The Internet Encyclopedia (Volume 3)



VIRTUAL PRIVATE NETWORKS: INTERNET PROTOCOL (IP) BASED

Figure 10: PE-based L3 VPN with virtual routers with tunnels per VPN. (Diagram labels: PE, P, CE A, CE B, CE C, Virtual Router Instances, Per VPN Tunnels.)

DESIGN CONSIDERATIONS AND EXAMPLE OF VIRTUAL PRIVATE NETWORKS
This section summarizes some important considerations
when choosing a VPN approach and gives an example of
a CE-based IPsec VPN used for electronic commerce.

Considerations When Choosing a Virtual Private Networks Approach
Establishing a set of goals and establishing a plan to meet them is critical to success in most human endeavors, and virtual private networking is no exception (McDysan, 2000). The steps here are similar to those of any large-scale project. First, researching requirements, drivers, and needs is necessary to establish goals. Next, developing several candidate designs and analyzing them in the harsh light of commercial business reality is a crucial step. A VPN may not be right for the enterprise under consideration at this time, and timing is important. Finally, a decision to implement a new type of VPN or to migrate existing private network applications to a VPN is but the first step of many. Detailed planning and a well-thought-out migration strategy are essential for an enterprise to achieve the goals identified in the first step above.

A number of enterprises have already implemented VPNs of the types described in this chapter. A good starting point is to look at an enterprise that is similar to yours in some way and to read case studies, papers, and books about what worked and what did not. However, be aware that the needs of each enterprise are unique, and therefore basing a decision upon another’s experiences, while helpful, cannot guarantee that goals will be met.

An important area of requirements research is analyses of potential security threats and essential performance metrics. Formulating a threat model and considering what would happen if important information were stolen, made public, or corrupted is an essential step. Determining the performance required by applications is also important. Consider what would happen if a site were disconnected for a long period of time. Assess what the impact of network congestion would be. Discriminate between what would be nice to have and what is absolutely necessary in the way of performance—this can make quite a difference in qualifying network designs and their eventual cost.

Although a generic framework may not apply to all enterprises, there are some helpful points to consider when categorizing types of requirements. One way to analyze VPN requirements is to consider the community of interest and the access methods: cost-effective remote and mobile user access; an infrastructure for intranets that keeps resources secure within a single enterprise; and an infrastructure for extranets for controlling resource sharing between two or more enterprises.

The economic crossover point regarding enterprise dial-in versus ISP-provided access services centers around the number of users that require dial-in access and the type as well as the amount of activity these users conduct. In general, a remote user population that generates bursty activity during relatively long duration sessions is a good candidate for ISP access. As described earlier, most VPN techniques differ in the degree of traffic separation and control that an enterprise can have in an intranet context. On the other hand, if a driving requirement for the enterprise is extranet connectivity, then an IPsec-based solution is one of the few choices available (for more information, see VPN Consortium, 2003).

Because this is such an important case in the world of electronic commerce, we now look at an example where a few large enterprises worked with a number of small-to-medium-size enterprises to create a successful model for extranet deployment.