
IP VPNs: What’s Killing the Killer App?

From a deployment standpoint, Internet-based services are maturing nicely. True, we keep hearing about the implosion of dot-coms, but the negative hype is mainly the backlash of ludicrous expectations. Compare the rise of Internet usage and the availability of high-speed access to the slow rollout of ISDN, and it becomes obvious that Internet Protocol has come on strong in the past five years.

Still, we keep hearing that service providers aren't seeing returns on their broadband deployments in general. If we agree not to consider speed itself a service, and that arbitrage has peaked, we quickly find ourselves back on the quest for a revenue-generating "killer app" IP service.

What about VPNs? Even after the past two years, industry forecasts for IP VPNs remain strident. Infonetics Research believes worldwide end-user VPN expenditures will grow 275%, from $12.8 billion to $48 billion, between 2001 and 2005. To be sure, simplistic IP VPNs have gained some traction, but are they really the end game? What about the premium IP VPN service that could fetch high margins? Why don't we have secure, network-based IP VPNs?

What is an IP VPN?

First, what is a VPN? For purposes of this discussion, a VPN enables secure and private data communications between multiple entities across the public Internet. A traditional VPN is created with dedicated connections, usually frame relay or ATM virtual circuits, established between computers or networks of computers.

With IP, we take this connection-oriented service and run it over a connectionless protocol. The advantage of connecting VPNs at Layer 3 (with IP or MPLS) vs. Layer 2 is that doing so allows carriers to build a common core for services backbones. A potential drawback to Layer 3 is the need to secure the transmission, a challenge MPLS-based VPNs attempt to solve by using labels to isolate traffic and then stacking additional labels to associate that traffic with its VPN memberships. An advantage of this approach is that a site can hold membership in multiple VPNs.
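To make the label-stacking idea concrete, here is a small simulation written for this page; it is an added illustration, not code from the article or from any vendor's platform. It models the two-label stack of an MPLS VPN: the ingress provider edge (PE) router pushes an inner VPN label plus an outer transport label, the core (P) router swaps only the outer label, and the egress PE pops the outer label and uses the inner one to pick the right VPN forwarding table. All router names, label values, VPN names and prefixes are constructed, and the model omits the signaling (BGP, route distinguishers) that a real deployment uses to distribute the labels. It goes slightly beyond the paragraph by giving both VPNs the same private address range, which is exactly what the inner label keeps apart, and by attaching one shared-services site to both VPNs.

```python
"""Toy model of MPLS VPN label stacking (added illustration; all values constructed).

Assumed model: the ingress PE pushes an inner VPN label (advertised by the egress PE)
and an outer transport label; core (P) routers swap only the outer label and never
inspect the inner one; the egress PE pops the outer label and uses the inner label to
select the VPN's own forwarding table (VRF).
"""
import ipaddress


class CoreRouter:
    """P router: swaps the outer transport label and never looks beneath it."""

    def __init__(self, swap_table):
        self.swap_table = swap_table  # incoming outer label -> outgoing outer label

    def forward(self, labels):
        labels[-1] = self.swap_table[labels[-1]]  # top of stack is the last element
        return labels


class EdgeRouter:
    """PE router: one VRF per VPN; remembers which inner label it advertised per VRF."""

    def __init__(self, name):
        self.name = name
        self.vrf = {}           # vpn -> [(prefix, next_hop)]
        self.label_to_vpn = {}  # inner label this PE advertised -> vpn
        self.site_vpns = {}     # attached site -> VPNs it is a member of

    def attach_site(self, site, vpns):
        self.site_vpns[site] = list(vpns)

    def add_vrf(self, vpn, inner_label, routes):
        # next_hop is ("local", site) or ("remote", egress_pe, inner_label_at_egress)
        self.vrf[vpn] = [(ipaddress.ip_network(p), nh) for p, nh in routes]
        self.label_to_vpn[inner_label] = vpn

    def _lookup(self, vpn, dst):
        addr = ipaddress.ip_address(dst)
        for prefix, nh in self.vrf[vpn]:
            if addr in prefix:
                return nh
        return None

    def ingress(self, site, dst, transport):
        """Packet from an attached site: consult only the VRFs that site belongs to."""
        for vpn in self.site_vpns[site]:
            nh = self._lookup(vpn, dst)
            if nh is not None and nh[0] == "remote":
                _, egress_pe, inner_label = nh
                return [inner_label, transport[(self.name, egress_pe)]]
        raise LookupError(f"{site}: no route to {dst} in its VPN(s)")

    def egress(self, labels, dst):
        """Packet from the core: pop the transport label, demux on the VPN label."""
        labels.pop()                            # outer transport label
        vpn = self.label_to_vpn[labels.pop()]   # inner label selects the VRF
        nh = self._lookup(vpn, dst)
        if nh is None or nh[0] != "local":
            raise LookupError(f"{self.name}: {dst} unknown in VRF {vpn}")
        return vpn, nh[1]


# Constructed topology: customer site -> PE1 -> P -> PE2 -> customer site.
pe1, pe2 = EdgeRouter("PE1"), EdgeRouter("PE2")
core = CoreRouter({3001: 3002})
TRANSPORT = {("PE1", "PE2"): 3001}  # outer label PE1 pushes toward PE2

# PE2 advertises inner label 100 for VPN "acme" and 200 for VPN "globex". Both VPNs
# use the same private prefix 10.1.0.0/16, and one shared-services site is a member
# of both VPNs (the multiple-membership case).
pe2.add_vrf("acme", 100, [("10.1.0.0/16", ("local", "acme-branch")),
                          ("10.9.0.0/24", ("local", "shared-svc"))])
pe2.add_vrf("globex", 200, [("10.1.0.0/16", ("local", "globex-dc")),
                            ("10.9.0.0/24", ("local", "shared-svc"))])
pe1.add_vrf("acme", 101, [("10.1.0.0/16", ("remote", "PE2", 100)),
                          ("10.9.0.0/24", ("remote", "PE2", 100))])
pe1.add_vrf("globex", 201, [("10.1.0.0/16", ("remote", "PE2", 200)),
                            ("10.9.0.0/24", ("remote", "PE2", 200))])
pe1.attach_site("acme-hq", ["acme"])
pe1.attach_site("globex-hq", ["globex"])


def send(site, dst):
    """Push at PE1, swap at P, pop at PE2; return (vpn, delivered-to site, stack seen in core)."""
    labels = pe1.ingress(site, dst, TRANSPORT)
    labels = core.forward(labels)
    seen_in_core = list(labels)  # the P router changed only the outer label
    vpn, dest_site = pe2.egress(labels, dst)
    return vpn, dest_site, seen_in_core


if __name__ == "__main__":
    print(send("acme-hq", "10.1.5.5"))    # ('acme', 'acme-branch', [100, 3002])
    print(send("globex-hq", "10.1.5.5"))  # same address, other VPN: globex-dc
    print(send("acme-hq", "10.9.0.7"))    # shared site reachable from both VPNs
```

The point the model makes is the one the paragraph makes: isolation comes from the label stack, not from the addresses, so the same 10.1.5.5 lands at a different site depending on which VPN label the ingress PE pushed, and a site with no route to a destination in its own VRFs simply cannot reach it. Note that nothing here encrypts the payload; the labels separate traffic, which is why the article treats securing the transmission as a separate problem.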

In general, moving VPN services to IP will reduce carriers' operating expense by reducing the costs of providing the traditional VPN services that offer customers savings on long-distance bypass. Cost reduction is clearly a good thing, but a far cry from the promise of new premium service revenues being put forth by many "IP services" equipment vendors--i.e., secure, network-based IP VPNs with encryption provided by the carrier instead of within customer premises equipment (CPE), and with performance guarantees, bandwidth floors and provider liability for transactions.

Technologically, IP VPNs are nowhere near being "premium" secure services, but perhaps more important, glaring gaps in the business model call into question whether the industry as a whole should even pursue them:

No real value proposition to the customer: The vendors pushing carriers toward the secure network-based IP VPN market are suggesting that carriers market the services to customers as a means of reducing CPE and administration requirements. The basic appeal in this scenario is that the customer doesn't have to concern itself with encryption, firewalls, configuration and management, among other things.

But these have proved to be empty promises. For one thing, the supposed savings aren't there to be had. Once the CPE for a VPN is in place, providing encryption from the moment the data leaves the building, managing that equipment requires only a small portion of one network administrator's time. The customer gains no real savings here unless the services are priced low, rather than as premium services. The very customers that might be inclined to subscribe to premium-priced services--financial services or healthcare companies, for example--are the least likely to trade control for a slight savings.

Second, the security risk greatly increases. The data is not encrypted until it reaches the provider's POP or central office, meaning it is unprotected between the customer site and the provider. This scenario also fails to meet the requirements of the Health Insurance Portability and Accountability Act (HIPAA) of 1999, which requires data to be encrypted from end to end.

Deployment creates chaos: Besides the fundamental marketing issues, deploying secure network-based VPN services means installing, integrating and managing a new, next-gen IP services platform. Those available today claim to make secure IP VPNs viable by integrating on a single platform Layer 1 and Layer 2 transport technologies with Layer 3 through 7 IP and application functionality. This sounds good, but as with other such convergence efforts to date, it hasn't worked in practice.

A fundamental rift occurs in the service provider's central office. The decision has to be made as to who manages and has access to the equipment. The group that administers central office switches generally lacks experience with configuring IP platforms, firewalls and encryption technology. Typically, a different group is responsible for administering functions associated with Layers 3 and above, so a provider that wishes to expand into these areas may need to expand its operations center and bring in security specialists that fetch higher-than-average salaries.

Scalability issues plague this model as well. Even less complicated, first-generation broadband service aggregation solutions have failed to scale to meet increased customer subscriptions and bandwidth requirements. The further up the protocol stack a platform reaches, the sooner its performance tops out.

Next-generation--or rather, second-generation--IP service provisioning platforms will likely improve in terms of baseline profitability and scalability, but the administrative turf wars will persist. The real deal-breaker for IP VPNs, though, will be whether carriers will put their money where their mouths are.

Accountability and regulation: During a recent analyst debate, Fearless Venture analyst Fred McClimans alluded to the idea of retail-oriented VPNs as a future improvement to online commerce. But will providers assume responsibility to retailers and financial organizations for securing packets end-to-end, on-net and off?

Is it even possible? Even in intra-company VPNs today, a call from a European office to the U.S. might mean several network provider handoffs, first from a local to a regional carrier, then to a long-haul carrier and back to a local provider on the other end. For the provider offering the VPN service to guarantee performance end-to-end, it would need performance agreements in place with the other carriers, which would drive costs way up. From a security standpoint, the original carrier would also be accountable to the customer for data integrity and encryption, which would require further agreements and intricate interoperability between providers' networks.

Accountability also opens onto regulatory issues. Using healthcare as an example, the HIPAA Act of 1999 mandates that healthcare records must be protected from end to end. This is virtually impossible today unless all the customer sites can be reached without traffic going off-net.

In addition, the Communications Assistance for Law Enforcement Act may require carriers to activate eavesdropping on data circuits for law enforcement agencies. If the carrier network is responsible for encrypting data, or for providing encryption keys, it must also be responsible for decrypting data, which affects both the cost and the performance of such solutions.

The quest continues...

In some form or other, IP VPNs will live a long, healthy life, even if they never reach the end of the rainbow with security and performance guarantees. More important, even if we discount secure IP VPNs with performance guarantees as the "killer app," the industry must focus on creating value. So, setting the finer points of the argument aside: Where is incremental value to be had in IP services? What services can carriers offer with assurance that revenues will quickly cost-justify investments in next-generation infrastructures?

Limiting the discussion to VPNs, the challenge is to provide secure transactions across the public Internet infrastructure while at the same time offering service level agreements similar to existing ATM and frame relay solutions. To that end, next-generation networks need to combine the end-to-end security offered by IPsec with the QoS advantages of emerging standards such as MPLS. Network-based IP VPNs will only emerge as a killer app when carrier networks eventually extend into the customer premises IP infrastructure.

Today, the most direct solution to secure, high-performance IP VPNs is probably the best-of-breed approach to premium priced services. Rather than become experts on firewalls and encryption, carriers might do well to link up, or request that their platform vendors link up, with security partners and specialists in IP. Let the vendors promoting the idea of secure IP VPNs deliver and guarantee scalable solutions and assume some of the financial responsibility inherent in penetrating many vertical markets.

With many buzzwords like "VPN," "convergence" and "next-generation," we can easily fall into the trap of talking about technology for technology's sake and forget that all the carriers and their customers really want are solutions to business problems.

With VPNs, the business objectives are generally cost reduction and improved performance, with "performance" basically translated into speed. The current talk in the industry is of broadband service creation, and it promises a fundamental shift at the cross-section of "cost" and "performance."

With true service creation, IP-based bandwidth and networking services will enter a new realm of flexibility. Side-stepping the endless debate on whether bandwidth itself will become a commodity, the promise of true service creation is on-demand, pay-as-you-go bandwidth without limits. Users will implement videoconferencing, webcasting and other bandwidth-busting applications without having to overpay for unused bandwidth. They will be able to simply log on and self-provision bigger pipes for the duration of those applications without having to wait for the carrier to send a technician or revise usage contracts. This would apply in the VPN model as well, with links to the service provider's network expandable as customers require. The potential to increase profits from services already in use by customers is enormous.

By eliminating the ongoing financial commitment, long wait times and turn-up costs associated with dynamic bandwidth selection, providers will encourage customers to use more capacity and experiment with more new services. Customers may well end up spending more, but also feeling as though they are deriving much greater value.

Over time, imagination will kick in and value-added services will move beyond self-serve bandwidth.  

Julian Thomas is director of marketing at net.com, a global provider of service creation platforms.
