
Frame Relay vs. IP VPNs

2002

02089 9/02

Table of Contents

Introduction

Definition of Terms

“Virtual” Privacy and the Value of Shared Networks

The Three Definitions or Distinctions of VPN

The Case for Frame Relay

The Case for IP Virtual Private Networks

Conclusion


Introduction

Welcome to one in a series of white papers brought to you by Sprint. We believe it is important to inform you on issues in the industry and to keep you updated on our current endeavors.

A major challenge in today’s data transport market is that businesses wanting to implement a Virtual Private Network (VPN) are faced with a dizzying array of options and have few guidelines from which to make an educated decision. The sheer breadth of available VPN offerings can be overwhelming, especially for those unfamiliar with the relative merits and capabilities of all the alternatives.

To answer this challenge, Sprint has developed this series of VPN white papers designed to help customers and prospects navigate the VPN decision-making process. Each paper in the series compares and contrasts different types of VPN solutions and highlights the various communications needs they can — and cannot — address. This white paper not only identifies the communications needs that can be solved by VPNs, but also examines the relative capabilities of frame relay and IP VPNs in delivering solutions.

Definition of Terms

The following definitions will be used in this white paper:

VPN — A Virtual Private Network is a private communications network that uses a shared network as its Wide Area Network (WAN) backbone, thereby offering the appearance and functionality of a dedicated private network at a reduced price.

IP VPN — An IP Security (IPSec)-based VPN that uses encryption and authentication to offer the appearance and functionality of a private data network over a shared IP network such as the Internet. In this paper, IP VPN will be discussed in terms of both Sprint CPE-based IP VPNs and Network-based IP VPNs. It will not be discussed in relation to IP-enabled frame relay or MPLS VPNs.

QoS — Quality of Service refers to the consistent performance of a network as supported by the network Service Level Agreements (SLAs).

CoS — Class of Service refers to traffic differentiation. CoS provides the ability to treat packets differently based on the packet’s importance.

Sprint has extensive knowledge and experience in this industry category. In fact, Sprint and Cisco are currently working together to develop, market and deliver nationwide IP and solutions. The joint effort combines Cisco’s best-in-class networking technology and equipment with Sprint state-of-the-art network infrastructure and customer service capability. The companies are initially focused on dedicated Internet access, IP VPN, IP Telephony solutions, content delivery networks and metro solutions. By joining forces on this project, Sprint and Cisco intend to define and establish IP industry standards.


“Virtual” Privacy and the Value of Shared Networks

It wasn’t long ago that dedicated leased lines were the only viable option for businesses requiring secure data transmission among multiple remote locations. At the time, this solution addressed most organizations’ communications needs; but the associated costs and complexities could be considerable — especially for businesses with geographically dispersed employees or a large number of branch offices.

With the advent of Layer 2¹ technologies like frame relay, more cost-effective shared networking solutions became available. Such solutions were seen as breakthroughs because they allowed businesses to leverage a service provider’s shared network resources to build “virtually” private networks. These networks could mimic the appearance and functionality of services at a fraction of the cost.

Currently, most companies run at least a portion of their WAN over shared facilities. The key advantage is seen in the potential cost savings. With the rise of Internet and IP usage for business applications, the role of shared networks has accelerated in today’s corporate data networking environment.

The Three Definitions or Distinctions of VPNs

At the most basic level, all VPNs serve the same purpose — they permit organizations to securely share data with key stakeholders. This includes:

• Sharing a particular subset of data with all stakeholders
• Sharing all data with a particular subset of stakeholders
• Sharing a particular subset of data with a particular subset of stakeholders

The following table shows which stakeholder groups are served by each of the three fundamental types of VPNs.

• Intranet — employees at fixed locations (HQs, branch offices, small offices/home offices, etc.)
• Remote Access — employees “on the go” (telecommuters, mobile users, business travelers, etc.)
• Extranet — key business partners (suppliers, distributors, resellers, etc.)


The Case for Frame Relay

Frame relay is a Layer 2 communications protocol that enables the establishment of multiple independent circuits, or data links, over a single physical connection. The protocol accomplishes this by packaging data into variable length frames at their source location, and then merging these frames into a single data stream for transmission over a shared network resource. This merging process, called statistical multiplexing, ensures efficient use of capacity on the shared facilities and minimizes the end-to-end delay of frame delivery.

In a frame relay network, each individual logical connection is called a Permanent Virtual Circuit (PVC). Beyond cost savings, PVCs have two distinct advantages over leased lines:

• PVCs are software defined, so they can be created, altered or dismantled in a matter of hours. This represents a tremendous time savings over leased lines, which require days, weeks or even months to deploy the physical components.

• Every PVC has an associated Committed Information Rate (CIR) that defines the amount of bandwidth a customer is provided on the shared network facility. However, customers have the ability to transmit data on their PVC at rates up to the full port speed. This means customers can “burst” above standard capacity as needed for certain bandwidth-intensive applications. Sprint is one of the service providers that offers 0-CIR PVCs, which provide SLA guarantees on all traffic transmitted.

