MPLS has advantages

Trispen Technologies says multi-protocol label switching (MPLS) technology can benefit service providers.
Johannesburg, 17 Oct 2001

A lot of hype surrounds the deployment of MPLS (Multi-protocol Label Switching), but as with all new technologies, the technology does not necessarily deliver on the promises made.

The protocol offers a number of significant advantages, especially to providers. In SA, NetActive and UUNet are already offering services based on their MPLS backbones, hoping to reap the benefits of improved utilisation, faster switching and the ability to offer their clients differentiated products and services. These service providers also offer MPLS VPN services over their networks, yet customers should be aware that MPLS is not a security protocol, even though it is often touted as such.

Background to MPLS

 

MPLS is an emerging IETF (Internet Engineering Task Force) standard that attaches tags or labels to each packet entering the MPLS-based network. These tags enable much faster routing, make class-of-service handling possible, and offer secure isolation from other packets sharing the same infrastructure. Proponents of the protocol claim that it provides increased control, simplicity and manageability of maintaining service provider networks, while offering reliable and secure data transportation across the ISP WAN.

"A lot of hype surrounds the deployment of MPLS" - Francois Smit, Marketing Manager, Trispen Technologies

Critics of MPLS cite a number of concerns. They say that it is far too complex, especially for a protocol that inherently lives at the core of the Internet. Another big issue often raised is that MPLS does not really scale well, especially when it comes to offering VPN services. ISPs must manage a special BGP (Border Gateway Protocol) routing table for each MPLS VPN and store sections of it at every location where the VPN is accessed. This could mean that ISPs will have to manage hundreds or thousands of these routing tables instead of the single one that they are managing now.

Virtual private networking: IPSec versus MPLS

 

VPNs are being widely accepted and deployed by many companies and organisations to secure communication flows between branch office sites via the Internet and for secure remote access to the corporate network. The VPN is regarded as a maturing technology that offers real and tangible cost and security benefits. Yet much confusion still exists as to what exactly a VPN is.

On the one hand, there are IP-based VPNs that make use of encryption technology to keep different traffic streams virtually separated, private and confidential. These VPNs are also called secure VPNs. On the other hand, you will find another class of VPNs that separate different traffic streams through logical configuration, but don't offer security benefits such as privacy, confidentiality and integrity. In their favour, though, is the guaranteed bandwidth and quality of service that service providers can promise to their clients. Against this backdrop, IPSec (Internet Protocol Security) is the leading protocol for secure VPNs, while MPLS is challenging the dominance of Frame Relay to deliver QoS VPN capabilities.

MPLS and security

 

MPLS offers Layer 2 style security by hiding the real IP addresses and other aspects of the packet stream, bringing security in line with other Layer 2 technologies such as frame relay and ATM. This approach is more or less the WAN equivalent of VLANs.

There are, however, some serious security concerns being raised over MPLS, mainly because it doesn't offer any security services to protect the packet contents. Since the packets are not encrypted, any information accidentally sent to the wrong recipient can be easily read - not a situation most corporates would feel happy with. In the second place, MPLS is susceptible to leaking traffic if the connection is disrupted. This leaves it wide open to an attack that would firstly disrupt a particular connection, and then simply gather all the packets that have been leaked.

IPSec, by contrast, encrypts all packets and signs them for integrity checking by the recipient. Even if a packet is incorrectly delivered or leaked, the information is still encrypted and of no use to anyone. IPSec also causes less stress on the Internet's backbone routers because customers handle provisioning themselves.

Conclusion

 

In SA, bandwidth restrictions and a restrictive telecoms policy have resulted in corporates building their own network backbones, while some have adopted frame relay VPN service offerings between selected branch offices. Moving from a dedicated WAN or Frame Relay network to a VPN service provider using an MPLS VPN offering will yield some benefits, but in my opinion these benefits are not necessarily compelling enough.

In contrast, secure VPNs do not require expensive infrastructure upgrades to the network, and can utilise any future reductions in price to the underlying bandwidth provider. This means that the full benefit of a VPN can be extended to small or remote branch offices and remote workers, making use of Internet technologies.

So which VPN should one choose? This depends on your circumstances, but opting for a hybrid approach might yield the best of both worlds. Deploy a secure VPN over the Internet as backbone to smaller branch offices and for secure remote access. While you're at it, you should also extend this VPN over your MPLS VPN to achieve the same high level of security to branch offices and the corporate network.
