IP Convergence: Beyond VoIP, Beyond Cost Savings

We've all been there.  Travel expenses have to be cut, and yet your work centers are geographically separated, work groups are forged from different work centers, and your management suggests you increase your use of video conferencing.  You grudgingly submit to the idea but hope that you still have enough money to do the necessary amount of travel, and you might even try some video conferencing.  But will it work?

Corporations have learned a lot since this 2004 Norwegian study that indicated that video conferencing affected corporate travel from 2.5-3.5%.  Part of the  following study suggests that it's merely a matter of implementing the right culture with the right technology and you can start saving, but what might the long term impacts be of reducing personal interaction amongst employees.

In the online Q&A for Patrick Lencioni's book Death by Meeting, Patrick states:

Q: As technology continues to make life and business more and more virtual, do you think this has positive or negative effects on meetings?

A: I think that the promises of the virtual workplace have not panned out to the extent that everyone expected. The fact is human beings need to be in the same room, face to face, in order to engage in the kind of discourse that leads to good decisions. When we try to circumvent that reality by using audio and video conferencing, we dilute the quality of our conversations, and ultimately, the decisions that we make. Of course, there are certain types of conversations that are fine for virtualcommunication - customer service, basic information sharing, and tactical updates. But trust andconflict and commitment and accountability are not easily nurtured over a network, even a high speed one.

© Copyright 2007 The Table Group, Inc. w 3640 Mt. Diablo Blvd., Suite 202 w Lafayette, CA 94549 w www.tablegroup.com

After having read a few of Patrick's books, I believe this theories are fairly sound.  I can see how it would be difficult to mine for conflict on an audio bridge if you can't read body language of everyone simultaneously, although I do seem to find the sore subjects on my own even without video, it just takes a few more questions.  I also wonder if Patrick tried using a true telepresence setup if he might change his mind.  In this recent post from our own Thomas Hobika, Tom covers telepresence and what is involved.  If you can truly create an experience where it is almost as good as being there, wouldn't it be almost as good as being there?

Of course, you still can't get the satisfaction of going to lunch together after the meeting is over.  At least not yet.  :-)

by Dave Siegel

In response to the article How Feds are dropping the ball on IPv6 over at Network World, Rich Fisk writes:

Quoted from http://blogs.globalcrossing.com/ipv6-eternal-wait-pt2#comment-928
I just attended the Network World Live Road show here in DC and the chairman of ARIN seemed to have an opposing view to the [statement] that you made in NW.

1. Somewhere in 2010 the IP address space will run out as emerging markets grow.

2. His organization is telling ISP to make plans for IPv6 as there will be a day soon where ARIN will not be handing out more IPv4 space.

3. After #2 happens (no pun intended) there will be the beginnings of two Internets. One IPv4 and one IPv6. While all sites will be reachable with IPv4 clients at first there will come a time where there will be IPv6 only sites.

Yes, we know that IPv4 address will run very low some day, but the sky has been falling for 12, maybe 13 years now.  People are tired of hearing it, in large part because you can still get IPv4 address space today.  Even if an organization starts to run low on addresses they can resort to NAT and RFC1918 (private address space, e.g. 10.x.x.x).  

The way I see it, getting denied for a new IPv4 address and being given an IPv6 address block may be the only catalyst for IPv6 deployment in the LAN.  Early IPv6 deployments in the LAN that are forced due to unavailability of IPv4 addresses only will employ a NAT with external IPv4 addresses (or address), but they will function more or less identically as the use of RFC1918 space would.  IT Network Managers will have decide if they go with an IPv6 implementation over the more familiar private address space.  They will have to use a NAT, because they are going to get stuck in this situation long before the Internetv6 is here.

