Experts call MPLS bad for 'Net

VPNs based on Multi-protocol Label Switching said to be risky. Backbone management challenges also cited.



Two prominent Internet researchers from AT&T Labs are among a growing number of experts raising red flags about Multi-protocol Label Switching, a next-generation traffic engineering technology backed by network industry leaders such as Cisco, Juniper Networks and AT&T itself.

The researchers - security guru Steve Bellovin and network operations expert Randy Bush - say MPLS creates serious network management challenges for Internet backbone providers. Even more dire are their warnings about potential security and privacy problems for companies that deploy MPLS-based VPNs.

MPLS VPNs are a "great way to sell routers, but they greatly complicate the core of the Internet," Bush says.

"Most security holes are caused by human error. With MPLS VPNs, there's a potential for a network administrator doing the provisioning wrong and losing the privacy of the communication," Bellovin says, pointing out that MPLS VPNs do not automatically encrypt data.

Bush and Bellovin hold leadership positions in the Internet Engineering Task Force (IETF), a standards-setting body that developed MPLS. In fact, MPLS is on the agenda at an IETF meeting being held this week in London.

The IETF is split between critics and fans of MPLS. The strongest advocates include Cisco and Juniper Networks, which argue that MPLS-based VPNs offer adequate security and are less expensive to deploy than alternatives favored by Bush and Bellovin.

MPLS is a protocol that lets carriers merge various types of data traffic, including frame relay and ATM, over one backbone running IP. MPLS supplements the Internet's best-effort approach to delivering communications with differentiated classes of service.

Finalized by the IETF in 1999, MPLS is being deployed by several service providers, including AT&T, which uses the protocol to support an IP-enabled frame relay service. The controversial MPLS VPNs are in use by companies such as IBM Canada and Canadian Life Assurance that want to outsource the management of their VPNs.

Critics Bush and Bellovin claim MPLS is unnecessary because carriers can run frame relay or ATM traffic directly over an Internet backbone.

"If I have a pure IP core, I don't need MPLS," Bush says.

While these IETF leaders don't like MPLS, they aim their strongest criticism at MPLS VPNs. In particular, they denounce a technique for creating MPLS VPNs that was outlined in an IETF informational document - called RFC 2547 - published in 1999 by two Cisco engineers.

"MPLS is a social disease, but it won't kill us," Bush says. "RFC 2547 VPNs are deadly. They will not scale to what the Internet needs five years from now. They will break your network."

RFC 2547 outlines a technique for using the Border Gateway Protocol (BGP), which runs on the Internet's backbone routers, to propagate information about MPLS VPNs. With this approach, ISPs must manage a special BGP routing table for each MPLS VPN and store parts of that routing table at every location where the VPN is accessed.

Today, most ISPs manage one BGP routing table, which is already a difficult task and becoming more unwieldy as the number of entries in the master table grows.

"For network operators the issue is: I'm having trouble managing one routing table, and you want me to run thousands of them?" Bush says.

To help address this scaling problem, Juniper has developed an alternative to RFC 2547 that pushes management of the special VPN routing tables out to customers. This type of MPLS VPN is supported by Juniper in a product called MPLS Circuit Cross Connect, and Juniper has pitched the idea to the IETF as a potential standard.

Cisco has a similar offering that it also proposed to the IETF.

The new Cisco and Juniper approaches let MPLS VPNs be established at Layer 2 of the seven-layer Open Systems Interconnection (OSI) model, instead of Layer 3 as outlined in RFC 2547. These VPNs are designed to send legacy traffic such as frame relay and ATM over MPLS.

Bush acknowledges the Layer 2 MPLS VPNs have fewer scalability problems than the original Layer 3 ones.

But Bellovin outlines several security risks with both types. Because the information is not automatically encrypted, information sent to the wrong person can be read by that person. MPLS VPNs also are susceptible to leaked traffic if a connection is disrupted, he says.

"MPLS VPNs have very bad failure modes," Bellovin says. "The end points are set up by the service provider so the corporate customer doesn't have control."
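To make the provisioning risk Bellovin describes and the per-VPN routing tables of RFC 2547 concrete, here is an added Python model (not from the article, the IETF or any vendor's code) in which each customer gets a routing table on every provider-edge router and routes are admitted by matching route targets; the customer names, PE names, prefixes and route-target values are constructed. It shows one mistyped import target on a single PE pulling another customer's routes into a VPN, an audit a provider could run to catch that leak, and the table count behind the operators' scaling complaint.

```python
from dataclasses import dataclass, field

# Constructed, simplified model of RFC 2547-style provisioning: every customer
# VPN gets its own routing table (VRF) on each provider-edge (PE) router where
# it has a site. A site's routes carry an export route target; a VRF accepts
# any route whose export target is in its import set. All values are made up.

@dataclass
class Vrf:
    pe: str
    customer: str
    export_rt: str
    import_rts: set
    local_routes: set                 # prefixes announced from this site
    table: dict = field(default_factory=dict)   # prefix -> owning customer

def distribute(vrfs):
    """Emulate BGP carrying VPN routes between PEs: a VRF always holds its own
    site's routes and additionally receives every route whose export target
    matches one of its import targets."""
    for v in vrfs:
        v.table = {p: v.customer for p in v.local_routes}
    for src in vrfs:
        for prefix in src.local_routes:
            for dst in vrfs:
                if src.export_rt in dst.import_rts:
                    dst.table[prefix] = src.customer
    return vrfs

def audit_leaks(vrfs):
    """Provider-side check: a VRF holding a route that belongs to a different
    customer is a provisioning error that would expose unencrypted traffic."""
    leaks = []
    for v in vrfs:
        for prefix, owner in v.table.items():
            if owner != v.customer:
                leaks.append((v.pe, v.customer, prefix, owner))
    return sorted(leaks)

def total_vpn_routes(vrfs):
    """Sum of per-VPN table entries across all PEs: the state operators must
    carry on top of the single global BGP table."""
    return sum(len(v.table) for v in vrfs)

def build(acme_import_on_pe2):
    """Two customers, two PEs; the second argument is acme's import target on
    PE2, where a typo (e.g. globex's target) causes the leak."""
    return distribute([
        Vrf("PE1", "acme", "65000:100", {"65000:100"}, {"10.1.0.0/16"}),
        Vrf("PE2", "acme", "65000:100", {acme_import_on_pe2}, {"10.2.0.0/16"}),
        Vrf("PE1", "globex", "65000:200", {"65000:200"}, {"172.16.0.0/16"}),
        Vrf("PE2", "globex", "65000:200", {"65000:200"}, {"172.17.0.0/16"}),
    ])
```

Calling `build("65000:100")` yields a clean audit, while `build("65000:200")` shows acme's PE2 table populated with globex's prefixes, which is exactly the misprovisioning that MPLS VPNs, lacking encryption, cannot contain.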

Bellovin prefers VPNs using IP Security (IPSec), an IETF-developed tunneling technology with built-in encryption. With IPSec, if a communication is sent to the wrong person, that person can't read it. And IPSec causes less stress on the Internet's backbone routers because customers handle provisioning.

Bush and Bellovin are not alone in expressing concern about the security and scalability of MPLS VPNs.

"RFC 2547 is a nightmare of unprecedented proportion," says Vijay Gill, a senior network architect at Metromedia Fiber Networks. Like Bush, Gill prefers Layer 2 MPLS VPNs because "they're much simpler and we won't have to deal with customer routing tables."

Thomas Nolle, president of CIMI, predicts that MPLS VPNs running over the Internet will fail to gain widespread use. However, he says MPLS VPNs running on separate dedicated IP networks - such as AT&T's offering - can be made more secure and might succeed.

"Any large organization that is looking at MPLS VPNs as a substitute for frame relay or for encrypted tunnels should assume right now that the state of the technology will not support them," Nolle says.

MPLS VPNs also have their fans.

Cisco Fellow Bruce Davie says MPLS VPNs based on RFC 2547 are more scalable and just as secure as VPNs using frame relay or ATM. He also says RFC 2547 VPNs involve less configuration than IPSec VPNs, and that what configuration they do require falls on ISPs rather than customers.

"MPLS-based VPNs are significantly less expensive to deploy than IPSec VPNs," he says.

As far as security is concerned, Davie says "millions of people are quite happy with the level of security in frame relay, and MPLS provides comparable security."

A company that is concerned about security can encrypt its data before sending it over an MPLS VPN, Davie adds.

However, Davie confirms Cisco is developing an encapsulation technology called Universal Transport Interface that will let network managers send frame relay or ATM packets directly over IP without MPLS.

At its heart, this debate over MPLS VPNs is philosophical.

Internet engineers such as Bush and Bellovin favor keeping the Internet's backbone simple and dumb, while putting the complexity and intelligence at the edges of the network and at customer sites. MPLS flies in the face of that approach.

Telephone service providers, on the other hand, are used to a more centralized approach to provisioning services and a smarter backbone. They like MPLS because it is closer to traditional data communications technologies such as frame relay and ATM.

"I really think it comes down to a matter of philosophy," Davie says. "The people who worked on MPLS for a long time tried to solve practical problems. Other people say MPLS is a big deviation from pure Internet architecture, [and] it should be stopped at all costs."

Contact Senior Editor Carolyn Duffy Marsan