have a scalability problem. We propose in this paper a new network architecture for dynamic VPN construction. In the proposed architecture, adding a new VPN is much simpler and faster, and all that is required is to check if the edge routers have enough bandwidth. There is no need to check the bandwidth left on each internal link because the architecture guarantees that as long as the edge routers have enough capacities to accept the VPN, the internal links will never experience overflow caused by adding the new VPN. We present a linear programming formulation for finding the optimal routing that maximizes the amount of admissible VPN traffic in the network. We then exploit the underlying network flow structure and convert the linear programming problem into a subgradient iterative search problem. The resulting solution is significantly faster than the linear programming approach.     

Algorithms for provisioning virtual private networks in the hose model

Virtual private networks (VPNs) provide customers with predictable and secure network connections over a shared network. The recently proposed hose model for VPNs allows for greater flexibility since it permits traffic to and from a hose endpoint to be arbitrarily distributed to other endpoints. We develop novel algorithms for provisioning VPNs in the hose model. We connect VPN endpoints using a tree structure and our algorithms attempt to optimize the total bandwidth reserved on edges of the VPN tree. We show that even for the simple scenario in which network links are assumed to have infinite capacity, the general problem of computing the optimal VPN tree is NP-hard. Fortunately, for the special case when the ingress and egress bandwidths for each VPN endpoint are equal, we can devise an algorithm for computing the optimal tree whose time complexity is O(mn), where m and n are the number of links and nodes in the network, respectively. We present a novel integer programming formulation for the general VPN tree computation problem (that is, when ingress and egress bandwidths of VPN endpoints are arbitrary) and develop an algorithm that is based on the primal-dual method. Our experimental results with synthetic network graphs indicate that the VPN trees constructed by our proposed algorithms dramatically reduce bandwidth requirements (in many instances, by more than a factor of 2) compared to scenarios in which Steiner trees are employed to connect VPN endpoints.     

An Overview of Virtual Private Network (VPN): IP VPN and Optical VPN

Recently, there has been rapid development and deployment of virtual private network (VPN) services. There are wide varieties of IP-based VPNs and optical VPNs (OVPNs) proposed in the literature and readers could easily get confused with so many different types of VPNs. The purpose of this paper is to present a comprehensive overview of the VPN and discuss the main issues associated with the design of IP VPN and OVPN. We first present a classification of the VPNs including CE-based, network based, customers provisioned, provider provisioned, connection oriented, connectionless oriented, port based, connection based, layer 1 VPN, layer 2 VPN, and layer 3 VPN, and describe different VPN protocols such as IPSec, GRE and MPLS. We then review the recent work on OVPN by different standard bodies, and outline the key requirements for OVPN service providers and customers. Finally, we describe several OVPN architectures appeared in the literature, highlight the future work in OVPN.     

Virtual Topology Design and Reconfiguration of Virtual Private Networks (VPNs) over All-Optical WDM Networks

This paper studies the virtual topology design and reconfiguration problem of virtual private networks (VPNs) over all-optical WDM networks. To support VPN service, a set of lightpaths must be established over the underlying WDM network to meet the VPN traffic demands and this set of lightpaths must also be dynamically reconfigurable in response to changing VPN traffic. To achieve good network performance and meet the service requirements of optical virtual private networks (oVPNs), we formulate the problem as an integer programming problem with multi-objectives and present a general formulation of the problem. In the formulation, we take into account the average propagation delay over a lightpath, the maximum link load, and the reconfiguration cost with objectives to minimize the three metrics simultaneously. The formulated problem is NP-hard and is therefore not practical to have exact solutions. For this reason, we use heuristics to obtain approximate optimal solutions and propose a balanced alternate routing algorithm (BARA) based on a genetic algorithm. To make the problem computationally tractable, we approximately divide BARA into two independent stages: route computing and path routing. At the route computing stage, a set of alternate routes is computed for each pair of source and destination nodes in the physical topology. At the path routing stage, an optimal route is decided from a set of alternative routes for each of the lightpaths between a pair of source and destination nodes. A decision is subject to the constraints and objectives in the formulation. To improve the computational efficiency, we use a genetic algorithm in BARA. Through simulation experiments, we show the effectiveness of BARA and the evolution process of the best solution in a population of solutions produced by the genetic algorithm. We also investigate the impact of the number of alternative routes between each pair of source and destination nodes on the optimized solutions.     