As of today, finding popular sites that have deployed v6 to their web sites is extremely rare.  I did a little experiment with top of mind web sites.  As one would hope, ipv6.org resovles to an IPv6 address.  From there, I had a little more trouble.  By the way,"traceroute6: Non-recoverable failure in name resolution" means that no AAAA record was found, or in laymans terms, the site is NOT IPv6 ready.  The results are below.

dsiegel@terra:~ >traceroute6 www.ipv6.org
traceroute6 to shake.stacken.kth.se (2001:6b0:1:ea:202:a5ff:fecd:13a6) from 2001:450:1:1001::1e, 64 hops max, 12 byte packets
 1  2001:450:1:1001::1d  39.711 ms  39.317 ms  40.010 ms
 2  sl-bb1v6-rly-t-96.sprintv6.net  113.674 ms  113.480 ms  113.673 ms
 3  sl-bb1v6-nyc-t-1000.sprintv6.net  126.309 ms  126.216 ms  126.633 ms
 4  sl-bb1v6-sto-t-102.sprintv6.net  218.384 ms  215.206 ms  214.051 ms
 5  2001:7f8:d:fb::24  342.243 ms  342.473 ms  342.180 ms
 6  se-tug.nordu.net  343.023 ms  341.761 ms  341.059 ms
 7  c2sth-so-6-0-0.sunet.se  342.812 ms  343.377 ms  344.655 ms
 8  2001:6b0:dead:beef:2::2c6  342.023 ms  342.605 ms  341.990 ms
 9  2001:6b0:1:1200::1  342.148 ms  342.206 ms  343.006 ms
10  clubroom-gw.stacken.kth.se  342.221 ms  342.900 ms  342.158 ms
11  igloo.stacken.kth.se  342.637 ms  344.114 ms  343.147 ms

dsiegel@terra:~ >traceroute6 www.google.com
traceroute6: Non-recoverable failure in name resolution

dsiegel@terra:~ >traceroute6 www.yahoo.com
traceroute6: Non-recoverable failure in name resolution

dsiegel@terra:~ >traceroute6 www.ask.com
traceroute6: hostname nor servname provided, or not known

dsiegel@terra:~ >traceroute6 www.msn.com
traceroute6: Non-recoverable failure in name resolution

dsiegel@terra:~ >traceroute6 www.globalcrossing.com
traceroute6: hostname nor servname provided, or not known

dsiegel@terra:~ >traceroute6 www.verio.net
traceroute6: hostname nor servname provided, or not known

dsiegel@terra:~ >traceroute6 www.sprint.net
traceroute6: hostname nor servname provided, or not known

dsiegel@terra:~ >traceroute6 www.att.net
traceroute6: hostname nor servname provided, or not known

dsiegel@terra:~ >traceroute6 www.sprintv6.net
traceroute6 to www.sprintv6.net (2001:440:1239:4::2) from 2001:450:1:1001::1e, 64 hops max, 12 byte packets
1 2001:450:1:1001::1d 40.637 ms 41.133 ms 41.545 ms
2 sl-bb1v6-rly-t-96.sprintv6.net 113.473 ms 113.064 ms 112.476 ms
3 sl-bb1v6-nyc-t-1000.sprintv6.net 125.839 ms 125.544 ms 126.679 ms
4 sl-s1v6-nyc-t-1004.sprintv6.net 127.108 ms 132.845 ms 128.818 ms
5 www.sprintv6.net 127.799 ms 127.502 ms 127.634 ms



Good going Sprint!  You win a prize! Granted, it's not their main corporate web site and it does little more than check if you are v6 enabled and give you some helpful v6 related links, so it's not a true datapoint for an ordinary site.

In reality, I think that there will be a gap between #2 and #3, or when we run out of IPv4 addresses to assign and when all web sites and other servers have both IPv4 and IPv6 addresses.  Enterprises will deploy NAT to maintain connectivity to the Internetv4 rather than contact every web site admin to request they enable for IPv6, and the Federal networks will satisfy the mandate by being able to run IPv6 rather than take the giant step of actually turning off IPv4.  That, my friends, is the path of least resistance.

Imagine starting your car and seeing that message on your dash.

