On the cost of virtual private networks

A virtual private network (VPN) is a private data network that uses a nonprivate data network to carry traffic between remote sites, An "Intranet VPN" establishes network layer connectivity between remote Intranet sites by creating an TP overlay network over the nonprivate network, using various tunneling mechanisms, There are two approaches for establishing such tunnels: a "CPE-based approach" and a "network-based approach." In the first approach, tunnels are established only between the CPE devices, whereas in the second approach tunnels are also established between the routers of the core nonprivate network. In this paper we address the problem of determining a CPE-based and a network-based layout of VPN tunnels while taking into account two factors: the cost of the links over which the VPN tunnels are established and the cost of the core routers that serve as end points for the VPN. We define related graph algorithm problems, analyze their complexity, and present heuristics for solving these problems efficiently.