Possible areas of VPN use within the Janet community
Generally, VPN is only worth consideration when collaboration between sites or remote users and sites is long-term relative to the time needed to provision the service. If VPN use is short-term then the overheads associated with service provisioning may not be justified. For example, if the provisioning of a VPN service takes, say, two days, it is not worth using such a service for a 10-minute VoIP phone connection. However, it might be effective to connect several sites for a research trial lasting some six months. The emergence of dynamically provisioned VPN with a lead time measured in seconds, which is currently still at the research stage, may change this situation.
Something else to take into account when considering potential areas for VPN use is of course application requirements. There should be a need for some VPN functionality like strong data confidentiality, site protection from external deliberate or accidental harmful activity, or guaranteed bandwidth.
In the context of VPN, the term ‘site’ means a physically or logically separated part of a campus network. For example, it could be a subnet which has no physical connection to other organisation subnets and uses only the VPN tunnel for external communications (a remote user’s computer falls into this category). A more widespread example is a VLAN logically separated from other subnets and nodes by the respective configuration of LAN switches.
Within the education and research community we can suggest several areas of specific research and education activity where VPN services, possibly of different types, might be beneficial for users. Some such areas are given very high-level descriptions below. This is a very preliminary list of possible VPN use and further detailed discussions, investigations and (if necessary) trials are needed to finalise the set of areas and requirements for VPN services (if any) for each one.
- Traditional intra-organisation multi-site network-based applications like e-mailing, database access and web-surfing. Usually, such applications require improved security to protect an organisation’s networked resources from unauthorised access. At the same time, applications in this area do not have any special requirements for improved performance as they are not delay sensitive (also known as elastic applications). Respondents to the VPN survey indicated that these applications are the most popular among VPN users (79% of VPN users use e-mail, 74% use web services and 68% use database access).
- e-Learning applications were identified as the VPN applications in use by 35% of the VPN survey respondents, which shows their importance as a driving force of VPN deployment. The e-Learning area generally includes very diverse applications, from video clips and other materials which can be downloaded in advance to real-time teaching which might use high quality video formats like HDTV (which results in high bandwidth demands) and interactive communications. Hence, while some e-Learning applications can easily be served by standard IP services, others might benefit from the improved security and performance of VPN services.
As an example, one can imagine several e-Learning studios in different colleges which are used by course attendees twice a week over half a year. Each studio is equipped with video facilities which are used by a lecturer and students to communicate during course delivery. The known pattern of stable long-term connectivity between sites, the advanced security requirements (including protection from external attacks to provide reliable connectivity and protect learning content from unauthorised access) and the advanced requirements for guaranteed bandwidth and low loss/delays to provide high quality are all strong reasons for these studios to use VPN.
Of course, there are many details which should be taken into account, discussed and investigated before a decision can be made about using a VPN service with particular functionality for e-Learning applications.
- e-Science/Research collaboration. As with e-Learning, the e-Science area includes a wide spectrum of applications, some of which can benefit from VPN services. At one end of the spectrum are the most demanding networking applications in terms of performance and bandwidth parameters. Examples of such applications are astrophysics collaboration and high energy physics collaboration.
Such applications require real-time data processing and hence require a very low level of delays and jitter. Loss of synchronisation (even in the milliseconds range) between data source and data processing centres might devalue an entire experiment.
The bandwidth demands of such applications can also go beyond the capabilities of modern packet switched networks, or more precisely, beyond the limits within which this kind of network remains effective. When, for example, 1Gbit/s needs to be allocated to a few virtual connections between two VPN sites, a packet-switched network with 10Gbit/s core links will lose its advantages as a shared environment. This will happen because shared packet-switched networks were designed to work effectively when every user flow consumes only a small percentage of the link’s bandwidth. A user could try to consume as much as 10% of total core link bandwidth, which might monopolise a network and prevent other users from receiving a proper service.
Generally, such requirements are very difficult for standard IP networks to satisfy so such extreme projects tend to use private optical networks based on SDH, DWDM or even on dark fibre. In fact, several such applications already make use of the UKLight bandwidth channel network that is operated in parallel with the Janet IP network. As was mentioned before, such a service might be seen as a kind of VPN.
At the other end of the spectrum of e-Science applications are the applications that can easily be served by the standard best-effort IP service. The examples include medium size ftp downloads of non-real time data, wikis, and other means of online collaboration. Between the two extremes we can expect to find some e-Science applications which have medium demands in terms of performance and security. On the one hand, such demands might be too high to be satisfied by a standard IP best effort service; on the other they may not be too high to be satisfied by some kind of packet-switched VPN with a low level of delays/loss and strong protection of traffic. We can imagine several sites collaborating in a relatively long-term project which need to exchange data with delays less than 200 ms, guaranteed bandwidth up to 10Mbit/s and strong requirements for stable, non-interrupted communications during experiments. Of course, such an e-Science application would benefit if its sites were connected by SDH channels. However, it might well be that such requirements can be met by a packet-switched VPN service with improved performance and security functionality as well. As packet-switched networks are generally cheaper and better known for end users, it is worth investigating in more detail what e-Science applications can benefit from packet-switched VPNs and what their requirements are.
- Art collaboration (so called Cyber Arts or Humans Interacting with Virtual Realities) which needs real-time interactive data exchange. The use of HDTV and other high quality video standards makes such applications quite demanding in terms of bandwidth, whereas the real-time nature of collaboration requires improved performance in terms of delays and jitter. The security offered by VPN might be very useful to protect art studios from outside intervention (accidental or malicious) during an art performance.