Frame relay networks are considered private because each customer’s individual traffic is separated into a predetermined path, the PVC. Unintended recipients cannot view traffic that is not deliberately sent to them. In fact, there is no way to misdirect traffic without physical access to network facilities. In order to intercept or corrupt traffic traveling on a frame network, an individual would need to physically tap into the transport medium in question — an intrusion that is easily detected using widely available monitoring tools.

Key Strengths

Ability to support multiple Layer 3 protocols. Frame relay is a Layer 2, or data link, technology, and thus can support any Layer 3 protocol. Businesses running applications based on non-IP protocols, such as IPX, SNA or AppleTalk, should strongly consider implementing — or sticking with — a frame relay network. For companies running purely IP-based applications, this isn’t a key decision factor.

Ability to address Internet security concerns with a single firewall. Many corporate frame relay networks are built in a hub-and-spoke arrangement with a single Internet connection at the hub site. This architecture requires all remote (spoke) offices to access the Internet via the central (hub) site. In this scenario, the company can protect their entire network from unauthorized access via the Internet by using only one firewall located at the hub site. The upside to such a configuration is the need to pay for and manage no more than one firewall, which can be a significant benefit for customers looking to save money and headaches on Internet security. However, businesses whose employees send and receive a considerable amount of Internet traffic should think twice about this type of configuration. The inefficient use of bandwidth as Internet traffic traverses the frame network to and from the hub site could end up costing more than deploying Internet connections and firewalls at each remote location.

Ability to provide predictable performance for delay-sensitive traffic. Since the frames that carry data in frame relay networks are variable in length, problems can arise when larger data blocks queue up ahead of delay-sensitive traffic, such as voice. To help alleviate this problem, the Frame Relay Forum has ratified procedures to break down larger frames into a series of smaller ones. While such methods are not official CoS protocols, they can provide predictable delay patterns and therefore maintain the integrity of delay-sensitive traffic. Companies concerned about the quality of any delay-sensitive traffic sent over their network may feel more comfortable with a frame relay (as opposed to IP) solution. However, frame relay does not guarantee true traffic prioritization. This is important because frame relay may not offer better performance for delay-sensitive traffic versus IP solutions backed by competitive SLAs.

Key Limitations

High cost and complexity of meshed configurations. Businesses that want to allow their remote or spoke locations to communicate with each other without connecting through a hub site must have PVCs between each pair of remote sites in question. For businesses with many sites, a large number of PVCs can be required to achieve this type of meshed configuration. Since more PVCs translate to additional cost and complexity, companies interested in enabling direct communications between multiple locations should consider alternatives to frame relay networking.

Potentially high network delay. Depending on the topology of a customer’s frame relay network, packets traveling over a frame relay network may experience high latency relative to IP networks with any-to-any connectivity. For example, in a hub-and-spoke configuration, traffic must first travel to a hub site before reaching its final destination. This added distance can slow the delivery of data. Once again, customers looking for fast, direct connections among many remote locations may be better served by solutions other than frame relay.

Limited interoperability. Frame relay backbones in existence today are managed by different carriers and are restricted in their abilities to interoperate with one another. While providers can interconnect their networks using Network to Network Interfaces (NNIs), PVCs across NNIs are complex and can be difficult to manage. Another complication is that many carriers do not have NNIs with their competitors, which means customers are rarely free to mix frame relay from multiple transport providers. This restriction should be of greatest concern for businesses considering implementing an extranet, since it is highly unlikely that third-party businesses will all have networking solutions from the same provider.


Inability to inherently address remote access. Frame relay cannot inherently support mobile users who need to connect to the corporate network while away from the office. To address the needs of these users, companies with frame networks must deploy a separate remote access infrastructure, such as dial-up services. While this is a viable and acceptable option for many, those companies with an increasingly mobile workforce would benefit from the “built-in” remote access capabilities of an IP VPN.

The Case for IP Virtual Private Networks

Since its inception, the Internet has grown from a private project of the military and academia to a worldwide communications medium that serves up mail, news, entertainment, audio, video and other forms of information to millions of users on a daily basis. The flexibility and ubiquity of the Internet has made it a logical substitute for the private lines or other WAN solutions that many companies use today to connect their remote locations. One obvious drawback, however, is the fact that a network this widely accessible is not inherently secure. So, how can communication across such a network be accomplished without sacrificing privacy?

The answer is to establish an IP VPN using security measures specifically developed for the Internet. IP VPNs use a protocol known as IP Security, or IPSec, to ensure the privacy of data traveling over the public Internet. The Internet Engineering Task Force (IETF) developed this protocol to authenticate and encrypt data within an IP network.

Key terms are defined as follows:

Authentication — This verifies that network users are who they claim to be. It can be achieved using passwords, a shared “key” that only the proper session participants possess, or digital certificates issued by a trusted third party. Authentication can also verify that data sent between two users has not been altered by a third party along the way.

Encryption — These are coding techniques used to make information sent across a public network unreadable by anyone other than the intended recipient(s). Encryption allows sensitive information to traverse a public network without compromising the confidentiality of the data.

