Soap Box: Will IP VPNs Ever Be Viable?

Posted: 1/2002

By Bert Whyte

No one roots harder for Internet protocol (IP) services to succeed than creators of broadband service creation platforms, but it’s time to get real.

After a few years of fishing in the broadband services pool, carriers are “cutting bait” on unprofitable services faster than we can say VoDSL. We’re kidding ourselves if we think IP is a magic bullet. The IP virtual private network (VPN), one of the earliest purported “killer apps,” is a classic example of how the myths surrounding IP can lead us all down the garden path.

Not to confuse the issue, we are not talking about the traditional VPN services, predominately ATM and frame relay-based, that today are generating savings for users and handsome profits for providers, but rather the elusive premium service IP VPN: The secure, network-based VPN services that “IP services vendors” are trying to convince carriers to deploy.

How’s this for a business model: A carrier markets its new Security IP VPN Service to customers as a way of reducing customer premise equipment (CPE) requirements. “Don’t worry about encryption, firewalls, CPE; just leave that to us.”

(Except the data aren’t encrypted until they get to the central office or even further down the pipe, but don’t worry about that! What could happen in the last mile?)

From the get-go, these services are a tough sell, and for good reason. For one thing, the bottom-line benefit to customers isn’t there. Once things are in place, managing the CPE that provides encryption (and does so from the second the data leave the router) requires maybe a fraction of one administrator’s time. There are no real savings to the customer unless the services are priced low, rather than as premium services.

Carriers, for reasons we’ll explore momentarily, need to price these services at a premium if they hope to see profits. Worse yet, the very customers who might be inclined to subscribe to premium-priced services — financial services or health care companies, for example — are the least likely to trade off control for a slight savings.

Even if the provider could find some takers, getting into the secure VPN business today means installing, integrating and managing a new “next-gen” IP services platform. Those already on the market purport to make IP VPNs viable by integrating not only layers 1 through 3 of the OSI stack, but also layers 4 through 7 — an interesting concept, but one that as yet proves unwieldy.

For one thing, chaos generally descends within the CO, as decisions have to be made as to who will manage and have access to this equipment: the folks who administer the switches or the group that understands IP configurations, firewalls, encryption, etc.

Second, this integrated model has not been shown to scale. In fact, most first-generation broadband aggregation solutions are failing to scale in performing traditional subscriber management functions, much less Layer 3 issues.

While the issues of baseline profitability, OA&M turf wars and scalability probably will be mitigated by second-generation solutions during the next 18 months, secure IP VPNs may still face a deal-breaker: accountability.

In offering these services, providers become responsible to their customers for securing packets end-to-end, on net and off.

Say a customer places a call from its New York headquarters to an office in London. Traffic goes from the customer site to the first carrier point of presence (PoP) where it is encrypted. From there, it likely is handed off to a long-haul carrier, or two or three or four, for international transport before being returned to the original carrier’s local network in London. Only the original provider is responsible for the traffic the whole way.

Interoperability issues aside, this puts a hefty wrench in the business case. Again, the target industries for premium services essentially are disqualified.

In health care, the HIPAA Act of 1999 decrees that health care records traversing a network must by regulation be protected from end to end. This is virtually impossible unless all the customer sites can be reached without traffic going off net, or the provider has very tight interoperability and costly service agreements in place with other carriers.

The costs would be high — another margin-buster — even assuming such agreements are possible.

And let’s face it: How many service providers really want to be responsible for securing multimillion-dollar financial transactions? Hint: So far, none.

So Where is the Money?

Even if they never ascend to the next level, VPNs, as we know them, should continue to generate revenue and attract new users.

Worldwide end-user VPN expenditures were projected to grow 275 percent from $12.8 billion to $48 billion between 2001 and 2005 according to a 2001 study conducted by Infonetics Research. For network-based VPNs, however, it remains to be seen whether new service models can cost-justify investments in next-generation infrastructures available today.

The best approach might be for service providers to link up with security partners to design truly scalable solutions in which a partner shares responsibility.

For greater revenue, the more likely scenario is that VPNs will become more flexible and application-driven. While those users willing to turn over the reins on security are limited, nearly all businesses could benefit from dynamic control over bandwidth utilization and new services.

For example, a multinational business using a typical VPN service to connect 200 offices would have CPE in each location and direct links to the service provider’s network. Today, these connections represent a fixed bandwidth capacity.

Going forward, there are incremental profits to be had in allowing users to increase available bandwidth instantaneously to support applications such as videoconferencing or long distance training.

By eliminating the ongoing financial commitment, long wait times and turn-up costs associated with increased bandwidth, providers will encourage customers to use more capacity and experiment with more new services. The more services they use, the more insulated that customer is from the dreaded churn.

Over time, the migration clearly will be toward user-controlled service selection and even development. Sharing the “edge” with consumers in a new way will present carriers with many challenges but will also present real opportunities. We’re afraid network-based IP VPNs will never deliver on their promises. At least not until someone, even the vendors claiming to enable them, gets clear on what exactly the promise is.

Bert Whyte has served as a director, president and CEO of Network Equipment Technologies, doing business as
(, since June 1, 1999. offers open, nonproprietary service creation platforms that allow service providers and end users to dynamically define, deliver and manage network services.