If this happens, it's not outside of the realm of possibility.  BMW labs is experimenting with the use of IP sub-systems for internal communications, which is a pretty interesting idea!  One of the draw backs of using standard protocols and components is the availability of knowledge around said commonly available technology, but IP can be secured pretty well, so if it's done properly hacking shouldn't be a big concern. 

The author didn't mention the possibility for 3rd party after market add-ons, but one would think they'd be possible if the car has IP packets flowing through it's veins, but then that would reopen the possibility of security threats too, so it might be in BMW's best interest to try and prevent any sort of external tampering with the system.

I think the author of the article is a little confused about IPv6, though.  He says:

Costs drop because fewer specialized components are needed, and the new
version of IPv6 is even better than the more than fine performance from
IPv4.

I would love to know how the new version of IP is even better than the performance of IPv4, especially given that it doesn't perform as well as IPv4, which I noted in a previous post.  In some discussions with members of the IT community from various government agencies, they are leery of deploying IPv6 for security reasons (not because of known issues but more because of the unknown issues that have yet to be discovered because IPv6 is not widely adopted yet).  As a result of these factors as well as overall adoption rate, IPv6 support might actually cost a bit more than IPv4 for several more years.

Despite the erroneous implication of improved performance, if this just a proof of concept and 3rd party after-market add-ons are not a priority, why not design it around IPv6?  IPv6 might even help insure that the system stays a somewhat closed
one...or it might be the killer app that drives further development and
investment in IPv6.  Furthermore, you could do crazy stuff like putting an RFID tag on every nut and bolt in the car, build an RFID-to-IPv6 proxy server, ping every last component on the car, and triangulate their position to make sure they're all where they are supposed to be.  Then when your mechanic ends up with those extra parts and throws them to the side like he did before, you can run the diagnostic before leaving the shop and call him on it.

Better make sure there's an on-board DNS system too, just so we don't have to see the following error message 'Communication Failed with device 2001:450:1999:900:0:670:1708:1920'.  :-)

posted by Dave Siegel

We usually think of QoS as a way of making sure that our applications work the way they are intended.  That is the whole point, right?  Case in point, in my my last post QoS and your PC, we discussed how to implement QoS to provide a better user experience for desktop video conferencing.

But it doesn't always work out that way.

Some years ago now, a company called Caspian Networks created a carrier-class routing platform that analyzed flows in real-time, and it could restrict throughput on that flow based on configuration information.  The impact of this capability is rather interesting...rather than limiting the throughput of a type of application on a general level (a la the Diffserv model), say limiting P2P traffic to 15% of the overall backbone capacity, it can limit the throughput of each application individually, regardless of whether there is congestion in the network or not!

Just imagine the havoc this could cause from a net neutrality perspective.  Are you an RBOC or cable company worried about Skype?  Just limit the throughput on any Skype flow to the point where it'll sound horrible, but not so bad that it won't work at all.  In fact, you can do the same for any application that competes with something you sell yourself.

I first learned of Caspian Networks many years ago through an "economics of the Internet" mailing list hosted by Gordon Cook, and there was a gentleman participating by the name of Dr. Larry Roberts who believed that the economics of the Internet could be radically improved through restricting traffic that was deemed to detract value from the network rather than add to it.  As one of the founders of Caspian, he took this belief and created a product around it.  Caspian folded last year, but Larry started a new company in 2004 called Anagran, and it does pretty much the same thing that Caspian did.  Looking at Anagran's web site, they're clearly focusing on the improved quality that they can give to applications, and yet at the lower right hand corner of the web site, it still mentions "controls P2P and optimizes capacity."

I was reminded of Dr. Roberts and Anagran recently upon reading the following article about Comcast and some technology they have implemented that slows down P2P applications such as BitTorrent, eDonkey and Gnutella, which you can read about in the Associated Press article Comcast blocks Some Internet Traffic.  I don't know if Comcast is using Anagran, but I would guess that they have used something very similar.

