Netwatcher

April 1999 Volume 17.4


Netwatcher (ISSN 0890-5800) is a monthly publication of CIMI Corporation. Subscription information is available here. Copyright © 1999, CIMI Corporation. All rights reserved. No publication or reproduction of this document is permitted without the express written consent of CIMI Corporation.


Management Briefing

There have been a couple of interesting new announcements in the LAN space, ones that may have missed many of our readers because they didn’t get the coverage they deserved in the general media. The announcements deal with a new way of looking at LANs, and this new look may ultimately impact the way we view enterprise networks in general.

The new look is the use of logical or virtual subsets to divide the LAN. We’re used to seeing these structures at Level 2, in the form of VLANs, but unlike VLANs, there may be no specific integration between these new user LAN groupings and any other group, or any other layer in the routing model.

Traditionally, LANs have been indiscriminate corporate communications resources. You put stuff on a LAN anywhere there was a connection to it, and it traveled to wherever you needed to take the data off. This is, in fact, the connectionless view of networking, where the network just somehow gets the stuff to where it’s needed. LAN interconnect broadened this kind of networking over WANs.

One consequence of this style of networking is that it’s difficult to establish priorities for competing traffic. Since network paths are discovered and since no control is exerted over the introduction of traffic, it’s possible that the network will be over-committed and that individual applications will suffer randomly because of congestion.

A second consequence is that the network is a promiscuous path to everyone’s door, and it’s up to the individual server or client to police what might be requested by other users to prevent delivery of material to unauthorized parties. The same kind of policing may be needed to protect local data from damage.

A number of vendors have introduced mechanisms for dealing with the problems of allocation of network resources and access control. Usually, the umbrella terms "policy management" or "directory-enabled networking" have been used. We’ve talked about these two approaches (and their relationship) in previous issues.

The common problem with these approaches is that they don’t alter the basic connectionless nature of the LAN. Because connectionless datagrams are "contextless" inside the network, and because there’s no clear indication of the purpose of any given datagram, any sort of useful management of LAN traffic has to look into the packet and attempt to decode what’s taking place there.

The examination of "embedded" information to make network decisions easier has been called "Level x" switching, where "x" is some number greater than three but less than eight (the top of the OSI model is Level 7). It’s not so much that the vendors really switch at these higher layers (because there isn’t necessarily any address data there to switch on), but that they use these layers to help make handling decisions beyond data steering.

Some vendors jumped purely into what could be called "Level 4" switching, but that strategy, as one of the early players (Neo Networks) pointed out, is pretty much useless. In order to perform any reasonable level of application classification, you have to look at packet contents to any level needed, which means all the way up the OSI stack and possibly into the payload as well.

Higher-level classification of packets would let users develop effective policy management because it would support reasonable traffic segregation. Unfortunately, the problem that has plagued policy management in general is not so much the lack of ability to decide what to enforce policy on as the ability to control the number of distinct policy statements required for the enforcement. Lots of statements mean lots of work.

Two recent strategies seem to be addressing that. One, promulgated by Top Layer, a start-up LAN vendor, provides a means for dividing the network up into "zones", which would be groups of users or servers who share common requirements. By letting policy be defined on a zone basis, the technique reduces the number of separate policies needed. This makes the policy definition burden manageable.

A zone is usually a combination of users and servers, but the definition of any zone is fully controlled by the user. The administrator sets policies for each zone, and also sets inter-zonal policies. All relationships in the zone are then controlled by the policy.

In the Top Layer approach, the nature of the LAN is unchanged. The switch lets you analyze traffic and set policies, but the routing of information is still done as before, and the traffic is still intermingled on the LAN. However, because admission control and zone-to-zone policy control can be exercised in detail, a Top Layer zone could look a lot like a virtual LAN within a LAN.

A second strategy, "Application Driven Networking", is sponsored by IBM. The IBM approach has both traditional and non-traditional elements in it. The non-traditional piece, which we’ll focus on here, is based on the concept that applications are really the core of policy control, and that it should therefore be possible to create "virtual application networks" using tunneling protocols. These networks would subdivide the connectionless, permissive, LAN and permit the user of the network to enforce both access control and resource control on a per-application basis.

IBM’s approach is different in that it allows users to employ tunneling to create what are essentially Level 3 VLANs within a LAN. These tunnels can be encrypted if the application requires security. If tunnels are limited to a subset of users and if encryption is employed, the tunneling creates secure virtual networks that can be extended across the WAN.

IBM’s policy management approach is also slightly different from most, and it works either for tunneled virtual LANs or for standard non-segmented LANs. IBM integrates the first-line policy server function that makes policy decisions with the technology that enforces those decisions. This flattens the policy management structure considerably. IBM also performs policy validation at the edge, and adds a handling vector to packets to communicate the policy decision along the line. This further reduces the overhead of the process.

IBM also allows the setting of application policies, which lets users create application-centric networking rules, the kind of rules most users seem to want to make. It should simplify the process of policy creation and maintenance.

Clearly the common element in these approaches is the use of "collections" of users/servers to simplify the policy process. Also clearly, the use of virtual LANs based on tunneling could be applied by both vendors. Is it a good idea?

It would seem that an application network created using tunneling would be a very useful artifact in those cases where an application had a relatively static user base, and where the application required special handling in the security and/or QoS sense. The use of tunneling would automatically reduce the risk of an intruder joining the application network, and the use of encryption could virtually eliminate it.

A VLAN is a Level 2 collection of users, usually presumed to be based on a subnetwork architecture. A Level 3 VPN built on a LAN may be the most legitimate use of the tunneling protocols yet defined. Policy management can control who’s allowed to enter into an L3VPN, and also decide what performance its members will enjoy. If the policy management system is sophisticated enough (and both IBM and Top Layer say theirs are, as do other players like Neo Networks and Cisco) it can manage L3VPN admission, performance, WAN connectivity, etc.

The potential downside of tunnel L3VPNs on LANs is the introduction of additional complexity. An L3VPN is essentially a routed subnetwork operating on its own rules within the LAN. This could create confusion in operation and support.

Suppose a user knew the IP address of a server as 10.1.2.3. If the server is on a tunnel L3VPN, that address may be reachable only on the VPN and not on the "real" LAN. Or, the server might have a different address on each.

Policy filtering and Lx switching would also have to accommodate tunnels. The header data would be in a different place depending on whether the packet was tunneled or not.
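As an added illustration of the zone-based policy idea and of the tunnel problem just described (this is not code from the article, Top Layer or IBM), the following Python sketch evaluates policy per zone pair rather than per host pair, and for a tunneled packet looks past the outer portal-to-portal header to the encapsulated one before classifying. The zone ranges, the policy table and the packet fields are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed zones (assumption): address ranges of users/servers sharing requirements.
ZONES = {
    "engineering": [ip_network("10.1.0.0/16")],
    "finance":     [ip_network("10.2.0.0/16")],
    "servers":     [ip_network("10.9.0.0/24")],
}

# Intra- and inter-zone policy keyed by (source zone, destination zone).
# A zone pair that was never given a policy falls through to DEFAULT (deny).
POLICY = {
    ("engineering", "engineering"): ("permit", "best-effort"),
    ("finance", "finance"):         ("permit", "best-effort"),
    ("engineering", "servers"):     ("permit", "best-effort"),
    ("finance", "servers"):         ("permit", "priority"),
}
DEFAULT = ("deny", None)

@dataclass
class Packet:
    """Minimal packet model. For a tunneled packet, src/dst are the tunnel
    portals and the encapsulated header is carried in inner_src/inner_dst."""
    src: str
    dst: str
    tunneled: bool = False
    inner_src: Optional[str] = None
    inner_dst: Optional[str] = None

def zone_of(addr: str) -> Optional[str]:
    """Map an address to its zone, or None if it belongs to no zone."""
    a = ip_address(addr)
    for name, nets in ZONES.items():
        if any(a in n for n in nets):
            return name
    return None

def effective_header(pkt: Packet) -> Tuple[str, str]:
    """Return the (src, dst) policy is evaluated on: the outer header of a
    tunneled packet only names the portals, so look one layer deeper."""
    if pkt.tunneled:
        if pkt.inner_src is None or pkt.inner_dst is None:
            raise ValueError("tunneled packet without an inner header")
        return pkt.inner_src, pkt.inner_dst
    return pkt.src, pkt.dst

def decide(pkt: Packet) -> Tuple[str, Optional[str]]:
    """Look up (action, qos_class) for a packet by its zone pair."""
    src, dst = effective_header(pkt)
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return DEFAULT  # unclassified hosts get the default, not a guess
    return POLICY.get((src_zone, dst_zone), DEFAULT)

def per_host_rule_count(n_hosts: int) -> int:
    """Statements needed if every ordered host pair had its own policy."""
    return n_hosts * (n_hosts - 1)

def per_zone_rule_count() -> int:
    """Statements actually needed when policy is stated per zone pair."""
    return len(POLICY)

if __name__ == "__main__":
    # Constructed sample traffic: the same finance-to-server flow sent directly
    # and carried inside a tunnel between two portals that sit in no zone.
    direct = Packet("10.2.0.7", "10.9.0.5")
    tunneled = Packet("10.200.0.1", "10.200.0.2", tunneled=True,
                      inner_src="10.2.0.7", inner_dst="10.9.0.5")
    print(decide(direct), decide(tunneled))
    print(per_host_rule_count(300), "per-host rules vs", per_zone_rule_count(), "per-zone")
```

Without the inner-header step, the tunneled packet would be classified on portal addresses that belong to no zone and would be denied (or, worse, matched against whatever policy the portals happened to fall under).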

On the other hand, it could breed a new kind of networking. Each application would have its own VPN, consisting of its servers and any clients who were more or less permanently linked to the application. Other clients would join the application through a gateway (tunnel portal) based on policy rules.

It’s too early to say whether the tunnel L3VPN approach will prove useful enough to sweep the market. Certainly it will prove useful enough to help users with applications that have truly special needs. We just need to see how far the concept of "truly special" will be extended by users eager to have a combination of application security and performance—at last.


In the Know

The last decade of networking has been both a study in progress and one in disappointment. We’ve come a long way in many areas, but the sad truth is that no major trend predicted by the press and pundits has really materialized.

The latest trend is the Internet, and this one is (like the others) being significantly over-hyped. Sadly, the truth about what’s happening in public IP services is more exciting than fiction, and we’re not facing it optimally because we can’t see it.

This month, we’re going to face the truth about the future of the Internet and public IP services—including why we differentiate between the two. Sorry, but this topic is for subscribers only.


Strategies

Business changes like the rash of mergers and acquisitions recently announced aren’t spawned just to generate PR (though it is certainly a collateral motive). There are serious things going on in the networking market, and serious business reactions can be expected. We’ve seen some in the recent past, and more are coming. To quote an old folk ballad from the 60s, "It’ll soon shake your windows and rattle your halls, for the times they are a changing!"

The question, of course, is what they’re changing to. Answering that will require a look at the things that have brought us to this particular network juncture, at this time.

In the Know, the previous article in this issue, talked about specialized service extranets and their role in the future of networking. Here, we’ll talk about the evolution of more conventional services. As we pointed out in that earlier piece, we’ll see the future of service extranets develop out of our evolving commitment to more traditional services. We now have to look at those services, and their evolution.

The Past

Data networking has been a professional’s game for nearly four decades now. Organizations built data networks from raw bandwidth and arcane equipment, relying on planning skills and careful analysis to craft the original structures, and analytical skills and hard work to maintain them.

LANs developed in much the same way as WANs did, but the cycle of "professionalism" was shorter. Why? Because we needed to have more users on LANs to make them effective in meeting their business goals. WANs link sites; LANs link desks. Something that we need for every desktop becomes harder to sustain faster than something that links every building.

It’s not that we didn’t try. Vendors introduced things like ATM, VLANs, and Level 3 switching, and all manner of other stuff that would empower a professional with the ability to create astonishingly flexible LANs. They developed router variations, new protocols for traffic management and network management. They did everything but clone themselves, and that was the one thing that the situation absolutely required.

If everybody had to be an automotive engineer to be allowed to drive, as we’ve previously noted, there’d be no traffic problems. Commodity businesses require commodities of consumers, and that pretty much forecloses any kind of educational or cultural elitism. We’ve wanted data networking to take its place at the heart of businesses, and to become as revenue-enriching to providers as voice. To get that wish, we have to dumb it down.

The need to broaden the base of data through reduction in the skills needed to deploy it has created dual drives in the market: cheap-and-dirty LAN products and network outsourcing in the WAN space. Both are essential consequences of the need to simplify. Making LAN switching a simple bits-for-bucks play, with the lowest bidder in the per-port cost game the winner, lets buyers equip their desktops with communications pipes that the unruly expansion in the number of data applications can’t congest. Making WANs a matter of negotiating a contract with a service level agreement instead of a black art of traffic engineering and protocol analysis lets us extend those fat LAN conduits into business-level networks.

The intended consequence of these shifts in buyer attitude is to equip every PC with an inexhaustible supply of bandwidth and every business site with a flexible set of data services available on a moment’s notice to solve a problem or address an opportunity. Good stuff, we’d all agree. The unintended consequences of these moves will reshape the industry—in fact, they are already doing just that.

It started simply enough, with a few vendors like Cabletron and 3Com seeming to come under profit pressure. Then Bay was bought by Nortel. Ascend by Lucent. Siemens bought a passel of startups to launch a new data business. Cisco bought an ACD vendor and an ATM edge player. Nortel bought an IP edge player.

The root of the situation is the shrinking margins in the LAN space and the growing potential in the service provider space. If users are going to suck bits out of cheap little Ethernet switches, the margins and profits of LAN vendors are certain to suffer. Big Cisco almost alone weathers the storm, because they can still field high-margin WAN products. But who will they sell them to? The service providers, unless the commoditization in the networking space miraculously reverses itself.

Service providers can’t build old-style networks and simply provide the users with the gear and circuits on an outsource basis. The cost of this kind of managed service is simply too high for most applications to bear. So…service providers field a new data architecture designed to support not only the existing applications but also a host of more tactical new applications that wouldn’t cost-justify under the current private networking rules.

The new networks will be based on technology that nobody has ever deployed on a large scale before—"provisionable IP". Service providers will proceed carefully in this new and unexplored wilderness of opportunity, and that opens a real window for the equipment vendor who can fulfill all the needs of those providers. The new competition arising out of telecom reform fans the flames, but we’d have industry tumult based on new data demand shifts alone.

The Present

Everyone in the networking space wants basically the same thing: to see data network services grow in revenue to parity (at least) with voice services. What we’re saying is that this goal can’t be realized unless we make data networking as easy to consume as voice.

IP is the way to make services populist, because IP is the language of applications. We know, then, that business and personal communications will gravitate to an IP-based architecture. Data service growth, then, is IP service growth.

Ah, and that’s the rub. Were data already at parity with voice in revenues, the IP infrastructure would be at least at parity with voice infrastructure. Similarly, were that revenue parity to be achieved soon, it would result in a massive IP build-out. On the other hand, we know that the Internet today is less than 1% of worldwide service provider revenues, and less than 5% of worldwide revenues can be directly attributed to any sort of IP traffic. If the current balance were maintained, then IP would never be much of a factor in networks, and likewise in equipment sales.

One might say that Cisco is betting on the "IP-wins-quick" theory. Chambers, in telling everyone to throw out PBXs, is spouting a line that is expected from a firm that doesn’t make PBXs, and that will win if traditional equipment and services are devalued. One might say that Lucent and Nortel, while providing a data strategy, are simply counterpunching with Cisco to keep the press happy while banking on the status quo being continued for considerable time into the future.

That’s why Siemens formed Unisphere, one reason Alcatel bought Xylan, why GEC bought Fore, and why Ericsson bought Torrent. Each of these players is a major voice in international network infrastructure, but not a major player in the US market segment. All of these guys think that Cisco and Lucent/Nortel have polarized like the Democrats and Republicans, leaving a big moderate hole in the middle. All hope that by filling that hole, they can capture a big piece of the new-generation network market here, and extend the win to the world market when the model for future networks, having validated itself here, fills the international space as well.

What are the principles of this moderate market play? Here are the key ones:

    1. IP will be the service foundation for future data growth, but IP services can be provided without commitment to an IP, connectionless, infrastructure. IP, in short, is a critical user-network interface (UNI), and that’s all.
    2. DWDM will be compelling as a networking technology at OC-48, and eventually become cost-effective at OC-12 and even OC-3. Optical networking plays that link wavelengths (lambdas) in various fibers into a kind of virtual path will displace electrical multiplexing and switching at these speeds.
    3. ATM will be required at the edge of the network, from the outside plant back to the optical edge, to provide effective traffic concentration, create QoS, and partition resources for security reasons. ATM also provides an easy emulation of the DWDM optical pipes, allowing service devices to be built with the assumption of a meshed set of paths through the core. These paths may start as ATM paths and move to DWDM over time.
    4. Service network functions in both the voice and data space will be provided somewhere inside the carrier cloud, no deeper than the optical edge. The exact placement of service intelligence will be dependent on the cost of equipment and the average per-customer revenue. Deeper placement lets service providers enjoy some customer economy of scale.
    5. New-generation technology will deploy first in green-field missions (new service geography, or new service type) associated with new revenue opportunities, rather than in cost reduction missions like "convergence".
    6. Facility-based carriers, having far more revenue and far more customer access, will dominate the data market and thus the spending.

In this view, playing to the ISPs is simply wasting time and effort because these guys won’t have the money to spend. Thus, the winning hand in the ISP space (which Cisco clearly holds) isn’t worth much of a pot in the market sense. Likewise, counterpunching with Cisco on specific IP features as Lucent and Nortel are inclined to do is only backing a bad play. Voice over IP, for example, may play with the press but wouldn’t play with the market because it’s a cost-reduction play, and isn’t one the facility-based carriers would particularly want to make.

In the play we’ve described here, the stakes are the large service provider equipment opportunity associated with the transition to public data networking. The LAN market, in this view, isn’t all that exciting and is in any event likely to polarize into a "storefront casual sales" opportunity and a "service provider channel" opportunity associated with the sales of the new data services. In either case, the profit margins won’t be high.

The Future

In the next two years, while IP data services will present a rosy and glamorous hope of future revenues, little tangible change in the pattern of service revenue generation will occur worldwide. The Internet will grow by a hundred percent, but that will still make it a small fraction of the network market. Sales of Internet-oriented infrastructure will grow over that time, perhaps even doubling, but the base from which growth occurs is less than $10 billion.

At the same time, service providers will be expanding their networks and modernizing their infrastructure. This will continue and expand the revenue stream associated with traditional networking equipment. We’ll sell more telephony equipment in the next two years than in the last two, and growth in a market that’s exceeding $100 billion US is a big-time opportunity.

Enterprise spending on WAN products will begin to slow, and by the end of the two-year period will be far less than torrid in growth terms. This source will no longer sustain margin/profit growth in the equipment space.

Lucent and Nortel, and second-tier infrastructure players like Tellabs and ADC, will see their profits and margins improve during this period. So will Cisco. The penetration of the new cadre of infrastructure competitors will be, in that interval, modest.

Beyond two years, things change. Private networking sales growth slows considerably under margin pressures during the next five years. Business data services, in the form of VPNs, grow considerably. The player who gets the new infrastructure associated with VPNs will have a total revenue stream measured in the tens of billions of dollars over that period.

Lucent and Nortel, in this period, are vulnerable to the incursion of new players through the VPN infrastructure. However, their core revenue stream from voice services and traditional networking elements will remain secure through the period.

This is the period in which the newly-arrived international players, with all their M&A, must make their move. If they can establish a US market niche during the period from 2001 through 2006, they can hope to gain additional revenues when the developments in the data space impact general infrastructure decisions. That is also the period during which Lucent and Nortel must stave them off.

What about Cisco? Their inevitable loss of growth stimulus from the enterprise networking market must be made up, in the near term, by increased success in the carrier VPN market space. That space is large enough to sustain Cisco’s ambitions, but they will have to get a very big piece of it, particularly in the RBOC segment. There, they collide with Lucent and Nortel, who can bundle VPN infrastructure with the big voice dollars.

Cisco can’t easily draw on those big voice dollars, because Cisco has elected to encourage service providers to dump traditional PSTN equipment in favor of IP gear. Given that about 60% of the current analog line base will probably never transition to xDSL and become subject to packet voice exploitation, this is a faint hope even in the long term. In the next five years, it’s no hope at all.

It may be that Chambers, in his "toss your PBXs" speech, marked the end of Cisco’s chances of being a giant player. We see no way that new IP infrastructure could possibly generate as much revenue as telephony over the next seven years. With no play except IP-based telephony (which we say, without apology, won’t work in the public service space), Cisco can’t tap that revenue stream and can’t grow to match Lucent’s revenues. It may instead be fighting for a place with the new-generation international monsters now being created.

Interesting times, huh?


Down the Line

In our next issue, we’ll look at the ways that various players are looking to create ISP-level interconnect. Can they save the Internet, and its players besides?

