VPNs


As a general definition, virtual private network (VPN) refers to a class of applications that use public or shared network resources to emulate the characteristics of private or dedicated network resources. We need such a general definition because the term has been used in both the PSTN and the Internet (IP) worlds to designate different services.

In PSTN parlance, the term VPN usually denotes a service by which an enterprise is given its own numbering plan as well as other PBX-like (but network-based) features. [In that context the name software-defined network (SDN) is sometimes used in place of VPN; this is not to be confused with the later use of the same name for programmable packet networks.] Initially, corporations leased dedicated permanent switched circuits (reserved by telephone switches) in order to give their employees the look and feel of dedicated private networks. Subsequently, as telephone switches became programmable, the need for permanency disappeared; the circuits were established on demand. However, all involved switches had to be programmed to support the corporations’ numbering plans, dialing restrictions, and so on, and they had to be reprogrammed every time something changed. Finally, with the advent of Intelligent Network (IN) solutions, establishment and maintenance of the VPN features could be done in only one place, a network database.

With each of these steps, VPN costs were further lowered without any visible impact on the quality of the services provided. The IN mechanism is totally independent of the transport mechanism of voice (that is, IP or PSTN lines and trunks); thus, all the PSTN VPN features can be supported with the same mechanism in the IP environment. In a joint PSTN/IP environment, the control of the VPN (a classic IN application) can partially reside on an IP host, making the actual service delivery (for example, number translation or administration of restrictions) much more effective compared with the case in which the control belongs only within the PSTN.

In the IP world, the historical use of the term VPN is similar, except that the items being replaced are dedicated private data communications (rather than telephone) lines. Instead of dedicated private data lines, the Internet is used to transport corporate data. Definitions of the term vary. We will use the one given in Kosiur (1998): “A virtual private network is a network of virtual circuits for carrying private traffic,” where the virtual circuit is defined as “a connection . . . between a sender and a receiver in which both the route for session and bandwidth . . . [are] allocated dynamically.”

The performance, reliability, security, and quality of service of a successfully implemented VPN are comparable with those of dedicated network solutions. The costs of VPNs, however, are at least 50 percent lower than those of dedicated solutions. In the data environment, the VPN supports private IP addresses, differential treatments of traffic inside and outside a particular private network, and management of the firewalls that separate the private network from external networks. The VPN interconnects enterprise networks via a public data network and provides remote on-demand connection to enterprise networks through the PSTN.

We concentrate only on remote on-demand connection to enterprise networks through the PSTN. It is important to stress, however, that regardless of the initial connection (for example, PSTN dial-in), VPN solutions may allow user traffic to pass through the Internet. Again, the transport of data over a public medium makes security the central issue when providing VPN service. Authorization and authentication are clearly not enough: Data traveling in IP packets over the Internet can be intercepted. One existing scheme, called tunneling, hides the network infrastructure from the VPN application by establishing gateways at the borders with the Internet that encapsulate the IP packets destined to travel over the Internet into point-to-point (that is, gateway-to-gateway) protocol packets, as shown in Figure 2. Note that encapsulation by itself only hides the private addressing and topology; it neither conceals the encapsulated packet from an interceptor nor proves which gateway sent it, so a tunnel carrying sensitive traffic must be combined with encryption and authentication of the tunneled packets (IPsec is the standard way to do this). The figure depicts the enterprise network connections (via VPN), but the same configuration applies to ISPs. This mechanism demonstrates how remote users (and separate so-called islands of a private IP network) can be connected into one network. Another important attribute of this solution is that it aids in management of the ever scarcer IP address space in the following two ways:


Figure 2: VPN through tunneling.


  1. The dial-in users can be assigned their IP addresses dynamically.
  2. Only gateways need unique IP addresses (as far as the Internet is concerned); the rest of the VPN IP endpoints can be assigned private IP addresses, which are unique only for that VPN. (The numbers could duplicate the addresses used in any other network, including the Internet.)
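The following Python script is an added illustration, not code from the original text: it models the two border gateways of Figure 2 with the simplest tunnel, IP-in-IP encapsulation (RFC 2003), and then plays the role of an interceptor on the Internet path to show that encapsulation alone neither hides nor authenticates the inner traffic. The private range (10.0.0.0/8 for the VPN), the gateway addresses (RFC 5737 documentation addresses) and the payload are constructed for the example.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4     # RFC 2003 IP-in-IP: the outer packet's payload is a whole IP packet
IPPROTO_UDP = 17
VPN_PREFIX = ipaddress.ip_network("10.0.0.0/8")   # assumption: this VPN's private address space


def ip_checksum(header: bytes) -> int:
    """RFC 791: one's complement of the one's complement sum of the header's 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-octet IPv4 header (no options) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet: bytes) -> dict:
    """Validate version, header length and checksum before trusting any field."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    total = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or total < ihl or len(packet) < total:
        raise ValueError("bad length fields")
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad header checksum")
    return {"src": str(ipaddress.IPv4Address(packet[12:16])),
            "dst": str(ipaddress.IPv4Address(packet[16:20])),
            "proto": packet[9], "payload": packet[ihl:total]}


def encapsulate(inner: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Sending gateway: wrap a packet for the other private island in an outer
    header addressed gateway-to-gateway.  Only the gateways need public addresses."""
    if ipaddress.IPv4Address(parse_ipv4(inner)["dst"]) not in VPN_PREFIX:
        raise ValueError("only traffic for the private network belongs in the tunnel")
    return ipv4_packet(gw_src, gw_dst, IPPROTO_IPIP, inner)


def decapsulate(outer: bytes, my_addr: str, peer_gw: str) -> bytes:
    """Receiving gateway: accept only IP-in-IP addressed to us from the expected peer.
    The source check is a sanity filter only; an outer source address is trivially spoofed."""
    o = parse_ipv4(outer)
    if o["proto"] != IPPROTO_IPIP or o["dst"] != my_addr or o["src"] != peer_gw:
        raise ValueError("not a tunnel packet from our peer")
    return o["payload"]


def eavesdrop(outer: bytes) -> bytes:
    """An observer on the Internet path: nothing stops it from reading the inner payload."""
    return parse_ipv4(parse_ipv4(outer)["payload"])["payload"]


if __name__ == "__main__":
    # Constructed traffic between two private islands of one VPN.
    inner = ipv4_packet("10.1.1.5", "10.2.2.7", IPPROTO_UDP, b"constructed payroll record")
    outer = encapsulate(inner, "203.0.113.10", "198.51.100.20")
    seen = parse_ipv4(outer)
    print("observer sees", seen["src"], "->", seen["dst"], "carrying", eavesdrop(outer))
    assert decapsulate(outer, "198.51.100.20", "203.0.113.10") == inner
```

Run as a script, it prints only the two gateway addresses as the outer source and destination (the 10.x.x.x endpoints never appear on the Internet), together with the inner payload the observer was still able to read. That readable payload, and the fact that decapsulate has nothing better than the outer source address to go on, are exactly what encryption and per-packet authentication of the tunnel (IPsec) add.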


Tunneling itself supports several applications, a few of which have already been mentioned, including:


  • Remote access outsourcing. A larger service provider offers remote access termination services to customers, with data traveling through tunnels. The customer requires much less equipment (and less capital investment), which, in turn, would allow more focused specialization in services.



  • Feature services. Tunneling enables the delivery of value-added services (such as IP multicasting and low-latency IP service classes), and so supports applications like video conferencing.



  • Business-to-business services. Tunneling facilitates content hosting for intranets and extranets. With a public key infrastructure in place, support of nonrepudiation helps electronic commerce by making merchants confident about selling over the Internet.

Telecommuting

Telecommuting is a work arrangement that allows an enterprise employee to work from a location other than the company premises on a regular or temporary basis. The employee may travel, work from home, or work from a leased office. The telecommuting application provides a secure means for the employee to reach the company IP network and to access all the network resources and IP services in the same way they would be accessed in the office. Mail servers, file servers, Web servers, databases, and print servers are common examples of network resources; e-mail, the World Wide Web, FTP file transfer, and telnet (that is, virtual terminal) are common IP applications that access these resources. The telecommuter’s computer connects to the enterprise network as an IP host and is treated as though it is located on the enterprise premises (and is connected to the company network by a dedicated link).

As noted before, the telecommuting service is typically provided by way of dial-up access through the PSTN.

To support telecommuting, an enterprise may set up dedicated remote access servers and operate, manage, and administer them like other customer premises equipment. Alternatively, it can rely on remote access outsourcing to ISPs or to PSTN operators that deploy access servers. The motivation for outsourcing is to allow the enterprise to avoid the capital cost of the servers and to avoid having to retain a dedicated staff to maintain the equipment. The enterprise may also share the servers with other companies to further cut costs. Whatever the actual arrangement for supporting telecommuting, security is by far the most important corporate requirement. A telecommuter must be authenticated before he or she is authorized to have access to the network.

Accounting is another essential application. In this case, accounting actually refers to the collection of resource consumption data. This information is useful for capacity and trend analysis, cost allocation, auditing, and billing.

Telecommuting is further complicated by the increasing mobility of telecommuters and their geographic impermanence. A global enterprise typically has its employees calling in from different parts of the world at any given time of the day. If they all dial in to a remote access server in the same country, the expenses can quickly mount to cosmic proportions. If, on the other hand, they dial in to local access servers, the dedicated connections from those servers to the company network can be prohibitively expensive, too. Finally, the requirement to provide telecommuters with the same services as employees working in the enterprise office brings up both security and traffic policing issues (addressed by the VPN service).

Security

There are two essential security issues with remote access: authentication of the user, and the user’s authorization to use particular services. One old and proven way of authorizing dial-in is call-back. With call-back, the caller dials in to a remote access server and enters a log-in name and password. The access server looks the user up in its database, hangs up the modem connection, and, if the credentials matched, calls the user back at a predefined number. The benefit is that a stolen password alone is not enough: the attacker would also have to be at the registered telephone line. This method can work for a telecommuter who always works at home, but naturally fails if the worker travels.

Although call-back could be improved (for example, the access server could be reprogrammed to dial a specific hotel telephone based on a preapproved travel itinerary), the industry has agreed on a much more versatile security application: The Remote Authentication Dial-In User Service (RADIUS). RADIUS is an important application by itself; the following example describes how it works:


  1. Using a modem, the user’s PC dials in to a modem that is connected to a remote access server.

  2. Once this connection is completed, the user is prompted for the log-in name and password.

  3. The access server forwards the log-in name and password to a centralized RADIUS server, which passes them on to the appropriate security system module. In standard RADIUS (RFC 2865) only the password is protected on the way: the access server hides it by XORing it with an MD5 hash of a secret shared with the RADIUS server (and a per-request random value), and the RADIUS server reverses the operation. The log-in name and the other attributes travel in the clear, and the password hiding is weak by current standards, so the path between access server and RADIUS server should itself be protected in production (with IPsec, or with RADIUS over TLS as specified in RFC 6614). (The encryption and decryption steps are omitted in some networks.)

  4. The security system module authenticates (or rejects) the caller; if the caller is authenticated, the RADIUS server checks its database to find out which services the caller is authorized to use. [This includes specific protocols supported by the user’s PC, such as Point-to-Point Protocol (PPP) or Serial Line Internet Protocol (SLIP).] If the authentication process fails, the caller is denied access to the network. Otherwise, the authorization and specifics of the applicable services are sent to the access server. The RADIUS server may also send policing information (such as the data rate for carrying user data) to the access server, as well as filtering information, which limits the caller’s access to the enterprise network resources (for example, the caller may be allowed to access e-mail, but not to change or even copy the contents of files). To ensure that the access server does not act on replies from unauthorized sources, the RADIUS server authenticates each reply: the reply carries a Response Authenticator, an MD5 hash computed over the reply and the shared secret, which the access server recomputes and compares before accepting the reply.

Some networks may require multiple levels of passwords for resource access, in which case RADIUS may be involved in authorizing relevant access.

In the preceding description, the seemingly unnecessary references to the security system module (why would RADIUS itself not do that?) are actually essential to understanding the service: Support of any specific security mechanism is not a function of RADIUS per se; instead, RADIUS interworks with security mechanisms.
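As an added example (not from the original text, and not a production RADIUS implementation), the following Python script carries out the exchange of steps 3 and 4 as RFC 2865 specifies it: the access server hides the password and sends an Access-Request; a toy server reveals the password, consults a constructed user table that stands in for the “security system module,” and answers with an Access-Accept or Access-Reject whose Response Authenticator the access server verifies before acting on it. The shared secret, the user table and the packet identifier are constructed for the example; the packet layout and the MD5 computations follow RFC 2865.

```python
import hashlib
import os
import struct

# RFC 2865 packet codes and the two attributes used here
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s.5.2: NUL-pad to a multiple of 16 octets, then XOR each chunk with
    MD5(secret + previous ciphertext chunk); the first 'previous chunk' is the
    16-octet Request Authenticator.  This is the only attribute RADIUS hides."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], _md5(secret, prev)))
        out, prev = out + chunk, chunk
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: the inverse of hide_password, with the NUL padding stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(chunk, _md5(secret, prev)))
        prev = chunk
    return out.rstrip(b"\x00")


def _attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value   # Type, Length, Value


def build_access_request(user: bytes, password: bytes, secret: bytes, ident: int,
                         request_auth: bytes = b"") -> bytes:
    """Access server (NAS) side.  The Request Authenticator must be fresh and
    unpredictable for every request; it seeds the password hiding."""
    request_auth = request_auth or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, user) + \
        _attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def parse_attrs(packet: bytes) -> dict:
    """Walk the TLV attribute list that follows the 20-octet header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side, RFC 2865 s.3: ResponseAuth =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + _md5(header, request[4:20], attrs, secret) + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAS side: recompute the Response Authenticator before acting on the reply.
    A reply forged without the secret, or a reply to a different request, fails."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    header, auth, attrs = response[:4], response[4:20], response[20:]
    return auth == _md5(header, request[4:20], attrs, secret)


def server_check(request: bytes, secret: bytes, users: dict) -> bytes:
    """Toy RADIUS server: a constructed in-memory password table plays the
    'security system module' that RADIUS would normally interwork with."""
    attrs = parse_attrs(request)
    pw = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request[4:20])
    ok = users.get(attrs.get(ATTR_USER_NAME)) == pw
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"            # assumption: NAS and server share this
    users = {b"alice": b"correct horse battery"}     # constructed user table
    req = build_access_request(b"alice", b"correct horse battery", secret, ident=7)
    resp = server_check(req, secret, users)
    print("Access-Accept" if resp[0] == ACCESS_ACCEPT else "Access-Reject",
          "- reply authentic:", verify_response(resp, req, secret))
```

Two things are worth noticing when reading it. The user name goes on the wire in the clear and the password hiding is a 16-byte-block XOR stream derived from MD5, which is why a captured request lets an attacker mount an offline dictionary attack on the shared secret; that is the reason for protecting the NAS-to-server path with IPsec or RADIUS over TLS. And the Response Authenticator binds each reply to its request through the Request Authenticator, so a replayed Access-Accept from an earlier session fails verify_response.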

Remote Dial-in Access Applications and Virtual Private Networks


Remote dial-in access (or simply remote access) is the way many users access the Internet. It is also used in the telecommuting service whereby corporate road warriors and those who work at home access corporate IP networks. On the surface, both types of access look the same. In fact, the very procedure (dialing a number and entering a password) and the end-user equipment necessary to access the network (a telephone line and a modem) are identical. At least one important piece of the pertinent underlying technology—carrying IP packets over PSTN lines—is also present in both types of services. There are significant differences as well, with underlying issues, between accessing the Internet privately (through an ISP) and accessing corporate networks. We treat remote dial-in access simply as part of VPNs, discussed under VPNs.

One problem inherent to data access from home via a telephone line is that the line will be busy for the duration of the data access session. The busy line has posed a number of problems for households with only one telephone line. One solution, perhaps most typical for many American households, is to have two lines. Another is to have ISDN installed (which is still rather expensive). Yet another solution is to use a special modem that splits the line into data and voice. Then, of course, there are service solutions (such as the Internet call-waiting service). As it becomes more available, the xDSL technology will eliminate the need to dial at all!

With remote access, in its oldest form (See Figure 1), a user simply established a point-to-point link between a terminal (connected to a modem) and a remote computer (also connected to a modem).


Figure 1: Terminal-to-host dial-in access.

As PCs became household appliances, the terminals virtually disappeared. PCs are presently used both as terminals (with so-called shell accounts, provided by both ISPs and corporations) and IP hosts. Even with the shell accounts, users get access to the Internet (including the Web) through a host. However, with shell accounts, the graphical interface that has made the World Wide Web so popular is not available.

To act as a host, a PC typically dials in to the remote access server (RAS) of an IP network (as depicted in Figure 2, where the PSTN path happens to traverse three telephone switches). What actually distinguishes a host equipped with a set of modems from an access server? The answer is simple: A RAS is an IP router equipped with a set of modems or digital signal processors capable of terminating a call. Remote access servers are sometimes called remote access concentrators. Although both terms are used interchangeably, some people use the latter term only when referring to large multiservice modules, which have access to asynchronous transfer mode (ATM) networks, X.25-based public data networks (PDNs), and other non-IP networks (hence the term multiservice).


Figure 2: Host-to-host dial-in access.

Having just defined a RAS, we should note that the data network access may not be so remote. First of all, an enterprise or ISP can place several access servers (see Figure 3) so that users in different geographic areas can call local numbers. Second, remote access can also be outsourced. A remote access outsourcing application uses the existing network infrastructure of a larger service provider to offer remote access termination service to enterprise customers. Then, with the Internet offload application (also called Internet call diversion), the very edge (that is, the central office switch) of the PSTN can recognize the call (based on the dialed number, for example) as a data call and terminate it at a colocated or even internal access server. From there the call is passed to the appropriate ISP (or enterprise) network (Figure 3).


Figure 3: Internet offload.

The Internet offloading application was created out of urgency. The ever increasing use of Internet access exposed a serious problem with the PSTN: The duration (or holding time, in telephony parlance) of such data calls far exceeds what telephone companies expected from voice calls (and consequently engineered their network for). As a result, more and more real (voice) calls became blocked throughout the PSTN, and the problem became so serious that specialized solutions to offload the data traffic from telephone switches to data networks were urgently requested by telephone companies. The problem warrants special attention here if only because it was among the first instances where data-over-voice applications required significant restructuring of the PSTN. What is especially interesting is that even the old PSTN paradigm—the more calls and the longer they are, the better—has changed! The danger of these long data calls blocking voice traffic became so serious that the telephone companies decided they did not want data calls in the voice network. This conflict has created a classic example of PSTN-Internet integration by necessity.

Web-Based Service Customization

Service customization is the activity through which a subscriber to a communications service can change a subset of parameters. These parameters typically define the runtime behavior of the service. For example, for the freephone service, subscribers should (at minimum) be able to set the following parameters:


  • The time of day when the calls are to be directed to a particular destination number
  • The day of the week when the calls are to be directed to a particular destination number
  • The destination number where the calls from a certain area code should terminate


Another example is the follow-me service, where customers can prescribe how they wish incoming calls to be directed according to their schedule and availability (by using similar parameters).

Traditionally, to customize a communications service, particularly one delivered over the PSTN, a subscriber needed a special networking arrangement with his or her service provider to receive direct, secure access to customer records. Before the proliferation of the Internet, there simply was no infrastructure that would allow small customers to access such information. Now, telecommunications companies can move the customizable parameters to (properly secured) IP hosts that are accessible by subscribers. Because these parameters determine where a subscriber’s calls are delivered, “properly secured” means at the very least that the Web front end authenticates the subscriber and confines each account to its own records; a flaw there would let an attacker redirect someone else’s calls.

When it is easy for subscribers to customize the services so that they can be called when they wish, the telephone companies that serve them naturally complete more calls and thereby improve profits. Since services offered are Web-based, the potential customer base extends worldwide.

PINT Services

The basic PSTN/Internet Internetworking (PINT) services (RFC 2458) include click-to-dial-back, click-to-fax, click-to-fax-back, and voice-access-to-content. The common denominator of PINT services is that they combine the Internet applications and PSTN telecommunications services in such a way that Internet applications can request the PSTN telecommunications services. Further, the Internet is used for nonvoice interactions, while voice (and fax) is carried entirely over the PSTN. An example of such a service is the combination of a Web-based Yellow Pages service with the ability to initiate a PSTN call between a customer and a supplier in the manner described later. Note that the word click in some of these services should not be taken literally and construed as a prescribed way for invoking the services. It is rather used to underline that service initiation takes place on the Internet, where pointing and clicking are the most prevalent user actions.

Click-to-Dial-Back
With the click-to-dial-back service, a user requests (through an IP host) that the PSTN call be established with another party. As in several other examples of PSTN/Internet hybrid services, an important prerequisite for using this service is that the user have both voice access to the PSTN (via a telephone terminal) and data access to the Internet (via a PC).

A typical example application of this service is online shopping: A user browsing through an online catalog clicks a button, thus inviting a call from a sales representative. Note that (as is the case with the all-PSTN freephone), flexible billing arrangements can be implemented on behalf of the service provider. In addition, the PSTN can route the call depending on the time of day, day of week, availability of agents in different locations, and so on.

Click-to-Fax
With click-to-fax service, a user at an IP host requests that a fax be sent to a particular fax number. This service is especially meaningful when the fax is to be sent to someone who has only a fax machine but no access to the Internet. Consider as an example a service scenario in which a Web user makes a reservation for a hotel room in Beijing from a travel service page containing hotel information for major cities around the world. Suppose a specific Beijing hotel chosen by the user does not have an Internet connection but has a fax machine. The user fills out the hotel reservation form and then clicks a button to send the form to the service provider, whose equipment then generates a fax request and sends it together with the hotel reservation form to a PSTN node. Upon receiving the request and the associated data, the PSTN translates the data into the proper fax format and delivers it to the Beijing hotel.

Click-to-Fax-Back
With click-to-fax-back service, a user at an IP host can request that a fax be sent to him or her. Now the traveler of the previous example can request confirmation from the Beijing hotel. Another useful application of the service is when the size of the information that a user needs to retrieve is so large that downloading it to the user’s PC over the Internet would require a long time and too much disk space.

Voice-Access-to-Content
With voice-access-to-content service, a user at an IP host requests that certain information on the Internet be accessible (and delivered) in an audio form over the PSTN, using the telephone as an informational appliance. One application of this service is providing Web access to the blind. (This may require special resources—available in the PSTN—to convert the Web data into speech.) A variant of this service is that the telephone is used to initiate as well as to retrieve the content. In other words, the user requests through the telephone with voice commands that certain information on the Internet be delivered in an audio form over the PSTN and heard on the telephone.

Internet Call-Waiting

Call-waiting is a familiar service in the PSTN world. With this service, a subscriber who participates in a telephone call is notified when another call comes in over the same telephone line. Then it is up to the subscriber to place the party on hold and accept the incoming call, or to ignore the incoming call. After accepting the new call, the subscriber can also toggle between the two calls.
As the number of data calls grew, the telephone companies realized that they needed to provide the means for temporarily disabling call-waiting. Subscribers invariably use the cancel-waiting feature when they go on-line; if they did not, the tones that indicate the arrival of a new call would interfere with the operation of the modem and could result in loss of the connection. Until the Internet call-waiting (ICW) service was introduced, subscribers could not eat their cake and have it, too.

The ICW service typically works as follows:

  • When the subscriber logs onto the Internet via a dial-up connection, the IP address of his or her PC is recorded.
  • When the network detects an incoming call destined to the subscriber, a dialog box pops up on the subscriber’s screen. The dialog box presents the caller’s telephone number or name, if available, and a set of options for call treatment. The options may include the following: accept as an IP voice call, accept as a PSTN voice call, route to another telephone number, or route to voice mail.
  • After obtaining the subscriber’s response, the network implements the option chosen.

Unlike its PSTN counterpart, the ICW service does not always support toggling between the calls. When the incoming call is accepted as an IP voice call, toggling between calls is just toggling between applications, which is simple to support. When the incoming call is accepted as a PSTN voice call, however, toggling between the PSTN call and the data call is not currently supported.

The ICW service can be enriched with many useful features. For example, the subscriber may be given the option of setting up a list of telephone numbers from which all originating calls are to be blocked, keeping a log of calls not answered, and returning calls by automatic dial-out. In addition, the idea behind ICW automatically extends to the “Internetization” of a large set of IN-supported services (such as call-forwarding, personal number, or follow-me).

It is obvious how the ICW service benefits Internet users. It also benefits service providers by increasing the number of completed calls.