QoS is like a gun.  It's not the thing that is evil, it's how it's used.  It does, however, highlight some of the problems with the economic model of the Internet (which was the main topic of the conversation on the previously mentioned mailing list).  As prices on bandwidth have decreased over the years and the basic job of transferring bits has become a commodity, the industry analysts and business strategists have told the carrier to "move up the stack" into applications in order to reach profit margin salvation, and in response carriers have invested what must amount to hundreds of billions of dollars in development only to deploy an application that some else now makes available for free or for profit right on their commodity pipe.  While I believe that the only solution for the carrier to build a better application rather than try to break the competitions, it does pose a risk.  If carriers cannot get the margins they are looking through by selling applications, there will be little choice but to "un-commoditize" basic connectivity and raise prices.  Whether you believe Metcalfe's law or Andrew Odlyzko's more conservative version, maybe the applications are nothing more than fodder for connecting people and are the driver for selling bigger and more profitable pipes just like the latest Microsoft product drives computer upgrades?

Either way, I think the realization of these truths has been a contributor to the stabilization in bandwidth pricing over the past year, and might suggest that this stabilization will at least continue for some time.

Hat tip to Norm for the Comcast article reference.

by Dave Siegel

In a comment on this post from one of our readers, Christopher Wacker writes:

To me, it sounds like you A/V issues lie with your networking.  I work for a MPLS consulting firm (if you don't know what MPLS is, you can take a look at http://mpls-experts.com/default.asp?page=pages/whatismpls.asp&v=nontech for a brief overview of what MPLS is) and have noticed this problem quiet often with companies.  Are you currently using ATM/Frame Relay?

I am somewhat familiar with MPLS.  :-)

I was an IP Engineer at Frontier Globalcenter when we were doing our rollout of MPLS back in Q1 1999, which coincidentally was the first deployment of MPLS in any production IP network anywhere.  We deployed the mesh nationally in Q2 of 1999, and according to our primary core vendor at the time (Cisco), we were the first carrier with a nationwide deployment of MPLS. With the acquisition of Frontier by Global Crossing, we began building new POPs internationally in Europe and Latin America over the first half of 2000, and our US domestic MPLS core became an international one..

It was a tough time for us to deploy MPLS.  The standard was so new it wasn't even a standard yet, it was still in draft.  There were lots of bugs in our vendors' routing code.  Deploying Juniper created additional complexities because each vendor interpreted the RFC's and Internet Drafts (pre-RFC's) differently, which occasionally led to some very interesting network behavior.

But I digress.

Towards your question around the use of ATM/FR, I am not directly connected to our corporate network with ATM/FR or MPLS, which is the root of my problem and a common plague of the telecommuter.  I use a local ISP who buys transit from someone other than Global Crossing, and the performance is often less than desirable. 

For the sake of argument, let's say that I was connected directly to the corporate MPLS network, would my QoS problems be solved?  Would I be able to set different ToS bits on the video packets coming from communicator compared with the voice?  As near as I can tell, there are no such settings in MS Communicator 07, and if that is true, then all packets originating from my computer will look like any other data packets and will not get any special treatment on the network. 

QoS on MPLS works great, but if you can't differentiate packets in some way (IP address range, port range, or ToS bits) you won't be able to take advantage of it.  Usually, differentiating packets within the same application (say OCS) is impossible to anywhere other than the application itself.  I say usually because it is possible that if the application uses different ports on seperate rtp streams, and you can tell which one will always be video and which will always be voice, you can probably work something out on the CPE router to classify the packet, but it would certainly be easier to just set the parameters in the application.


Perhaps one of our readers knows if it is possible to set the ToS packets within OCS?

If you're like me, when one of your internal IT guys gives you a call and asks you if you want to trial some new software, the answer is almost nearly always a resounding YES.  Last week Steve Schafer gave me a call and asked if I wanted to try out the new 2007 version of MS Communicator based on the OCS platform.  I got set up with it on Monday and wanted to share some of my experiences with it.