Access Control — This third Internet security measure addresses a problem not fully covered with IPSec. This concept focuses on blocking unwanted users from gaining access to an organization’s or individual’s internal network. Access control is typically achieved through authentication for IPSec traffic, or the use of a firewall for regular Internet traffic. Firewalls can be implemented independent of an IP VPN, but are an important component of a secure Internet networking solution.

Key Strengths

Any-to-any connectivity. When a company connects its sites to the Internet, each site can directly communicate with every other site without the need to specially provision independent connections. Secure IPSec “tunnels” must be established between sites, but unlike frame relay, no PVCs must be purchased. Although the cost savings over frame PVCs can vary depending on the type of the IP VPN solution², companies looking for maximum flexibility in their network communications should explore the various IP VPN options available today.

Variety and cost-effectiveness of bandwidth option. Internet access is now available at speeds from 56k to OC-12 and beyond, while frame relay is only available at speeds from about 56k to DS3. This may not be of much concern to businesses sending minimal traffic between their locations, but it’s important to remember that, as bandwidth requirements grow, high-speed IP port charges are more cost-effective than high-speed frame relay port and PVC charges. So, even companies whose current bandwidth needs can be met by frame relay may find IP VPNs the better long-term solution as their business continues to grow.

Inherent ability to connect remote users. IP VPN remote users can simply dial into their local Internet Service Provider (ISP) or use DSL or cable broadband connections. They then use PC software to establish IPSec tunnels to any of their company’s IP VPN-enabled sites. As a result, no separate dial infrastructure must be deployed or maintained to support remote access capabilities. This can be extremely convenient for companies with mobile employees or even very small branch locations with bandwidth needs that can be addressed by remote access solutions.

Need for only one connection per site. An IP VPN allows a company’s employees to use the same connection for both Internet and WAN connectivity. Combining the two functions in one connection can translate to lower costs since a single high-speed IP port is more cost-effective than multiple lower speed ports. Furthermore, these savings increase with the amount of bandwidth required. This means that businesses looking to either simplify their networking infrastructure or provide their employees access to the Internet could realize significant benefits by implementing an IP VPN.

Greater connectivity options. IP VPNs based on equipment deployed at the customer’s premises can run over any carrier’s Internet connectivity. This allows companies to take advantage of cost-effective options like high-speed DSL and Internet access from a wide variety of ISPs when constructing their VPNs. It also means that businesses interested in implementing an extranet do not have to ensure every business partner will access it using the same service provider.

Key Limitations

High base costs for certain types of solutions. IP VPN customer premises equipment (CPE) is complex because of the need to provide encryption at high speeds and any-to-any IPSec tunneling. With a CPE-based IP VPN solution, customers who do not require high-speed access or meshed network configurations will still pay for these capabilities.

Network-based IP VPNs off-load the complexity to the carrier’s network, thereby decreasing the customer’s base equipment costs to about the same level as a frame relay. However, customers choosing between a CPE-based IP VPN solution and frame relay will usually find frame the more cost-effective for low speed, hub-and-spoke type networks.

More complex access control options. Connecting each company site to the Internet requires that access control to and from the Internet must be addressed at each of those sites. Corporate policy may dictate that all Internet-bound traffic traverse the IP VPN backbone to one or several hub site(s) and exit through a single firewall, as with frame relay. Or, if acceptable, Internet access may be granted at each site. However, this scenario requires that firewalls with appropriate policies be deployed at each connection. Although firewalls built into IP VPN devices can often be utilized, the resulting cost and complexity still increase with such an arrangement.


“Best-effort” nature of the Internet. Traffic is transmitted across the public Internet at best effort, meaning that IP VPN throughput is not guaranteed in the same way that CIR is provided over a PVC. However, IP networks are rapidly improving in performance. To that point, the Sprint method of creating congestion-free networks is resulting in performance that is at par with most frame relay networks. IP traffic that stays on the Sprint network receives this premium QoS. This high level of performance is provided through Sprint industry-leading SLAs. Nonetheless, some businesses still feel more comfortable with the CIR SLA offered by frame relay PVCs — especially those running a significant amount of mission-critical delay-sensitive traffic.

Conclusion

In order to identify the best communications solution for your company, you must gain a solid understanding of the respective capabilities and advantages of frame relay and IP VPNs. The choice is not always clear, since neither frame nor IP is an inherently “better” WAN solution. Instead, each has its own place in today’s communications networks. Ultimately, those with the greatest knowledge base will be best positioned to realize their organization’s communications goals. This white paper is geared to help you achieve those goals. Please refer to the other white papers in this series for additional information.

About Sprint

Sprint is a global communications company serving more than 26 million business and residential customers in over 70 countries. With approximately 75,000 employees worldwide and more than $26 billion in annual revenues, Sprint is widely recognized for developing, engineering and deploying state-of-the-art network technologies, including the United States’ first nationwide all-digital, fiber-optic network. Sprint award-winning Tier 1 Internet backbone is being extended to key global markets to provide customers with a broad portfolio of scalable IP products. Sprint provides local voice and data services in 18 states and operates the largest 100 percent digital, nationwide PCS wireless network in the United States.

¹ The second of the seven layers within the OSI protocol stack.

² Refer to the upcoming white papers in this series for more information on different types of VPN solutions.
