Similar literature
Found 20 similar documents; search took 250 ms
1.
Virtual private networks (VPNs) are discrete network entities configured and operated over a shared network infrastructure. An intranet is a VPN in which all the sites (the customer locations that are part of a VPN) belong to a single organization. An extranet is a VPN with two or more organizations wishing to share (some) information. In the business world, VPNs let corporate locations share information over the Internet. VPN technology is being extended to the home office, providing telecommuters with the networking security and performance commensurate with that available at the office. Service providers are looking at their geographic footprints and their network routing expertise to create and deliver new revenue-generating VPN services. Looking ahead, these provider-provisioned and managed VPNs are intended to emulate whatever local- or wide-area network connectivity customers desire.

2.
We describe the latest in VPN. Virtual private networks (VPNs) can be configured and operated across a network provider's shared network infrastructure. The layer-2 VPN (L2VPN) is generating much interest and activity in the industry; it's defined as a VPN that transports native L2 frames across a shared IP network. Network providers will be able to reduce infrastructure and operation costs by taking traffic from L2-specific networks and running it over L2VPNs. An L2VPN transports native L2 frames across a shared IP or multiprotocol label-switching (MPLS) packet-switch network (PSN). The L2 frames can be frame-relay (FR) protocol data units, ATM cells, or even Ethernet frames; they're carried across the PSN using one of several different tunnel-encapsulation schemes. An L2VPN essentially provides the same set of services that native L2 LAN and WAN infrastructures support. We also discuss L2VPNs architecture and components.

3.
《Computer Networks》2008,52(16):3130-3147
Virtual private networks (VPNs) provide a secure and reliable communication between customer sites over a shared network. With increase in number and size of VPNs, service providers need efficient provisioning techniques that adapt to customer demands. The recently proposed hose model for VPN alleviates the scalability problem of the pipe model by reserving for aggregate ingress and egress bandwidths instead of between every pair of VPN endpoints. Existing studies on quality of service guarantees in the hose model either deal only with bandwidth requirements or regard the delay limit as the main objective ignoring the bandwidth cost. In this work we propose a new approach to enhance the hose model to guarantee delay limits between endpoints while optimizing the provisioning cost. We connect VPN endpoints using a tree structure and our algorithm attempts to optimize the total bandwidth reserved on edges of the VPN tree. Further, we introduce a fast and efficient algorithm in finding the shared VPN tree to reduce the total provisioning cost compared to the results proposed in previous works. Our proposed approach takes into account the user preferences in meeting the delay limits and provisioning cost to find the optimal solution of resource allocation problem. Our simulation results indicate that the VPN trees constructed by our proposed algorithm meet maximum end-to-end delay limits while reducing the bandwidth requirements as compared to previously proposed algorithms.

4.
Customers of Virtual Private Networks (VPNs) over Differentiated Services (DiffServ) infrastructure are most likely to demand not only security but also guaranteed Quality-of-Service (QoS) in pursuance of their desire to have leased-line-like services. However, expectedly they will be unable or unwilling to predict the load between VPN endpoints. This paper proposes that customers specify their requirements as a range of quantitative services in the Service Level Agreements (SLAs). To support such services Internet Service Providers (ISPs) would need an automated provisioning system that can logically partition the capacity at the edges to various classes (or groups) of VPN connections and manage them efficiently to allow resource sharing among the groups in a dynamic and fair manner. While with edge provisioning a certain amount of resources based on SLAs (traffic contract at edge) are allocated to VPN connections, we also need to provision the interior nodes of a transit network to meet the assurances offered at the boundaries of the network. We, therefore, propose a two-layered model to provision such VPN-DiffServ networks where the top layer is responsible for edge provisioning, and drives the lower layer in charge of interior resource provisioning with the help of a Bandwidth Broker (BB). Various algorithms with examples and analyses are presented to provision and allocate resources dynamically at the edges for VPN connections. We have developed a prototype BB performing the required provisioning and connection admission.

5.
By utilizing Layer-1 Virtual Private Networks (L1VPN), a single physical network, e.g., an optical backbone network, can support multiple virtual networks, which form the basic infrastructure for cloud computing and other enterprise networks. The L1VPN hose model is an elegant and flexible way to specify the customers’ bandwidth requirements, by defining the total incoming and outgoing demand for each endpoint. Furthermore, multi-domain physical infrastructures are common in L1VPNs, since these are usually deployed on a global scale. Thus, high-performance Routing for Multi-domain VPN Provisioning (RMVP) for the hose model is an important problem to efficiently support a global virtual infrastructure. In this paper, we formulate the RMVP problem as a Mixed Integer Linear Program (MILP). Also, we propose a Top-Down Routing (TDR) strategy to compute the optimal routing for the hose model L1VPN in a multi-domain backbone network. Results indicate that TDR approaches the minimum routing cost when compared to the ideal case of single-domain routing.

6.
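Easy VPN is a remote-access VPN solution from Cisco for remote users and branch offices. It provides centralized VPN management and dynamic policy distribution, reducing the complexity of deploying remote-access VPNs and increasing scalability and flexibility. This paper describes the components and principles of Easy VPN, analyzes its characteristics on that basis, and, in view of the problems that enterprise branches and mobile workers face in accessing internal resources, analyzes deployment schemes for Easy VPN. By deploying Easy VPN, an enterprise's branches can establish point-to-point VPNs with headquarters over the Internet, and mobile or home-office users can access internal resources conveniently and securely from anywhere with Internet access, which helps raise enterprise productivity and lower management and maintenance costs.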

7.
In this paper, we address the autonomic resource management problem for Virtual Private Networks (VPNs) in the presence of stochastic and selfish VPN operators. Resource management is one of the most important problems that faces Internet Service Providers. In the literature, the Autonomic Service Architecture is proposed to provide a resource management model that allows systems to manage themselves and aiming to utilize optimally the unused resources. Unfortunately, this model suffers from two major limitations. First, unused resources from underloaded VPNs (lenders) are utilized over the overloaded ones (borrowers) without considering the unexpected changes of the VPNs’ state, which may often happen in the case of multimedia transmissions. This may affect negatively the Quality-of-Service (QoS) of the lenders while improving the QoS of the borrowers. Second, underloaded VPNs’ operators might behave selfishly and refuse to lend their unused (spare) resources to other overloaded VPNs. To overcome these limitations, we propose a distributed autonomic resource management, which is modeled as a repeated non-cooperative game with stochastic and selfish players. The classical Tit-for-Tat strategy is modified to cope with VPN operators who are not always able to lend some resources to others. Four different strategies are derived from Tit-for-Tat to motivate VPN operators to lend their resources to others. As far as we know, our work is among the first efforts that uses repeated non-cooperative game theory to motivate selfish participants to cooperate and to distinguish between stochastic and purely selfish VPNs’ operators. In our setting, this results in cooperative sharing of unused resources among VPNs. Simulation results show that Tit-for-Tat strategy leads to deadlocks, while our strategies assure good gains to cooperative VPN operators and punish the selfish ones.

8.
Towards integration of service and network management in TINA   (Cited by: 4 in total; self-citations: 0; citations by others: 4)
The Telecommunications Information Networking Architecture (TINA) defines a framework to support the rapid and flexible deployment and management of a wide range of multi-media, multi-party services in a multi-vendor telecommunications environment. The TINA approach applies open distributed processing (ODP) and object-oriented design techniques to specify the control and management of the telecommunications services and infrastructure. Management in TINA is applied to the different components of the architecture, services and resources, and to the distributed processing environment (DPE) that provides distribution transparencies and communication capabilities among TINA components. Management in TINA is based on TMN and extended with ODP concepts, as TINA is not concerned with just network management, but also systems management. TINA management architecture addresses aspects of distribution, interoperability, dynamic manager/managed roles, and integration with service control functions. TINA service management concerns different activities of the service life-cycle, from four main aspects: access session management, service session management, user session management and communication session management. The TINA network resource model supports requirements from both network management activities and service connectivity needs.

9.
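Zhu Yan, Yin Hao, Wang Qiuyan 《Journal of Software》2019,30(9):2815-2829
The growth of the Internet economy has given enterprises an increasingly strong need to build networks connecting their branch offices over wide areas, and VPNs that used a centralized gateway model are gradually giving way to VPN systems based on peer-to-peer technology. Existing peer-to-peer VPN techniques that use two-party key exchange are better suited to pairwise communication; in multi-node communication, because the tunnel keys are independent of one another, the accumulated delay of encrypting for different tunnels makes synchronized message reception more difficult. To address this problem, a peer-to-peer VPN framework called GroupVPN is proposed, which improves multicast communication efficiency in peer-to-peer VPNs by designing a decentralized, highly scalable multicast key distribution protocol. On top of the secure tunnel layer, the framework adds a group management layer that facilitates dynamic group management and efficient key distribution; combined with a broadcast encryption scheme under public-key group cryptography, it achieves efficient key distribution with select and exclude modes, ensuring that the protocol satisfies three security requirements under the SDH assumption: data confidentiality, data integrity, and identity authenticity. Experimental analysis shows that the protocol's communication time and key storage overhead are independent of group size, and that communication delay can be confined to the session key sharing phase, improving system performance.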

10.
The emergence of an open market for telecommunication services provides a wide range of opportunities for the provision of value-added services by providers other than public network operators. One service already available today is a Virtual Private Network (VPN) that provides dispersed corporate sites with wide-area data communication capabilities using public network services. The introduction of Broadband ISDN allows for the provision of VPN services in a more integrated fashion. However, any effective VPN service must be able to deal with the technological and organizational heterogeneities that are present when providing a high level of service functionality over an arbitrary number of administrative and technological domains. This paper presents a management service for a VPN service that addresses some multi-domain and network heterogeneity issues. It outlines how a design based on the ITU-T's Telecommunications Management Network (TMN) Recommendation was developed and how working prototypes were implemented over real broadband networks.

11.
A generic architecture for autonomic service and network management   (Cited by: 2 in total; self-citations: 0; citations by others: 2)
Yu  Ramy  Myung Sup  Alberto  James   《Computer Communications》2006,29(18):3691-3709
As the Internet evolves into an all-IP communication infrastructure, a key issue to consider is that of creating and managing IP-based services with efficient resource utilization in a scalable, flexible, and automatic way. In this paper, we present the Autonomic Service Architecture (ASA), a uniform framework for automated management of both Internet services and their underlying network resources. ASA ensures the delivery of services according to specific service level agreements (SLAs) between customers and service providers. As an illustrative example, ASA is applied to the management of DiffServ/MPLS networks, where we propose an autonomic bandwidth sharing scheme. With the proposed scheme, the bandwidth allocated for each SLA can be automatically adjusted according to the measured traffic load and under policy control for efficient resource utilization, while SLA compliance over the network is always guaranteed.

12.
《Computer Networks》2002,38(2):165-179
The concept of virtual private networks (VPNs) provides an economical and efficient solution on communicating private information securely over public network infrastructure. In this paper, we discuss two issues on the design of VPN. We first propose the VPN services, the mandatory VPN operations for each VPN service and the design on VPN protocol stack. Afterwards, we propose a list of protocol modules to be used to support the VPN operations and co-relate the mandatory VPN operations to the appropriate VPN protocols. We then propose the design of VPN software that provides guarantees on security, connectivity and quality of service. We also discuss the message processing sequence by the VPN software.

13.
Cloud datacenters host hundreds of thousands of physical servers that offer computing resources for executing customer jobs. While the failures of these physical machines are considered normal rather than exceptional, in large-scale distributed systems and cloud datacenters evaluation of availability in a datacenter is essential for both cloud providers and customers. Although providing a highly available and reliable computing infrastructure is essential to maintaining customer confidence, cloud providers desire to have highly utilized datacenters to increase the profit level of delivered services. Cloud computing architectural solutions should thus take into consideration both high availability for customers and highly utilized resources to make delivering services more profitable for cloud providers. This paper presents a highly reliable cloud architecture by leveraging the 80/20 rule. This architecture uses the 80/20 rule (80% of cluster failures come from 20% of physical machines) to identify failure-prone physical machines by dividing each cluster into reliable and risky sub-clusters. Furthermore, customer jobs are divided into latency-sensitive and latency-insensitive types. The results showed that only about 1% of all requested jobs are extreme latency-sensitive and require availability of 99.999%. By offering services to revenue-generating jobs, which are less than 50% of all requested jobs, within the reliable subcluster of physical machines, cloud providers can make their businesses more profitable by preventing service level agreement violation penalties and improving their reputations.

14.
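VPN topology discovery in BGP/MPLS VPNs based on VRF and RT   (Cited by: 3 in total; self-citations: 0; citations by others: 3)
BGP/MPLS VPNs, defined in RFC 2547, allow service providers to offer VPN services over their IP backbones, using BGP to distribute VPN routing information to the backbone routers and MPLS to forward VPN traffic. BGP/MPLS VPNs allow a service provider to define arbitrary topologies with any number of nodes within a VPN. A service provider can build multiple VPNs that use the same core network. At present, most service providers implement BGP/MPLS VPNs manually or by using a configuration database. The algorithm described in this paper automates the VPN topology discovery process. Using the algorithm, a service provider can automatically discover VPN topology from current network configuration information.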

15.
This paper describes the specification of a management architecture allowing virtual private network (VPN) customers to dynamically modify the configuration of their VPN. The specification has been structured according to the ODP viewpoints. A special emphasis has been laid on how changes in the logical VPN configuration affect or are reflected in the underlying physical networks. As a result, an informational and a computational VPN configuration management architecture have been developed illustrating how processing and data can be distributed between the different layers and domains composing the architecture.

16.
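To implement the communication service subsystem of a distribution automation system (DAS) based on 4G broadband technology, 4G LTE is used for network access of the distribution feeder terminal units (FTUs). To meet user requirements, on the basis of the physical leased line between the user and the mobile operator, the operator's enterprise-customer VPDN service is used and L2TP over IPSec is adopted to implement the VPN channel between the DAS and the FTUs, achieving secure transmission of distribution automation information. Based on the communication network thus built, the DAS communication server software was designed, implementing the communication functions of DAS data acquisition and output control. Experimental results show that the communication subsystem as conceived and implemented meets the requirements for communication functionality and network security.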

17.
When customers with different membership and position use computers as in the university network systems, it often takes much time and efforts for them to cope with the change of the system management. This is because the requirements for the respective computer usage are different in the network and security policies. In this paper, a new destination addressing control system scheme (DACS Scheme) for the university network services is shown. The DACS Scheme performs the network services efficiently through the communication management of a client. As the characteristic of DACS Scheme, only the setup modification is required by a system administrator, when the configuration change is needed in the network server. Then, the setup modification is unnecessary by a customer, which shows a merit for both a system administrator and a customer. However, there is a problem to be solved. In existing DACS Scheme, it is assumed that DACS Client for controlling the communication must be implemented on all clients. If the client without DACS Client is connected to the network, each network server can be accessed from the client. Therefore, in this paper, secure DACS Scheme with the function to prevent the communication from the client without DACS Client is proposed and examined.

18.
Composite software as a service (SaaS)-based SOA offers opportunities for enterprises to offer value-added services. The cornerstone for such a business is service level agreements between Cloud customers and Cloud providers. In spite of the hype surrounding composite SaaS, standardized methods that enable a reliable management of service level agreements starting from the SLA derivation from the customer requirements to the SLA establishment between the two stockholders are still missing. To overcome such a drawback, we propose a method for SLA establishment guided by QoS for composite SaaS. Our method provides: (1) a requirement specification language for the Cloud customer to define the composition schemas of the requested services along with its QoS constraints; (2) a Cloud provider offer specification language and method to help in identifying the services and resources that satisfy the customer requirements; and (3) an SLA document definition language and method to specify a deployable composite SaaS on the Cloud. Our approach for SLA establishment embraces model-driven architecture principles to automate the SLA document generation from the customer requirements document. The automation is handled through model transformations along with enrichment algorithms to ensure the generation of complete SLA documents.

19.
This paper explores the implementation issues of network traffic pricing in Internet-based Virtual Private Networks (VPNs). A simplified VPN traffic-pricing formula is derived for optimizing VPN bandwidth service welfare. We provide price formulae for both prioritized first-in-first-out bandwidth scheduling and non-prioritized round-robin bandwidth scheduling. A transaction-level pricing architecture based on proxy server technology is proposed, and a prototype traffic-pricing system, VPN Traffic-Pricing Experiment System (VTPES), has been developed to test the transaction-level pricing architecture and examine the pricing formula. Experiments conducted with VTPES show that the pricing mechanism can effectively improve a VPN's transmission efficiency.

20.
For pt.1 see ibid., vol.9, no.3, p.68-72 (2005). Part I of this series discussed a solution for running multiprotocol label switching virtual private networks (MPLS VPNs) across a service provider's native IP network. Yet, MPLS VPNs support only unicast routing, whereas many of the enterprise customers that use the service run applications that require IP multicast. This article examines multicast VPN (mVPN), which provides the ability to support IP multicast across MPLS VPNs. Service providers can thus offer IP VPN services that support unicast and multicast applications.