Algebra and algorithms for QoS path computation and hop-by-hop routing in the Internet

Prompted by the advent of quality-of-service routing in the Internet, we investigate the properties that path weight functions must have so that hop-by-hop routing is possible and optimal paths can be computed with a generalization of E.W. Dijkstra's algorithm (see Numer. Math., vol.1, p.269-71, 1959). We define an algebra of weights which contains a binary operation, for the composition of link weights into path weights, and an order relation. Isotonicity is the key property of the algebra. It states that the order relation between the weights of any two paths is preserved if both of them are either prefixed or appended by a common, third, path. We show that isotonicity is both necessary and sufficient for a generalized Dijkstra's algorithm to yield optimal paths. Likewise, isotonicity is also both necessary and sufficient for hop-by-hop routing. However, without strict isotonicity, hop-by-hop routing based on optimal paths may produce routing loops. They are prevented if every node computes what we call lexicographic-optimal paths. These paths can be computed with an enhanced Dijkstra's algorithm that has the same complexity as the standard one. Our findings are extended to multipath routing as well. As special cases of the general approach, we conclude that shortest-widest paths can neither be computed with a generalized Dijkstra's algorithm nor can packets be routed hop-by-hop over those paths. In addition, loop-free hop-by-hop routing over widest and widest-shortest paths requires each node to compute lexicographic-optimal paths, in general.     

Routing Optimization in IP Networks Utilizing Additive and Concave Link Metrics

Routing optimization provides network operators with a powerful method for traffic engineering. Its general objective is to distribute traffic flows evenly across available network resources in order to avoid network congestion and quality of service degradation. In this paper we consider routing optimization based on conventional routing protocols where packets are forwarded hop-by-hop in a destination-based manner. Unlike other work in this area, we consider routing protocols, which are able to take into account concave routing metrics in addition to additive ones. The concave link metric introduces an additional degree of freedom for routing optimization, thus, increasing its optimization potential. We present and evaluate a mixed-integer programming model, which works on these metrics. This model unifies the optimization for single-metric and dual-metric routing concepts and also includes the consideration of multipath routing. Furthermore, we propose a heuristic algorithm usable for larger network instances. Numerical results indicate that employment of both the dual-metric concept and multipath routing can achieve considerably better utilization results than default-configured single-metric routing. A significant finding is that metric-based routing optimization with two link metrics often comes close to the results obtainable by optimization of arbitrarily configurable routing.     

Selective survivability with disjoint nodes and disjoint lightpaths for layer 1 VPN

This paper deals with the problem of survivable routing and wavelength assignment in layer 1 virtual private networks (VPNs). The main idea is routing the selected lightpaths by the layer 1 VPN customer, in a link-disjoint manner. The customer may freely identify some sites or some connections, and have their related lightpaths routed through link-disjoint paths through the provider’s network. This selective survivability idea creates a new perspective for survivable routing, by giving the customer the flexibility of selecting important elements (nodes or connections) in its network. This study is different from previous studies which aim to solve the survivable routing problem for the whole VPN topology. The proposed scheme is two-fold: disjoint node based, and disjoint lightpath based. In disjoint node scheme, all lightpaths incident to a node are routed mutually through link-disjoint paths. In disjoint lightpath scheme, a lightpath is routed in a link-disjoint manner from all other ligthpaths of the VPN. We present a simple heuristic algorithm for selective survivability routing. We study the performance of this algorithm in terms of resources allocated by the selective survivability routing scheme compared to shortest path routing with no survivability. The numerical examples show that the amount of used resources by the selective survivability scheme is only slightly more than the amount used in shortest path routing, and this increase is linear. The extra resources used by the new scheme are justified by better survivability of the VPN topology in case of physical link failures, and the simplicity of the implementation.     

