
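Graduate student: Lee, Wei-Nung (李偉農)
Thesis title: A QoS-Enabled VPN Architecture Supporting Real-Time Micro-Flow Bandwidth Guarantee
Advisor: Kuo, Yau-Hwang (郭耀煌)
Degree: Master
Department: College of Electrical Engineering and Computer Science - Department of Computer Science and Information Engineering
Year of publication: 2003
Academic year of graduation: 91
Language: English
Number of pages: 101
Chinese keywords (translated): differentiated services, virtual private network, Network Simulator 2, bandwidth broker, service level agreement, admission control, normalized least mean square error, quality of service
English keywords: QoS, VPN, DiffServ, SLA, BB, Admission Control, NLMS, NS-2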
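  • A virtual private network (VPN) is a technique for emulating leased lines over the Internet, and it is frequently used to provide secure communication between remote sites. With security already assured, demand for quality of service (QoS) in VPNs is gradually growing.

    In this thesis, we propose a QoS-enabled VPN architecture together with a new service level agreement (SLA). Under this architecture, a customer can specify the QoS requirements of his VPN in detail within the SLA (for example, the bandwidth of the whole VPN and real-time micro-flow bandwidth requirements).

    The proposed QoS-enabled VPN architecture is based on the VPN hose model and the differentiated services (DiffServ) architecture. It logically partitions the bandwidth capacity of edge routers into (real-time or non-real-time) micro-flow aggregation classes of several VPNs. First, to provide fine-grained QoS control, micro-flow state information is processed in the admission control module. Next, we use a normalized least mean square error (NLMS) linear predictor to allocate resources efficiently between the real-time and non-real-time service classes within each VPN. Under the proposed architecture, responsibility for managing the DiffServ domain is given to a bandwidth broker (BB). We built simulation networks with Network Simulator 2 (NS-2) and used five measurement metrics to analyze performance under several VPN architectures.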

    Virtual private network (VPN) techniques, which emulate leased lines over the Internet, are frequently used to secure communications between remote sites. However, there is also a demand for quality of service (QoS) guarantees in VPNs.

    In this thesis, we propose a QoS-enabled VPN architecture with a new service level agreement (SLA) approach. Within this architecture, a customer can specify his QoS requirements in detail in the SLA, such as the VPN total bandwidth and real-time micro-flow bandwidth requirements.

    Our QoS-enabled VPN architecture is based on the VPN hose model over the differentiated services (DiffServ) architecture. It logically partitions capacity at edge routers among various classes of (real-time and non-real-time) micro-flow aggregations of VPNs. First, micro-flows' state information is handled by the admission control module in edge routers in order to provide fine-grained QoS control. Second, a dynamic bandwidth prediction technique, the normalized least mean square error (NLMS) linear predictor, is used to share resources efficiently between the VPN real-time service classes and the VPN best-effort service class within each VPN. Our architecture places the responsibility for managing the DiffServ domain's network resources in a bandwidth broker (BB). Simulation networks are set up with network simulator 2 (NS-2), and the performance of the proposed QoS-enabled VPN architecture, the CE-based VPN architecture, and current provider-provisioned VPN architectures has been evaluated according to five metrics.

    Abstract
    Figure Listing
    Table Listing
    Abbreviations
    Acknowledgement
    Chapter 1 Introduction
        1.1 Motivation and Purpose
        1.2 Layout of the Thesis
    Chapter 2 Previous Works
        2.1 Conventional VPN Architectures
        2.2 Previous VPN Architectures with QoS Support
        2.3 The DiffServ Architecture
        2.4 CBQ
    Chapter 3 QoS-Enabled VPN System Architecture
        3.1 A New Service Level Agreement
        3.2 System Architecture
        3.3 Edge Routers
        3.4 Core Routers and Bandwidth Broker
    Chapter 4 Bandwidth Prediction Technique and Admission Control Schemes
        4.1 Dynamic Bandwidth Prediction Technique
        4.2 Admission Control Schemes
            4.2.1 Local Admission Control Scheme with Static Bandwidth Allocation
            4.2.2 Local Admission Control Scheme with Dynamic Bandwidth Allocation
    Chapter 5 Network Simulation and Performance Evaluation
        5.1 Simulation Network Design
            5.1.1 DiffServ Router Support in NS-2
            5.1.2 Description of Modified NS-2 Edge Router Object
            5.1.3 Simulation Scenarios
        5.2 Performance Evaluation
            5.2.1 Performance Evaluation Metrics
            5.2.2 Bandwidth, Delay and Jitter of a VPN Real-Time Micro-Flow under CE-based VPN Architecture
            5.2.3 Bandwidth, Delay and Jitter of a VPN Real-Time Micro-Flow under Current Provider-Provisioned VPN Architecture
            5.2.4 Bandwidth, Delay and Jitter of a VPN Real-Time Micro-Flow under Proposed Architecture
    Chapter 6 Conclusions and Future Works
        6.1 Conclusions
        6.2 Future Works
    References
    Appendix NS-2 Simulation Scripts
    Biography


    Full-text availability: on campus, public immediately; off campus, public from 2003-07-17.