"The virtual private network is evolving from a simple multiple site connectivity tool to enabling applications, collaborations, and connecting communities of individuals."

The virtual private network (VPN), a key component of an enterprise service offering, is evolving to shift the focus from "plain vanilla" multiple site connectivity to enabling applications and collaborations of individuals and communities of individuals. The range of applications is huge, from healthcare solutions that require a very high degree of robustness to networked industrial facilities and services such as online market exchanges that require very low latency.

Migration from First to Second VPN Generations

The first generation of VPN services was based on TDM/PDH connections typically provided over SDH/SONET network infrastructure. The lack of flexibility, coarse granularity, lack of efficient bandwidth utilization, and the relative high cost, together with the introduction of new technologies, triggered a migration towards a second generation, in which TDM was replaced by Frame Relay and ATM. Bandwidth flexibility and Class of Service (CoS) were introduced. But the service provider's network only offered end-to-end connectivity between sites. All the VPN intelligence was located at the customer premises.

Today's Third Generation: Flexibility to Deploy VPNs of Any Topology

Today, the market is focused on the third generation, based on widely available IP/MPLS infrastructure. The service provider manages VPN intelligence using network-located devices. To put it simply, each VPN site sends all the traffic to a device (Provider Edge Equipment) controlled by the service provider, which is responsible for forwarding traffic to the right destination with the expected quality of service (QoS).

Tomorrow's Fourth Generation: Quality of Experience

Tomorrow's fourth generation will be driven by the customer's desire to completely outsource VPNs to service providers. CIOs prefer to focus on their business processes, applications, and the QoE expected by end-users rather than occupy themselves with the nitty-gritty of network functionality.

In the fourth generation, therefore, customers will define their own VPN Service Level Agreements (SLAs) in a non-technical language that they understand, the sites they have, the applications they run, and the QoE (rather than technical QoS) they anticipate. The service provider will decide whether it is preferable to deploy a layer 2 or layer 3 networking solution for each VPN. Such a solution can also combine layer 2 ethernet and layer 3 IP connectivity for different VPN segments and even sites.

The key concept behind the coming fourth generation is that the service provider should be able to identify the application that has generated a flow (a voice call, a file download, citrix activity, etc.) and uses this information to handle the flow's entire sequence of packets end-to-end according to the type of application and its level of criticality as defined in the SLA. In addition to controlled application-aware connectivity, some added-value functionality will also be provided, such as visibility (end-to-end quality monitoring, resource usage monitoring), online configuration, security, expense control (alerts when new resources are required), security, and applications acceleration.