Measurement-Based Characterization of IP VPNs

Virtual private networks (VPNs) provide secure and reliable communication between customer sites. With the increase in number and size of VPNs, providers need efficient provisioning techniques that adapt to customer demand by leveraging a good understanding of VPN properties. In this paper, we analyze two important properties of VPNs that impact provisioning: (1) structure of customer endpoint (CE) interactions and (2) temporal characteristics of CE-CE traffic. We deduce these properties by computing traffic matrices from SNMP measurements. We find that existing traffic matrix estimation techniques are not readily applicable to the VPN scenario due to the scale of the problem and limited measurement information. We begin by formulating a scalable technique that makes the most out of existing measurement information and provides good estimates for common VPN structures. We then use this technique to analyze SNMP measurement information from a large IP VPN service provider. We find that even with limited measurement information (no per-VPN data for the core) we can estimate traffic matrices for a significant fraction of VPNs, namely, those constituting the ldquoHub-and-Spokerdquo category. In addition, the ability to infer the structure of VPNs holds special significance for provisioning tasks arising from topology changes, link failures and maintenance. We are able to provide a classification of VPNs by structure and identify CEs that act as hubs of communication and hence require prioritized treatment during restoration and provisioning.     

Resource Management for Virtual Private Networks

Virtual private networks (VPNs) have rapidly emerged as a leading solution for multi-site enterprise communication needs. Provider-managed solutions modeled on RFC 2547 serve as a popular choice for layer 3 VPNs, and the hose model has emerged as a common and simple service specification. It offers a hose of a certain contracted bandwidth to customers. With the growth in size and number of VPNs and the uncertainties in the traffic patterns of customers, providers are faced with new challenges in efficient provisioning and capacity planning for these networks and satisfying customer service level agreements (SLA). We suggest that a set of techniques can be used to help the provider build an adaptively provisioned network. These techniques involve continually processing measurement information, building inferences regarding VPN characteristics, and leveraging them for adaptive resource provisioning. We developed scalable techniques to infer VPN characteristics that are important for provisioning tasks. We demonstrated the feasibility of such provisioning techniques with existing measurement obtained using SNMP infrastructure from a large IP/VPN service provider. Our examination of measurement data yielded interesting new insights into VPN structure and properties. Building on our experience with analyzing VPN characteristics, we articulate an adaptive provisioning architecture that enables providers to effectively deal with the dynamic nature of customer traffic     

Scalability implications of virtual private networks

This article gives an overview of the most promising technologies for service providers to offer virtual private network services. The focus is on the analysis of the scalability implications of these virtual private network mechanisms on existing service provider backbone networks. Very often, when deploying VPN services, service providers will be confronted with a trade-off between scalability and security. VPNs that require site-to-site interconnectivity without strong (cryptographic) security can be deployed in a scalable way based on the network-based VPN model, as long as the interaction between the customer and provider routing dynamics are controlled. VPNs that require strong (end-to-end) cryptographic security should be deployed according to the CPE-based VPN model, using the available IPsec protocol suite     

Managing Layer 1 VPN services

Control Plane architectures enhance transport networks with distributed signaling and routing mechanisms which allow dynamic connection control. As a result, layer 1 switching networks enabled with a distributed control plane can support the provisioning of advanced connectivity services like Virtual Private Networks (VPNs). Such Layer 1 VPN (L1VPN) service allows multiple customer networks to share a single transport network in a cost-effective way. However, L1VPN deployment still faces many challenges.In this work, we are concerned on configuration management and interdomain provisioning of L1VPN services. We propose an L1VPN management architecture based on the Policy-Based Management (PBM) approach. First, we describe the architecture and how it allows a single service provider to support multiple L1VPNs while providing customers with some level of control over their respective service. Then we explain how the architecture was extended to support interdomain L1VPNs by using the Virtual Topology approach. We also discuss the prototype implementation and evaluation of the proposed architecture. Moreover, this work is a tentative note before raising a more deep discussion related to interdomain provisioning of L1VPN services and implications of a policy-based approach for L1VPN configuration management.     

Load balance in hierarchical routing network

In this article, the problem of load balance in hierarchical routing network is studied. Since conventional shortest path first (SPF) algorithm over aggregated topology in hierarchical routing network may result in worse routing performance, a traffic sharing path selection algorithm and a variable weight scheme are put forward for hierarchical routing network, which can equilibrate the utilities of link resources and reduce the blocking probability of connections with the improvement on survivability. Simulations are conducted to evaluate proposed variable weight and traffics balance (VWTB) algorithm, which combines traffic sharing and variable weight. From the simulation results, it can be found that the proposed VWTB algorithm can balance the traffics and equilibrate the utilities of link resources significantly.     

