Document Roadmap

The layout of the rest of this paper is as follows. In section 2, we lay out some criteria for assessing the suitability of VPN solutions. We then go on to look at the solutions themselves. We break these down into several groups:

• In section 3, we look at CE-based solutions, where all of the VPN-specific processing takes place in the CE devices.
• In section 4, we introduce PE-based solutions, where the VPN-specific processing takes place in the PE devices. We divide these PE-based solutions further into layer 2 PE-based solutions (section 5) and layer 3 PE-based solutions (section 6).
• In section 7, we describe the properties of the various types of tunnels that are used for VPNs.
• Section 8 contains a summary of how each of the VPN solutions we have examined matches up to the criteria laid out in section 2.
• Section 9 includes further technical details about some of the solutions described earlier in the document.
• Section 11 contains a glossary of some of the important terms used in this paper. References are listed in section 12.

Copyright © 2003-2004 Data Connection Limited. All Rights Reserved. Page 6 http://www.dataconnection.com

2 Criteria for Assessing the Suitability of VPN Solutions

There are many different VPN technologies to choose from, and network operators need to put together a list of their requirements and pick a solution that meets these requirements. For a VPN user, such a list will typically include the following criteria.

• VPN Service. The VPN service must match the type of service required by the VPN user. Different VPN solutions offer either layer 2 or layer 3 connectivity between VPN sites. As described in section 1.1.3, this choice will depend on the type of traffic that will be sent between customer sites, as well as the layer 2 and layer 3 protocols in use at each individual site.
• Quality of Service. The VPN user may require a certain quality of service (QoS) for the connections between VPN sites (for example, the VPN user may require a minimum guaranteed bandwidth). If this is the case, the service provider backbone must support the provisioning of QoS-constrained tunnels, and the VPN solution must be able to make use of these tunnels.
• Security. If sensitive data is to be sent across the backbone between VPN sites, then the solution should support encryption, authentication and integrity checking of data in the VPN tunnels. In addition, it is a further advantage if the routing information distributed in the provider network is also protected, to prevent the VPN network topology from being exposed to prying eyes.
• Capital Cost (to the VPN user). The VPN user may require a solution that does not involve a costly replacement of their existing hardware. Therefore, any VPN solution offered by a service provider must not require expensive extra function to be added to the customer edge devices. Ideally, the solution will be fully interworkable with the VPN user's existing switches and routers.
• Manageability. The VPN user will want a solution that is simple to manage and which minimizes the migration costs. The configuration of the VPN solution should not be so complex that the network management personnel require extensive training. Neither should the solution require a significant overhaul of the VPN user's existing network architecture. Equally, the ongoing day-to-day management should not be too onerous – for example, it should be easy to add new sites to the VPN.