P1: IXL Virtual Private WL040/Bidgolio-Vol I WL040-Sample.cls August 14, 2003 17:53 Char Count= 0
INTRODUCTION TO IP-BASED VIRTUAL PRIVATE NETWORKS 581
Braden, Clark, & Shenker, 1994) that uses the resource reservation protocol (RSVP) (RFC 2210, Wroclawski, 1997). Intserv/RSVP allows a host to request one of several levels of QoS at a specified level of capacity for a flow of packets specified by the IP address, transport protocol port numbers, and/or protocol type. The RSVP messages normally follow the same hop-by-hop routed path as other packets, and if the reservation is successful, then the network provides the requested QoS for the level of capacity reserved. However, because RSVP signaling occurs per individual flow, there is a significant scalability issue in a provider's backbone network due to the signaling load for a large number of flows. For this reason, Intserv/RSVP is not supported in service provider networks and has seen only limited use in enterprise networks.
In response to these issues, the IETF defined another approach, which addresses the scalability issues of Intserv/RSVP by treating only aggregates of flows using a convention called differentiated services (Diffserv) (RFC 2475, Blake et al., 1998). Diffserv redefines the type-of-service (TOS) byte in the IP packet header in terms of a small number of Diffserv code points (DSCPs), which indicate the type of QoS the packet should receive. Capacity reservation at the individual flow level of Intserv/RSVP is avoided altogether and replaced by classification and traffic conditioning (e.g., policing) performed only at the edge of a DiffServ domain, for example a customer network or a provider network. Furthermore, because Diffserv operates only on fields within the IP packet header, it can coexist with IP security protocols, whereas Intserv/RSVP may not, because it may rely on higher-layer protocol fields (e.g., transport protocol port numbers) to identify an individual flow.
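As an added example (not from the chapter), the contrast above in a small Python model: a Diffserv classifier that reads only the DSCP bits of the IP header, an Intserv-style classifier that needs the transport ports, and the edge conditioning (remarking an untrusted DSCP) the text mentions. The packets, addresses, SPI and function names are constructed assumptions.

```python
import struct

IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_ESP = 50
DSCP_EF = 46  # Expedited Forwarding code point

def build_ipv4(tos: int, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) with constructed addresses."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload),
                      0, 0, 64, proto, 0, src, dst)
    return hdr + payload

def dscp_of(pkt: bytes) -> int:
    """Diffserv classification: the DSCP is the upper six bits of the old TOS byte."""
    return pkt[1] >> 2

def intserv_flow_key(pkt: bytes):
    """Intserv/RSVP-style flow identification from addresses, protocol and ports.
    Returns None when the transport ports are not visible, as with an ESP payload."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    if proto not in (IPPROTO_TCP, IPPROTO_UDP):
        return None
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return (pkt[12:16], pkt[16:20], proto, sport, dport)

def condition_at_edge(pkt: bytes, allowed_dscps: set) -> bytes:
    """Edge traffic conditioning: keep a DSCP only if the traffic contract allows it,
    otherwise remark to best effort (0) while preserving the two ECN bits."""
    if dscp_of(pkt) in allowed_dscps:
        return pkt
    tos = pkt[1] & 0x03
    return pkt[:1] + bytes([tos]) + pkt[2:]

# Constructed sample packets: a TCP segment and an IPsec ESP packet, both marked EF.
TCP_PKT = build_ipv4(DSCP_EF << 2, IPPROTO_TCP,
                     struct.pack("!HH", 5060, 443) + b"\x00" * 16)
ESP_PKT = build_ipv4(DSCP_EF << 2, IPPROTO_ESP,
                     struct.pack("!II", 0x1234, 1) + b"\xaa" * 16)

if __name__ == "__main__":
    for name, pkt in (("TCP", TCP_PKT), ("ESP", ESP_PKT)):
        print(name, "DSCP:", dscp_of(pkt), "flow key:", intserv_flow_key(pkt))
    print("ESP after edge remarking, DSCP:", dscp_of(condition_at_edge(ESP_PKT, {0})))
```

The DSCP classifier treats the encrypted ESP packet exactly like the TCP one, while the port-based flow key cannot be built for it.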
Most backbone IP networks will likely use DiffServ, possibly using a so-called bandwidth broker, which incorporates policy server functions and also deals with customer traffic contracts and network resource allocation. A bandwidth broker maps service level specifications to concrete configurations of edge routers of a DiffServ domain. However, Intserv/RSVP or next-generation reservation signaling protocols still might have a role to play in signaling reservations in enterprise networks and at the edge of a service provider network, especially for such applications as digital audio and video, which would benefit from reservations for relatively long-lived, high-bandwidth flows (Braun, 2001).

Introduction to Virtual Private Networks Technologies
A VPN attempts to draw from the best of both the public and the private networking worlds. Such a network is private in the sense that the data an enterprise transfers over the VPN is separated and/or secure from that of other enterprises or the public. It is virtual in the sense that the underlying public infrastructure is partitioned to have some level of service for each enterprise. A VPN is communication between a set of sites making use of a shared network infrastructure, in contrast to a private network, which has dedicated facilities connecting the set of sites in an enterprise. To a great extent, the intent is that the logical structure of the VPN, such as topology, addressing, connectivity, reachability, and access control, is equivalent to part or all of a conventional private network.
A good VPN has the low-cost structure of a ubiquitous public network but retains the capacity guarantees, quality, control, and security of a private network. How can a network design achieve these apparently contradictory goals? The answer lies in software-defined networking technology, sophisticated communications protocols, and good old-fashioned capitalism.
FR, ATM, multiprotocol label switching (MPLS), and the Ethernet are all forms of layer 2 (L2) label-switching protocols (McDysan, 2000). A label is the header field of a packet, frame, or cell. Labels are unique only to an interface on a device, such as enterprise user equipment or a network switch. Figure 1 illustrates a simple example of the operation of a simple two-port label switch. A label switch uses the label header from the packet received on an interface (left side of figure) as an index into a lookup table in the column marked "In," which identifies a specific row. From this row, the lookup table returns the outgoing label from the column marked "Out" and the outgoing physical interface from the column marked "Port."

Figure 1: Illustration of layer 2 label switching. The figure shows a label switch with interfaces Port 1 and Port 2, labeled packets on its links (A, D, B, A, F, D, C), and the two lookup tables recovered from the extracted text:

Lookup table 1
In  Out  Port
A   C    2
B   A    1
C   E    1
D   F    1

Lookup table 2
In  Out  Port
A   B    1
B   D    2
C   -    -
D   A    1