CATZ: Time-Zone-Aware Bandwidth Allocation in Layer 1 VPNs

The layer 1 virtual private network framework has emerged from the need to enable the dynamic coexistence of multiple circuit-switched client networks over a common physical network infrastructure. Such a VPN could be set up for an enterprise with offices across a wide geographical area (e.g., around the world or by a global ISP). Additionally, emerging IP over optical WDM technologies let IP traffic be carried directly over the optical WDM layer. Thus, different VPNs can share a common optical WDM core, and may demand different amounts of bandwidth at different time periods. This type of operation would require dynamic and reconfigurable allocation of bandwidth. This article evaluates the state of the art in layer 1 VPNs in the context of globally deployable optical networks and cost-efficient dynamic bandwidth usage. While exploiting the dynamism of IP traffic in a global network in which the nodes are located in different time zones, we study different bandwidth allocation methods for setting up a worldwide layer 1 VPN. We propose and investigate the characteristics of a cost-efficient bandwidth provisioning and reconfiguration algorithm, called capacity allocation using time zones (CATZ)     

Support for resource-assured and dynamic virtual private networks

This paper describes VServ, a prototype architecture for a virtual private network (VPN) service, which builds and manages VPNs on demand. It allows each VPN to have guaranteed resources and customized control, and supports a highly dynamic VPN service where creation and modification operations can take place on fast timescales. These features are contingent on the automated establishment and maintenance of VPNs. A design process is described that attempts to satisfy the goals of both customer and VPN service provider (VSP). A pruned topology graph and tailored search algorithm are derived from the characteristics of the desired VPN. Although the searching procedure is theoretically intractable, it is shown that the complexity can be mitigated by a multitude of factors, VServ is built over the Tempest, a network control framework that partitions network resources into VPNs. An IP implementation of the Tempest is presented. Resource revocation is a mechanism that the VSP can use to react to violations of service level agreements-a protocol is described to enable graceful adaptation in the control plane to resource revocation events     

Configuring Traffic Grooming VPλNs

A VPN is an optical virtual private network (oVPN) built of wavelength paths within a multihop wavelength routing (WR) dense wavelength division multiplexing (DWDM) network. An efficient and general graph-theoretic model (the wavelength-graph (WG)) has been proposed along with an integer linear programming (ILP) formulation of setting up VPNs with given traffic requirements over a given WR-DWDM network with two protection scenarios. Here, we have exploited the advantages of traffic grooming, i.e., numerous traffic streams of a VPN can share a wavelength path. We have also generalized the model for setting up VPNs over a WR-DWDM system where multiple VPNs can share a single wavelength path. The objective of the optimization is in all cases to reduce resource usage at upper (electrical) layers (i.e., to reduce the load of the virtual routers), subject to constrained amount of capacity of each wavelength channel and limited number of wavelengths. Here, we propose and compare three basic methods for configuring oVPNs and investigate various parameter settings.     

Optimal backpressure routing for wireless networks with multi-receiver diversity

We consider the problem of optimal scheduling and routing in an ad-hoc wireless network with multiple traffic streams and time varying channel reliability. Each packet transmission can be overheard by a subset of receiver nodes, with a transmission success probability that may vary from receiver to receiver and may also vary with time. We develop a simple backpressure routing algorithm that maximizes network throughput and expends an average power that can be pushed arbitrarily close to the minimum average power required for network stability, with a corresponding tradeoff in network delay. When channels are orthogonal, the algorithm can be implemented in a distributed manner using only local link error probability information, and supports a “blind transmission” mode (where error probabilities are not required) in special cases when the power metric is neglected and when there is only a single destination for all traffic streams. For networks with general inter-channel interference, we present a distributed algorithm with constant-factor optimality guarantees.     

