[PDF version]

IP VPN

1 Overview

The traditional private network links together the multiple sites of an organisation with dedicated private circuits. In general it was a solution that only the biggest and richest corporations could afford. A virtual private network (VPN) offers a cheaper solution by providing the equivalent of private circuits using links over the public Internet or an operator’s own network. The VPN uses security features to protect each customer’s traffic so that multiple customers can share the same physical circuit or communicate securely over the Internet. Voice and data are usually carried on separate networks.

The IP VPN takes this development a step further. Bringing all traffic into Internet Protocol (IP) format makes it easier to carry both data and voice on a single network. With an IP VPN, organisations can support data networking and voice over IP (VoIP) applications. They can do this on the same network and therefore cut costs and simplify their network management requirements. The low cost and flexibility of IP means that new sites can be added to the network quickly and easily.

IP-VPNs are increasingly becoming the default networking option for enterprises. Service providers are seeking to differentiate themselves not just in terms of price, but also in terms of network support, including support for a range of applications.

As broadband access becomes more ubiquitous, IP-VPNs are bringing the benefits of networking to smaller businesses and to smaller sites for all businesses, such as teleworkers’ homes. IP VPNs and the hosting services that many providers offer can give businesses a disaster recovery/business continuity capability.

Key issues

1. Overall networking revenue will grow relatively slowly. Whilst IP-VPNs are becoming more widespread in all regions worldwide, they are typically lower cost than the older technologies that they are replacing. So revenue growth will be relatively modest.

2. Mobile access to corporate network. The success of the Blackberry and other mobile email devices means that workers expect to be able to access corporate networks over a wireless connection. This brings some additional security challenges for network managers.

3. More outsourcing of some or all network services. For example, some organisations may choose to operate their own IP VPN but employ someone else to run a VoIP or conferencing service over that network. This approach can make costs more predictable and ensures organisations benefit from expertise in non-traditional areas such as VoIP, especially during planning and set-up.

4. The introduction of VoIP as part of business applications such as customer relationship management (CRM) suites. Even organisations that have not formally deployed VoIP may have to accommodate IP voice in their VPNs. IP VPNs will simplify the gradual transition to full VoIP in the enterprise.

New profile content

This profile has been updated. Section 3.1 now includes a more detailed estimate of the size and value of the IP VPN market at the end of 2006. It also includes results from Point Topic’s October 2007 UK business survey, providing data on how IP VPN usage varies with workforce size. The profile has also been updated to take account of mobile access to IP-VPNs.

2 Key features

2.1 Typical experience

The typical customer for an IP VPN is a business or other organisation that needs to interconnect multiple sites. The customer seeks to reduce costs, improve flexibility, achieve better communications in general and better access to online applications in particular.

A dedicated private circuit network would be too expensive, even if the technology was still appropriate. Service providers now offer virtual private networks instead. What this means in practice is that each site which needs to be interconnected has its own dedicated link to the service provider’s own network, rather than to a ‘sister’ site. The service provider switches and multiplexes each customer’s traffic across its own network, keeping different customers’ traffic separate with appropriate switching and security measures. Thus the customer is provided with interconnection as if it had its own dedicated network when in fact the network is virtual.

The use of IP technology takes the benefits of VPN a stage further. The new generation IP networks have lower costs than those based on ATM or frame relay, although a possible intermediate step involves implementing IP over these technologies. IP networks can combine voice and data traffic more easily and offer more flexibility and more control for different classes of service.

The end result for the customer is that each site can access the IP VPN and all the applications it carries, including both voice and data, over a single connection, at least in principle. At big sites the connection will be provided by fibre, running at 2, 4, 8, 34 or 155Mbit/s. At smaller sites it is more likely to be a conventional private circuit over copper or ISDN PRI (primary rate interface - up to 2Mbit/s), but symmetrical DSL services are steadily replacing them. These offer speed steps from 64kbit/s to 2.3Mbit/s, or even multiples of 2.3Mbit/s if lines are bonded together. The lowest speed connections will be provided by dial up over ISDN (64 or 128kbit/s) or PSTN modems. All these sites will be part of the same network, with all the advantages of security and resource sharing that brings. Sites can be removed or added without changing the architecture of the whole network and at a low marginal cost.

2.2 Customer appeal

When compared to a traditional VPN, the IP VPN has several advantages, in theory.

Cost savings

An IP VPN can use a variety of access methods, rather than relying on expensive leased lines or frame relay. IP VPNs can also be used to carry voice traffic as VoIP, simplifying an organisation’s traffic onto a single network and reducing network management overheads.

The business case for IP-VPNs should not rely on cost alone. The ability to deploy applications like CRM seamlessly is also a major driver. But projected cost savings in both capital expenditure (capex) and operational expenditure (opex) can be useful in selling the project.

Once an organisation has invested in an IP VPN for data, the incremental extra cost of providing voice functionality can be relatively low, even compared to traditional VPN tariffs for off-site calling.

The falling price of IP-VPN equipment is another factor. As legacy voice equipment becomes due for renewal, lower prices make the case for migrating to IP VPNs stronger.