There are several new features that I find very attractive:

• All conversations are kept and stored in a mailbox.  This can be the text of an IM conversation, or if it's a phone call, then the number, name of person you called (if available) and the length of call is recorded.
• The IDLE status doesn't obfuscate any other status, but shares the button color so that you know if the person is idle at their keyboard while in a meeting, on the phone, or available.  You get a little bit of credit this way for behaving yourself and not multitasking while on a conference call.  It might also eliminate a few yt?'s
  
• Multi-party video calls, Ohhhh yeah!  Create a multi-person IM conversation and then fire up Video.  Whoever is talking at the time is broadcast to all other parties.  It works reasonably well for me in spite of the fact that I am a tele-worker with a lousy Internet connection.
• Quasi-FMC/UC capabilities that include a DID for your computer, simultaneous ring to another number of yours, voice-mail delivered to your inbox as a .wav file, as well as the ability to call a voice access number and access your calendar and email.  I don't suspect I'll ever use that last feature, but it is nice to know that if I was ever having trouble falling asleep that I could have a pleasant female-timbered computer voice read my email inbox to me, which I shall hence forth dub Femail.  Copyright!  :-)

And there are several things that I predict will be very evil.

• All those great mailing lists in the outlook exchange address book now come up on searches with an auto-complete function in the communicator search window.  Just when email got so crazy that you had to turn to IM for productivity gains, here come the mass IM broadcasts!  Broadcast IM's are bad, mmmkay???  Just say No!
• The new color scheme is a bit harsh.  The charcoal title bar is fine, but the new 3D shading on the buttons and the traffic-light red/yellow/green availability scheme is kind of hard on the eyes.  The other issue here is the connotation associated with red.  The previous version showed a pleasant shade of blue when someone was busy, but now it's red.  Since I tend to be booked in meetings most of the day, I am always an angry shade of red.  That's evil.

Stuff that still doesn't work quite right:

• Softphones still suck.  I have a reasonably fast laptop and a gig of RAM, but somehow I still have issues coding/decoding when my computer gets busy for a few seconds.  Give this program more priority by default.  I have a Microsoft IP phone on the way that should resolve this problem, but I'm still pretty shocked that computer telephony doesn't work better than it does.
  
• Video/audio sync in video calls.  I've noticed that I receive the video frames before the audio.  What gives?  Audio should have priority over video.  Always!  If Video is falling behind, drop the frames.  If the audio is falling a second or two behind, wipe the whole buffer and start over or something so it doesn't feel like I'm having a conversation with someone half-way to the moon.
  

All in all, the new features are pretty cool, and I'm looking forward to the rest of the company getting upgraded to this release.

In my last post about the PS Home, I spoke about the Sony announcement of PS Home and how I found the technology interesting.

Unfortunately, I broke one of the cardinal rules of good blogging by completely failing to tie it back into Global Crossing's business. A Hat Tip goes out to Matt Sewell from our Phoenix office for pointing this disconnect out to me.

Immersive, Virtual Reality environments are important to me and to Global Crossing because it points the way to the future of collaboration, which is currently one of our best value-add product areas. Much like the way that pr0n addicts drove early bandwidth usage on the Internet (and were therefore one of the key investors!), Second Life addicts are driving innovation in collaboration technologies, particularly the immersive variety (and are therefore investors in it!).

What we learn from these evolving technologies and how they are adopted can give us clues (but not necessarily direct evidence) as to how the technology may be adopted by the business world.

But before I start thanking SL Addicts for helping realize the dream of virtual reality....

...lets look at what we have learned so far.