Layer 1 virtual private network management by users

The layer 1 virtual private network (LlVPN) technology supports multiple user networks over a common carrier transport network. Emerging L1VPN services allow: L1VPNs to be built over multiple carrier networks; L1VPNs to lease or trade resources with each other; and users to reconfigure an L1VPN topology, and add or remove bandwidth. The trend is to offer increased flexibility and provide management functions as close to users as possible, while maintaining proper resource access right control. In this article two aspects of the L1VPN service and management architectures are discussed: management of carrier network partitions for L1VPNs, and L1VPN management by users. We present the carrier network partitioning at the network element (NE) and L1VPN levels. As an example, a transaction language one (TL1) proxy is developed to achieve carrier network partitioning at the NE level. The TL1 proxy is implemented without any modifications to the existing NE management system. On top of the TL1 proxy, a Web services (WS)-based L1VPN management tool is implemented. Carriers use the tool to partition resources at the L1VPN level by assigning resources, together with the WS-based management services for the resources, to L1VPNs. L1VPN administrators use the tool to receive resource partitions from multiple carriers and partner L1VPNs. Further resource partitioning or regrouping can be conducted on the received resources, and leasing or trading resources with partner LlVPNs is supported. These services offer a potential business model for a physical network broker. After the L1VPN administrators compose the use scenarios of resources, and make the use scenarios available to the L1VPN end users as WS, the end users reconfigure the L1VPN without intervention from the administrator. The tool accomplishes LlVPN management by users     

Multiple Routing Configurations for Fast IP Network Recovery

As the Internet takes an increasingly central role in our communications infrastructure, the slow convergence of routing protocols after a network failure becomes a growing problem. To assure fast recovery from link and node failures in IP networks, we present a new recovery scheme called Multiple Routing Configurations (MRC). Our proposed scheme guarantees recovery in all single failure scenarios, using a single mechanism to handle both link and node failures, and without knowing the root cause of the failure. MRC is strictly connectionless, and assumes only destination based hop-by-hop forwarding. MRC is based on keeping additional routing information in the routers, and allows packet forwarding to continue on an alternative output link immediately after the detection of a failure. It can be implemented with only minor changes to existing solutions. In this paper we present MRC, and analyze its performance with respect to scalability, backup path lengths, and load distribution after a failure. We also show how an estimate of the traffic demands in the network can be used to improve the distribution of the recovered traffic, and thus reduce the chances of congestion when MRC is used.     

M_CSPF: A Scalable CSPF Routing Scheme with Multiple QoS Constraints for MPLS Traffic Engineering

In the context of multi‐protocol label switching (MPLS) traffic engineering, this paper proposes a scalable constraint‐based shortest path first (CSPF) routing algorithm with multiple QoS metrics. This algorithm, called the multiple constraint‐based shortest path first (M_CSPF) algorithm, provides an optimal route for setting up a label switched path (LSP) that meets bandwidth and end‐to‐end delay constraints. In order to maximize the LSP accommodation probability, we propose a link weight computation algorithm to assign the link weight while taking into account the future traffic load and link interference and adopting the concept of a critical link from the minimum interference routing algorithm. In addition, we propose a bounded order assignment algorithm (BOAA) that assigns the appropriate order to the node and link, taking into account the delay constraint and hop count. In particular, BOAA is designed to achieve fast LSP route computation by pruning any portion of the network topology that exceeds the end‐to‐end delay constraint in the process of traversing the network topology. To clarify the M_CSPF and the existing CSPF routing algorithms, this paper evaluates them from the perspectives of network resource utilization efficiency, end‐to‐end quality, LSP rejection probability, and LSP route computation performance under various network topologies and conditions.     

IP/ MPLS over WDM网中考虑QoS的VPN业务设计

本文研究了在IP／MPLS over WDM网络中支持不同QoS要求的VPN业务的逻辑拓扑设计问题。对于给定的网络物理拓扑和业务需求矩阵，本文提出，基于不同时延要求的VPN业务逻辑拓扑设计可以运用两种方法加以解决。一为基于迭代的线性规划方法，适合于规模较小的网络。另一个为启发式算法，可运用于网络规模较大的环境。对比仿真结果表明，启发式算法不但较好地解决了不同QoS要求的VPN业务的选路和波长分配问题，还较好地降低了链路的最大负载。