ITPRC NEWS - November 2001
IPSec vs. MPLS-based
By Irwin Lazar
In recent weeks many
carriers have introduced new VPN services based on MPLS.
There exists a large amount of confusion over the benefits and
drawbacks to each VPN type. In
this article we explore the features of both VPN technologies and
provide some advice as to the usefulness of each.
VPN of course stands for “Virtual Private Network” but if you ask
ten people for a more descriptive definition you are likely to get ten
different responses. In a
nutshell, a VPN allows you to tunnel traffic through a “public”
shared network. VPNs
typically allow you to protect your traffic so it is kept isolated from
other traffic on the network.
In an IPSec VPN, end-points establish secure encrypted connections using
the IPSec protocol across a public IP-based network.
End points can be a client and server, or gateway devices
residing on the edge of the public network. By using encryption, any
packets intercepted along the way are difficult to read.
Many service providers
such as AT&T and Worldcom offer IPSec-based VPN services in which
they assume responsibility for managing the IPSec gateways and they also
provide a level of guaranteed performance
assuming all end-points are directly connected to their network.
The major advantage to
IPSec is its flexibility. Because
IPSec doesn’t rely on the underlying network in any way, except to
provide IP connectivity, IPSec VPNs can be established between any two
points on a public IP network such as the Internet.
IPSec VPNs can transverse geographical or service provider
boundaries and are a popular choice for serving remote locations in
markets with limited services such as Africa and parts of Asia.
The drawback to IPSec
is that IPSec tunnels across the public Internet offer no service level
guarantees and therefore may not be suitable for latency sensitive
traffic such as voice and video. Even
in environments where traffic stays on a single service provider
network, there is no way to prioritize specific streams of traffic over
others, as all traffic is treated equally in the backbone.
There is also no way to monitor application performance across
the service provider backbone since all traffic encrypted.
IPSec VPNs may also be
difficult to manage. Using
encryption requires management of public keys and certificates.
Since IPSec relies on the uniqueness of the end-station devices,
IPSec is difficult to deploy in environments where Network Address
Translation (NAT) is used, since NAT is designed to hide the attributes
of the end-points. In
addition, the encryption process adds overhead and delay into packet
Typically sold under the label of a “Private IP” service, MPLS-based
VPNs are currently available from a number of new and old service
providers. In an MPLS-VPN,
a service provider isolates your traffic across its network by appending
labels to the packets as they arrive.
Label switch paths (LSP) are then established which insure that
your traffic is only forwarded to your devices, providing the same level
of security as current Frame Relay or ATM offerings.
IPSec encryption can even be used in conjunction with MPLS-VPNs
to further increase security where necessary.
MPLS-VPNs can be
implemented in a variety of ways. Some service providers offer services
which resemble Layer 2 services such as Frame Relay, while others offer
services that provide connectivity at Layer 3.
MPLS-VPNs offer several
advantages over IPSec services. Since
MPLS-VPNs do not encrypt traffic, it is possible to provide IP QoS
across the PVC (or LSP) while it is also possible to monitor traffic
flows across a path to determine application performance.
MPLS-VPN services also allow customers to easily build
fully-meshed networks since all the inter-connections of PVCs occur in
the service providers network, this is a big advantage to today’s
current Frame Relay or ATM offerings.
Finally, MPLS-VPNs represent an easier migration for enterprises
than IPSec offerings since they do not add additional complexity to the
end-points. All the
complexity can be hidden in the service provider network, just as is
done today with Frame Relay or ATM.
However there are
several drawbacks to MPLS-based VPN services.
Some engineers are concerned that IP traffic is carried
unencrypted across a public IP network, however the use of labels does
provide traffic isolation. MPLS-VPN
services are still immature and they are based on still emerging
standards. Vendors are
still coming up to speed and operational and management systems are
still evolving. Those
deploying MPLS-based VPN services today will be on the bleeding edge of
the technology curve.
services are currently available across a single-service provider
network. All end-points
must be able to directly connect to the VPN service provider’s
network. This will limit
the geographic availability of MPLS-VPN services until such time as
standards and agreements are available to support cross-service provider
For enterprises, VPN-based services may offer clear advantages to
traditional services such as Frame Relay and ATM.
More scalable bandwidth, potentially lower costs, and improved
flexibility are just some of the advantages offered by current VPN
considering VPN services must understand the strengths and weaknesses of
each approach. More importantly, they must understand the business case
for VPN deployment. In many
cases, falling costs of traditional services such as Frame Relay and ATM
have made them cost competitive with VPNs, with far less complexity and
the carrier space the future is clear. Carriers are moving toward IP-VPN
services as a way to increase their service offerings, leverage their IP
networks, and remove their reliance on Frame Relay and ATM.
For most carriers, the future will be based on MPLS-VPNs, with
IPSec where necessary. For
enterprises, this means a solid understanding of VPN technologies is
essential before making any decisions.
Irwin Lazar is a Senior Consultant for The Burton
Group where he focuses on
strategic planning and network architecture for Fortune 500 enterprises
as well as large service providers. He is the conference director for
MPLScon and runs The MPLS Resource Center
Information Technology Professional's Resource Center.
Please send any comments about this article to email@example.com
All Content Of This Site
Is Copyright 2000-2004 - ITPRC.COM