If you’re fed up with managing virtual private networks (VPNs), take heart: you are not alone. Automation and application templates are making VPNs easier to set up all the time, but they are still far from straightforward, tedious to configure, and far from cheap. A recent study by U.S.-based Forrester Research found that a growing number of companies want to buy their VPNs as a managed service.
The most common reasons cited in the research – surprise, surprise – were cost effectiveness and simplicity. By outsourcing, companies avoid managing digital certificates, configuring equipment and keeping up with frequent upgrades. Done right, a managed VPN can even save money.
The most popular form of site-to-site link that companies are looking to outsource, as a replacement for existing WAN links, is a connection over a multi-protocol label switching (MPLS) network, often called an MPLS VPN. MPLS has the advantage of ubiquity: pretty much every network service provider worth its salt now has, and is actively selling, an MPLS network, so MPLS service is available more or less globally.
MPLS networks are interesting because they are smarter than plain IP networks. When an IP packet from a source network enters an MPLS network, a label edge router (LER) classifies it into a forwarding class and pushes a label onto it, turning it into an MPLS packet. The labeled packet is then forwarded along a label switched path (LSP) through a series of label switching routers (LSRs). Each LSR looks up only the incoming label in its forwarding table, swaps it for the outgoing label that table specifies and passes the packet on; the IP header underneath is not consulted. At the edge of the MPLS network the label is popped (in practice often by the last LSR before the egress router), which turns the packet back into a plain IP packet that is forwarded onto the destination network in the normal way.
Why is that smart? Because the label itself is just a 20-bit value with local meaning, the ingress LER is free to choose it on whatever basis it likes: the application the data comes from, which user or organization the data “belongs to”, and the point at which it entered the network. A packet entering at one router can be assigned a different label from an identical packet entering at another router, so forwarding decisions can be made based on the ingress router. (This can’t be done with traditional IP forwarding, because the ingress router’s identity is not part of the packet and IP routing looks only at the packet.) The label stack entry also carries a 3-bit class-of-service field (the EXP bits), so data can be recognized and prioritized – to ensure quality of service (QoS) for voice and video, for example – based on what type of data it is and where it came from, simply by looking at the label. This is very useful on a converged network carrying many types of data.
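The push/swap/pop cycle described above, worked through in code. This is an added example, not from the article or from any vendor: it packs label stack entries in the on-the-wire layout (20-bit label, 3-bit EXP, bottom-of-stack bit, 8-bit TTL), then walks a constructed IPv4 header across a toy core. The router names, label values, DSCP-to-label mapping and topology are all made up for the illustration; the point is that the same voice packet entering at PE1 and at PE3 receives different labels and so takes different paths, and that each transit router decides purely on the incoming label.

```python
"""Toy MPLS forwarding plane: label stack entries as on the wire, push at the
ingress LER, swap at each LSR, pop at the egress LER.  Added example, not from
the article; router names, label values and the sample IPv4 header are
constructed for illustration."""
import struct


def encode_lse(label: int, tc: int, bos: bool, ttl: int) -> bytes:
    """Pack one 32-bit label stack entry: label(20) | EXP/TC(3) | S(1) | TTL(8)."""
    if not (0 <= label < 1 << 20 and 0 <= tc < 8 and 0 <= ttl < 256):
        raise ValueError("label stack field out of range")
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bos) << 8) | ttl)


def decode_lse(packet: bytes) -> tuple:
    """Unpack the top label stack entry as (label, tc, bottom_of_stack, ttl)."""
    if len(packet) < 4:
        raise ValueError("truncated label stack entry")
    (word,) = struct.unpack("!I", packet[:4])
    return word >> 12, (word >> 9) & 0x7, bool((word >> 8) & 1), word & 0xFF


def push(ip_packet: bytes, label: int, tc: int) -> bytes:
    """Ingress LER: prepend a single label; the IPv4 TTL (byte 8) seeds the MPLS TTL."""
    return encode_lse(label, tc, True, ip_packet[8]) + ip_packet


def swap(packet: bytes, new_label: int) -> bytes:
    """Transit LSR: replace the top label and decrement the TTL; EXP and S are kept."""
    _, tc, bos, ttl = decode_lse(packet)
    if ttl <= 1:
        raise ValueError("MPLS TTL expired")
    return encode_lse(new_label, tc, bos, ttl - 1) + packet[4:]


def pop(packet: bytes) -> bytes:
    """Egress LER: remove the last label and hand back the IPv4 packet.
    (A real router also copies the MPLS TTL into the IP header and fixes the
    IP checksum; omitted here for brevity.)"""
    _, _, bos, _ = decode_lse(packet)
    if not bos:
        raise ValueError("more labels below; not at bottom of stack")
    return packet[4:]


def ipv4(dscp: int, ttl: int = 64) -> bytes:
    """Constructed 20-byte IPv4 header carrying the given DSCP (no payload)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20, 0, 0, ttl, 17, 0,
                       bytes([10, 1, 1, 1]), bytes([10, 2, 2, 2]))


# Constructed topology: ingress LERs PE1 and PE3, transit LSRs P1, P2 and P4,
# egress LER PE2.  INGRESS maps (ingress router, DSCP) to a forwarding class, so
# identical voice packets entering at PE1 and PE3 get different labels and are
# steered along different paths.  LFIB tables are per router because labels
# are only locally significant.
INGRESS = {  # (LER, DSCP) -> (label, EXP, next hop)
    ("PE1", 46): (1001, 5, "P1"),  # EF voice entering at PE1
    ("PE1", 0):  (1002, 0, "P1"),  # best effort entering at PE1
    ("PE3", 46): (2001, 5, "P1"),  # EF voice entering at PE3
}
LFIB = {  # LSR -> {incoming label: (outgoing label, next hop)}
    "P1": {1001: (3001, "P2"), 1002: (3002, "P2"), 2001: (3003, "P4")},
    "P2": {3001: (4001, "PE2"), 3002: (4002, "PE2")},
    "P4": {3003: (4003, "PE2")},
}
EGRESS = {"PE2"}


def forward(ingress: str, ip_packet: bytes):
    """Carry a packet across the toy core; return (hop/label trace, delivered packet)."""
    dscp = ip_packet[1] >> 2
    label, tc, node = INGRESS[(ingress, dscp)]
    packet = push(ip_packet, label, tc)
    trace = [(ingress, label)]
    while node not in EGRESS:
        in_label = decode_lse(packet)[0]
        out_label, nxt = LFIB[node][in_label]   # decision uses the label only
        packet = swap(packet, out_label)
        trace.append((node, out_label))
        node = nxt
    trace.append((node, decode_lse(packet)[3]))  # egress sees the decremented TTL
    return trace, pop(packet)


if __name__ == "__main__":
    voice = ipv4(46)
    for ler in ("PE1", "PE3"):
        print(ler, forward(ler, voice)[0])
```

Running the block prints the hop-by-hop trace for the same voice packet injected at PE1 and at PE3; note that P1 forwards the two copies to different next hops without ever looking at the IP header.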
What’s more, when a service provider offers both an MPLS network and managed ADSL links for small branch offices (or even home workers), the two can be combined into what is effectively a QoS-enabled ADSL link.
This isn’t just theory; it works in practice: Forrester’s research found that most MPLS service providers’ SLAs are now mature enough to guarantee the latency and jitter figures needed to build enterprise-wide converged voice, video and data networks. “The Internet is not predictable, but MPLS networks are often run on service providers’ own backbones, so they really can guarantee jitter and latency levels – all the things you need to run video or important transactions,” says Robert Whiteley, an analyst at Forrester.
The Security Question
In terms of security, most companies are used to thinking in terms of IPsec or SSL based IP VPNs. A WAN link over an MPLS network is a slightly different kettle of fish. MPLS labeling lets the operator keep one customer’s traffic separate from everyone else’s: each customer’s routes live in their own virtual routing and forwarding table (VRF) on the provider edge router, and the label on the packet selects which table is consulted at the far end, so different customers can use overlapping private IP address ranges without resorting to NAT. It is this traffic isolation, much like the way PVCs (permanent virtual circuits) are kept apart on a public Frame Relay or ATM network, that gives rise to the term MPLS VPN: each customer has, in effect, a private IP network.
But, just as Frame Relay and ATM services have no built-in encryption, neither does an MPLS VPN. Intercepting MPLS traffic requires access to the service provider’s network, so the security of the link comes down to how well the provider secures that network. The isolation is a matter of router configuration, not cryptography: a customer circuit bound to the wrong VRF on a provider edge router, or anyone with access to the carrier’s core, sees customer traffic in the clear. “MPLS looks like a Layer 2 service like Frame Relay or ATM and has the same level of privacy because your traffic is separate from everyone else’s,” says Whiteley. “You could add encryption, but even (US) government agencies don’t do that. Basically the government has said that encryption is not necessary over MPLS, and more than 90 per cent of MPLS managed service users don’t encrypt their data.”
Essentially, then, anyone who was happy with unencrypted ATM or Frame Relay is not taking a significantly higher risk with unencrypted MPLS, although organizations would be well advised to obtain assurances that their prospective carrier has isolated its MPLS backbone from any public Internet-peered portion of its network, Forrester points out. Nothing about MPLS precludes encryption: as with any IP traffic, data can be protected with SSL at the application layer or IPsec at the IP layer before the packets are labeled and enter the MPLS network. The costs are the usual ones for encryption: some processing overhead and, for IPsec tunnels, the need to copy the DSCP marking into the outer header so that the provider can still classify the traffic for QoS once the original headers are hidden.
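To make the isolation argument of the preceding paragraphs concrete, here is a toy provider-edge router in code. This is an added example, not from the article or from any router vendor: the interface names, customer names, prefixes and VPN label values are constructed. Two customers both number their sites out of 10.0.0.0/8; the circuit a packet arrives on selects a VRF, the route lookup happens only in that VRF, and a destination that exists only in the other customer’s table simply has no route. The `misbound_circuits` check at the end is the kind of configuration audit a practitioner would want, because the isolation holds only as long as every circuit is bound to the VRF the customer inventory says it should be.

```python
"""Toy provider-edge (PE) router showing how an MPLS VPN keeps customers apart:
the attachment circuit a packet arrives on selects a VRF, and each VRF has its
own routing table, so two customers can both use 10.0.0.0/8.  Added example,
not from the article; interface names, customer names, prefixes and VPN labels
are constructed for illustration."""
import ipaddress


class PERouter:
    def __init__(self):
        self.vrf_of_ac = {}   # attachment circuit (customer-facing interface) -> VRF
        self.routes = {}      # VRF name -> list of (network, next hop)

    def attach(self, ac: str, vrf: str) -> None:
        """Bind a customer-facing interface to a VRF; this binding is the isolation boundary."""
        self.vrf_of_ac[ac] = vrf
        self.routes.setdefault(vrf, [])

    def add_route(self, vrf: str, prefix: str, next_hop: str) -> None:
        """Install a route visible only inside one VRF.  next_hop names the remote
        PE and the VPN label that selects the matching VRF on that router."""
        self.routes.setdefault(vrf, []).append((ipaddress.ip_network(prefix), next_hop))

    def forward(self, ac: str, dst: str):
        """Longest-prefix match inside the ingress circuit's VRF only.
        Returns the next hop, or None when that VRF has no route (packet dropped)."""
        vrf = self.vrf_of_ac[ac]
        addr = ipaddress.ip_address(dst)
        best = None
        for net, nh in self.routes.get(vrf, []):
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return None if best is None else best[1]


def misbound_circuits(pe: PERouter, inventory: dict) -> list:
    """Audit check: compare live circuit->VRF bindings with the customer inventory.
    Each mismatch is (circuit, expected VRF, actual VRF); any entry means one
    customer's packets are being looked up in another customer's table."""
    return [(ac, want, pe.vrf_of_ac.get(ac))
            for ac, want in sorted(inventory.items())
            if pe.vrf_of_ac.get(ac) != want]


def build_example_pe() -> PERouter:
    """Constructed config: customers CUST-A and CUST-B, both using 10.20.0.0/16."""
    pe = PERouter()
    pe.attach("Gi0/1", "CUST-A")
    pe.attach("Gi0/2", "CUST-B")
    pe.add_route("CUST-A", "10.20.0.0/16", "PE2 vpn-label 5001")
    pe.add_route("CUST-B", "10.20.0.0/16", "PE3 vpn-label 6001")
    pe.add_route("CUST-B", "172.16.0.0/12", "PE3 vpn-label 6002")
    return pe


INVENTORY = {"Gi0/1": "CUST-A", "Gi0/2": "CUST-B"}   # what the circuits should be


if __name__ == "__main__":
    pe = build_example_pe()
    print("CUST-A -> 10.20.0.5 :", pe.forward("Gi0/1", "10.20.0.5"))
    print("CUST-B -> 10.20.0.5 :", pe.forward("Gi0/2", "10.20.0.5"))
    print("CUST-A -> 172.16.5.1:", pe.forward("Gi0/1", "172.16.5.1"))
    pe.attach("Gi0/2", "CUST-A")   # one mistyped binding on the PE...
    print("after misbinding    :", pe.forward("Gi0/2", "10.20.0.5"))
    print("audit               :", misbound_circuits(pe, INVENTORY))
```

The same destination address is delivered to two different remote sites depending purely on which circuit it came in on, and CUST-A gets no route at all to a prefix that exists only in CUST-B’s table. After the deliberate misbinding at the end, CUST-B’s packets are routed with CUST-A’s table, which is exactly the class of provider-side error the audit function is there to catch.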
If anything is holding MPLS VPNs back, it is the lack of a standard network-to-network interface (NNI) for scaling services across multiple carriers. Forrester’s Whiteley predicts that 2005 will be the year in which momentum builds for service provider and vendor consortiums to define one. If and when that happens, the last major barrier to a true Frame Relay replacement will have been removed, and large-scale MPLS VPNs will become a whole lot more common. Watch this space.