ITPRC NEWS - November 2001
- http://www.itprc.com/
IPSec vs. MPLS-based VPNs
By Irwin Lazar
In recent weeks many carriers have introduced new VPN services based on MPLS.
There is a great deal of confusion over the benefits and drawbacks of each VPN
type. In this article we explore the features of both VPN technologies and
provide some advice as to where each is useful.
VPN Overview:
VPN of course stands for "Virtual Private Network", but if you ask ten people
for a more descriptive definition you are likely to get ten different
responses. In a nutshell, a VPN allows you to tunnel traffic through a
"public" shared network while keeping it isolated from other traffic on that
network. How that isolation is achieved is the key difference between the two
approaches discussed here: IPSec isolates traffic cryptographically, whereas
an MPLS-VPN isolates it by keeping it on separate forwarding paths inside the
provider's network.
IPSec VPNs:
In an IPSec VPN, end-points establish secure encrypted connections using the
IPSec protocol suite across a public IP-based network. End-points can be a
client and a server, or gateway devices residing on the edge of the public
network. IPSec's ESP protocol encrypts and integrity-protects each packet (AH
provides integrity protection only), so packets intercepted along the way can
neither be read nor altered undetected without the session keys.
Many service providers
such as AT&T and Worldcom offer IPSec-based VPN services in which
they assume responsibility for managing the IPSec gateways and they also
provide a level of guaranteed performance
assuming all end-points are directly connected to their network.
The major advantage of IPSec is its flexibility. Because IPSec does not rely
on the underlying network in any way, except to provide IP connectivity, IPSec
VPNs can be established between any two points on a public IP network such as
the Internet. IPSec VPNs can traverse geographical or service provider
boundaries and are a popular choice for serving remote locations in markets
with limited services such as Africa and parts of Asia.
The drawback of IPSec is that IPSec tunnels across the public Internet offer
no service level guarantees and therefore may not be suitable for
latency-sensitive traffic such as voice and video. Even in environments where
traffic stays on a single service provider network, prioritizing specific
streams is difficult: the backbone sees only the outer header of each tunnel
packet, so unless the gateway copies the inner packet's ToS/DiffServ marking
into the outer header (which the IPSec specification permits but not all
implementations do), all tunnelled traffic is treated equally. Nor is there a
way for the provider to monitor application performance across its backbone,
since the application traffic is encrypted.
IPSec VPNs may also be difficult to manage. Using encryption requires
management of keying material: pre-shared keys, or public keys and
certificates in larger deployments. IPSec also authenticates the end-points
themselves, so it is difficult to deploy where Network Address Translation
(NAT) is in use: NAT rewrites the very addresses (and, for port-based NAT,
transport ports) that IPSec either integrity-protects or needs in order to
identify a flow, and AH and ESP carry no transport port for a NAT device to
translate. In addition, the encryption process adds overhead and delay to
packet transmission.
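The NAT problem above is easier to see in a small model than in prose. The following is an added example and not code from the original article; it is a simplified simulation, not a real IPSec implementation. It assumes constructed keys, a constructed header structure and constructed sample traffic (the gateway 203.0.113.10 and the two inner hosts 10.0.0.2 and 10.0.0.3 are made up). It shows three things: AH's integrity check fails once a NAT rewrites the source address, because AH covers the outer IP addresses; ESP's integrity check survives NAT, because ESP covers nothing in the outer header; and a port-based NAT still cannot tell two ESP hosts apart on returning traffic, which is what UDP encapsulation (later standardised as NAT-Traversal, RFC 3948) fixes by giving the NAT a port to map.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, replace

# Constructed keys for one security association (SA); a real SA negotiates
# these through IKE and uses separate keys per direction.
AH_KEY = b"constructed-ah-integrity-key"
ESP_KEY = b"constructed-esp-integrity-key"

IPPROTO_ESP, IPPROTO_AH, IPPROTO_UDP = 50, 51, 17


@dataclass(frozen=True)
class IPHeader:
    src: str
    dst: str
    ttl: int
    proto: int
    sport: int = 0      # transport-layer source port; ESP and AH have none


def _ah_covered_header(h: IPHeader) -> bytes:
    # AH (RFC 2402) authenticates the outer IP header with mutable fields
    # (TTL, ToS, flags, fragment offset, checksum) zeroed. The source and
    # destination addresses are immutable and are therefore covered.
    return (ipaddress.ip_address(h.src).packed
            + ipaddress.ip_address(h.dst).packed
            + bytes([0, h.proto]))        # TTL zeroed, protocol kept


def ah_icv(h: IPHeader, payload: bytes) -> bytes:
    return hmac.new(AH_KEY, _ah_covered_header(h) + payload, hashlib.sha256).digest()[:12]


def esp_icv(payload: bytes) -> bytes:
    # ESP (RFC 2406) authenticates the ESP header, the encrypted payload and
    # the ESP trailer; nothing in the outer IP header is covered.
    return hmac.new(ESP_KEY, payload, hashlib.sha256).digest()[:12]


def source_nat(h: IPHeader, public_ip: str) -> IPHeader:
    # A source-NAT box replaces the private source address with its public
    # one and, being a router, decrements TTL.
    return replace(h, src=public_ip, ttl=h.ttl - 1)


def ah_accepted_after_nat(h: IPHeader, payload: bytes, public_ip: str) -> bool:
    sent_icv = ah_icv(h, payload)              # computed by the sender
    arrived = source_nat(h, public_ip)         # header as the receiver sees it
    return hmac.compare_digest(sent_icv, ah_icv(arrived, payload))


def esp_accepted_after_nat(h: IPHeader, payload: bytes, public_ip: str) -> bool:
    sent_icv = esp_icv(payload)
    source_nat(h, public_ip)                   # rewrites the outer header only
    return hmac.compare_digest(sent_icv, esp_icv(payload))


def nat_return_collisions(flows) -> int:
    """Count flows a port-based NAT cannot distinguish from an earlier flow of
    another inner host when the reply comes back from the gateway."""
    owner, collisions, next_public_port = {}, 0, 40000
    for h in flows:
        if h.sport:                             # UDP/TCP: allocate a unique public port
            key = (h.proto, next_public_port)
            next_public_port += 1
        else:                                   # ESP/AH: no port to allocate; all hosts share one key
            key = (h.proto, 0)
        if key in owner and owner[key] != h.src:
            collisions += 1
        owner.setdefault(key, h.src)
    return collisions


# Constructed sample traffic: two hosts behind one NAT talking to one gateway.
GATEWAY = "203.0.113.10"
HOST_A = IPHeader("10.0.0.2", GATEWAY, ttl=64, proto=IPPROTO_AH)
RAW_ESP = [IPHeader("10.0.0.2", GATEWAY, 64, IPPROTO_ESP),
           IPHeader("10.0.0.3", GATEWAY, 64, IPPROTO_ESP)]
# UDP-encapsulated ESP (NAT-T, RFC 3948) gives the NAT a port to rewrite.
NAT_T_ESP = [IPHeader("10.0.0.2", GATEWAY, 64, IPPROTO_UDP, sport=4500),
             IPHeader("10.0.0.3", GATEWAY, 64, IPPROTO_UDP, sport=4500)]

if __name__ == "__main__":
    payload = b"constructed inner packet"
    print("AH verifies after NAT: ", ah_accepted_after_nat(HOST_A, payload, "198.51.100.1"))
    print("ESP verifies after NAT:", esp_accepted_after_nat(HOST_A, payload, "198.51.100.1"))
    print("raw ESP return collisions:", nat_return_collisions(RAW_ESP))
    print("NAT-T ESP return collisions:", nat_return_collisions(NAT_T_ESP))
```

The HMAC-SHA256 truncated to 96 bits stands in for the HMAC-MD5-96 and HMAC-SHA1-96 transforms of the era; the structure of what each ICV covers is the point, not the algorithm. Note that the TTL decrement alone never breaks AH, since AH zeroes TTL before hashing; only the address rewrite does.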
MPLS-based VPNs:
Typically sold under the label of a "Private IP" service, MPLS-based VPNs are
currently available from a number of new and old service providers. In an
MPLS-VPN, the service provider isolates your traffic across its network by
pushing labels onto your packets as they arrive at its edge routers. Label
switched paths (LSPs) are then established which ensure that your traffic is
only forwarded to your devices. The traffic is not encrypted; the isolation
rests on the provider's forwarding configuration, which is the same trust
model as current Frame Relay or ATM offerings, and it provides the same level
of security as those services. IPSec encryption can be used in conjunction
with an MPLS-VPN to further increase security where necessary, for instance
where the provider itself is not trusted with the contents of the traffic.
MPLS-VPNs can be implemented in a variety of ways. Some service providers
offer services which resemble Layer 2 services such as Frame Relay, while
others offer services that provide connectivity at Layer 3 (the BGP/MPLS VPN
model described in RFC 2547, in which each customer has its own routing table
on the provider's edge routers).
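To make the label mechanism concrete, here is an added example that is not from the original article: a toy model of a Layer 3 MPLS-VPN with one ingress PE router, one core P router and one egress PE router. The topology, the label values (100, 101, 30, 31) and the two customers "CustA" and "CustB" are constructed for the example, and both customers deliberately use the same private prefix 10.1.0.0/16 so that only the per-customer routing table (VRF) and the VPN label keep them apart. The model also shows two points made above: the core router forwards on the top label alone and never looks at the IP header, while the DiffServ marking still travels in the clear (copied into the label's EXP bits), which is why QoS is possible; and because isolation is a matter of the provider's configuration, a mis-mapped label on the egress router delivers one customer's packet into the other's network.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    dscp: int                                   # DiffServ code point from the IP header
    labels: list = field(default_factory=list)  # MPLS label stack, top of stack first
    exp: int = 0                                # 3-bit EXP field of the outer label


# Constructed topology: customer sites attach to PE1 (ingress) and PE2
# (egress) with one core router P1 between them. Both customers use
# 10.1.0.0/16, so only the VRF and the VPN label distinguish them.
VRF_ROUTES = {
    "CustA": {ipaddress.ip_network("10.1.0.0/16"): "PE2"},
    "CustB": {ipaddress.ip_network("10.1.0.0/16"): "PE2"},
}
VPN_LABEL = {"CustA": 100, "CustB": 101}          # inner label, allocated per VRF by PE2
TRANSPORT_LABEL = {"PE2": 30}                     # outer label PE1 pushes toward PE2
P1_LFIB = {30: 31}                                # P1 swaps 30 -> 31 on its way to PE2
PE2_VRF_BY_LABEL = {100: "CustA", 101: "CustB"}   # correct egress mapping
MISCONFIGURED_PE2 = {100: "CustB", 101: "CustA"}  # constructed operator error


def ingress_pe1(vrf: str, pkt: Packet) -> Packet:
    """PE1 looks the destination up in the customer's own VRF only, then pushes
    the VPN label and the transport label. Other VRFs are never consulted."""
    dst = ipaddress.ip_address(pkt.dst)
    for prefix, egress_pe in VRF_ROUTES[vrf].items():
        if dst in prefix:
            pkt.labels = [TRANSPORT_LABEL[egress_pe], VPN_LABEL[vrf]]
            pkt.exp = pkt.dscp >> 3       # traffic class stays visible to the core
            return pkt
    raise LookupError(f"{pkt.dst} is not reachable from VRF {vrf}")


def core_p1(pkt: Packet) -> Packet:
    """P1 swaps the top label only; the IP header and inner label are not read."""
    pkt.labels[0] = P1_LFIB[pkt.labels[0]]
    return pkt


def egress_pe2(pkt: Packet, vrf_by_label=PE2_VRF_BY_LABEL) -> tuple:
    """PE2 pops the transport label, then the VPN label, and delivers the IP
    packet into whichever VRF that VPN label is bound to."""
    pkt.labels.pop(0)
    vpn_label = pkt.labels.pop(0)
    return vrf_by_label[vpn_label], pkt


def forward(vrf: str, pkt: Packet, vrf_by_label=PE2_VRF_BY_LABEL) -> tuple:
    """Carry one packet from a customer site on PE1 to the delivering VRF on PE2."""
    return egress_pe2(core_p1(ingress_pe1(vrf, pkt)), vrf_by_label)


def is_reachable(vrf: str, dst: str) -> bool:
    """True if a destination is routable from the given customer's VRF."""
    try:
        ingress_pe1(vrf, Packet("10.1.0.1", dst, 0))
        return True
    except LookupError:
        return False


if __name__ == "__main__":
    a_vrf, a_pkt = forward("CustA", Packet("10.1.0.5", "10.1.2.2", dscp=46))
    b_vrf, b_pkt = forward("CustB", Packet("10.1.0.5", "10.1.2.2", dscp=0))
    print("CustA packet delivered into", a_vrf, "with EXP", a_pkt.exp)
    print("CustB packet (same addresses) delivered into", b_vrf)
    print("CustA can reach 192.168.5.5:", is_reachable("CustA", "192.168.5.5"))
    leaked_vrf, _ = forward("CustA", Packet("10.1.0.5", "10.1.2.2", 46), MISCONFIGURED_PE2)
    print("With mis-mapped egress labels, CustA traffic lands in", leaked_vrf)
```

Real deployments distribute the VPN labels with MP-BGP and use penultimate-hop popping, neither of which is modelled here; what the model preserves is the property the article relies on, that a packet can only ever leave the provider's network through the VRF whose label it carries, and that this guarantee is only as good as the provider's label configuration.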
MPLS-VPNs offer several advantages over IPSec services. Since MPLS-VPNs do
not encrypt traffic, the provider can apply IP QoS along the LSP (the
equivalent of a Frame Relay or ATM PVC) and can monitor traffic flows across
a path to determine application performance. MPLS-VPN services also allow
customers to easily build fully-meshed networks, since all the
inter-connections between sites are made inside the service provider's
network rather than as individual PVCs; this is a big advantage over today's
Frame Relay or ATM offerings. Finally, MPLS-VPNs represent an easier
migration for enterprises than IPSec offerings, since they add no complexity
to the end-points. All the complexity can be hidden in the service provider
network, just as is done today with Frame Relay or ATM.
However, there are several drawbacks to MPLS-based VPN services. Some
engineers are concerned that IP traffic is carried unencrypted across a
public IP network. The use of labels does provide traffic isolation, but it
provides no confidentiality or authentication: a misconfigured or compromised
provider router can expose or misdeliver traffic, and the customer has no way
to detect it, which is why IPSec over the MPLS-VPN is the right choice where
the provider itself is outside the trust boundary. MPLS-VPN services are also
still immature and are based on still-emerging standards. Vendors are still
coming up to speed, and operational and management systems are still
evolving. Those deploying MPLS-based VPN services today will be on the
bleeding edge of the technology curve.
Finally, MPLS-VPN services are currently available only within a single
service provider's network. All end-points must be able to connect directly
to the VPN service provider's network. This will limit the geographic
availability of MPLS-VPN services until standards and inter-carrier
agreements exist to support LSPs that cross service provider boundaries.
Now What?
For enterprises, VPN-based services may offer clear advantages over
traditional services such as Frame Relay and ATM. More scalable bandwidth,
potentially lower costs, and improved flexibility are just some of the
advantages offered by current VPN service offerings.
However, organizations considering VPN services must understand the strengths
and weaknesses of each approach. More importantly, they must understand the
business case for VPN deployment. In many cases, falling costs of traditional
services such as Frame Relay and ATM have made them cost-competitive with
VPNs, with far less complexity and overhead.
In
the carrier space the future is clear. Carriers are moving toward IP-VPN
services as a way to increase their service offerings, leverage their IP
networks, and remove their reliance on Frame Relay and ATM.
For most carriers, the future will be based on MPLS-VPNs, with
IPSec where necessary. For
enterprises, this means a solid understanding of VPN technologies is
essential before making any decisions.
..............................
Irwin Lazar is a Senior Consultant for The Burton
Group where he focuses on
strategic planning and network architecture for Fortune 500 enterprises
as well as large service providers. He is the conference director for
MPLScon and runs The MPLS Resource Center
and The
Information Technology Professional's Resource Center.
Please send any comments about this article to ilazar@tbg.com
============================================================
All Content Of This Site
Is Copyright 2000-2004 - ITPRC.COM