Flexibility

Added flexibility includes the ability to deploy new applications easily over the IP network. It is easy to deploy voice and video conferencing to a desktop using an IP network, rather than a traditional voice-only network in tandem with a data LAN or WAN. In theory, it should also be easier to provide unified messaging or video messaging over IP infrastructure. Whilst many organisations do not need (or want) to deploy video conferencing to every desktop, IP VPNs should improve the ease of integrating voice services with IT applications.

Security

Some organisations use the public Internet for part of their networking needs. For example, Web access allows mobile workers to access email on the move. But this very flexible access is not secure enough for permanent networking connections. IP VPNs provide an acceptable level of security for most organisations.

Service level agreements

A fully developed IP VPN can support the service level agreements (SLAs) that enable the service provider to monitor and deliver the right level of service. Client organisations can choose the level of reliability to suit their business needs.

These customer benefits must be traded off against continuing corporate wariness about the security and reliability of IP voice. Voice is considered mission critical to almost every organisation. Customers also expect connections to be at least as secure as a leased line.

The reliability of current VoIP implementations has improved to the level where many organisations are comfortable with using packet voice. Although reliability and security concerns are still present, many large organisations have signed substantial three-year contracts for IP VPN services. As blue chip organisations move to IP VPNs, the technology becomes increasingly mainstream.

2.3 Variations

Private network evolution

Before examining the variations of IP VPN, it is worth explaining the evolution of private networks to date, from private lines, through frame relay, to IP VPN.

In the private line solution the customer rents permanent fixed circuits between different sites. The lines are expensive so the network is designed to use as few as possible of them, which usually results in a star network focusing on the organisation’s head office. The solution is expensive, inflexible and relatively unreliable because the communications to all sites depend on the performance of the central switch. Its use is confined to large organisations.

Figure 1 Evolution of the IP VPN

Frame relay services allow more flexibility. Instead of renting dedicated lines the customer can purchase ‘virtual circuits’, which effectively reserve capacity on the telecoms supplier’s own network. The telco sets up permanent virtual circuits over fixed routes between whichever sites the customer chooses. It is much easier to add or remove sites on the network and charges can be more closely related to actual usage. This kind of solution has brought the benefits of data networking to a wider range of organisations, but it is still relatively expensive and not entirely flexible. For example, frame relay networks are usually dedicated to specific types of data traffic. They generally have relatively narrowband access, often 64kbps and they do not generally carry voice traffic or Internet access.

IP VPNs offer complete flexibility. Traffic across the network is carried as IP packets. New high-level protocols, particularly MPLS (multi-protocol label switching), ensure that different types of traffic, such as voice, business critical data and other broadband applications, can all be combined on the network and each receive the security, type of service and priority that they need. Logical virtual circuits are established to carry traffic between sites as required, providing optimum use of the network’s capacity.

In addition to a ‘basic’ IP VPN provided by a single operator, there are several variations and extensions.

Internet VPN

Many organisations already provide remote access to corporate servers over the Internet. This type of access uses VPN security techniques and is often described as VPN. It falls short of the full IP VPN application in many ways and it usually does not carry voice.

Mobile VPN

Mobile access to corporate networks is now commonplace. Mobile workers need to access data and email via Backberry handsets, mobile phones, laptops equipped with a mobile network Internet connection or via WiFi. Vendors provide both client and server software to provide the authentication required for secure access.

Corporate VoIP

VoIP providers offer companies with an IP VPN the ability to bypass the PSTN for calls made outside the organisation. The VoIP provider takes the IP voice from the client’s network over a broadband connection to its own IP network. From here, the client’s voice traffic is carried over the provider’s IP network for as far as possible, until it has to be handed over to a conventional PSTN operator for termination.

Interprovider VPN

No single operator can provide a network to cover all the sites of an international customer, and many operators do not have complete national coverage either. Interprovider VPN solutions interconnect the networks of different operators in order to provide a VPN service across multiple regions and countries, but with a single bill for the customer.

In-house VPN

Most organisations with many sites will choose a managed VPN, with a service provider taking responsibility for communications links and, usually, CPE. This profile covers these managed VPNs. But organisations can also undertake their own VPNs. Software from Citrix or the Microsoft Windows Terminal Server enables IT departments to connect remote workers or offices to the corporate network. Connectivity is often via the public Internet using broadband DSL connections, or mobile/cellular data cards for remote workers ‘on the road’.

Another choice for companies adopting IP VPNs for internal networks and remote users is to outsource management of the services, or both the services and the CPE, to the VPN provider.

Voice and multimedia IP-based conferencing

Video conferencing, supported by data communication and ‘whiteboarding’, is already used by some large corporates within their own private IP networks. Uses include dispersed meetings or remote training. From 2004, many conferencing providers and users migrated some or all of their conferencing capacity to IP. Much of this traffic would previously have been carried on multiple ISDN lines. For more information, see the Videoconferencing and Voice over IP profiles in Broadband Money Makers.

