This Week in NW
Experts call MPLS bad for 'Net
VPNs based on Multi-protocol Label Switching said to be risky. Backbone mgmt. challenges also cited.
Two prominent Internet researchers from AT&T Labs are among a growing number of experts raising red flags about Multi-protocol Label Switching, a next-generation traffic engineering technology backed by network industry leaders such as Cisco, Juniper Networks and AT&T itself.
The researchers - security guru Steve Bellovin and network operations expert Randy Bush - say MPLS creates serious network management challenges for Internet backbone providers. Even more dire are their warnings about potential security and privacy problems for companies that deploy MPLS-based VPNs.
MPLS VPNs are a "great way to sell routers, but they greatly complicate the core of the Internet," Bush says.
"Most security holes are caused by human error. With MPLS VPNs, there's a potential for a network administrator doing the provisioning wrong and losing the privacy of the communication," Bellovin says, pointing out that MPLS VPNs do not automatically encrypt data.
Bush and Bellovin hold leadership positions in the Internet Engineering Task Force (IETF), a standards-setting body that developed MPLS. In fact, MPLS is on the agenda at an IETF meeting being held this week in London.
The IETF is split between critics and fans of MPLS. The strongest advocates include Cisco and Juniper Networks, which argue that MPLS-based VPNs offer adequate security and are less expensive to deploy than alternatives favored by Bush and Bellovin.
MPLS is a protocol that lets carriers merge various types of data traffic, including frame relay and ATM, over one backbone running IP. MPLS supplements the Internet's best-effort approach to delivering communications with differentiated classes of service.
Finalized by the IETF in 1999, MPLS is being deployed by several service providers, including AT&T, which uses the protocol to support an IP-enabled frame relay service. The controversial MPLS VPNs are in use by companies such as IBM Canada and Canadian Life Assurance that want to outsource the management of their VPNs.
Critics Bush and Bellovin claim MPLS is unnecessary because carriers can run frame relay or ATM traffic directly over an Internet backbone.
"If I have a pure IP core, I don't need MPLS," Bush says.
While these IETF leaders don't like MPLS, they aim their strongest criticism at MPLS VPNs. In particular, they denounce a technique for creating MPLS VPNs that was outlined in an IETF informational document - called RFC 2547 - published in 1999 by two Cisco engineers.
"MPLS is a social disease, but it won't kill us," Bush says. "RFC 2547 VPNs are deadly. They will not scale to what the Internet needs five years from now. They will break your network."
RFC 2547 outlines a technique for using the Border Gateway Protocol (BGP), which runs on the Internet's backbone routers, to propagate information about MPLS VPNs. With this approach, ISPs must manage a special BGP routing table for each MPLS VPN and store parts of that routing table at every location where the VPN is accessed.
Today, most ISPs manage one BGP routing table, which is already a difficult task and becoming more unwieldy as the number of entries in the master table grows.
"For network operators the issue is: I'm having trouble managing one routing table, and you want me to run thousands of them?" Bush says.
To help address this scaling problem, Juniper has developed an alternative to RFC 2547 that pushes management of the special VPN routing tables out to customers. This type of MPLS VPN is supported by Juniper in a product called MPLS Circuit Cross Connect, and Juniper has pitched the idea to the IETF as a potential standard.
Cisco has a similar offering that it also proposed to the IETF.
The new Cisco and Juniper approaches let MPLS VPNs be established at Layer 2 of the Open Systems Interconnection's seven-layer structure, instead of Layer 3 as outlined in RFC 2547. These VPNs are designed to send legacy traffic such as frame relay and ATM over MPLS.
Bush acknowledges the Layer 2 MPLS VPNs have fewer scalability problems than the original Layer 3 ones.
But Bellovin outlines several security risks with both types. Because the information is not automatically encrypted, information sent to the wrong person can be read by that person. MPLS VPNs also are susceptible to leaked traffic if a connection is disrupted, he says.
"MPLS VPNs have very bad failure modes," Bellovin says. "The end points are set up by the service provider so the corporate customer doesn't have control."
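To make the provisioning risk described above concrete, here is a small added Python model (not from the article or from any vendor) of how an RFC 2547 VPN distributes routes: each VPN site gets its own per-VPN routing table whose contents are selected by BGP route-target tags, so one mistyped import tag hands a customer's routes to a different customer's table. The router names, route-target values and prefixes are constructed sample data, and `audit` is a hypothetical consistency check a provider could run over its own provisioning records.

```python
"""Added model of RFC 2547 (BGP/MPLS) VPN route distribution; constructed data."""
from collections import defaultdict

# Constructed provisioning data:
# VRF name -> (customer, export route-targets, import route-targets, local prefixes)
VRFS = {
    "pe1:cust-a": ("A", {"65000:100"}, {"65000:100"}, ["10.1.0.0/16"]),
    "pe2:cust-a": ("A", {"65000:100"}, {"65000:100"}, ["10.2.0.0/16"]),
    "pe1:cust-b": ("B", {"65000:200"}, {"65000:200"}, ["10.3.0.0/16"]),
    # Human error during provisioning: this site also imports customer A's tag.
    "pe3:cust-b": ("B", {"65000:200"}, {"65000:200", "65000:100"}, ["10.4.0.0/16"]),
}


def distribute(vrfs):
    """Return the per-VPN routing table each VRF holds after BGP import."""
    exported = defaultdict(list)  # route-target -> [(prefix, owning customer)]
    for _name, (cust, exp, _imp, prefixes) in vrfs.items():
        for rt in exp:
            exported[rt].extend((p, cust) for p in prefixes)
    tables = {}
    for name, (_cust, _exp, imp, prefixes) in vrfs.items():
        routes = set(prefixes)  # a site always knows its own prefixes
        for rt in imp:
            routes.update(p for p, _owner in exported[rt])
        tables[name] = routes
    return tables


def audit(vrfs):
    """Flag VRFs whose table contains prefixes owned by another customer.

    This is the leak Bellovin warns about: nothing is encrypted, so traffic
    following a leaked route is readable by the wrong customer.
    """
    tables = distribute(vrfs)
    owner = {p: cust for _n, (cust, _e, _i, ps) in vrfs.items() for p in ps}
    findings = []
    for name, (cust, _exp, _imp, _ps) in vrfs.items():
        leaked = sorted(p for p in tables[name] if owner[p] != cust)
        if leaked:
            findings.append((name, leaked))
    return findings


if __name__ == "__main__":
    # One table per VRF is the per-VPN state the operators object to scaling.
    print(len(distribute(VRFS)), "per-VPN tables;", "leaks:", audit(VRFS))
```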
Bellovin prefers VPNs using IP Security (IPSec), an IETF-developed tunneling technology with built-in encryption. With IPSec, if a communication is sent to the wrong person, that person can't read it. And IPSec causes less stress on the Internet's backbone routers because customers handle provisioning.
Bush and Bellovin are not alone in expressing concern about the security and scalability of MPLS VPNs.
"RFC 2547 is a nightmare of unprecedented proportion," says Vijay Gill, a senior network architect at Metromedia Fiber Networks. Like Bush, Gill prefers Layer 2 MPLS VPNs because "they're much simpler and we won't have to deal with customer routing tables."
Thomas Nolle, president of CIMI, predicts that MPLS VPNs running over the Internet will fail to gain widespread use. However, he says MPLS VPNs running on separate dedicated IP networks - such as AT&T's offering - can be made more secure and might succeed.
"Any large organization that is looking at MPLS VPNs as a substitute for frame relay or for encrypted tunnels should assume right now that the state of the technology will not support them," Nolle says.
MPLS VPNs also have their fans.
Cisco Fellow Bruce Davie says MPLS VPNs based on RFC 2547 are more scalable and just as secure as VPNs using frame relay or ATM. He also says the amount of configuration involved with RFC 2547 VPNs is less than that of IPSec VPNs, but that this burden is carried by ISPs, not customers.
"MPLS-based VPNs are significantly less expensive to deploy than IPSec VPNs," he says.
As far as security is concerned, Davie says "millions of people are quite happy with the level of security in frame relay, and MPLS provides comparable security."
A company that is concerned about security can encrypt its data before sending it over an MPLS VPN, Davie adds.
However, Davie confirms Cisco is developing an encapsulation technology called Universal Transport Interface that will let network managers send frame relay or ATM packets directly over IP without MPLS.
At its heart, this debate over MPLS VPNs is philosophical.
Internet engineers such as Bush and Bellovin favor keeping the Internet's backbone simple and dumb, while putting the complexity and intelligence at the edges of the network and at customer sites. MPLS flies in the face of that approach.
Telephone service providers, on the other hand, are used to a more centralized approach to provisioning services and a smarter backbone. They like MPLS because it is closer to traditional data communications technologies such as frame relay and ATM.
"I really think it comes down to a matter of philosophy," Davie says. "The people who worked on MPLS for a long time tried to solve practical problems. Other people say MPLS is a big deviation from pure Internet architecture, [and] it should be stopped at all costs."