Similar literature
Found 20 similar documents; search took 31 ms
1.
Resource Management for Virtual Private Networks   Total citations: 1, self-citations: 0, citations by others: 1
Virtual private networks (VPNs) have rapidly emerged as a leading solution for multi-site enterprise communication needs. Provider-managed solutions modeled on RFC 2547 serve as a popular choice for layer 3 VPNs, and the hose model has emerged as a common and simple service specification. It offers a hose of a certain contracted bandwidth to customers. With the growth in size and number of VPNs and the uncertainties in the traffic patterns of customers, providers are faced with new challenges in efficient provisioning and capacity planning for these networks and satisfying customer service level agreements (SLA). We suggest that a set of techniques can be used to help the provider build an adaptively provisioned network. These techniques involve continually processing measurement information, building inferences regarding VPN characteristics, and leveraging them for adaptive resource provisioning. We developed scalable techniques to infer VPN characteristics that are important for provisioning tasks. We demonstrated the feasibility of such provisioning techniques with existing measurement obtained using SNMP infrastructure from a large IP/VPN service provider. Our examination of measurement data yielded interesting new insights into VPN structure and properties. Building on our experience with analyzing VPN characteristics, we articulate an adaptive provisioning architecture that enables providers to effectively deal with the dynamic nature of customer traffic.

2.
Hose-model virtual private networks (VPNs) provide customers with more flexibility in specifying bandwidth requirements than pipe-model VPNs. Many hose-model VPN provisioning algorithms have been proposed, and they focus on the bandwidth efficiency in the construction of a single hose-model VPN. In practice, however, VPNs come and go and the dynamics will affect the performance of these VPN provisioning algorithms. If the frequency of adding and deleting VPNs is high, these algorithms will have a scalability problem. We propose in this paper a new network architecture for dynamic VPN construction. In the proposed architecture, adding a new VPN is much simpler and faster, and all that is required is to check if the edge routers have enough bandwidth. There is no need to check the bandwidth left on each internal link because the architecture guarantees that as long as the edge routers have enough capacities to accept the VPN, the internal links will never experience overflow caused by adding the new VPN. We present a linear programming formulation for finding the optimal routing that maximizes the amount of admissible VPN traffic in the network. We then exploit the underlying network flow structure and convert the linear programming problem into a subgradient iterative search problem. The resulting solution is significantly faster than the linear programming approach.

3.
Control Plane architectures enhance transport networks with distributed signaling and routing mechanisms which allow dynamic connection control. As a result, layer 1 switching networks enabled with a distributed control plane can support the provisioning of advanced connectivity services like Virtual Private Networks (VPNs). Such Layer 1 VPN (L1VPN) service allows multiple customer networks to share a single transport network in a cost-effective way. However, L1VPN deployment still faces many challenges. In this work, we are concerned with configuration management and interdomain provisioning of L1VPN services. We propose an L1VPN management architecture based on the Policy-Based Management (PBM) approach. First, we describe the architecture and how it allows a single service provider to support multiple L1VPNs while providing customers with some level of control over their respective service. Then we explain how the architecture was extended to support interdomain L1VPNs by using the Virtual Topology approach. We also discuss the prototype implementation and evaluation of the proposed architecture. Moreover, this work is a tentative note before raising a deeper discussion related to interdomain provisioning of L1VPN services and implications of a policy-based approach for L1VPN configuration management.

4.
Virtual private networks (VPNs) provide customers with predictable and secure network connections over a shared network. The recently proposed hose model for VPNs allows for greater flexibility since it permits traffic to and from a hose endpoint to be arbitrarily distributed to other endpoints. We develop novel algorithms for provisioning VPNs in the hose model. We connect VPN endpoints using a tree structure and our algorithms attempt to optimize the total bandwidth reserved on edges of the VPN tree. We show that even for the simple scenario in which network links are assumed to have infinite capacity, the general problem of computing the optimal VPN tree is NP-hard. Fortunately, for the special case when the ingress and egress bandwidths for each VPN endpoint are equal, we can devise an algorithm for computing the optimal tree whose time complexity is O(mn), where m and n are the number of links and nodes in the network, respectively. We present a novel integer programming formulation for the general VPN tree computation problem (that is, when ingress and egress bandwidths of VPN endpoints are arbitrary) and develop an algorithm that is based on the primal-dual method. Our experimental results with synthetic network graphs indicate that the VPN trees constructed by our proposed algorithms dramatically reduce bandwidth requirements (in many instances, by more than a factor of 2) compared to scenarios in which Steiner trees are employed to connect VPN endpoints.

5.
Virtual private networks (VPNs) provide customers with a secure and manageable communication environment. The allocation of bandwidth for VPNs to meet the requirements specified by customers is now one of the most important research issues in the field of traffic engineering. A VPN resource-provisioning model called hose-model was developed to provide customers with a flexible and convenient way to specify the bandwidth requirements of a VPN. Several hose-model VPN provisioning algorithms have already been proposed. They focus on the bandwidth efficiency issue in the case of establishing a single hose-model VPN. However, these algorithms cannot achieve a satisfactory rejection ratio when: (1) the residual bandwidths on links of the network backbone are finite and (2) multiple VPN setup requests are handled on-line. In this paper, we propose a new hose-model VPN provisioning algorithm called MTRA to address the issue. MTRA can process multiple VPN setup requests rapidly and reduce the rejection ratio effectively. Theoretical upper bounds of rejection ratios achieved by several VPN provisioning algorithms are also derived. The experiments verify that MTRA performs better in regards to the rejection ratio than other provisioning algorithms.

6.
Scalability implications of virtual private networks   Total citations: 7, self-citations: 0, citations by others: 7
This article gives an overview of the most promising technologies for service providers to offer virtual private network services. The focus is on the analysis of the scalability implications of these virtual private network mechanisms on existing service provider backbone networks. Very often, when deploying VPN services, service providers will be confronted with a trade-off between scalability and security. VPNs that require site-to-site interconnectivity without strong (cryptographic) security can be deployed in a scalable way based on the network-based VPN model, as long as the interaction between the customer and provider routing dynamics is controlled. VPNs that require strong (end-to-end) cryptographic security should be deployed according to the CPE-based VPN model, using the available IPsec protocol suite.

7.
From a traffic engineering point of view, hose-model VPNs are much easier to use for customers than pipe-model VPNs. In this paper we explore the optimal weight setting to support hose-model VPN traffic in an IP-based hop-by-hop routing network. We try to answer the following questions: (1) What is the maximum amount of hose-model VPN traffic with bandwidth guarantees that can be admitted to an IP-based hop-by-hop routing network (as opposed to an MPLS-based network), and (2) what is the optimal link weight setting that can achieve that? We first present a mixed-integer programming formulation to compute the optimal link weights that can maximize the ingress and egress VPN traffic admissible to a hop-by-hop routing network. We also present a heuristic algorithm for solving the link weight searching problem for large networks. We show simulation results to demonstrate the effectiveness of the search algorithm.

8.
The layer 1 virtual private network framework has emerged from the need to enable the dynamic coexistence of multiple circuit-switched client networks over a common physical network infrastructure. Such a VPN could be set up for an enterprise with offices across a wide geographical area (e.g., around the world or by a global ISP). Additionally, emerging IP over optical WDM technologies let IP traffic be carried directly over the optical WDM layer. Thus, different VPNs can share a common optical WDM core, and may demand different amounts of bandwidth at different time periods. This type of operation would require dynamic and reconfigurable allocation of bandwidth. This article evaluates the state of the art in layer 1 VPNs in the context of globally deployable optical networks and cost-efficient dynamic bandwidth usage. While exploiting the dynamism of IP traffic in a global network in which the nodes are located in different time zones, we study different bandwidth allocation methods for setting up a worldwide layer 1 VPN. We propose and investigate the characteristics of a cost-efficient bandwidth provisioning and reconfiguration algorithm, called capacity allocation using time zones (CATZ).

9.
Support for resource-assured and dynamic virtual private networks   Total citations: 2, self-citations: 0, citations by others: 2
This paper describes VServ, a prototype architecture for a virtual private network (VPN) service, which builds and manages VPNs on demand. It allows each VPN to have guaranteed resources and customized control, and supports a highly dynamic VPN service where creation and modification operations can take place on fast timescales. These features are contingent on the automated establishment and maintenance of VPNs. A design process is described that attempts to satisfy the goals of both customer and VPN service provider (VSP). A pruned topology graph and tailored search algorithm are derived from the characteristics of the desired VPN. Although the searching procedure is theoretically intractable, it is shown that the complexity can be mitigated by a multitude of factors. VServ is built over the Tempest, a network control framework that partitions network resources into VPNs. An IP implementation of the Tempest is presented. Resource revocation is a mechanism that the VSP can use to react to violations of service level agreements; a protocol is described to enable graceful adaptation in the control plane to resource revocation events.

10.
Virtual private network services are often classified by the OSI layer at which the VPN service provider's systems interchange VPN reachability information with customer sites. Layer 2 and 3 VPN services are currently being designed and deployed, even as the related standards are being developed. This article describes the wide range of emerging L2 and L3 VPN architectures and technical solutions or approaches, and discusses the status of standards work. Some specific L2VPN and L3VPN technologies described here include virtual private LAN service, transparent LAN service, BGP/MPLS-based VPNs (RFC 2547bis), virtual router, and IPSec VPN approaches. We discuss recent and continuing standards efforts in the IETF l2vpn and l3vpn working groups, and related work in the pseudo-wire emulation edge-to-edge working group, as well as in some other standards fora, and describe some mechanisms that provide membership, reachability, topology, security, and management functions.

11.
The layer 1 virtual private network (L1VPN) technology supports multiple user networks over a common carrier transport network. Emerging L1VPN services allow: L1VPNs to be built over multiple carrier networks; L1VPNs to lease or trade resources with each other; and users to reconfigure an L1VPN topology, and add or remove bandwidth. The trend is to offer increased flexibility and provide management functions as close to users as possible, while maintaining proper resource access right control. In this article two aspects of the L1VPN service and management architectures are discussed: management of carrier network partitions for L1VPNs, and L1VPN management by users. We present the carrier network partitioning at the network element (NE) and L1VPN levels. As an example, a transaction language one (TL1) proxy is developed to achieve carrier network partitioning at the NE level. The TL1 proxy is implemented without any modifications to the existing NE management system. On top of the TL1 proxy, a Web services (WS)-based L1VPN management tool is implemented. Carriers use the tool to partition resources at the L1VPN level by assigning resources, together with the WS-based management services for the resources, to L1VPNs. L1VPN administrators use the tool to receive resource partitions from multiple carriers and partner L1VPNs. Further resource partitioning or regrouping can be conducted on the received resources, and leasing or trading resources with partner L1VPNs is supported. These services offer a potential business model for a physical network broker. After the L1VPN administrators compose the use scenarios of resources, and make the use scenarios available to the L1VPN end users as WS, the end users reconfigure the L1VPN without intervention from the administrator. The tool accomplishes L1VPN management by users.

12.
An Overview of Virtual Private Network (VPN): IP VPN and Optical VPN   Total citations: 1, self-citations: 0, citations by others: 1
Recently, there has been rapid development and deployment of virtual private network (VPN) services. There are wide varieties of IP-based VPNs and optical VPNs (OVPNs) proposed in the literature and readers could easily get confused with so many different types of VPNs. The purpose of this paper is to present a comprehensive overview of the VPN and discuss the main issues associated with the design of IP VPN and OVPN. We first present a classification of the VPNs including CE-based, network based, customers provisioned, provider provisioned, connection oriented, connectionless oriented, port based, connection based, layer 1 VPN, layer 2 VPN, and layer 3 VPN, and describe different VPN protocols such as IPSec, GRE and MPLS. We then review the recent work on OVPN by different standard bodies, and outline the key requirements for OVPN service providers and customers. Finally, we describe several OVPN architectures that have appeared in the literature and highlight the future work in OVPN.

13.
This article describes an emerging service for next-generation networks, layer 1 virtual private networks. L1VPNs allow customers desiring to connect multiple sites to be supported over a single shared layer 1 network. In the article we first describe the transport network's evolution and the shift in expectations of both service providers and customers. We provide an overview of the motivation for L1VPNs and examples of network usage. We follow by reviewing existing GMPLS mechanisms (addressing, discovery, and signaling) for realizing L1VPN functionality and identifying other work areas.

14.
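Qian Yekui (钱叶魁), Chen Ming (陈鸣). Journal of Electronics & Information Technology (《电子与信息学报》), 2010, 32(12): 2981-2986
Traffic matrices are now widely used in anomaly detection, traffic prediction, traffic engineering and other fields, but existing research has only found that traffic matrices have a linear structure. To look for nonlinear structure that may exist in traffic matrices, a traffic matrix model is built and traffic matrix data sets are collected from the real Internet backbone network Abilene; classical manifold learning algorithms are then applied to analyze the measured data. The analysis finds that these high-dimensional (81- or 121-dimensional) traffic matrix data sets are in fact embedded low-dimensional manifolds with an intrinsic dimension of 5, and that they exhibit different structures under the influence of factors such as sampling density and noisy data.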

15.
A VPN is an optical virtual private network (oVPN) built of wavelength paths within a multihop wavelength routing (WR) dense wavelength division multiplexing (DWDM) network. An efficient and general graph-theoretic model (the wavelength-graph (WG)) has been proposed along with an integer linear programming (ILP) formulation of setting up VPNs with given traffic requirements over a given WR-DWDM network with two protection scenarios. Here, we have exploited the advantages of traffic grooming, i.e., numerous traffic streams of a VPN can share a wavelength path. We have also generalized the model for setting up VPNs over a WR-DWDM system where multiple VPNs can share a single wavelength path. The objective of the optimization is in all cases to reduce resource usage at upper (electrical) layers (i.e., to reduce the load of the virtual routers), subject to constrained amount of capacity of each wavelength channel and limited number of wavelengths. Here, we propose and compare three basic methods for configuring oVPNs and investigate various parameter settings.

16.
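An IP VPN lets users build a secure, reliable, convenient and fast enterprise private network on top of an IP network, and saves the enterprise money. This paper introduces IP VPN technology from several aspects: the concept and classification of IP VPNs, the tunneling technologies used to build an IP VPN, and the security guarantees for data transmitted over the VPN.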

17.
This paper deals with the problem of survivable routing and wavelength assignment in layer 1 virtual private networks (VPNs). The main idea is routing the selected lightpaths by the layer 1 VPN customer, in a link-disjoint manner. The customer may freely identify some sites or some connections, and have their related lightpaths routed through link-disjoint paths through the provider’s network. This selective survivability idea creates a new perspective for survivable routing, by giving the customer the flexibility of selecting important elements (nodes or connections) in its network. This study is different from previous studies which aim to solve the survivable routing problem for the whole VPN topology. The proposed scheme is two-fold: disjoint node based, and disjoint lightpath based. In disjoint node scheme, all lightpaths incident to a node are routed mutually through link-disjoint paths. In disjoint lightpath scheme, a lightpath is routed in a link-disjoint manner from all other lightpaths of the VPN. We present a simple heuristic algorithm for selective survivability routing. We study the performance of this algorithm in terms of resources allocated by the selective survivability routing scheme compared to shortest path routing with no survivability. The numerical examples show that the amount of used resources by the selective survivability scheme is only slightly more than the amount used in shortest path routing, and this increase is linear. The extra resources used by the new scheme are justified by better survivability of the VPN topology in case of physical link failures, and the simplicity of the implementation.

18.
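Research on Several Issues in the Operation and Management of IPSec VPN   Total citations: 1, self-citations: 0, citations by others: 1
The network management system is a key component of IPSec (IP security) VPN (virtual private network) as a telecom operator service. VPN node devices are deployed at the edge of the operator's network, and this network model makes managing the nodes different from managing a traditional network; automatic discovery of the VPN service network topology and management of devices inside private networks are the two key problems. This paper designates a root node in the network management system and then uses the SA (security association) information in the root node to obtain the address information of the other VPN nodes, thereby achieving automatic discovery of the VPN topology. For the problem that device addresses in private networks are unreachable, this paper proposes an active registration technique and manages devices in private networks by combining active registration with network management agent forwarding.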

19.
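Interpretation of the National Standard "Security Protection of Cross-Network Communication Using Virtual Private Networks"   Total citations: 1, self-citations: 0, citations by others: 1
Introduces the concept of VPN and gives a detailed interpretation of the national standard "Security Protection of Inter-Network Communication Using Virtual Private Networks" that China is currently drafting. The standard summarizes the security objectives and security requirements of VPNs, together with selection guidance and implementation guidance for secure VPNs. It is intended for technical and management personnel, and its guidance supports selecting and implementing an appropriate virtual private network.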

20.
Traditional virtual private networks (VPNs) are conditionally secure. In order to ensure the security and confidentiality of user data transmission, a model of quantum VPN based on Internet protocol security (IPSec) protocol is proposed. By using quantum keys for key distribution and entangled particles for identity authentication in the network, a secure quantum VPN is realized. The important parameters affecting the performance of the VPN were analyzed. The quantitative relationship between the security key generation rate, the quantum bit error rate (QBER) and the transmission distance was obtained. The factors that affect the system throughput were also analyzed and simulated. Finally, the influence of the quantum noise channel on the entanglement swapping was analyzed. Theoretical analysis and simulation results show that, under a limited number of decoy states, with the transmission distance increased from 0 to 112.5 km, the secure key generation rate was reduced from 5.63×10⁻³ to 1.22×10⁻⁵. When the number of decoy states is fixed, the QBER increases dramatically with the increase of the transmission distance, and the maximum reaches 0.393. Analysis shows that various factors in communication have a significant impact on system throughput. The generation rate of the effective entanglement photon pairs has a decisive effect on the system throughput. Therefore, in the process of quantum VPN communication, various parameters of the system should be properly adjusted to communicate within a safe transmission distance, which can effectively improve the reliability of the quantum communication system.