2.4 Leading examples

BT gives the example of UK financial institution Friends Provident. It implemented an MPLS IP-VPN to link its head office with 11 regional offices and 2 data centres. Regional offices are linked by 2 Mbps connections, with 100 Mbps connections to the data centres. Cisco equipment routes incoming calls arriving at the organisation’s offices. These are recorded at the local level and stored centrally. IP Telephony has allowed the company to adopt a single non-geographic telephone number, which means that any office can answer calls from any part of the country, creating a ‘virtual contact centre’. This means that inbound calls can be directed to the most appropriate person and call flows managed more effectively.

These service features allow the company to offer a competitive service in its market sector, and give it far greater flexibility in call handling. But Friends Provident has also said that it expects to see a payback period of around 18 months for its IP Telephony investment, demonstrating that cost savings, based on lower call management and training costs.

Another example is the UK-based virtual VPN operator Vanco. This is a leading service provider, responsible for a small number of large implementations. Its 2003 deal with Avis Europe was worth £16 million over five years. The network was to cover 29 large sites and 1755 smaller sites. Some 70% of these smaller sites, such as car hire desks at airports, had fewer than three screens. This combination of a handful of large offices with a large network of small remote offices is typical off many businesses with VPNs, especially in the retail sector.

DSL makes it cost effective to converge voice and data across the whole corporate network. Previously, frame relay tariffs and bandwidth restrictions made it uneconomical to converge communications for the smaller sites. DSL service quality and cost now makes convergence affordable, even for homeworkers or small sites.

2.5 Suppliers

Many operators provide VPNs, and there are several different types of IP VPN supplier. Companies capable of providing a managed global network include AT&T Global Network Services, BT Global, Cable & Wireless, Equant, Global Crossing, Infonet, NTT, Sprint, and WorldCom. These companies tend to target corporate customers. These service providers do not actually have their own networks covering every city and town in the world. Many endpoints will be served by buying in connections. But they have enough points of presence to enable them to provide a managed service to their customers.

National carriers focus on national or regional geographic markets. They are competing with operators such as Colt or Energis in the UK. These competitive carriers operate their own network, although this will usually focus on specific cities or trunk routes. Examples of these VPN providers include Arcor, Cegetel, Completel, Interroute, LambdaNet, MCI, Neuf Telecom, QSC, Sprint, Thus and Viatel.

Competitive local exchange carriers (CLECs) offering business DSL services are starting to work their way up the value chain to offer networking services as well as simple broadband connections. Covad in the US is an example.

Cable operators are also offering IP VPN services, such as Telewest/NTL in the UK.

Savvis provides an example of a global VPN provider specialising in a vertical market. It has created a major business by providing large-scale IP VPNs for financial services companies, and is now diversifying into other market sectors. It’s main customer remains Reuters, for whom it manages a global network carrying news and financial information.

There are also virtual network operators such as Vanco or Sirocom. These specialise in the consulting, design and implementation of VPNs. Vanco owns virtually no network assets itself. Its skills are in designing the VPNs for its clients, and then negotiating with network operators and carriers to buy the bandwidth and other resources needed.

Vanco began in 1988 and currently offers services in over 200 countries. The company claims that traditional incumbent telcos aim to route as much traffic as possible over their own networks, even when this is not in the client’s best interests. Being network agnostic, bringing together the mix of network resources which best meet a client’s needs, is therefore a selling point for Vanco. This is combined, of course, with traditional sales themes such as quality of customer service and local presence coupled with global capability.

Netifice is a US-based company with a similar approach, although it operates its own MPLS network.

In terms of hardware suppliers, the leading VPN vendor from a client perspective is Cisco, by a considerable margin. After Cisco, 3Com, CheckPoint and Nortel are the other main players. There are also some specialised IP VPN suppliers with a small stake in the market, including SonicWALL, WatchGuard, NetScreen and Enterasys.

3 Marketing

3.1 Target markets

The figures in this section refer to managed IP virtual private networks (VPNs). A VPN allows a company to connect computers and/or telephones at different sites and at teleworkers’ home offices so they can work together as if they are on a single local area network. A service provider manages the network. In an IP VPN, data or voice traffic travels as IP packets via the service provider’s ‘IP cloud’.

Some organisations have implemented their own VPN solutions. Typically, they use a Citrix or Microsoft Terminal Server (which together dominate the market) to provide access to the network for remote offices and home workers. Citrix products are essentially about making the corporate network available securely via a Web browser, and can be thought of as customer premises equipment (CPE) software installed and operated by the IT network manager. These ‘in-house’ VPNs are not included here, since they are not service-provider managed.

Our estimates refer to managed VPN services provided by operators and ISPs. ‘Managed’ usually means that the service provider owns or at least manages the CPE.

US-based financial network specialist Savvis has a customer base including many corporates, with the Reuters network as a major client. Savvis’ IP VPN revenue for 2006 was approximately $140 million. Averaging this over its ‘over 5000’ customers gives an ARPU of over $1800 per month for each client company, or over $930 per site if we assume just over 2 sites per company.

Figure 2 IP VPN market estimates