• Users can get so immersed in the virtual world that they lose track of the real world
• The virtual world rarely incorporates the real world and its utilities, further enforcing a separation of virtual and real worlds.
• Goals are self-created and revolve around "in-game" needs as opposed to real-world needs, and addicts have difficulty putting "in-game" goals into the proper context in their every day life

These issues are going to present a huge problem for people that want to see immersive VR become part of the corporate world because the corporate world will never support immersive VR with the kinds of risks associated with the statements above. The only avenue that offers a solution is a higher level of integration between the real world and VR. This step requires a great deal of additional investment in technology development beyond what exists today. To seamlessly integrate all of the information on your desktop computer with the virtual environment and to create a work environment that mimicks your real one for the purposes of collaborating across great distances is where you can start to draw the eye of the corporation.

This idea, while tantalizing for the corporation, will be wholly rejected by large portions of the current VR population that use their immersion to escape the realities of their physical existence. Remember that they are the ones investing the most in the platforms right now. That is starting to change with corporations like IBM and Sun beginning their investments in second life, but we will need to see much more corporate involvement if we are to see these emerging technologies one day become useful to the every day business.

So, thank you SL addicts. Thank you for paving the way. Please pardon the dust.

Or why Secondlife and similar metaverses will never formally be coined Web 3.0, the next-generation Web.

My friend Rawn covered the recent announcement from Sony on their Playstion Home environment, lauded as a secondlife killer.

Rawn asks:

Is this the death knell for SecondLife or MySpace? Let me know what you think.

Although I cannot properly review something that isn't released, I will say no on both counts. As far as I can tell from the movie (various clips available in the links above)...it looks totally sick. The graphics make secondlife look like crayola-doodled cartoon drawings by comparison. That's where the advantage ends. There are two comparisons to touch on: the comparison between SecondLife and PS-Home, and the comparison between 3D systems and social-networking systems.

The worst part of PS Home is that it only runs on the PS3 and it will probably be a closed system...closed in several ways.

Not only will the client be proprietary, but you have to run it on proprietary hardware (the PS3). The world will logically only provide access to Sony multiplayer-games since the PS3 would not run a game for Xbox or the PeeCee). It also appears that while the environment itself will be free, Sony will charge for various virtual "upgrades" like special clothing.  If Sony themselves is the only source of "objects" in-game and must be purchased from them rather than created by the playerbase, the 3D world will likely stagnate fairly quickly and it won't be much better than a simple GameSpy client for connecting players to servers.  The only reason to be there will be because of the multiplayer games that Sony ties to it.

So no, it won't kill Second Life, but it might happily coexist with it.

Another MMOG, EVE Online is planning to offer a 3D environment in a future game expansion release. Video here MMOG game designers strive to create games that encourage the userbase to collaborate in order to achieve difficult goals, but because all of the necessary tools don't exist in-game, a need has arisen to collaborate out-of-game. I have read stories of various guilds inside an MMOG using secondlife to hold their guild meetings...and since game designers don't want their userbase to leave "their" system, they try to incorporate the tools into their their gaming platform.

What would be great is if there was a truly open system that could encompass the needs for socialization, collaboration, as well enabling transition into proprietary game environments. Even Sony could accomplish this by providing a PC and Xbox client to their 3D world and using more of a second life model. These 3D worlds are not the end-all be-all of the next generation web, though. It is just too cumbersome to share certain things from real life in these 3D environments, so I think web 2.0 and the 2-D browser will rule the roost in the area of sharing photos and networking. Another difference between the Web 3.0 3D environment and the Web 2.0 Myspace environment is that the 3D is real-time online and Myspace is more static...I would liken it to the difference between a chatroom and a Bulletin Board System. In the BBS there is a log of all activity that you can review if you were there or not at the time it was posted, and in a chatroom, if you aren't there you miss it. Each model serves a purpose and I doubt one will ever displace the other.  If you want to read an interesting conversation on the "is second life the web 3.0" check out the following post and the comments over at zephoria.org.

Technorati Tags: Playstation Home, web 2.0, secondlife, Web3D

This presentation from the blackhat conference in Europe last year speaks directly to the point about the security issues between IP-VPN and Ethernet that I took issue with in my last blog. 

A couple of the key points that I took from this presentation were:

• In the case of both Ethernet VPNs and IP-VPNs, in order to hack into a customers network from outside the network, the attacker must have access to the provider's core routers. (pg. 26)
  
• If an attacker has penetrated the customer's network through a backdoor or through weak physical security, he has some interesting options with an Ethernet VPN that do not exist on an IP-VPN network, especially in a VPLS environment. (pg. 34 and others)
  
• A reminder about how much I dislike spanning tree (pg. 38)

ps. he refers to as the Juniper M7i as a "big-iron" router, when in fact it is the smallest of Juniper's carrier-line of routers and doubles as a high-end Enterprise router.  An M7i may be used by a carrier in a very small site, but such a site is not likely to have thousands of customers as cited in his example.  A site with thousands of customers is much more likely to be riding an M40e at minimum, or more likely an M320.

Hat Tip to Jim Lippard

Technorati Tags: Ethernet, VPLS, IP-VPN, Security

If you've been on the technical side of this industry even a short time, you've no doubt run across debates that are so monumental and so emotion-driven that they are labeled religious debates.  Perhaps the debates are not really so monumental, but each side of the issue often represents a fundamentally different philosophy.  Some favorites of mine? 

• Mac vs. Windows
• PC w/ Unix vs. Unix Workstation
• BSD vs. SVR4
• Emacs vs. vi (or any other editor, really)
• EISA vs. VLB
• USB vs. Firewire
• VHS vs. Betamax?

From the realm of networking, who could forget the long running debate between ATM and IP?  There were many arguments used against IP that were just plain false, like the security concerns around IP and it being easier to hack (which I found silly because all ATM/FR network were running IP atop ATM/FR).

That's why it makes me chuckle a bit to see the same type of argument used in to promote Ethernet as a substitute for IP-VPN in this article about advertising.com switching out their IP-VPN.

Bavisi said that because VPLS is a L2 service there is no need for the firewalls the London office of Advertising.com previously had to manage at the remote sites. ?Both IPsec [a.k.a. DIY] VPNs and IP VPNs delivered by carriers over MPLS networks are at Layer 3, and thus face security issues,? he said.

The first sentence is fine.  It's true, Ethernet (or an MPLS-based IP-VPN solution) eliminates the need for firewalls at each site.  You can safely run in a closed network environment with no IPsec tunnels or other hassle.  The downside to that, however, is that each site now has to use the main corporate center for all Internet traffic, which puts more strain on the WAN...which is great for the backbone provider.  Ultimately it means more business for them.

The second sentence I quoted is the FUD factor coming into play.  There could not possibly a difference in the security risk between an Ethernet VPN running IP and a closed IP-VPN network running IP.  The security risks inherent with an IP network, especially one connected to the Internet somewhere, are not necessarily lessened by moving to an Ethernet network, and the process of centralizing Internet Access and firewalls into one or more main hubs is a common design element in layer 2 and layer 3 VPN's alike.

In a way, the recent development effort into Ethernet remind me of one of the Fundamental Truths of Networking, as cited in RFC 1925.

(11) Every old idea will be proposed again with a different name and a different presentation, regardless of whether it works.

Ethernet as a WAN protocol (and the use of VLAN's for logical seperation, QoS, and site identifiers) reminds me an awful lot of ATM and Frame Relay, and MPLS reminds me an awful lot of ATM too.  ATM had QoS and Traffic Engineering and IP didn't, so along came MPLS to give some traffic engineering function and they put CoS into IP.  Now that we're trying to use Ethernet in the WAN, we've got to add all that stuff to it as well, so we'll run it over MPLS and make 802.1p to give it QoS.  We're re-inventing the wheel!

Those of you involved in the creation of these new Ethernet standards should remember your your RFC's.  That way you'd know that the twelfth fundamental rule of networking is

In protocol design, perfection has been reached not when there is nothing left to add, but when there is nothing left to take away.

Technorati Tags: Ethernet, VPLS, IP-VPN, MPLS