Summary
The first conclusion that comes to mind after this look at different VPN technologies is that there is no one-size-fits-all solution. GRE, IPSec, and L2TP each have their uses. GRE and IPSec are good solutions for CPE-based VPN services. L2TP is a network-based VPN ideally suited for providing open access.
Can any one protocol replace the others in their own solution space? In theory, it is possible, but because of both implementation and protocol limitations, L2TP is an awkward fit for a CPE-based solution: why impose the complexity of the PPP and L2TP state machines if there is another way? Similarly, IPSec and GRE introduce encapsulation overhead and lack many of the PPP and AAA controls that together make L2TP such a good fit for wholesale.
Open access is an area with the most unaddressed weaknesses, as follows:
- L2TP is the only solution that works. Neither GRE nor IPSec implementations support open access because IP addresses cannot overlap in the same device. (Actually, there is a way to do this, by leveraging the private VRF forwarding tables originally defined for MPLS-VPN, which will be introduced in the next chapter.)
- The L2TP architecture also requires a PPP client, which is not always possible.
- Load balancing and redundancy must be manually provisioned in L2TP. There is no way to dynamically signal a new peer.
- An L2TP carrier cannot introduce new services, such as selling to the ISP community with web hosting, video distribution, or selling content to the end users. Transport is the only service possible.
- L2TP may not require state on core routers, but it, or more exactly PPP, does create state on the LAC and LNS. You generally need a more powerful router to terminate 8000 sessions than you do to route traffic from 8000 PCs. This creates additional cost for the ISP.
- The realities of limited sessions per device and limited sessions per tunnel lead to considerable tunnel engineering, examples of which include load-balancing sessions across tunnels, load-balancing tunnels across LNS, switching sessions from one tunnel to another, and so on. The closer the network gets to these per-device limits, the more complex it is to manage.
- MPLS is already the convergence technology of choice, either because of an ATM-to-IP migration or because of IP-based services. For this highly pragmatic reason, it quite simply may make more sense to use MPLS VPN for the broadband network if it has been deployed everywhere else already.
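The overlap problem in the first point above is worth seeing concretely. The following Python model is an added illustration, not code from the book or from any router vendor: it contrasts a single flat forwarding table, where a second customer advertising the same RFC 1918 range silently replaces the first customer's route and its traffic is misdelivered, with per-customer forwarding tables keyed by VRF, the model the next chapter introduces. All customer names, prefixes and next-hop labels are constructed sample values.

```python
"""Added example (not from the book): why overlapping customer address
space breaks one flat forwarding table, and how keying lookups by VRF
restores isolation. Customer names, prefixes and next hops are constructed."""
import ipaddress
from typing import Dict, Iterable, Optional, Tuple

Prefix = ipaddress.IPv4Network


def lpm(table: Iterable[Tuple[Prefix, str]], dst: ipaddress.IPv4Address) -> Optional[str]:
    """Longest-prefix match over (prefix, next_hop) pairs; None if no route."""
    best: Optional[Tuple[Prefix, str]] = None
    for prefix, next_hop in table:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    return best[1] if best else None


class FlatFib:
    """One global routing table, as on a plain GRE or IPSec CPE router.
    A prefix can exist only once, so installing it again for another
    customer overwrites the earlier entry without any error."""

    def __init__(self) -> None:
        self.routes: Dict[Prefix, str] = {}

    def install(self, prefix: str, next_hop: str) -> None:
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def lookup(self, dst: str) -> Optional[str]:
        return lpm(self.routes.items(), ipaddress.ip_address(dst))


class VrfFib:
    """Per-customer forwarding tables (the MPLS-VPN VRF model).
    Lookups are keyed by (vrf, prefix), so identical prefixes held
    by different customers never collide."""

    def __init__(self) -> None:
        self.routes: Dict[str, Dict[Prefix, str]] = {}

    def install(self, vrf: str, prefix: str, next_hop: str) -> None:
        self.routes.setdefault(vrf, {})[ipaddress.ip_network(prefix)] = next_hop

    def lookup(self, vrf: str, dst: str) -> Optional[str]:
        return lpm(self.routes.get(vrf, {}).items(), ipaddress.ip_address(dst))


def demo_flat() -> Optional[str]:
    """Two ISPs both use 10.0.0.0/8 (constructed). The second install
    clobbers the first, so every 10/8 packet now goes to ISP B."""
    fib = FlatFib()
    fib.install("10.0.0.0/8", "tunnel-to-ISP-A")
    fib.install("10.0.0.0/8", "tunnel-to-ISP-B")  # overwrites ISP A's route
    return fib.lookup("10.1.2.3")


def demo_vrf() -> Tuple[Optional[str], Optional[str]]:
    """Same overlapping prefixes, but each customer gets its own VRF,
    so the same destination resolves correctly in each context."""
    fib = VrfFib()
    fib.install("isp-a", "10.0.0.0/8", "tunnel-to-ISP-A")
    fib.install("isp-b", "10.0.0.0/8", "tunnel-to-ISP-B")
    return fib.lookup("isp-a", "10.1.2.3"), fib.lookup("isp-b", "10.1.2.3")


if __name__ == "__main__":
    print("flat table  :", demo_flat())
    print("VRF tables  :", demo_vrf())
```

Running the module shows the flat table returning ISP B's tunnel for a destination ISP A also owns, while the VRF tables return the right tunnel for each customer; this is the isolation property that lets a network-based VPN serve many customers with overlapping private addressing.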
MPLS-based VPNs are going to help solve a lot of these problems.