WO2001031857A1 - Method of implementing ip virtual private networks to ensure quality of service - Google Patents

Method of implementing IP virtual private networks to ensure quality of service

Info

Publication number
WO2001031857A1
Authority
WO
WIPO (PCT)
Prior art keywords
vpn
network
paths
routers
service
Prior art date
Application number
PCT/AU2000/001311
Other languages
French (fr)
Inventor
Ian Alexander Rose
Original Assignee
Astracon, Inc.
Application filed by Astracon, Inc.
Priority to AU11165/01A (AU1116501A)
Publication of WO2001031857A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L12/4604 LAN interconnection over a backbone network, e.g. Internet, Frame Relay
    • H04L12/4608 LAN interconnection over ATM networks
    • H04L47/00 Traffic control in data switching networks
    • H04L47/10 Flow control; Congestion control
    • H04L47/24 Traffic characterised by specific attributes, e.g. priority or QoS
    • H04L47/2425 Traffic characterised by specific attributes, e.g. priority or QoS for supporting services specification, e.g. SLA

Definitions

  • This invention relates to the management of large scale Internet protocol (IP) networks, such as those operated by a telecommunications company for the purposes of providing IP virtual private network (VPN) services to its customers.
  • IP Internet protocol
  • VPN IP virtual private network
  • the invention relates to a method for optimal selection of connections in a connection-orientated transport network and IP router configuration to provide a guaranteed quality of service (QoS) for the VPN.
  • QoS quality of service
  • IP networks are typically designed to meet the needs of a single enterprise.
  • as telecommunications companies and other service providers start to provide IP VPN services for their customers, they face problems of designing and deploying the IP network to achieve cost-effective utilization of their transport networks, whilst simultaneously being able to support a contracted level of service to each of their customers.
  • SLA Service Level Agreement
  • Routing techniques for known classical IP networks focus on achieving connectivity for all nodes in the network and sharing the available bandwidth equitably.
  • Recent advances allow the total network to be partitioned into private sub-networks, where connectivity exists between the members of each private sub-network and is prevented between members of different sub-networks.
  • Further advances can support differential quality, where one customer (or class of customer) is offered superior service to other customers.
  • Telecommunications service providers who are operating IP networks to provide VPN services need to ensure isolation between different VPNs.
  • the service providers also need to ensure that the specified QoS for the traffic between the particular set of terminations which constitute a VPN is met, for each of the VPNs supported by the IP network.
  • An absolute guarantee means that the quality is described without reference to other services. This allows the service consumer to independently, or through a trusted third party, verify that the service provider is delivering the contracted QoS.
  • Absolute QoS is contrasted with differential QoS, wherein the service provider guarantees only that one customer's traffic will get some preferential treatment over that of another customer.
  • An absolute guarantee may be stringent, in the limiting case requiring 100% of the traffic to conform to a specific quality criterion.
  • there are also useful cases where only a fraction (say 90%) of the traffic is guaranteed to conform to the criterion.
  • the degenerate case is the well-known best effort, where 0% of the traffic is required to meet the criterion.
  • the quality criterion may be expressed as a single measurement, such as a sustained end-to-end bit rate. Equally, the criterion may be some form of profile, such as a sustained bit rate, plus a burst bit rate and burst duration.
  • a VPN generally comprises a number of terminations at different customer sites. Each termination is a point where the telecommunications company's customer may send and receive IP packets from other terminations in the VPN (or VPNs) to which it belongs.
  • a common form of a termination would be a port on a router.
  • a typical example is a customer edge (CE) router, where the port is connected to a customer's local area network (LAN) and the router is connected to the service provider.
  • CE customer edge
  • LAN local area network
  • a coarser form of termination would be all the traffic at a customer's site that is aggregated by a particular CE router.
  • a finer form of termination would be the traffic generated by a particular LAN connected device.
  • NMS network management system
  • PTP-TS point-to-point trail selector
  • RSVP resource reservation protocol
  • SONET synchronous optical network
  • TCP/IP transmission control protocol / Internet protocol
  • VPN virtual private network
  • virtual private network means an IP connectivity service provided by a service provider wherein at each network site there are one or more terminations via which users may send and receive data, each termination will only receive data that is sent by a user connected to a termination or is sent by the service provider, and data sent on a termination cannot be read or disrupted by any equipment other than that equipment connected to a termination or connected by the service provider.
  • absolute quality of service means a quality of service that can be verified solely by observing the traffic at the terminations of a VPN.
  • the invention resides in a method of implementing a virtual private network (VPN) between a plurality of sites with terminations connected to routers in the network, said method including the steps of:
  • the terminations are connected to the routers, either at the site of the termination or at a remote site.
  • the cost of network resource is calculated from a weighted sum of: the capital cost of the set of paths; the capital cost of transferring data from one router to another router via an intermediate router; the operating cost of the set of paths; and the operating cost of transferring data from one router to another router via an intermediate router.
  • the routers may be either physical routers or virtual routers constructed by partitioning the resources of a physical router, or a partitioning of the route table in a physical router based on originating port.
  • Each path in the VPN may be one of a point-to-point connection, a point-to-multipoint connection, a multipoint-to-point connection or a multipoint-to-multipoint connection.
  • a connection may use a Layer 1 protocol or a Layer 2 protocol, such as ATM, SDH, SONET or Frame Relay;
  • a connection may use an IP protocol, such as IPSec, Layer 2 tunnelling protocol (L2TP) or resource reservation protocol (RSVP); or a connection may use multi-protocol label switching.
  • the connection oriented network supports QoS requirements relating to one or more of bandwidth, delay, delay variation, security, or reliability.
  • the AQoS is specified as a requirement on one or more of bandwidth, delay, delay variation, security or reliability.
  • the AQoS requirement may be specified as either a specific value, or as a stochastic profile, which AQoS requirement may be specified explicitly or inferred from a group specification.
  • the AQoS requirement is inferred from one or more QoS specifications, wherein each specification relates to a single termination.
  • a termination may be a member of more than one service.
  • a termination is one of the following: a local area network (LAN) port, an IP address, a set of contiguous or discontiguous IP addresses, or the aggregated traffic from all LANs at a site. Most preferably only some pairs of terminations of the VPN have an AQoS.
  • the cost of network resource may be determined by delegating to a network management system or to an operational support system associated with the terminations of the VPN.
  • the invention resides in a method of implementing a virtual private network (VPN) for a plurality of geographically dispersed sites, each site including one or more terminations connected to Internet protocol (IP) routers, said method including the steps of:
  • the interconnecting step (b) includes the steps of creating and configuring paths between at least some of the IP routers.
  • each path in the VPN is characterised by an absolute quality of service specification (AQoS) that satisfies the global QoS specification.
  • AQoS absolute quality of service specification
  • the global QoS is suitably a set of AQoS specifications that characterise the quality of service for the VPN.
  • the invention resides in a point-to-point trail selector (PTP-TS) for implementing a virtual private network (VPN) between a plurality of sites with terminations connected to routers in the network, said PTP-TS including:
  • processor means coupled to the input means and operative to create a set of paths between at least some of the routers, wherein each path supports connection orientated data transfer with a quality of service specification, and to configure the set of paths such that: (i) said set of paths satisfies the AQoS specification between said terminations of the VPN; and (ii) the cost of network resource for implementing the VPN, including said paths and routers, is minimised.
  • the point-to-point trail selector may further include:
  • an identification means for obtaining information about network resource available for implementing the VPN wherein the identification means is coupled to the processor means, and the processor means creates and configures the set of paths using the network resource information.
  • the point-to-point trail selector is a component of a network management system and the cost of network resource is provided by a cost model associated with the network management system.
  • FIG. 1 illustrates the network topology of an example IP VPN
  • FIG. 2 illustrates the inter-router connectivity of the example IP VPN of FIG. 1 ;
  • FIG. 3 is a block diagram of an exemplary trail selector employed in a hierarchy of network management systems.
  • One aspect of the invention is to provide some practical solutions to the problem of enumerating pair-wise quality relationships between all sites in a VPN, including the following:
  • Only specify AQoS relationships, and more particularly highly specific ones.
  • Unspecified relationships can default to either a less specific AQoS relationship, or to a differential QoS specification.
  • for example, the "Black Stump" site may specify 10 Mb/s to the "Corporate Center" site, and
  • the "Black Stump Engineering LAN" may specify 1 Mb/s to the "Corporate Center Engineering LAN".
  • the Black Stump Engineering LAN is then guaranteed 1 Mb/s, while all the other Black Stump LANs, such as Finance, Sales and Marketing, merely state that together with Engineering they are guaranteed 10 Mb/s.
  • Specify AQoS for groups of terminations that have some characteristic in common. As an example, specify that each termination designated for
  • an absolute quality dispersion matrix (AQDM)
  • the AQDM is explicitly, or implicitly, specified by the user of the VPN.
  • the AQDM may be changed as a result of the customer's changed needs, typically associated with a change in price levied by the service provider.
  • the AQDM specifies the absolute QoS requirement (if any) for data sent from any termination in the VPN to any other termination.
  • the matrix may be complete, in that every pair of terminations has an absolute QoS relationship, or (more usually) incomplete, in that some pairs of terminations have an absolute QoS relationship, but others do not.
  • the null relationships may be best effort, or differentiated QoS. It may be expected that in many commercially useful VPNs, the AQDM is sparse.
  • the preferred method of the invention relates specifically to the non-null members of the AQDM. However it is desirable that the method applies when the AQDM is partially complete. In the case of an incomplete AQDM, the null members may be routed using one of the many published techniques for implementing best effort or differential QoS. This disclosure now goes on to describe the method in relation to how the non-null members of the AQDM are implemented.
  • each VPN site has a router, termed a CE router, physically located at the site.
  • This router will be connected to the service provider's premises via some form of Customer Access Network (CAN).
  • the CE router will typically be a low-cost device.
  • the CAN will often have one physical bearer, typically DSL, E1/T1, ISDN or SONET. If not all traffic at the site is part of the same VPN, or if the AQoS requirements are expressed at a finer grain than the site, then the CAN bearer will comprise a number of multiplex channels, termed Privacy Channels.
  • the privacy channels will be multiplexed using some protocol, preferably one which can support non-trivial QoS requirements. Examples of preferable privacy channel protocols are ATM and E1/T1 channelization, and less preferably frame relay or multiprotocol label switching (MPLS). Typically the privacy channels will be allocated as follows:
  • each unique combination of VPN membership that exists at a site has one or more privacy channels. For example, if at a site LAN Port A was part of VPN X, and both LAN Ports B and C were part of VPN X and Y, then there would be two privacy channels, one for VPN X, and one for VPN X and Y combined.
  • AT An aggregation of terminations
  • the CE router is capable of policing each termination's originating AQoS requirements. For example, if the AQoS for LAN1 to X is 1 Mb/s and for LAN2 to X is 2 Mb/s, then LAN1 and LAN2 may be grouped into an AT at 3 Mb/s, provided the CE router can prevent either LAN generating enough traffic to compromise the other LAN's QoS;
  • all data sent from the site is subject to the same treatment by the service provider's equipment. For example, if the AQoS for LAN1 to X is 1 Mb/s and for LAN2 to X is 2 Mb/s, then LAN1 and LAN2 may be grouped into an AT at 3 Mb/s, and the service provider's equipment need not distinguish the two traffic streams for delivery to X; or
  • the service provider's equipment is capable of routing the data from the individual terminations based on the content of the IP packet. For example, if the AQoS for LAN1 to X is 1 Mb/s and for LAN2 to Y is 2 Mb/s, then LAN1 and LAN2 may be grouped into an AT at 3 Mb/s, and the service provider's equipment routes to X using the source IP address range intrinsic to LAN1, and to Y using the source IP address range intrinsic to LAN2.
  • the CE router is configured to route data between the privacy channels and the LAN ports, and to route local data between LAN ports. If there is one privacy channel, then the CE router will be configured according to classic IP routing. That is, routes that specify the packet's Layer 2 destination based on the destination IP address alone. If there is more than one privacy channel, then the CE configuration may use classic routing for one privacy channel, but must also use some augmented routing method, preferably "Origin Routing", for the other channels. Origin routing specifies the packet's Layer 2 destination based on the destination IP address in addition to the originating Layer 2 port.
  • For QoS that is specified to a finer granularity than LAN port, it will be necessary to include further discriminators in the origin routes, such as originating IP address, the packet Type of Service (TOS), or the upper layer protocol (e.g. HTTP, SMTP etc.).
  • TOS packet Type of Service
  • HTTP HyperText Transfer Protocol
  • the CE router is configured for the QoS of its privacy channels, and the queuing discipline for packets entering those privacy channels. For the case where there is one termination per AQDM entry, the privacy channel QoS and discipline are directly inferred from the AQDM. If there are aggregated terminations, then the privacy channel QoS and queue discipline are derived by aggregating the respective AQDM entries. For example, if LAN 1 and LAN 2 both specify to destination X a bandwidth AQoS of 1 Mb/s sustained and 2 Mb/s peak at 10% burst size, then at 100% grade of service (GOS) the privacy channel requires a bandwidth QoS of 4 Mb/s.
  • GOS grade of service
  • the CE queue discipline - that is the shaping and policing policies - for directing traffic to the privacy channel, is configured into the CE routers in such a way that the per-termination QoS is always met.
  • the route for each LAN port may be set for the [1 Mb/s, 2Mb/s peak, 10%] profile.
  • the LAN port queue discipline may be relaxed to utilize the unused privacy channel bandwidth.
  • the queue discipline for each LAN port's traffic that exceeds the AQDM requirement may be such as to overflow into any unoccupied bandwidth of the other privacy channel. Such an overflow pattern would allow LAN1 to sustainably send at 2Mb/s or even 3.5 Mb/s during periods when LAN2 was sending nothing.
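The two CE mechanisms described above, origin routing (the Layer 2 next hop chosen from the originating LAN port as well as the destination address) and per-termination policing with overflow into a shared privacy channel, can be modelled in a few dozen lines. The Python below is an added example, not code from the patent or from Astracon; the site layout (LAN_A in VPN X only, LAN_B in VPN X and Y), the address ranges, the [1 Mb/s sustained, 0.2 Mb burst] profiles, the 4 Mb/s channel and the one-second tick model are all constructed assumptions, and the single-rate token bucket is a simplification of the page's [sustained, peak, burst] profile.

```python
"""Origin routing and per-termination policing at a CE router (added example)."""
from dataclasses import dataclass, field
from typing import Optional
import ipaddress


@dataclass
class Route:
    ingress: Optional[str]        # originating LAN port; None marks a classic (destination-only) route
    dst: ipaddress.IPv4Network    # destination prefix
    channel: str                  # Layer 2 next hop: a privacy channel or a local LAN port


class OriginRouter:
    """Selects the Layer 2 destination from (originating port, destination IP)."""

    def __init__(self, routes):
        self.routes = list(routes)

    def lookup(self, ingress, dst_ip):
        dst = ipaddress.ip_address(dst_ip)
        best = None
        for r in self.routes:
            if r.ingress not in (None, ingress) or dst not in r.dst:
                continue
            # an origin route beats a classic route; among those, longest prefix wins
            rank = (r.ingress is not None, r.dst.prefixlen)
            if best is None or rank > best[0]:
                best = (rank, r)
        return best[1].channel if best else None   # None: no route, the packet is dropped


@dataclass
class Policer:
    """Single-rate token bucket: sustained rate plus a bounded burst (assumed simplification)."""
    rate_mbps: float
    burst_mb: float
    tokens: float = field(init=False)

    def __post_init__(self):
        self.tokens = self.burst_mb

    def refill(self, dt_s):
        # credit carried across ticks is capped at the burst size, then this tick's sustained allowance is added
        self.tokens = min(self.tokens, self.burst_mb) + self.rate_mbps * dt_s

    def conforms(self, size_mb):
        if size_mb <= self.tokens + 1e-12:
            self.tokens -= size_mb
            return True
        return False


class PrivacyChannel:
    """A multiplex channel shared by several terminations. Conformant traffic is admitted first,
    so no LAN can starve another; non-conformant excess may overflow into whatever channel
    capacity the tick leaves unused (the relaxed discipline the page describes)."""

    def __init__(self, capacity_mbps, profiles):
        self.capacity = capacity_mbps
        self.policers = {lan: Policer(rate, burst) for lan, (rate, burst) in profiles.items()}

    def tick(self, dt_s, offered):
        """offered: {lan: [packet sizes in Mb]} arriving in this tick; returns Mb admitted per LAN."""
        for p in self.policers.values():
            p.refill(dt_s)
        budget = self.capacity * dt_s
        admitted = {lan: 0.0 for lan in self.policers}
        excess = {lan: [] for lan in self.policers}
        for lan, pkts in offered.items():                 # pass 1: guaranteed share
            for size in pkts:
                if self.policers[lan].conforms(size):
                    admitted[lan] += size
                    budget -= size
                else:
                    excess[lan].append(size)
        for lan, pkts in excess.items():                  # pass 2: overflow into idle capacity
            for size in pkts:
                if size <= budget:
                    admitted[lan] += size
                    budget -= size
        return admitted


def demo():
    """Two LANs, each [1 Mb/s sustained, 0.2 Mb burst], on a 4 Mb/s privacy channel (the sum of
    the 2 Mb/s peaks, i.e. 100% GOS). LAN1 floods 6 Mb in both one-second ticks; LAN2 sends its
    conformant 1 Mb in the first tick and is idle in the second. Returns admitted Mb per LAN."""
    chan = PrivacyChannel(4.0, {"LAN1": (1.0, 0.2), "LAN2": (1.0, 0.2)})
    tick1 = chan.tick(1.0, {"LAN1": [0.5] * 12, "LAN2": [0.25] * 4})
    tick2 = chan.tick(1.0, {"LAN1": [0.5] * 12, "LAN2": []})
    return tick1, tick2


# Constructed site: LAN_A belongs to VPN X only; LAN_B belongs to VPN X and VPN Y, so each
# unique membership combination gets its own privacy channel (PC_X, PC_XY).
CE_ROUTES = [
    Route("LAN_A", ipaddress.ip_network("10.0.0.0/8"), "PC_X"),      # VPN X address space
    Route("LAN_B", ipaddress.ip_network("10.0.0.0/8"), "PC_XY"),
    Route("LAN_B", ipaddress.ip_network("172.16.0.0/12"), "PC_XY"),  # VPN Y address space
    Route(None, ipaddress.ip_network("192.168.1.0/24"), "LAN_A"),    # classic route to the local LAN
]
CE = OriginRouter(CE_ROUTES)
```

In the first tick LAN1's flood is cut back to its 1.2 Mb of conformant traffic before LAN2 is served, so LAN2 gets all of its 1 Mb; only then does LAN1 fill the remaining 2 Mb of channel capacity. In the second tick, with LAN2 idle, LAN1 takes the whole 4 Mb/s, which is the overflow behaviour the page describes. The routing table shows the isolation property: the same destination reached from LAN_A and LAN_B leaves on different privacy channels, and a packet from LAN_A towards VPN Y address space has no route at all.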
  • while it is preferable for each site to have a router, it is feasible, especially in the case where the customer presents one LAN at a site, to have network terminating equipment that adapts the LAN protocol onto a suitable line protocol for transmission to the service provider's premises.
  • The network equipment - service provider's site
  • the service provider's network has a number of provider terminations at which the VPN is manifest. These may be physical ports or multiplex channels within a physical port. Each provider termination is supported by a provider edge routing element (RE). Most preferably this will be a "virtual router", that is a partition of a physical provider edge (PE) router. Virtual routing capability may be explicitly supported by the PE router, or may be implicitly supported using Origin Routing. Less preferably the RE will be the physical PE router.
  • RE provider edge routing element
  • the REs will be connected to a connection-oriented inter-router network.
  • the inter-router network is capable of creating paths, that link REs.
  • the VPN is built by selecting an appropriate set of paths, and then configuring the routers to use those paths.
  • Each inter-router path is capable of supporting an absolute QoS guarantee, either as a stringent guarantee such as a constant bit-rate ATM, SONET or SDH path, or as a weaker guarantee, such as a VBR ATM or Frame Relay path.
  • the inter-router network may itself be an IP network, where the paths are implemented as IP transfers over that IP network. Most usefully, the IP transfer will be in the form of IP tunnelling, as this maintains the separation between the VPN's IP address space and that of the inter-router network.
  • the IP network will either have effectively unconstrained bandwidth, or will offer an absolute QoS guarantee, such as that supported by resource reservation protocol (RSVP).
  • the RE will perform any adaptation required from IP to the path protocol.
  • if the path protocol is ATM, the router will perform the AAL5 adaptation.
  • the hardware configuration where the PE router and the edge inter-router switches are combined in one physical network element is most desirable.
  • a path in the inter-router network is normally point-to-point, that is it connects exactly two REs.
  • a path may also be multipoint-to-point, that is it merges data from several sources onto one path, as supported by ATM or MPLS.
  • the activity of designing a particular user's VPN is suitably to:
  • the absolute requirements of the design are that VPN privacy is maintained and that the AQDM is fulfilled.
  • the secondary requirement is that there is no alternate design that consumes less of the service provider's network resource.
  • the first requirement, that of VPN privacy, is most simply ensured by dedicating each inter-router path to the traffic destined for exactly one VPN.
  • each termination is a member of exactly one VPN, and therefore each RE is dedicated to that one VPN.
  • the design rule is that inter-router paths connect REs of the same VPN only.
  • both the inter-router network and the route tables within the REs are jointly designed to send data to appropriate REs only.
  • the second requirement constitutes the remainder of this disclosure.
  • the starting point of design is an AQDM expressed at the RE terminations.
  • the AQDM expressed by the user is in effect, the AQDM at the RE terminations. If there is a non-trivial CAN, as discussed in the previous section, then the AQDM as expressed by the user must be mapped to an AQDM that references the RE terminations. As each privacy channel is an RE termination, the mapping of the AQDM follows the same principle as discussed previously for determining privacy channel QoS.
  • since each path aggregates fewer AQDM entries, for non-constant bandwidth profiles this means that the bandwidth requirement of each path moves closer to the sum of the peak bandwidths of the members, rather than the sum of the mean bandwidths, as would occur if there were very many members.
  • the design process will obtain in close-to-real-time from the routers and inter-router network, a model for predicting the costs that will be incurred.
  • EMS element management system
  • in a preferred embodiment, each non-null member of the AQDM specifies a bandwidth profile and the inter-router network supports point-to-point paths. Instances of this embodiment are termed bandwidth-based, point-to-point configurations.
  • the point-to-point trail selector (PTP-TS) of the embodiment performs the following functions: design the point-to-point connections that implement the inter-router paths; design the routing pattern; design the traffic flow control (policing and shaping); and design the protocol adaptation (for example, AAL5 for IP-over-ATM).
  • the PTP-TS designs the implementation of the VPN by selecting the set of connections that just meet the QoS specification, while minimizing the cost of the connections plus the cost of transit routing.
  • the PTP-TS generally selects a set of connections that lie somewhere between a minimal set of (N-1) connections and a full mesh of about N² connections (this is in contrast to Classical IP over ATM).
  • for a small VPN, the inter-router connections may be more like a mesh.
  • for a larger VPN, the inter-router connections would be sparser, with each connection carrying more highly aggregated traffic.
  • the PTP-TS is responsible for selecting the least cost implementation of the VPN. This choice is qualified by the end result having to meet the customer-supplied QoS specification. However, there are many ways of selecting a set of connections that will work. Some examples of connecting N routers are: mesh, which minimizes routing cost and end-to-end delay, although the cost of the approximately N² connections and the size of the route tables may make this a poor choice; linear, which minimizes connection cost and route table entries, at the expense of longer delays and higher router processing costs; and spanning tree, which strikes a balance between the two.
  • the approach taken by the PTP-TS is to select the set of connections such that the total cost to provide the VPN is minimized.
  • the total cost consists of the cost of connections in the point-to-point network plus the cost of routing. Therefore the PTP-TS selects a set of connections that is optimum for that VPN, considering the capabilities of the point-to-point network and the IP routers, with the terminations in the desired locations. For example, the end result may be something like a mesh within a city, a tree between cities and linear for expensive international traffic.
  • the PTP-TS predicts its connection costs from a cost model for the point-to- point network.
  • This cost model exposes the costs of using the available resources of the underlying point-to-point network, and is typically exposed by the network management system (NMS) responsible for provisioning connections in the point-to-point network.
  • This cost model includes concepts such as distance-dependent transmission cost, fixed termination cost and switching cost.
  • the network resources available for implementing the VPN may also be available from a connection model included in the NMS.
  • the PTP-TS predicts the routing cost from the router element cost models.
  • Router cost models typically state a fixed cost for transiting traffic, plus a capacity dependent cost to account for router processing.
  • the PTP-TS combines this information to deduce the cost of the various candidate implementations and then selects an optimal cost result that satisfies the VPN AQoS specification.
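The selection step just described can be made concrete. The Python below is an added example, not code from the patent or from Astracon: it costs three candidate inter-router designs for one VPN (full mesh, minimum spanning tree on distance, linear chain) against the same set of non-null AQDM entries, routing each entry over the candidate's connections, dimensioning each connection separately per direction (the way circuit 204 is dimensioned in the worked network later on the page) and charging transit routers, then applies the privacy design rule and picks the cheapest design. The RE names, distances, demands and every cost coefficient are constructed; the page names the cost components (termination, distance-dependent transmission, fixed plus capacity-dependent transit) but gives no values.

```python
"""Costing candidate inter-router designs for a bandwidth-based, point-to-point VPN (added example)."""
import heapq
from itertools import combinations

# Assumed cost model: the page names these components, the coefficients are invented.
TERM_COST = 15.0      # per connection termination (two per connection)
KM_RATE = 0.5         # per km per Mb/s, charged for each direction of a connection
TRANSIT_RATE = 3.0    # router processing cost per Mb/s transited
TRANSIT_FIXED = 10.0  # fixed cost for each router that transits any traffic


def _edge(u, v):
    return frozenset((u, v))


def dijkstra(adj, src):
    """Predecessor map of distance-shortest paths over the candidate connections only."""
    dist, prev, heap = {src: 0.0}, {}, [(0.0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, w in adj[u].items():
            if d + w < dist.get(v, float("inf")):
                dist[v], prev[v] = d + w, u
                heapq.heappush(heap, (d + w, v))
    return prev


def route(prev, src, dst):
    p = [dst]
    while p[-1] != src:
        p.append(prev[p[-1]])        # KeyError here means the design leaves dst unreachable
    return p[::-1]


def cost_design(edges, distance, demands):
    """Route every non-null AQDM entry over the candidate edges.
    Returns (total cost, Mb/s carried per (from, to) direction, Mb/s transited per router)."""
    adj = {}
    for u, v in edges:
        adj.setdefault(u, {})[v] = distance[_edge(u, v)]
        adj.setdefault(v, {})[u] = distance[_edge(u, v)]
    cap, transit = {}, {}
    for (s, t), mbps in demands.items():
        p = route(dijkstra(adj, s), s, t)
        for a, b in zip(p, p[1:]):
            cap[(a, b)] = cap.get((a, b), 0.0) + mbps      # dimension each direction separately
        for r in p[1:-1]:
            transit[r] = transit.get(r, 0.0) + mbps
    connections = sum(2 * TERM_COST + KM_RATE * distance[_edge(u, v)] * (cap.get((u, v), 0.0) + cap.get((v, u), 0.0))
                      for u, v in edges)
    routing = sum(TRANSIT_FIXED + TRANSIT_RATE * m for m in transit.values())
    return connections + routing, cap, transit


def full_mesh(nodes):
    return list(combinations(nodes, 2))


def spanning_tree(nodes, distance):
    """Kruskal minimum spanning tree on distance."""
    parent = {n: n for n in nodes}

    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x

    tree = []
    for u, v in sorted(combinations(nodes, 2), key=lambda e: distance[_edge(*e)]):
        if find(u) != find(v):
            parent[find(u)] = find(v)
            tree.append((u, v))
    return tree


def linear(order):
    return list(zip(order, order[1:]))


def privacy_ok(edges, vpn_of):
    """Design rule: an inter-router path may only join REs dedicated to the same VPN."""
    return all(vpn_of[u] == vpn_of[v] for u, v in edges)


def select(nodes, distance, demands, vpn_of, chain_order):
    """Cheapest candidate name, plus the cost of every candidate that passes the privacy rule."""
    candidates = {"mesh": full_mesh(nodes), "tree": spanning_tree(nodes, distance), "linear": linear(chain_order)}
    costs = {name: cost_design(e, distance, demands)[0] for name, e in candidates.items() if privacy_ok(e, vpn_of)}
    return min(costs, key=costs.get), costs


# Constructed example: R1, R2, R5 in one city, R3, R4 in another about 100 km away; all REs serve VPN X.
NODES = ["R1", "R2", "R5", "R3", "R4"]
DIST_KM = {_edge(*k): v for k, v in {
    ("R1", "R2"): 2, ("R1", "R5"): 4, ("R2", "R5"): 5, ("R3", "R4"): 3,
    ("R1", "R3"): 100, ("R1", "R4"): 102, ("R2", "R3"): 101, ("R2", "R4"): 101,
    ("R5", "R3"): 102, ("R5", "R4"): 104}.items()}
AQDM = {("R1", "R2"): 2, ("R2", "R1"): 2, ("R3", "R4"): 1, ("R4", "R3"): 1,   # Mb/s, per direction
        ("R2", "R4"): 5, ("R4", "R2"): 5, ("R1", "R4"): 1, ("R4", "R1"): 1,
        ("R1", "R3"): 0.5, ("R3", "R1"): 0.5, ("R2", "R3"): 0.5, ("R3", "R2"): 0.5,
        ("R1", "R5"): 1, ("R5", "R1"): 1, ("R5", "R4"): 0.5, ("R4", "R5"): 0.5}
VPN_OF = {n: "X" for n in NODES}
CHAIN = ["R2", "R1", "R5", "R3", "R4"]
```

With these numbers the spanning tree wins (1008.5 against 1070.5 for the mesh and 1098.5 for the chain): the mesh pays ten connection terminations and a separate 101 km circuit for every inter-city pair, while the tree carries all inter-city traffic on one R1-R3 trunk dimensioned to 7.5 Mb/s in each direction at the price of 25 Mb/s of transit at R1 and R3. A real PTP-TS would also explore hybrids (mesh within a city, tree between cities) as the page suggests, but the costing and the same-VPN check are the same.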
  • the example network 100 shown in FIG. 1 is composed of a number of campus-level LAN segments, S1 to S6, linked by a transport layer.
  • the boundary of the service provider's responsibility may be the LAN side of a router, or may include the LAN itself.
  • provider edge (PE) IP routers R1 to R6 are located on the customer's premises at the customer's sites A to D.
  • the inter-router network associated with the transport layer extends to the customer's premises.
  • the inter-router network protocols are a mixture of ATM, SONET and IP (via the public Internet), as described in more detail below.
  • the service provider links five LAN segments (S#) at three sites or locations in two cities, 100km apart.
  • Site A is the head office in a first city, with corporate facilities on network segment S2, and Site B is the manufacturing complex in a second city, with manufacturing and stock control systems on network segment S4.
  • a telecommunications company has a central office Y in the first city and a central office X in the second city, which central offices provide switching infrastructure.
  • Site C is a remote regional sales center with network segment S5.
  • Site D is a new one-person serviced office with network segment S6.
  • Network segments S1 , S3, and S5 support desktop computer systems.
  • the customer's service level agreement (SLA) in the example, which is simplified for the purposes of this discussion by ignoring probabilistic QoS, is specified as follows:
  • the LAN segment port aggregate AQoS is as follows:
  • S6 requires 1 Mb/s peak, with 30 minutes per day total usage.
  • the inter-termination AQoS for the segments is as follows:
  • the AQDM for the inter-termination AQoS might be conveniently represented as shown in Table 1 below.
  • the AQDM was deduced as follows: the above inter-termination AQoS map directly to AQDM entries, marked with an asterisk (*) in Table 1; the port aggregate bandwidth requirement for S2 and S4 is mitigated, to reflect that there is insufficient port bandwidth requirement on other VPN terminations to justify these flows; and the other AQDM entries are deduced from the port aggregate AQoS using the bandwidth-proportioning technique described above, ignoring commercially insignificant data flows, and rounding.
  • Traffic between the routers is transported using a mixture of physical bearers 102 (R1-R2), 103 (R3-R4), SONET switches (T1 & T2) and fibre links 104 (R2-R4), ATM switches (A1 & A2) and links 105, and Internet links 106.
  • the VPN IP packets are transported over bearer circuits, that is multiplex circuits over the above described physical bearers, as shown in FIG. 2.
  • An Internet circuit 201 transports IP packets to segment S6 via router R1 from all other LAN segments.
  • Two building cable circuits are provided at site A between segments S1 and S2.
  • the first circuit 202 carries packets between S2 and each of S5 and S6, whilst the second circuit 203 carries packets between segments S1 and S2 only.
  • An ATM permanent virtual circuit (PVC) 204 is provided between segments S1 and S4, for carrying packets S5-S1, S5-S2, S5-S6, S4-S1 and S4-S6.
  • An ATM PVC 205 is provided between S1 and S3, for carrying packets S3-S1 and S3-S6.
  • An ATM PVC 206 is provided between segments S2 and S3, for transporting packets between those segments only.
  • a SONET STS-3 circuit 207 is similarly dedicated to IP packets between segments S2 and S4.
  • a further two building cable circuits are provided at site B between segments S3 and S4.
  • One cable circuit 208 carries packets S5-S3, whilst the other circuit 209 carries packets S4-S3.
  • as the S2-S4 flow is relatively static, large, and important, it is transported over a direct SONET STS-3 connection 207 between R2 and R4.
  • the small and volatile data flow into the new sales center at Site D is transported over the public Internet 101 using a local ISP.
  • ATM circuit 204 is dimensioned to 5.5 Mb/s in the S4 to S1 direction, and 1.5 Mb/s in the reverse direction, to accommodate the sum of the S4-S6, S4-S1, S5-S1 and S5-S2 AQDM entries.
  • ATM Circuit 205 is dimensioned to 0.5 Mb/s to accommodate the sum of the S3-S1 and S3-S6 AQDM entries.
  • the S2 to S3 AQoS is supported by an ATM constant bit rate PVC 206 between R1 and R3.
  • dedicated (low cost) building cabling supports the QoS requirements between the LAN segments in one building.
  • Routers are either dedicated to a customer, or are VPN aware. Route tables in R1 to R4 are designed to ensure that traffic flows as specified.
  • the QoS circuits in the example include circuits 203, 205 and 209.
  • if the VPN is small (say less than 10 sites), then a highly meshed, or fully meshed, option is possible.
  • another option is a centralized router, optimally located in a Central Office.
  • if the network is more spread out, then there can be several star-points (like airline hubs).
  • if the router supports input throttling, then the aggregate traffic can share the QoS circuits.
  • FIG. 3 is a diagram illustrating a network management system 300 which includes, as a component, a point-to-point trail selector (PTP-TS) 301 for implementing a virtual private network (VPN).
  • the PTP-TS includes an input means in the form of a client interface 302 for receiving an absolute quality of service (AQoS) specification from a client 303 desiring VPN services.
  • the PTP-TS also includes an identification module 304 for obtaining information about network resource available for implementing the VPN.
  • the client interface 302 and the identification module 304 are each coupled to a processor 305.
  • the identification means 304 communicates with subsidiary network management systems (NMS) relevant to terminations specified for the VPN, including a path NMS 310 and a router element NMS 320.
  • the path NMS 310 includes a processor 311 and a database 312 containing information about the different connection orientated network path resources administered by the path NMS.
  • the resources administered by the path NMS include dedicated management systems for ATM 313, SONET 314 and IP Sec 315 resources that enable creation of paths between the specified terminations.
  • the router element (RE) NMS 320 includes a processor 321 and a database 322 containing information about router elements administered by the RE NMS.
  • Network resources in the form of router elements may be administered indirectly by operational support systems for respective first 323, second 324 and third 325 termination group router elements (RE).
  • the operational support systems enable configuration of the routers to direct traffic as required in relation to terminations of the VPN.
  • the VPN NMS processor 305 receives path cost offers 316 and router element 326 cost offers from the path NMS 310 and RE NMS 320, respectively.
  • the cost offers include both capital cost and operating cost components for the network resource, and this aspect of path set configuration allows the minimisation of the cost of network resource for implementing the VPN.
  • the VPN NMS processor 305 creates, using the design principles set out above, a set of paths between some of the routers connected to terminations of the network. The paths are then configured such that they satisfy the client supplied AQoS specification between the terminations of the VPN.
  • the present invention is concerned with a method and means for efficiently implementing a VPN where some or all of the QoS specification is in terms of an AQoS, rather than with the concept of absolute quality of service (AQoS) per se, or the various ways of specifying an AQoS.

Abstract

A method of, and point-to-point trail selector (PTP-TS) for, implementing a virtual private network (VPN) between a plurality of sites with terminations connected to routers in the network. The PTP-TS (301) including input means (302) for receiving from a client (303) an absolute quality of service (AQoS) specification that specifies service required between respective terminations of the VPN; processor means (305) coupled to the input means and operative to create a set of paths between at least some of the routers, wherein each path supports connection orientated data transfer with a quality of service specification, and to configure the set of paths such that (i) said set of paths satisfies the AQoS specification between said terminations of the VPN; and (ii) the cost of network resource for implementing the VPN, including said paths and routers, is minimised. Suitably there is further included an identification means (304) for obtaining information about network resource available for implementing the VPN, wherein the identification means is coupled to the processor means (305), and the processor means creates and configures the set of paths using the network resource information.

Description

METHOD OF IMPLEMENTING IP VIRTUAL PRIVATE NETWORKS TO ENSURE QUALITY OF SERVICE
BACKGROUND OF THE INVENTION
(i) Field of the Invention
This invention relates to the management of large scale Internet protocol (IP) networks, such as those operated by a telecommunications company for the purposes of providing IP virtual private network (VPN) services to its customers. In particular, although not exclusively, the invention relates to a method for optimal selection of connections in a connection-orientated transport network and IP router configuration to provide a guaranteed quality of service (QoS) for the VPN.
(ii) Discussion of the Background Art
Existing IP networks are typically designed to meet the needs of a single enterprise. As telecommunications companies and other service providers start to provide IP VPN services for their customers, they face problems of designing and deploying the IP network to achieve cost-effective utilization of their transport networks, whilst simultaneously being able to support a contracted level of service to each of their customers.
Some customers require a VPN service with a guaranteed level of service and are prepared to incur a greater cost, others are satisfied with a "best effort" service at low cost, yet others require something in between. The cost-quality trade-off is typically expressed in a Service Level Agreement (SLA) between the telecommunications service provider and the customer. The SLA specifies various "quality of service" (QoS) aspects of the VPN, for example, packet delay, reliability, and required throughput, between the terminations of the VPN. The QoS required for each VPN is likely to be different because of differing SLAs with individual customers.
Routing techniques for known classical IP networks focus on achieving connectivity for all nodes in the network and sharing the available bandwidth equitably. Recent advances allow the total network to be partitioned into private sub-networks, where connectivity exists between the members of each private sub-network and is prevented between members of different sub-networks. Further advances can support differential quality, where one customer (or class of customer) is offered superior service to other customers.
Telecommunications service providers who are operating IP networks to provide VPN services need to ensure isolation between different VPNs. The service providers also need to ensure that the specified QoS for the traffic between the particular set of terminations which constitute a VPN is met, for each of the VPNs supported by the IP network.
Quality of service (QoS) guarantees may be considered from two perspectives, namely absolute and differential. An absolute guarantee means that the quality is described without reference to other services. This allows the service consumer to independently, or through a trusted third party, verify that the service provider is delivering the contracted QoS. Absolute QoS is contrasted with differential QoS, wherein the service provider guarantees only that one customer's traffic will get some preferential treatment over that of another customer.
An absolute guarantee may be stringent, in the limiting case requiring 100% of the traffic to conform to a specific quality criterion. However useful cases exist where only a fraction (say 90%) of the traffic is guaranteed to conform to the criterion. The degenerate case is the well known best effort, where 0% of the traffic is required to meet the criterion. The quality criterion may be expressed as a single measurement, such as a sustained end-to-end bit rate. Equally, the criterion may be some form of profile, such as a sustained bit rate, plus a burst bit rate and burst duration.
A VPN generally comprises a number of terminations at different customer sites. Each termination is a point where the telecommunications company's customer may send and receive IP packets from other terminations in the VPN (or VPNs) to which it belongs. A common form of a termination would be a port on a router. A typical example is a customer edge (CE) router, where the port is connected to a customer's local area network (LAN) and the router is connected to the service provider. A coarser form of termination would be all the traffic at a customer's site that is aggregated by a particular CE router. A finer form of termination would be the traffic generated by a particular LAN connected device. Consider a scenario where an absolute QoS specification is required between at least two of the terminations of a VPN. This may arise from a global QoS for the VPN as a whole, or arise from particular quality requirements for traffic between particular sites in the VPN. A typical QoS specification might state the bandwidth requirement between two terminations. Other specifications could be in terms of end-to-end delay or delay variation, or even abstract qualities such as mean time between failure. However, enumerating pair-wise quality relationships between all VPN sites is unrealistically complex for a reasonable size VPN, because an 'N' member VPN has approximately N² relationships.
(iii) Glossary of Terms
AQDM: absolute quality dispersion matrix
ATM: asynchronous transfer mode
AQoS: absolute QoS
MPLS: multi-protocol label switched
NMS: network management system
PTP-TS: point-to-point trail selector
PVC: permanent virtual circuit
QoS: quality of service
RSVP: resource reservation protocol
SDH: synchronous digital hierarchy
SLA: service level agreement
SONET: synchronous optical network
TCP/IP: transmission control protocol / Internet protocol
VPN: virtual private network
(iv) Definitions
The expression virtual private network (or "VPN") as used herein means an IP connectivity service provided by a service provider wherein at each network site there are one or more terminations via which users may send and receive data, each termination will only receive data that is sent by a user connected to a termination or is sent by the service provider, and data sent on a termination cannot be read or disrupted by any equipment other than that equipment connected to a termination or connected by the service provider. The expression absolute quality of service (or "AQoS"), as used herein, means a quality of service that can be verified solely by observing the traffic at the terminations of a VPN.
BRIEF SUMMARY OF THE INVENTION
(i) Object of the Invention
It is an object of this invention to provide a method and means of implementing an IP VPN, where at least some of the VPN's traffic is subject to an absolute quality of service guarantee.
It is another object of this invention that, subject to implementing an absolute quality of service guarantee, efficient use is made of the service provider's router and inter-router network resources.
It is a further object of the present invention to provide a method and means of implementing a VPN by selecting paths in a point-to-point transport network and corresponding IP router configuration, in order to allow the service provider to offer a quality of service guarantee for the VPN, in a manner that makes optimal use of the available resources of the point-to-point transport network and the available IP routers.
(ii) Disclosure of the Invention
In one form, the invention resides in a method of implementing a virtual private network (VPN) between a plurality of sites with terminations connected to routers in the network, said method including the steps of:
(a) specifying an absolute quality of service (AQoS) between respective terminations of the VPN;
(b) creating a set of paths between at least some of the routers, wherein each path supports connection orientated data transfer with a quality of service specification; and
(c) configuring the set of paths, such that: (i) said set of paths satisfies the AQoS specification between the terminations of the VPN; and (ii) the cost of network resource for implementing the VPN, including said paths and routers, is minimised. Suitably the terminations are connected to the routers, either at the site of the termination or at a remote site.
Preferably the cost of network resource is calculated from a weighted sum of: the capital cost of the set of paths; the capital cost of transferring data from one router to another router via an intermediate router; the operating cost of the set of paths; and the operating cost of transferring data from one router to another router via an intermediate router.
The routers may be either physical routers or virtual routers constructed by partitioning the resources of a physical router, or a partitioning of the route table in a physical router based on originating port.
Each path in the VPN may be one of a point-to-point connection, a point-to-multipoint connection, multipoint-to-point connection or a multipoint-to-multipoint connection. A connection may use a Layer 1 protocol or a Layer 2 protocol, such as ATM, SDH, SONET or Frame Relay; a connection may use an IP protocol, such as IPSec, Layer 2 tunnelling protocol (L2TP) or resource reservation protocol (RSVP); or a connection may use multi-protocol label switching.
Preferably the connection oriented network supports QoS requirements relating to one or more of bandwidth, delay, delay variation, security, or reliability.
Suitably the AQoS is specified as a requirement on one or more of bandwidth, delay, delay variation, security or reliability. The AQoS requirement may be specified as either a specific value, or as a stochastic profile, which AQoS requirement may be specified explicitly or inferred from a group specification.
If required, the AQoS requirement is inferred from one or more QoS specifications, wherein each specification relates to a single termination.
In some instances a termination may be a member of more than one service. Generally, a termination is one of the following: a local area network (LAN) port, an IP address, a set of contiguous or discontiguous IP addresses, or the aggregated traffic from all LANs at a site. Most preferably only some pairs of terminations of the VPN have an AQoS.
The cost of network resource may be determined by delegating to a network management system or to an operational support system associated with the terminations of the VPN.
In another aspect, the invention resides in a method of implementing a virtual private network (VPN) for a plurality of geographically dispersed sites, each site including one or more terminations connected to Internet protocol (IP) routers, said method including the steps of:
(a) specifying a global quality of service (QoS) for service components of the VPN; and
(b) interconnecting the IP routers at the sites with a point-to-point network that satisfies the global QoS specification.
Preferably the interconnecting step (b) includes the steps of creating and configuring paths between at least some of the IP routers.
Most preferably each path in the VPN is characterised by an absolute quality of service specification (AQoS) that satisfies the global QoS specification. The global QoS is suitably a set of AQoS specifications that characterise the quality of service for the VPN.
In a further aspect, the invention resides in a point-to-point trail selector (PTP-TS) for implementing a virtual private network (VPN) between a plurality of sites with terminations connected to routers in the network, said PTP-TS including:
(a) input means for receiving an absolute quality of service (AQoS) specification that specifies service required between respective terminations of the VPN;
(b) processor means coupled to the input means and operative to create a set of paths between at least some of the routers, wherein each path supports connection orientated data transfer with a quality of service specification, and to configure the set of paths such that: (i) said set of paths satisfies the AQoS specification between said terminations of the VPN; and (ii) the cost of network resource for implementing the VPN, including said paths and routers, is minimised. The point-to-point trail selector may further include:
(c) an identification means for obtaining information about network resource available for implementing the VPN wherein the identification means is coupled to the processor means, and the processor means creates and configures the set of paths using the network resource information.
If required the point-to-point trail selector is a component of a network management system and the cost of network resource is provided by a cost model associated with the network management system.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 illustrates the network topology of an example IP VPN; FIG. 2 illustrates the inter-router connectivity of the example IP VPN of FIG. 1; and
FIG. 3 is a block diagram of an exemplary trail selector employed in a hierarchy of network management systems.
DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS
Introduction
One aspect of the invention is to provide some practical solutions to the problem of enumerating pair-wise quality relationships between all sites in a VPN, including the following:
• Only specify AQoS relationships, and more particularly highly specific QoS relationships, between the members of the VPN that are of most commercial interest to the customer. Unspecified relationships can default to either a less specific AQoS relationship, or to a differential QoS specification. For example, the "Black Stump" site may specify 10 Mb/s to the "Corporate Center" site, and the "Black Stump Engineering LAN" may specify 1 Mb/s to the "Corporate Center Engineering LAN". In this example, the Black Stump Engineering LAN is guaranteed 1 Mb/s, while all the other Black Stump LANs, such as Finance, Sales and Marketing, merely state that together with Engineering, they are guaranteed 10 Mb/s.
• Specify AQoS for groups of terminations that have some characteristic in common. As an example, specify that each termination designated for "Sales" has 100 ms delay to the "Conference Center" termination, thus saving the enumeration of that specification for the plethora of individual sales terminations.
• Infer specific QoS relationships, based on more general relationships. For example, if the three members of a VPN were capable of sending and receiving data at rates X, Y and Z, then the inferred bandwidth QoS from the first to the third member is X*Z/(Z+Y).
Irrespective of the form of the QoS specification (one of the above methods, or some other approach), it is preferable that an absolute quality dispersion matrix (AQDM) be produced. The AQDM is explicitly or implicitly specified by the user of the VPN. The AQDM may be changed as a result of the customer's changed needs, typically associated with a change in price levied by the service provider. The AQDM specifies the absolute QoS requirement (if any) for data sent from any termination in the VPN to any other termination. The matrix may be complete, in that every pair of terminations has an absolute QoS relationship, or (more usually) incomplete, in that some pairs of terminations have an absolute QoS relationship, but others do not. The null relationships may be best effort, or differentiated QoS. It may be expected that in many commercially useful VPNs, the AQDM is sparse.
The preferred method of the invention relates specifically to the non-null members of the AQDM. However it is desirable that the method applies when the AQDM is partially complete. In the case of an incomplete AQDM, the null members may be routed using one of the many published techniques for implementing best effort or differential QoS. This disclosure now goes on to describe the method in relation to how the non-null members of the AQDM are implemented.
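As an added illustration (not part of the patent text), the following Python assembles a sparse AQDM from the three specification styles just described: explicit pair entries, group specifications expanded over the group's members, and bandwidth inferred from member send/receive rates. The inference generalises the three-member rule X*Z/(Z+Y) to any number of members by sharing a member's rate among the other members in proportion to their rates; that generalisation, the precedence between the three sources, and the site names and values in the sample input are assumptions made for this example.

```python
from typing import Dict, List, Tuple

Pair = Tuple[str, str]
Spec = Dict[str, float]


def expand(name: str, groups: Dict[str, List[str]]) -> List[str]:
    """A name in a group specification is either a group (expanded to its
    member terminations) or a single termination."""
    return list(groups.get(name, [name]))


def infer_bandwidth(rates: Dict[str, float]) -> Dict[Pair, float]:
    """Assumed generalisation of the three-member rule X*Z/(Z+Y): a member's
    send rate is shared among the other members in proportion to their rates,
    so inferred(i -> j) = r_i * r_j / (sum of r_k over k != i)."""
    inferred: Dict[Pair, float] = {}
    for i, r_i in rates.items():
        others = sum(r for k, r in rates.items() if k != i)
        for j, r_j in rates.items():
            if i != j and others > 0:
                inferred[(i, j)] = r_i * r_j / others
    return inferred


def build_aqdm(explicit: Dict[Pair, Spec],
               groups: Dict[str, List[str]],
               group_specs: List[Tuple[str, str, Spec]],
               rates: Dict[str, float] = None) -> Dict[Pair, Spec]:
    """Assemble the sparse AQDM. Pairs with no entry are 'null' (best effort or
    differential QoS). Precedence (an assumption): explicit pair entries override
    group-derived entries, which override inferred entries."""
    aqdm: Dict[Pair, Spec] = {}
    if rates:
        for pair, bw in infer_bandwidth(rates).items():
            aqdm.setdefault(pair, {})["bandwidth_mbps"] = bw
    for src_group, dst_group, spec in group_specs:
        for src in expand(src_group, groups):
            for dst in expand(dst_group, groups):
                if src != dst:
                    aqdm.setdefault((src, dst), {}).update(spec)
    for pair, spec in explicit.items():
        aqdm.setdefault(pair, {}).update(spec)
    return aqdm


def density(aqdm: Dict[Pair, Spec]) -> float:
    """Fraction of the N*(N-1) ordered termination pairs that carry an AQoS entry."""
    terms = {t for pair in aqdm for t in pair}
    n = len(terms)
    return len(aqdm) / (n * (n - 1)) if n > 1 else 0.0


# Constructed sample input, using the site names from the description.
SAMPLE_EXPLICIT = {("Black Stump", "Corporate Center"): {"bandwidth_mbps": 10.0},
                   ("Black Stump Eng LAN", "Corporate Center Eng LAN"): {"bandwidth_mbps": 1.0}}
SAMPLE_GROUPS = {"Sales": ["Sales-1", "Sales-2", "Sales-3"]}
SAMPLE_GROUP_SPECS = [("Sales", "Conference Center", {"delay_ms": 100.0})]
SAMPLE_RATES = {"M1": 3.0, "M2": 6.0, "M3": 12.0}   # hypothetical three-member VPN

if __name__ == "__main__":
    matrix = build_aqdm(SAMPLE_EXPLICIT, SAMPLE_GROUPS, SAMPLE_GROUP_SPECS, SAMPLE_RATES)
    for pair in sorted(matrix):
        print(pair, matrix[pair])
    print("density:", round(density(matrix), 3))
```

Running the sample yields eleven non-null entries among eleven terminations, a density of 0.1; everything else in the matrix is null and would be handled by a best-effort or differential mechanism.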
The network equipment - customer's site and access
Preferably, each VPN site has a router, termed a CE router, physically located at the site. This router will be connected to the service provider's premises via some form of Customer Access Network (CAN). The CE router will typically be a low-cost device. The CAN will often have one physical bearer, typically DSL, E1/T1, ISDN or SONET. If all traffic at the site is not part of the same VPN, or if the AQoS requirements are expressed at a finer grain than the site, then the CAN bearer will comprise a number of multiplex channels, termed Privacy Channels. The privacy channels will be multiplexed using some protocol, preferably one which can support non-trivial QoS requirements. Examples of preferable privacy channel protocols are ATM and E1/T1 channelization, and less preferably frame relay or multiprotocol label switched (MPLS). Typically there will be one privacy channel as follows:
• Each unique combination of VPN membership that exists at a site has one or more privacy channels. For example, if at a site LAN Port A was part of VPN X, and both LAN Ports B and C were part of VPN X and Y, then there would be two privacy channels, one for VPN X, and one for VPN X and Y combined.
• Within each VPN combination, there is most simply one privacy channel per non-null AQDM entry relating to that site. Most preferably, there will be one privacy channel for each aggregation of terminations (see next paragraph, below).
• Within each site, if there is VPN traffic that is not subject to an AQoS specification, there will be a privacy channel to transport that class of traffic.
• There may be a privacy channel to transport management information from the CE router to the service provider's network management system (NMS).
An aggregation of terminations (AT) is the set of terminations that obey all the following criteria:
• All are members of the same VPNs.
• If the AQoS is bandwidth or delay based, then the CE router is capable of policing each termination's originating AQoS requirements. For example, if the AQoS for LAN1 to X is 1 Mb/s and for LAN2 to X is 2 Mb/s, then LAN1 and LAN2 may be grouped into an AT at 3 Mb/s, provided the CE router can prevent either LAN generating enough traffic to compromise the other LAN's QoS.
• If the traffic from the terminations is sent over the same privacy channel, then either:
■ all data sent from the site is subject to the same treatment by the service provider's equipment. For example if the AQoS for LAN1 to X is 1 Mb/s and for LAN2 to X is 2 Mb/s, then LAN1 and LAN2 may be grouped into an AT at 3 Mb/s, and the service provider's equipment need not distinguish the two traffic flows for delivery to X; or
■ the service provider's equipment is capable of routing the data from the individual terminations based on the content of the IP packet. For example if the AQoS for LAN1 to X is 1 Mb/s and for LAN2 to Y is 2 Mb/s, then LAN1 and LAN2 may be grouped into an AT at 3 Mb/s, and the service provider's equipment routes to X using the source address range intrinsic to LAN1, and to Y using the source IP address range intrinsic to LAN2.
The CE router is configured to route data between the privacy channels and the LAN ports, and to route local data between LAN ports. If there is one privacy channel, then the CE router will be configured according to classic IP routing. That is, routes that specify the packet's Layer 2 destination based on the destination IP address alone. If there is more than one privacy channel, then the CE configuration may use classic routing for one privacy channel, but must also use some augmented routing method, preferably "Origin Routing", for the other channels. Origin routing specifies the packet's Layer 2 destination based on the destination IP address in addition to the originating Layer 2 port. For QoS that is specified to a finer granularity than LAN port, it will be necessary to include further discriminators in the origin routes, such as originating IP address, the packet Type of Service (TOS), or the upper layer protocol (e.g. HTTP, SMTP etc).
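An added example, not from the patent, of how a CE router's route lookup differs between classic routing and origin routing. Each route carries a destination prefix and optionally an originating Layer 2 port and a TOS value as further discriminators, so traffic from a LAN port with no AQoS entry never rides a guaranteed privacy channel. The table, port names, prefixes and channel names are constructed for the example, and the precedence rule (among equal prefix lengths, the route with more matching discriminators wins) is an assumption.

```python
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    dest: ipaddress.IPv4Network          # destination prefix
    next_hop: str                        # Layer 2 destination: LAN port or privacy channel
    origin_port: Optional[str] = None    # None = classic route, matches any ingress port
    tos: Optional[int] = None            # optional finer discriminator (packet TOS byte)


def lookup(table: List[Route], dst_ip: str, ingress_port: str, tos: int = 0) -> Optional[str]:
    """Longest-prefix match over the routes whose discriminators match the packet.
    Among routes with the same prefix length, the one with more matching
    discriminators wins, so an origin route beats a classic route (assumed rule)."""
    dst = ipaddress.ip_address(dst_ip)
    best_route, best_key = None, None
    for r in table:
        if dst not in r.dest:
            continue
        if r.origin_port is not None and r.origin_port != ingress_port:
            continue
        if r.tos is not None and r.tos != tos:
            continue
        key = (r.dest.prefixlen, r.origin_port is not None, r.tos is not None)
        if best_key is None or key > best_key:
            best_route, best_key = r, key
    return best_route.next_hop if best_route else None


def ce_table() -> List[Route]:
    """Constructed CE router table: LAN1 (10.1.1.0/24 on port lan1) and LAN2
    (10.1.2.0/24 on port lan2) each have their own privacy channel towards
    destination X (10.9.0.0/16); LAN1 voice (TOS 0xb8, the EF code point) has a
    third channel; everything else uses the best-effort channel."""
    net = ipaddress.ip_network
    return [
        Route(net("10.1.1.0/24"), "lan1"),                                  # local delivery
        Route(net("10.1.2.0/24"), "lan2"),
        Route(net("10.9.0.0/16"), "pvc-x-lan1", origin_port="lan1"),        # LAN1 -> X AQoS channel
        Route(net("10.9.0.0/16"), "pvc-x-lan2", origin_port="lan2"),        # LAN2 -> X AQoS channel
        Route(net("10.9.0.0/16"), "pvc-x-voice", origin_port="lan1", tos=0xb8),
        Route(net("0.0.0.0/0"), "pvc-best-effort"),                         # null AQDM entries
    ]


if __name__ == "__main__":
    table = ce_table()
    for dst, port, tos in [("10.9.3.4", "lan1", 0), ("10.9.3.4", "lan2", 0),
                           ("10.9.3.4", "lan1", 0xb8), ("10.9.3.4", "lan3", 0),
                           ("10.1.2.7", "lan1", 0), ("10.8.1.1", "lan2", 0)]:
        print(f"{dst:10s} from {port} tos={tos:#04x} -> {lookup(table, dst, port, tos)}")
```

The same destination reaches X over different channels depending on where the packet entered the router; a packet from an unlisted port falls through to the best-effort route rather than borrowing another LAN's guaranteed channel.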
In addition to routing, the CE router is configured for the QoS of its privacy channels, and the queuing discipline for packets entering those privacy channels. For the case where there is one termination per AQDM entry, the privacy QoS and discipline is directly inferred from the AQDM. If there are aggregated terminations, then the privacy QoS and queue discipline is derived by aggregating the respective AQDM entries. For example, if LAN 1 and LAN 2 both specify to destination X a bandwidth AQoS of 1 Mb/s sustained and 2 Mb/s peak at 10% burst size, then at 100% grade of service (GOS) the privacy channel requires a bandwidth QoS of 4 Mb/s. If a lower GOS is required, say 90%, then a smaller privacy channel bandwidth, say 3.5 Mb/s, will be required (as might be calculated using well-known stochastic aggregation mathematics). For aggregated terminations, the CE queue discipline, that is the shaping and policing policies for directing traffic to the privacy channel, is configured into the CE routers in such a way that the per-termination QoS is always met.
Extending the above example, the route for each LAN port may be set for the [1 Mb/s, 2Mb/s peak, 10%] profile. Alternatively, and in some commercial instances, preferably the LAN port queue discipline may be relaxed to utilize the unused privacy channel bandwidth. Further extending the above example, the queue discipline for each LAN port's traffic that exceeds the AQDM requirement, may be such as to overflow into any unoccupied bandwidth of the other privacy channel. Such an overflow pattern would allow LAN1 to sustainably send at 2Mb/s or even 3.5 Mb/s during periods when LAN2 was sending nothing.
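The aggregation in the example above, worked in added Python code that is not part of the patent. Each termination's [sustained, peak, burst] profile is modelled (an assumption) as sending at the peak rate for the burst fraction of the time and at the sustained rate otherwise; the aggregate distribution is the convolution of the members' distributions, and the privacy channel bandwidth at a given grade of service is the corresponding quantile of that aggregate. Under this model the two-LAN case needs 4 Mb/s at 100% GOS and 3 Mb/s at 90% (the text's 3.5 Mb/s is an illustrative figure, not a result of this model); a twenty-LAN case shows the requirement moving toward the sum of the means rather than the sum of the peaks.

```python
from collections import defaultdict
from typing import Dict, List

Dist = Dict[float, float]   # offered rate (Mb/s) -> probability


def onoff_profile(sustained: float, peak: float, burst_fraction: float) -> Dist:
    """Assumed model of a [sustained, peak, burst%] profile: the termination sends
    at its peak rate for burst_fraction of the time and at its sustained rate otherwise."""
    return {peak: burst_fraction, sustained: 1.0 - burst_fraction}


def convolve(a: Dist, b: Dist) -> Dist:
    """Distribution of the sum of two independent offered rates."""
    out: Dist = defaultdict(float)
    for rate_a, p_a in a.items():
        for rate_b, p_b in b.items():
            out[rate_a + rate_b] += p_a * p_b
    return dict(out)


def aggregate(profiles: List[Dist]) -> Dist:
    """Distribution of the total offered rate of all terminations in the aggregation."""
    total: Dist = {0.0: 1.0}
    for profile in profiles:
        total = convolve(total, profile)
    return total


def bandwidth_at_gos(dist: Dist, gos: float) -> float:
    """Smallest channel bandwidth b such that the aggregate offered rate is <= b
    for at least the requested grade of service (fraction of time)."""
    if gos >= 1.0:
        return max(dist)           # 100% GOS: the sum of the peaks
    cumulative = 0.0
    for rate in sorted(dist):
        cumulative += dist[rate]
        if cumulative >= gos - 1e-12:
            return rate
    return max(dist)


def privacy_channel_bandwidth(profiles: List[Dist], gos: float) -> float:
    return bandwidth_at_gos(aggregate(profiles), gos)


if __name__ == "__main__":
    lan = onoff_profile(1.0, 2.0, 0.10)   # the description's LAN1/LAN2 profile
    for gos in (1.0, 0.9):
        print(f"2 LANs, GOS {gos:.0%}: {privacy_channel_bandwidth([lan, lan], gos)} Mb/s")
    # With many terminations the requirement approaches the sum of the means (20 x 1.1 Mb/s),
    # not the sum of the peaks (40 Mb/s).
    print(f"20 LANs, GOS 99%: {privacy_channel_bandwidth([lan] * 20, 0.99)} Mb/s")
```

Real profiles are rarely two-state, but any per-termination rate distribution can be supplied in place of the on/off model, and the convolution and quantile step stay the same.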
Though it is preferable for each site to have a router, it is feasible, especially in the case where the customer presents one LAN at a site, to have network terminating equipment that adapts the LAN protocol onto a suitable line protocol for transmission to the service provider's premises.
The network equipment - service provider's site
The previous discussion of the customer site equipment and the CAN discloses methods by which the service provider may extend the function of their routing equipment to the customer's premises, while respecting the high cost-to-bandwidth ratio of the CAN. The remainder of this disclosure describes how to provide a VPN, given that the data is available to the provider's equipment. This includes the case where there is no CAN, or a trivial CAN, such as data generated physically close to the provider's equipment as occurs with some form of application server, or when the provider network extends to the customer's premises as is common for large businesses, or when the CAN's cost-to-bandwidth ratio is low as is true for CBD optical fiber.
The service provider's network has a number of provider terminations at which the VPN is manifest. These may be physical ports or multiplex channels within a physical port. Each provider termination is supported by a provider edge routing element (RE). Most preferably this will be a "virtual router", that is a partition of a physical provider edge (PE) router. Virtual routing capability may be explicitly supported by the PE router, or may be implicitly supported using Origin Routing. Less preferably the RE will be the physical PE router.
The REs will be connected to a connection-oriented inter-router network. The inter-router network is capable of creating paths that link REs. The VPN is built by selecting an appropriate set of paths, and then configuring the routers to use those paths. Each inter-router path is capable of supporting an absolute QoS guarantee, either as a stringent guarantee such as a constant bit-rate ATM, SONET or SDH path, or as a weaker guarantee, such as a VBR ATM or Frame Relay path. Usefully the inter-router network may itself be an IP network, where the paths are implemented as IP transfers over that IP network. Most usefully, the IP transfer will be in the form of IP tunnelling, as this maintains the separation between the VPN's IP address space and that of the inter-router network. Most usefully, the IP network will either have effectively unconstrained bandwidth, or will offer an absolute QoS guarantee, such as supported by resource reservation protocol (RSVP).
Typically, the RE will perform any adaptation required from IP to the path protocol. For example, if the path protocol is ATM, then the router will perform the AAL5 adaptation. The hardware configuration where the PE router and the edge inter-router switches are combined in one physical network element is most desirable. Most simply, a path in the inter-router network is point-to-point, that is it connects exactly two REs. Usefully, a path may be multipoint-to-point, that is it merges data from several sources onto one path, as supported by ATM or MPLS. There is limited application of point-to-multipoint, multipoint-to-multipoint or broadcast paths, firstly because the vast bulk of IP packets are directed to a particular IP address destination, secondly because there are few technologies capable of supporting these exotic modes with QoS.
Configuring the routing entities and the inter-router paths
The activity of designing a particular user's VPN is suitably to:
• select a set of inter-router paths;
• select the QoS for each inter-router path; and
• select the routes in each RE to direct the correct traffic onto the correct inter-router path.
The absolute requirements of the design are that VPN privacy is maintained and that the AQDM is fulfilled. The secondary requirement is that there is no alternate design that consumes less of the service provider's network resource.
The first requirement, that of VPN privacy, is most simply ensured by dedicating each inter-router path to the traffic destined for exactly one VPN. In the common case, each termination is a member of exactly one VPN, and therefore each RE is dedicated to that one VPN. In this case, the design rule is that inter-router paths connect REs of the same VPN only. In the more complex cases, both the inter-router network and the route tables within the REs are jointly designed to send data to appropriate REs only.
The second requirement constitutes the remainder of this disclosure. The starting point of design is an AQDM expressed at the RE terminations. In the case where there is a trivial CAN, the AQDM expressed by the user is, in effect, the AQDM at the RE terminations. If there is a non-trivial CAN, as discussed in the previous section, then the AQDM as expressed by the user must be mapped to an AQDM that references the RE terminations. As each privacy channel is an RE termination, the mapping of the AQDM follows the same principle as discussed previously for determining privacy channel QoS.
The common principle behind all embodiments of this invention is that traffic can flow from one RE to another RE either directly via a path, or indirectly via a set of paths and other REs. Producing a design with a greater number of paths tends to have some or all of the following effects:
• the bandwidth requirement of individual paths is reduced, but as the cost-to-bandwidth ratio of most technologies drops with increasing bandwidth, the overall cost of transmission may rise;
• each path aggregates fewer AQDM entries; for non-constant bandwidth profiles, this means that the bandwidth requirement of each path moves closer to the sum of the peak bandwidths of the members, rather than the sum of the mean bandwidths as would occur if there were very many members;
• the amount of transit traffic through each RE, that is traffic that enters the router from the inter-router network but is destined for a different RE, increases, thereby incurring a greater cost in routing hardware;
• AQDM members that specify delay or delay variation become easier to achieve.
As the design is heavily influenced by the cost of the inter-router paths, and the cost of transiting the REs, it is highly desirable that these costs be predictable when designing the VPN. One traditional approach to this type of problem is to have the cost information preset into the design method. Preferably, the design process will obtain in close-to-real-time from the routers and inter-router network, a model for predicting the costs that will be incurred. Usefully an element management system (EMS) or a network management system (NMS) may intervene in obtaining such a cost predicting model.
Inter-router networks having Point-to-Point connections and bandwidth based AQoS
In another embodiment of the invention, each non-null member of the AQDM specifies a bandwidth profile, and the inter-router network supports point-to-point paths. Instances of this embodiment are termed bandwidth-based, point-to-point configurations. The point-to-point trail selector (PTP-TS) of the embodiment performs the following functions:
• design the point-to-point connections that implement the inter-router paths;
• design the routing pattern;
• design the traffic flow control (policing and shaping); and
• design the protocol adaptation (for example, AAL5 for IP-over-ATM).
The PTP-TS designs the implementation of the VPN by selecting the set of connections that just meet the QoS specification, while minimizing the cost of the connections plus the cost of transit routing.
For N terminations, the PTP-TS generally selects a set of connections that lie somewhere between a minimal set of (N-1) connections and a full mesh of about N² connections (this is in contrast to Classical IP over ATM). Typically, where connections are cheap, such as between intra-city central offices, the router interconnection may be more like a mesh. Where connections are expensive, such as over national and international distances, the inter-router connections would be sparser, with each connection carrying more highly aggregated traffic.
The PTP-TS is responsible for selecting the least-cost implementation of the VPN. This choice is qualified by the end result having to meet the customer-supplied QoS specification. However, there are many ways of selecting a set of connections that will work. Some examples of connecting N routers are:
• mesh: this minimizes routing cost and end-to-end delay; however, the cost of the approximately N² connections and the size of the route tables may make this a poor choice;
• linear: this minimizes connection cost and minimizes route table entries, at the expense of longer delays and higher router processing costs; and
• spanning tree: this strikes a balance between the options above.
The approach taken by the PTP-TS is to select the set of connections such that the total cost to provide the VPN is minimized. The total cost consists of the cost of connections in the point-to-point network plus the cost of routing. Therefore the PTP-TS selects a set of connections that is optimum for that VPN, considering the capabilities of the point-to-point network and the IP routers, with the terminations in the desired locations. For example, the end result may be something like a mesh within a city, a tree between cities and a linear arrangement for expensive international traffic.
The PTP-TS predicts its connection costs from a cost model for the point-to- point network. This cost model exposes the costs of using the available resources of the underlying point-to-point network, and is typically exposed by the network management system (NMS) responsible for provisioning connections in the point-to-point network. This cost model includes concepts such as distance-dependent transmission cost, fixed termination cost and switching cost. The network resources available for implementing the VPN may also be available from a connection model included in the NMS. A discussion of one arrangement of connection and cost models, which may be used in conjunction with the present invention, is contained in PCT International Patent Publication No. WO 00/22788 in the name of the present applicant.
The PTP-TS predicts the routing cost from the router element cost models. Router cost models typically state a fixed cost for transiting traffic, plus a capacity dependent cost to account for router processing. The PTP-TS combines this information to deduce the cost of the various candidate implementations and then selects an optimal cost result that satisfies the VPN AQoS specification.
Example
One way of implementing the PTP-TS is as a component of a network management system that is responsible for the provisioning of VPNs. This implementation will be discussed in relation to an example VPN that is illustrated in FIG. 1. The example network 100 shown in FIG. 1 is composed of a number of campus-level LAN segments, S1 to S6, linked by a transport layer. The boundary of the service provider's responsibility may be the LAN side of a router, or may include the LAN itself. In this example, provider edge (PE) IP routers R1 to R6 are located on the customer's premises at the customer's sites A to D. The inter-router network associated with the transport layer extends to the customer's premises. The inter-router network protocols are a mixture of ATM, SONET and IP (via the public Internet), as described in more detail below.
The service provider links five LAN segments (S#) at three sites or locations in two cities, 100 km apart. Site A is the head office in a first city, with corporate facilities on network segment S2, and Site B is the manufacturing complex in a second city, with manufacturing and stock control systems on network segment S4. A telecommunications company has a central office Y in the first city and a central office X in the second city, which central offices provide switching infrastructure. Site C is a remote regional sales center with network segment S5. Site D is a new one-person serviced office with network segment S6. Network segments S1, S3, and S5 support desktop computer systems.
The customer's service level agreement (SLA) in the example, which is simplified for the purposes of this discussion by ignoring probabilistic QoS, is specified as follows:
• The LAN segment port aggregate AQoS is as follows:
 - S1 and S3 require 10 Mb/s ingress and egress.
 - S2 and S4 require 100 Mb/s ingress and egress.
 - S5 requires 1 Mb/s total.
 - S6 requires 1 Mb/s peak, with 30 minutes per day total usage.
• The inter-termination AQoS for the segments is as follows:
 - S2 to S4 require 50 Mb/s each way.
 - S2 to S3 require 5 Mb/s each way.
 - S1 to S2 requires 10 Mb/s.
 - S3 to S4 requires 10 Mb/s.
The AQDM for the inter-termination AQoS might be conveniently represented as shown in Table 1 below. The AQDM was deduced as follows:
• the above inter-termination AQoS map directly to AQDM entries, marked with an asterisk (*) in Table 1;
• the port aggregate bandwidth requirement for S2 and S4 is mitigated, to reflect that there is insufficient port bandwidth requirement on other VPN terminations to justify these flows; and
• the other AQDM entries are deduced from the port aggregate AQoS using a bandwidth-proportioning technique as described above on page 7, but ignoring commercially insignificant data flows, and rounding.
Table 1 - Absolute Quality Dispersion Matrix
Traffic between the routers is transported using a mixture of physical bearers 102 (R1-R2), 103 (R3-R4), SONET switches (T1 & T2) and fibre links 104 (R2-R4), ATM switches (A1 & A2) and links 105, and Internet links 106.
The VPN IP packets are transported over bearer circuits, that is, multiplex circuits over the above-described physical bearers, as shown in FIG. 2. An Internet circuit 201 transports IP packets to segment S6 via router R1 from all other LAN segments. Two building cable circuits are provided at site A between segments S1 and S2. The first circuit 202 carries packets between S2 and each of S5 and S6, whilst the second circuit 203 carries packets between segments S1 and S2 only. An ATM permanent virtual circuit (PVC) 204 is provided between segments S1 and S4, for carrying packets S5-S1, S5-S2, S5-S6, S4-S1 and S4-S6. An ATM PVC 205 is provided between S1 and S3, for carrying packets S3-S1 and S3-S6. An ATM PVC 206 is provided between segments S2 and S3, for transporting packets between those segments only.
A SONET STS-3 circuit 207 is similarly dedicated to IP packets between segments S2 and S4. A further two building cable circuits are provided at site B between segments S3 and S4. One cable circuit 208 carries packets S5-S3, whilst the other circuit 209 carries packets S4-S3. Finally, there is an ATM PVC 210 which carries IP packets to and from segment S5.
A summary of the traffic flow and QoS guarantee in the VPN 100 is:
• The large data flow from S2 to S4 takes most of the SONET STS-3 capacity. As that flow is relatively static, large, and important, it is transported over a direct SONET STS-3 connection 207 between R2 and R4.
• The small and volatile data flow into the new sales center at Site D is transported over the public Internet 101 using a local ISP (not shown). Privacy is obtained by encryption at both R6 and R1. The Internet was chosen as the bearer because of the fast establishment time (days) and the remote regional location. This has very low establishment costs, but relatively high equipment costs.
• The data flows within the buildings at sites A and B are carried by 100BaseT standard building cables 202/203 and 208/209, easily meeting the QoS.
• ATM circuit 204 is dimensioned to 5.5 Mb/s in the S4 to S1 direction, and 1.5 Mb/s in the reverse direction, to accommodate the sum of the S4-S6, S4-S1, S5-S1 and S5-S2 AQDM entries.
• ATM circuit 205 is dimensioned to 0.5 Mb/s to accommodate the sum of the S3-S1 and S3-S6 AQDM entries.
• S2 to S3 AQoS is supported by an ATM constant bit rate PVC 206 between R1 and R3.
• Dedicated (low cost) building cabling supports the QoS requirements between the LAN segments in one building.
Routers are either dedicated to a customer, or are VPN aware. Route tables in R1 to R4 are designed to ensure that traffic flows as specified.
The design principles used by the PTP-TS of the embodiment include:
• Design a network implementation consisting of routes and/or permanent circuits.
• Use a permanent circuit between each pair of routers that needs a QoS guarantee. These form the QoS circuits, which in the example include circuits 203, 205 and 209.
• Select the most effective technology for implementing the QoS circuits, by trading off cost, reliability, and provisioning time.
• Introduce other permanent circuits to satisfy the port aggregate QoS guarantees. The principle here is that if more permanent circuits are introduced, then fewer router hops are required; this saves router costs, but increases the costs of circuits (such as ATM PVCs). The management of such a network involves making a trade-off between circuit costs and switching costs. Some factors influencing the circuit costs versus switching costs trade-off are:
 - If the VPN is small (say less than 10 sites), then a highly meshed, or fully meshed, option is possible.
 - If the VPN is geographically localized, then a centralized router (optimally located in a central office) can be used as the focus of a star network. If the network is more spread out, then there can be several star-points (like airline hubs).
 - If the router supports input throttling, then the aggregate traffic can share the QoS circuits.
• Provide sufficient circuits, or sufficiently reliable circuits, to support the SLA-specified reliability.
• Design the routing tables to utilize the circuits that have been selected.
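The selection the PTP-TS performs, as described above (least connection cost plus transit routing cost, subject to the AQDM being routable) and the per-direction circuit dimensioning used for circuit 204, as an added illustration that is not the patent's own code: it routes each directional AQDM entry over candidate topologies (mesh, linear, star, tree), dimensions every connection per direction, applies assumed path and router element cost models, and returns the cheapest feasible candidate. Router names, distances, AQDM rates and all cost coefficients are constructed for the example.

```python
"""Toy point-to-point trail selector (PTP-TS): cost out candidate inter-router
topologies against a bandwidth AQDM and pick the cheapest feasible one."""
from collections import deque
from itertools import combinations

# Constructed data (not the patent's): R1/R2 share one building, R3/R4 another,
# and the two buildings lie in cities 100 km apart. Distances in km.
ROUTERS = ["R1", "R2", "R3", "R4"]
DIST = {
    frozenset({"R1", "R2"}): 0.1, frozenset({"R3", "R4"}): 0.1,
    frozenset({"R1", "R3"}): 100.0, frozenset({"R1", "R4"}): 100.0,
    frozenset({"R2", "R3"}): 100.0, frozenset({"R2", "R4"}): 100.0,
}
# Constructed AQDM: directional bandwidth entries, (source, sink) -> Mb/s.
AQDM = {
    ("R2", "R4"): 50, ("R4", "R2"): 50, ("R2", "R3"): 5, ("R3", "R2"): 5,
    ("R1", "R2"): 10, ("R2", "R1"): 10, ("R3", "R4"): 10, ("R4", "R3"): 10,
    ("R4", "R1"): 5, ("R1", "R4"): 1,  # asymmetric pair, as for circuit 204
}
# Assumed path cost model: a fixed cost per termination plus a transmission
# cost proportional to distance and to the capacity dimensioned on the path.
TERMINATION_COST = 100.0
TRANSMISSION_PER_KM_MBPS = 0.5
# Assumed router element cost model: a fixed cost per transited flow plus a
# processing cost per Mb/s transited.
TRANSIT_FIXED = 50.0
TRANSIT_PER_MBPS = 2.0

def shortest_path(links, src, dst):
    """Fewest-hop route over undirected links (BFS); None if unreachable."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, []).append(b)
        adj.setdefault(b, []).append(a)
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in adj.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None

def evaluate(links, aqdm=AQDM):
    """Route every AQDM entry over the candidate topology and dimension each
    link per direction. Returns (total cost, directional loads), or None when
    some entry cannot be routed, i.e. the candidate cannot meet the AQoS."""
    load, transit_cost = {}, 0.0
    for (src, dst), rate in aqdm.items():
        path = shortest_path(links, src, dst)
        if path is None:
            return None
        for a, b in zip(path, path[1:]):
            load[(a, b)] = load.get((a, b), 0) + rate
        # Each intermediate router on the path transits this flow once.
        transit_cost += (len(path) - 2) * (TRANSIT_FIXED + TRANSIT_PER_MBPS * rate)
    connection_cost = 0.0
    for a, b in links:
        capacity = load.get((a, b), 0) + load.get((b, a), 0)  # both directions
        connection_cost += (2 * TERMINATION_COST
                            + TRANSMISSION_PER_KM_MBPS * DIST[frozenset({a, b})] * capacity)
    return connection_cost + transit_cost, load

def candidates():
    """Topology families named in the text, plus a tree that stays direct
    within each city and uses a single inter-city trunk."""
    return {
        "mesh": list(combinations(ROUTERS, 2)),
        "linear": list(zip(ROUTERS, ROUTERS[1:])),
        "star(R2)": [("R2", r) for r in ROUTERS if r != "R2"],
        "tree": [("R1", "R2"), ("R3", "R4"), ("R2", "R4")],
    }

def select(cands=None):
    """Return (cheapest feasible candidate, {candidate: rounded total cost})."""
    results = {n: evaluate(l) for n, l in (cands or candidates()).items()}
    feasible = {n: r[0] for n, r in results.items() if r is not None}
    return min(feasible, key=feasible.get), {n: round(c, 2) for n, c in feasible.items()}

if __name__ == "__main__":
    print(select())  # with these inputs the inter-city tree is selected
```

With these constructed inputs the star loses because intra-city R3-R4 traffic would transit the 100 km trunk twice, and the mesh loses because its idle R1-R3 connection still pays termination cost; the tree that meshes within each city and trunks between them wins, which is the shape the text describes.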
FIG. 3 is a diagram illustrating a network management system 300 which includes, as a component, a point-to-point trail selector (PTP-TS) 301 for implementing a virtual private network (VPN). The PTP-TS includes an input means in the form of a client interface 302 for receiving an absolute quality of service (AQoS) specification from a client 303 desiring VPN services. The PTP-TS also includes an identification module 304 for obtaining information about network resource available for implementing the VPN. The client interface 302 and the identification module 304 are each coupled to a processor 305. In the example, the identification means 304 communicates with subsidiary network management systems (NMS) relevant to terminations specified for the VPN, including a path NMS 310 and a router element NMS 320.
The path NMS 310 includes a processor 311 and a database 312 containing information about the different connection orientated network path resources administered by the path NMS. The resources administered by the path NMS include dedicated management systems for ATM 313, SONET 314 and IP Sec 315 resources that enable creation of paths between the specified terminations. Similarly, the router element (RE) NMS 320 includes a processor 321 and a database 322 containing information about router elements administered by the RE NMS. Network resources in the form of router elements may be administered indirectly by operational support systems for respective first 323, second 324 and third 325 termination group router elements (RE). The operational support systems enable configuration of the routers to direct traffic as required in relation to terminations of the VPN.
The VPN NMS processor 305 receives path cost offers 316 and router element cost offers 326 from the path NMS 310 and RE NMS 320, respectively. The cost offers include both capital cost and operating cost components for the network resource, and this aspect of path set configuration allows the minimisation of the cost of network resource for implementing the VPN. In use, the VPN NMS processor 305 creates, using the design principles set out above, a set of paths between some of the routers connected to terminations of the network. The paths are then configured such that they satisfy the client-supplied AQoS specification between the terminations of the VPN.
It will be appreciated that, in one form, the present invention is concerned with a method and means for efficiently implementing a VPN where some or all of the QoS specification is in terms of an AQoS, rather than with the concept of absolute quality of service (AQoS) per se, or the various ways of specifying an AQoS.
Throughout the specification the aim has been to describe the preferred embodiments of the invention without limiting the invention to any one embodiment or specific collection of features or sequence of steps. Alternative arrangements, falling within the spirit and scope of the following claims which define the invention, will occur to persons of appropriate skill in the art.

Claims

1. A method of implementing a virtual private network (VPN) between a plurality of sites with terminations connected to routers in the network, said method including the steps of:
(a) specifying an absolute quality of service (AQoS) between respective terminations of the VPN;
(b) creating a set of paths between at least some of the routers, wherein each path supports connection orientated data transfer with a quality of service specification; and
(c) configuring the set of paths, such that:
(i) said set of paths satisfies the AQoS specification between the terminations of the VPN; and
(ii) the cost of network resource for implementing the VPN, including said paths and routers, is minimised.
2. The method as claimed in claim 1 wherein the terminations are connected to the routers, either at the site of the termination or at a remote site.
3. The method as claimed in claim 1 wherein the cost of network resource is calculated from a weighted sum of:
(A) the capital cost of the set of paths;
(B) the capital cost of transferring data from one router to another router via an intermediate router;
(C) the operating cost of the set of paths; and
(D) the operating cost of transferring data from one router to another router via an intermediate router.
4. The method as claimed in claim 1 wherein the routers are either physical routers or virtual routers constructed by partitioning the resources of a physical router, or a partitioning of the route table in a physical router based on originating port.
5. The method as claimed in claim 1, wherein each path is a point-to-point connection, a point-to-multipoint connection, a multipoint-to-point connection or a multipoint-to-multipoint connection.
6. The method as claimed in claim 5, where a connection uses a Layer 1 protocol or a Layer 2 protocol.
7. The method as claimed in claim 5, wherein a connection uses an IP protocol.
8. The method as claimed in claim 5, wherein a connection uses multiprotocol label switching.
9. The method as claimed in claim 1, wherein the connection oriented network supports QoS requirements relating to one or more of bandwidth, delay, delay variation, security, or reliability.
10. The method as claimed in claim 1, wherein the AQoS is specified as a requirement on one or more of bandwidth, delay, delay variation, security or reliability.
11. The method as claimed in claim 10, where the AQoS requirement is specified as either a specific value, or as a stochastic profile.
12. The method as claimed in claim 10, where the AQoS requirement is specified explicitly, or is inferred from a group specification.
13. The method as claimed in claim 10, where the AQoS requirement is inferred from one or more QoS specifications, wherein each specification relates to a single termination.
14. The method as claimed in claim 1, wherein a termination may be a member of more than one service.
15. The method as claimed in claim 1, wherein a termination is one of the following: a local area network (LAN) port, an IP address, a set of contiguous or discontiguous IP addresses, or the aggregated traffic from all LANs at a site.
16. The method as claimed in claim 1, wherein only some pairs of terminations of the VPN have an AQoS.
17. A method as claimed in claim 1, wherein the cost of network resource is determined by delegating to a network management system or to an operational support system associated with the terminations of the VPN.
18. A method of implementing a virtual private network (VPN) for a plurality of geographically dispersed sites, each site including one or more terminations connected to Internet protocol (IP) routers, said method including the steps of:
(a) specifying a global quality of service (QoS) for service components of the VPN; and
(b) interconnecting the IP routers at the sites with a point-to-point network that satisfies the global QoS specification.
19. The method of claim 18 wherein the interconnecting step includes the steps of creating and configuring paths between at least some of the IP routers.
20. The method of claim 19 wherein each path is characterised by an absolute quality of service specification (AQoS) that satisfies the global QoS specification.
21. The method of any one of claims 18 to 20 wherein the global QoS is a set of AQoS specifications that characterise the quality of service for the VPN.
22. A point-to-point trail selector (PTP-TS) for implementing a virtual private network (VPN) between a plurality of sites with terminations connected to routers in the network, said PTP-TS including:
(a) input means for receiving an absolute quality of service (AQoS) specification that specifies service required between respective terminations of the VPN;
(b) processor means coupled to the input means and operative to create a set of paths between at least some of the routers, wherein each path supports connection orientated data transfer with a quality of service specification, and to configure the set of paths such that:
(i) said set of paths satisfies the AQoS specification between said terminations of the VPN; and
(ii) the cost of network resource for implementing the VPN, including said paths and routers, is minimised.
23. The point-to-point trail selector as claimed in claim 22 further including:
(c) an identification means for obtaining information about network resource available for implementing the VPN, wherein the identification means is coupled to the processor means; and the processor means creates and configures the set of paths using the network resource information.
24. The point-to-point trail selector as claimed in either claim 22 or claim 23 wherein the trail selector is a component of a network management system and the cost of network resource is provided by a cost model associated with the network management system.
PCT/AU2000/001311 1999-10-26 2000-10-26 Method of implementing ip virtual private networks to ensure quality of service WO2001031857A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU11165/01A AU1116501A (en) 1999-10-26 2000-10-26 Method of implementing ip virtual private networks to ensure quality of service

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US16149299P 1999-10-26 1999-10-26
US60/161,492 1999-10-26

Publications (1)

Publication Number Publication Date
WO2001031857A1 true WO2001031857A1 (en) 2001-05-03

Family

ID=22581398

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/AU2000/001311 WO2001031857A1 (en) 1999-10-26 2000-10-26 Method of implementing ip virtual private networks to ensure quality of service

Country Status (2)

Country Link
AU (1) AU1116501A (en)
WO (1) WO2001031857A1 (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0790751A2 (en) * 1996-02-16 1997-08-20 Lucent Technologies Inc. Management of ATM virtual circuits with resource reservation protocol
GB2317308A (en) * 1996-08-29 1998-03-18 Kokusai Denshin Denwa Co Ltd Method for constructing a VPN having an assured bandwidth
US5790546A (en) * 1994-01-28 1998-08-04 Cabletron Systems, Inc. Method of transmitting data packets in a packet switched communications network
US5854899A (en) * 1996-05-09 1998-12-29 Bay Networks, Inc. Method and apparatus for managing virtual circuits and routing packets in a network/subnetwork environment
EP0941010A2 (en) * 1998-03-04 1999-09-08 AT&T Corp. Method and apparatus for provisioned and dynamic quality of service in a communications network
EP0944209A2 (en) * 1998-03-20 1999-09-22 Sun Microsystems, Inc. Quality of service allocation on a network

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
BRAGG: "Quality of Service: Old Idea, New options", September 1999 (1999-09-01) - October 1999 (1999-10-01) *
GUNTER ET AL.: "An Architecture for Managing QoS-enabled VPNs over the Internet", 24TH CONFERENCE ON LOCAL COMPUTER NETWORKS, 17 October 1999 (1999-10-17) - 20 October 1999 (1999-10-20) *
METZ: "IP over 2000: Where Have We Been and Where are We Going?", IEEE INTERNET COMPUTING, January 2000 (2000-01-01) - February 2000 (2000-02-01), pages 83 - 87 *
SRINIVASAN ET AL.: "Fast and Scalable Layer Four Switching", IEEE SIGCOMM '98, pages 2 - 11 *

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1278340A1 (en) * 2001-07-19 2003-01-22 Lucent Technologies Inc. Controlling levels of traffic in a telecommunications network, and a network node therefor
WO2003055153A2 (en) * 2001-12-21 2003-07-03 Muirhead Charles S System for supply chain management of virtual private network services
WO2003055153A3 (en) * 2001-12-21 2003-12-24 Charles S Muirhead System for supply chain management of virtual private network services
US7684321B2 (en) 2001-12-21 2010-03-23 Hewlett-Packard Development Company, L.P. System for supply chain management of virtual private network services
US7764700B2 (en) 2001-12-21 2010-07-27 Hewlett-Packard Development Company, L.P. System for supply chain management of virtual private network services
US7197038B1 (en) 2002-10-21 2007-03-27 Sprint Communications Company L.P. Internetwork quality of service provisioning with reciprocal compensation
US7715429B2 (en) 2004-12-06 2010-05-11 Hewlett-Packard Development Company, L.P. Interconnect system for supply chain management of virtual private network services

Also Published As

Publication number Publication date
AU1116501A (en) 2001-05-08

Similar Documents

Publication Publication Date Title
CA2352375C (en) Method and apparatus for providing guaranteed quality/class of service within and across networks using existing reservation protocols and frame formats
EP0801481B1 (en) Virtual private network
US8611363B2 (en) Logical port system and method
US6963575B1 (en) Enhanced data switching/routing for multi-regional IP over fiber network
US6385204B1 (en) Network architecture and call processing system
WO2001086892A1 (en) Method and system for transporting traffic in a packet-switched network
US20060039382A1 (en) Telecommunication network comprising an SDH/Sonet-subnet, where the GMPLS function is incorporated in a GMPLS software server
US20040174884A1 (en) Method for traffic engineering of connectionless virtual private network services
WO2002017580A1 (en) Dual switch architecture for mixed packet and circuit transports over sonet and sdh and dwdm
WO2001031857A1 (en) Method of implementing ip virtual private networks to ensure quality of service

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP