1. Field of the Invention
The present invention relates to apparatuses, methods and computer program products that collect service level agreement (SLA) statistics in communication networks and especially virtual private networks (VPN).
2. Discussion of the Background
Communication networks provide an infrastructure by which messages (digital or analog) may be routed from a source to one or more destinations. Proprietary, exclusive networks may be used when messages are to be distributed only among a private set of network nodes. Such a proprietary network may span only a local region, and is then called a local area network (LAN). Similarly, a proprietary network may extend across a single city, and is then referred to as a metropolitan area network (MAN). When it extends over a larger geographic region, where the nodes are separated by relatively large distances, the network is referred to as a wide area network (WAN).
However, the expense of establishing and maintaining a proprietary network, whether it be a LAN, MAN or WAN, is often not cost effective. Furthermore, maintaining the network often requires personnel with specialized skills, having job descriptions that may be well outside the scope of the company's main line of business. While the proprietary network does offer the advantages of dedicated security and avoidance of traffic congestion problems, the expense and maintenance issues associated with developing proprietary, exclusive-use networks are often not justifiable, particularly when publicly available resources, such as the Internet, can be used instead.
Virtual private networks (VPN) provide a cost effective alternative to proprietary networks. A VPN enables communication among a "community of interests" by enabling private traffic to be passed between at least two nodes within the VPN using a shared communication resource, such as the Internet. When the Internet is used as a component of the communication network, the VPN is referred to as an "Internet VPN". However, unlike unregulated and uncontrolled communications over the Internet, a VPN is usually established by Internet service providers (ISPs), who provide differentiated services relative to other users who are not part of the VPN. The differentiated services for users of the VPN are contractually governed by an agreement between the ISP and the VPN customer in the form of a "service level agreement" (SLA).
The SLA may include provisions for a predetermined network availability, such as 99.9% average end-to-end availability over a one month period for 10 or more sites, and at least 99.8% average end-to-end network availability over a period of one month for 3 to 9 sites. Network speed is another metric of performance that is typically part of the SLA, where an average network latency may be specified to be 120 milliseconds (ms) for round-trip transmission between VPN sites within the United States or within Europe, for example. Some Internet service providers, such as UUNET, will provide a service level guarantee and will credit an account of a VPN customer if the level of service, as defined in the SLA, was not achieved. An optional feature in VPNs is the availability of encryption for data packets so that unintended "listeners" will not be able to decipher the information content of the messages sent through the commonly available information channel.
VPNs, and in particular Internet VPNs, often employ tunneling technology as a way to securely transfer data between two similar networks (e.g., private LANs) over an intermediate network such as the UUNET IP network. Tunneling (sometimes referred to as "encapsulation") encloses a first data packet in a new packet by prepending a new header (transmitted in an unencrypted format) to the first data packet, so that the network routes the new packet based on the information contained in the new header. The first data packet is usually encrypted when contained in the new data packet so that no information can be gleaned from it, except by the intended recipient. The encapsulated packets travel through the network until they reach the destination identified in the new header. At the destination, the new header is stripped away and the first data packet is decrypted and processed. The tunneling and encryption may employ DES and 3DES standards-based technology for transferring data between network locations more securely via an OC-48 TCP/IP infrastructure, for example.
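The encapsulation described above, as an added example that is not part of the original text: the inner packet is encrypted and wrapped in a cleartext outer header carrying only the tunnel endpoints, a core router forwards on that outer destination alone, and the far endpoint strips the header and decrypts. The cipher here is a keystream derived from HMAC-SHA256 with an integrity tag, a labelled stand-in for the DES/3DES the text mentions; the header layout, addresses, routing table and inner packet bytes are all constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

# Constructed outer header: tunnel source IPv4, tunnel destination IPv4,
# and the length of the encapsulated body that follows it.
OUTER_HDR = struct.Struct("!4s4sH")
NONCE_LEN = 8
TAG_LEN = 16


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a counter-mode keystream from HMAC-SHA256.
    Assumption: a stand-in for the DES/3DES named in the text; the tunnel
    structure, not the cipher, is what this example demonstrates."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def _tag(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Integrity tag over the encrypted body so tampering is detected on decapsulation."""
    return hmac.new(key, b"tag" + nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]


def encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str, key: bytes) -> bytes:
    """Encrypt the first (inner) packet and prepend the cleartext outer header."""
    nonce = os.urandom(NONCE_LEN)
    ciphertext = _keystream_xor(key, nonce, inner_packet)
    body = nonce + ciphertext + _tag(key, nonce, ciphertext)
    header = OUTER_HDR.pack(
        ipaddress.IPv4Address(tunnel_src).packed,
        ipaddress.IPv4Address(tunnel_dst).packed,
        len(body),
    )
    return header + body


def outer_addresses(packet: bytes):
    """What an on-path router (or listener) can read: the outer endpoints only."""
    src, dst, _ = OUTER_HDR.unpack_from(packet)
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst))


def next_hop(packet: bytes, routing_table):
    """A core router forwards on the outer destination; the inner packet is opaque to it.
    routing_table is a list of (prefix, next_hop) pairs checked in order."""
    _, dst = outer_addresses(packet)
    for prefix, hop in routing_table:
        if ipaddress.IPv4Address(dst) in ipaddress.ip_network(prefix):
            return hop
    return None


def decapsulate(packet: bytes, key: bytes) -> bytes:
    """At the tunnel endpoint: strip the outer header, verify, and decrypt the inner packet."""
    _, _, body_len = OUTER_HDR.unpack_from(packet)
    body = packet[OUTER_HDR.size:OUTER_HDR.size + body_len]
    nonce = body[:NONCE_LEN]
    ciphertext = body[NONCE_LEN:-TAG_LEN]
    tag = body[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(key, nonce, ciphertext)):
        raise ValueError("tunnel packet failed integrity check")
    return _keystream_xor(key, nonce, ciphertext)


if __name__ == "__main__":
    key = b"constructed-demo-key"
    inner = b"constructed inner packet: 10.1.0.5 -> 10.2.0.9 hello"
    pkt = encapsulate(inner, "198.51.100.1", "203.0.113.7", key)
    print("router sees:", outer_addresses(pkt))
    print("forwarded to:", next_hop(pkt, [("203.0.113.0/24", "router-9b"), ("0.0.0.0/0", "default")]))
    print("endpoint recovers:", decapsulate(pkt, key))
```

The routing step is what makes the "in-band" question later in the text concrete: every tunnelled packet between the same two routers carries the same outer source/destination pair, so the core forwards all of them alike, whereas a probe sent from a separate host carries a different pair and may be forwarded differently.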
As determined by the inventors, several advantages to Internet VPNs include improved privacy, reduced cost relative to dedicated leased lines, and an improved coverage area, largely owing to the availability of the global reach of the Internet.
As recognized by the present inventors, conventional Internet VPNs are suboptimal in flexibility and scalability. FIG. 1 shows an example conventional VPN with a source probe 1 and destination probe 3 that cooperate to collect network SLA statistics. The source probe 1 is hosted on a personal computer using a UNIX operating system, for example, and has a particular IP address. The source probe 1 prepares a 1-packet probe (probe message) that is sent through a source router 7 and then through the network 17 to the destination probe 3. The source probe 1 includes in the probe message a time stamp, indicating the time at which the source probe 1 sent the probe message. The source router 7, which is maintained on a customer's site with the source probe 1, has a different IP address than the source probe 1. The router 7 also handles signals for terminals on a source LAN 10, which itself has a different IP address. As with the source probe 1, source router 7 and source LAN 10, the destination probe 3, destination router 13 and destination LAN 12 all have unique IP addresses.
The network 17 includes routers 9 that are interconnected by way of lines 4. Likewise, routers 5 are interconnected by lines 2. Interconnections between routers 9 and 5 are not shown, to help illustrate the point that there are different physical paths that a packet may follow through the network 17 when traveling from the source probe 1 to the destination probe 3. The actual path that a particular packet follows (i.e., an "in-band" path, or channel) will be influenced by the source/destination pair included in its header. Because the source/destination pair will vary depending on which device is generating the packet and which device is receiving the packet, packets handled by the source router 7 and ultimately headed through destination router 13 may follow different routes through the network 17. Routers 5 and 9 in the network include routing tables that direct how certain packets are routed, and thus these routers may handle a packet from the source probe 1 differently from a packet generated by a terminal on the source LAN 10. Thus, a data packet from the source LAN 10 may follow a path through the routers 5 and lines 2 (the "in-band" path) while the probe message may follow a path through the routers 9 and lines 4 (i.e., not "in-band"). Of course, the two paths may be the same, although there is no guarantee.
The operation of sending the probe message and collecting statistics is now described. The probe message is formed and sent from the source probe 1 at a predetermined time and a time stamp of the send time is included in the probe message. Once the probe message is passed through the network 17 and by the destination router 13 to the destination probe 3, the destination probe 3 recognizes that the probe message has been received. The destination probe 3 then sends a reply probe message to the source probe 1, and includes information in the reply probe message regarding the time that the destination probe 3 took between receiving the probe message and transmitting the reply probe message. Thus, the reply probe message includes the time stamp inserted by the source probe 1 and the remote latency caused by the destination probe 3. In this way, when the source probe 1 receives the reply probe message it is possible to determine the round trip time between when the source probe 1 originally sent the probe message and the time that the reply probe message was received by the source probe 1, less the remote latency time. The source router 7 and the destination router 13 may be 4500 CISCO routers that are configured to receive packets from both the source LAN 10 as well as the source probe 1. Thus, the source router 7 is generic in operation and is a separate network component hosted in a separate housing from the source probe 1.
Availability is one of the SLA statistics that is collected by way of the probing process. Because availability relates to a measurement that is taken over a period of time (or over a number of discrete events), the source probe 1 is configured to set a polling interval at 2.5 minutes so as to provide two measurements for a 5 minute window, and therefore provide a 5 minute resolution with regard to the availability statistic.
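The probe exchange and the availability statistic described in the two paragraphs above, as an added example that is not part of the original text: the source stamps its send time, the destination reports how long it held the probe before replying, and the source subtracts that remote latency from the observed round trip. Samples are then grouped into 5-minute windows at the 2.5-minute polling interval the text gives. How availability is derived from the two samples per window is not stated in the text; the assumption here is that a window's availability is the fraction of its probes that were answered, and the period's availability is the mean over windows. The probe timings are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

POLL_INTERVAL_S = 150.0   # 2.5-minute polling interval from the text
WINDOW_S = 300.0          # 5-minute availability resolution from the text
REPLY_TIMEOUT_S = 10.0    # assumption: a reply later than this counts as no reply


@dataclass
class ProbeMessage:
    send_timestamp: float        # inserted by the source probe (seconds)


@dataclass
class ReplyProbeMessage:
    send_timestamp: float        # echoed from the original probe message
    remote_latency: float        # time the destination held the probe before replying


@dataclass
class Sample:
    sent_at: float
    rtt: Optional[float]         # None when no reply arrived within the timeout


def destination_reply(probe: ProbeMessage, received_at: float, replied_at: float) -> ReplyProbeMessage:
    """Destination side: echo the source timestamp and report the local hold time."""
    return ReplyProbeMessage(probe.send_timestamp, replied_at - received_at)


def source_round_trip(reply: ReplyProbeMessage, received_at: float) -> float:
    """Source side: round trip less the remote latency reported by the destination."""
    return received_at - reply.send_timestamp - reply.remote_latency


def simulate_probe(sent_at: float, forward_delay: Optional[float], remote_hold: float,
                   return_delay: Optional[float]) -> Sample:
    """Run one probe/reply exchange over constructed one-way delays.
    A None delay models a lost probe or lost reply."""
    probe = ProbeMessage(sent_at)
    if forward_delay is None or return_delay is None:
        return Sample(sent_at, None)
    dest_received = sent_at + forward_delay
    dest_replied = dest_received + remote_hold
    reply = destination_reply(probe, dest_received, dest_replied)
    src_received = dest_replied + return_delay
    rtt = source_round_trip(reply, src_received)
    if src_received - sent_at > REPLY_TIMEOUT_S:
        return Sample(sent_at, None)
    return Sample(sent_at, rtt)


def availability_by_window(samples: List[Sample], window_s: float = WINDOW_S) -> Dict[int, float]:
    """Assumption: per-window availability = answered probes / probes sent in that window."""
    counts: Dict[int, List[int]] = {}
    for s in samples:
        idx = int(s.sent_at // window_s)
        answered, total = counts.setdefault(idx, [0, 0])
        counts[idx] = [answered + (s.rtt is not None), total + 1]
    return {idx: answered / total for idx, (answered, total) in sorted(counts.items())}


def overall_availability(samples: List[Sample]) -> float:
    """Assumption: period availability = mean of the per-window values."""
    per_window = availability_by_window(samples)
    return sum(per_window.values()) / len(per_window)


def average_latency_ms(samples: List[Sample]) -> float:
    """Mean corrected round-trip time of answered probes, in milliseconds."""
    rtts = [s.rtt for s in samples if s.rtt is not None]
    return 1000.0 * sum(rtts) / len(rtts)


def demo_samples() -> List[Sample]:
    """Constructed schedule: six probes at the 2.5-minute interval (three 5-minute
    windows); the probe sent at t=450 s gets no reply."""
    samples = []
    for i in range(6):
        sent_at = i * POLL_INTERVAL_S
        lost = sent_at == 450.0
        samples.append(simulate_probe(sent_at, None if lost else 0.05, 0.002, 0.06))
    return samples


if __name__ == "__main__":
    s = demo_samples()
    print("per-window availability:", availability_by_window(s))
    print("overall availability:", round(overall_availability(s), 4))
    print("average latency (ms):", round(average_latency_ms(s), 3))
```

Because the 2.5-minute interval is fixed in the source probe, the resolution of the availability figure is fixed with it; changing `POLL_INTERVAL_S` or `WINDOW_S` here is the software reconfiguration the text later argues the conventional probe cannot do.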
The present inventors recognized that the VPN architecture shown in FIG. 1 is suboptimal in that it does not offer the desired flexibility and scalability features that would allow for independent upgrading and maintenance of the shared network 17. The present inventors have recognized that the shared network 17 may be reconfigured and upgraded for future operations. In doing so, it is even possible that additional nodes may be added to the VPN, or even that the service level agreement may vary from time to time. Accordingly, it is a limitation of the VPN shown in FIG. 1 that the source probe 1 and destination probe 3 are "hard-wired" to operate at certain polling intervals. Furthermore, the source and destination probes do not necessarily send the probe messages in-band (i.e., over the same physical path traversed by data packets sent between the source LAN 10 and the destination LAN 12), even though the SLA is tied to the performance of the in-band channel.
Accordingly, because the source probe 1, as well as the destination probe 2, is implemented in a separate computer outside of the source router 7 and has a separate IP address, operators of the VPN are limited by the capabilities of the source probe 1 to accurately collect SLA statistics. This is especially problematic when changes are to be made to the "core" shared network 17. Furthermore, the amount of space required to host the source probe 1, the source LAN 10 and the router 7 adds to maintainability restrictions at the source site.
In light of the above-discussed and other limitations of conventional systems and methods for collecting SLA statistics, an object of the present invention is to overcome these and other limitations by providing a software reconfigurable probing router.
A feature of the present invention is to include a probing router at both the source site and the destination site such that the probing operation is performed within the router housing itself, using processing resources available from the router. In this way, the probing operation is performed in software (although hardware/firmware/software combinations are alternatives as well) so that changes in the core network and SLA statistic collection processes may be quickly and easily accomplished. Furthermore, the probing router sends the probe message through the same path as the data, thus providing a direct measurement of SLA data.
Another feature of the present invention is that an operations center connected to the network enables a remote "VPN builder" to remotely configure each of the probing routers in the VPN, so that within a short period of time the topology of the VPN may be established by informing each probing router of its statistic collection obligation and of the other probing routers in the VPN with which it exchanges and replies to probe messages. Furthermore, the operations center enables a remote probe poller processor to receive, compile, and calculate SLA statistics for the VPN. The statistics may be collected at rates consistent with the SLA for the particular VPN. Furthermore, the operations center enables an SLA reporting system to report data collected by the probe poller processor in a format that is convenient for the VPN customer to verify that the SLA metrics were in fact complied with during a particular operation cycle.