The MPLS WG Archive

Subject: VPN solution - White flag ?
On Thu, Oct 26, 2000 at 03:37:31PM -0700, Randy Bush wrote:
> > On a technical note (:-)) - I believe it is
> > possible to support a logarithmic growth in the
> > number of "boxes" relative to services. I suspect
> > this would make service providers happier than a
> > linear growth.
>
> but not as happy as zero growth, which solutions such as
> ipsec provide. remember, for a provider, management cost
> is a function of number of customers, which we want to
> increase, and routers, which we prefer not to increase.

Sure, but consider what you can sell. If the customer uses IPSec, then they have to manage the VPN themselves, as well as needing to approximate something close to N^2 connections. If the (I)SP sells VPN service, then the customer has offloaded the work onto the ISP.

There are a few ways you can give private-network solutions to an enterprise. The ones I can think of are:

1) dedicated line (ATM/FR/Leased Line)
2) IPSec sessions over Internet connectivity
3) MPLS VPN

With #1, the customer can't do full-mesh, because with a large enough number of sites, full-mesh is just too expensive and too much to manage. Plus Internet connectivity is not inherent in the mechanism you use to build your VPN, so it has to be managed on top of that.

With #2, the customer has to manage the IPSec sessions. Sure, you could manage the CPE, but then *you* have to manage the IPSec sessions. And full-mesh is still a problem with many (hundreds to thousands of) sites, so you have to have hub and spoke again. One place IPSec works real well, though, is for roaming access - plug in anywhere, and IPSec-tunnel back to your corporate access point. So I'm not saying IPSec is dismissable just yet.

With #3, the customer has nothing to manage. And the provider has to manage a technology whose main scalability concern is BGP. Sure, you can overload BGP on anybody's box if you add too many routes and/or neighbors. But it seems to me that there are design schemes to make it so that your PE does not have to do all the work. So yes, you have to do more work and buy more routers. And no, MPLS BGP VPNs are not the solution to every possible VPN or VPN-like scenario you could come up with. But the assumption here is that it is less expensive for the (I)SP to manage an MPLS VPN setup (connectivity information distributed by BGP) than to manage/administer a large number of IPSec sessions. My assumption may be wrong, but certainly there are enough people out there who are actively pursuing MPLS VPN as a connectivity service that I don't think the assumption is too far off-base.

So customers give you money to provide a VPN service. You give some of this money to your vendor of choice, give some to your infrastructure buildout, and keep the rest. :)

eric

>
> and, as it seems to be agreed that the 2547 cleverness is
> not really for isps, it's lucky we have a useful alternative.
>
> randy