Experts call MPLS bad for 'Net

VPNs based on Multi-protocol Label Switching said to be risky. Backbone management challenges also cited.

Two prominent Internet researchers from AT&T Labs are among a growing number of experts raising red flags about Multi-protocol Label Switching, a next-generation traffic engineering technology backed by network industry leaders such as Cisco, Juniper Networks and AT&T itself.

The researchers - security guru Steve Bellovin and network operations expert Randy Bush - say MPLS creates serious network management challenges for Internet backbone providers. Even more dire are their warnings about potential security and privacy problems for companies that deploy MPLS-based VPNs.

MPLS VPNs are a "great way to sell routers, but they greatly complicate the core of the Internet," Bush says.

"Most security holes are caused by human error. With MPLS VPNs, there's a potential for a network administrator doing the provisioning wrong and losing the privacy of the communication," Bellovin says, pointing out that MPLS VPNs do not automatically encrypt data.

Bush and Bellovin hold leadership positions in the Internet Engineering Task Force (IETF), a standards-setting body that developed MPLS. In fact, MPLS is on the agenda at an IETF meeting being held this week in London.

The IETF is split between critics and fans of MPLS. The strongest advocates include Cisco and Juniper Networks, which argue that MPLS-based VPNs offer adequate security and are less expensive to deploy than alternatives favored by Bush and Bellovin.

MPLS is a protocol that lets carriers merge various types of data traffic, including frame relay and ATM, over one backbone running IP. MPLS supplements the Internet's best-effort approach to delivering communications with differentiated classes of service.

Finalized by the IETF in 1999, MPLS is being deployed by several service providers, including AT&T, which uses the protocol to support an IP-enabled frame relay service. The controversial MPLS VPNs are in use by companies such as IBM Canada and Canadian Life Assurance that want to outsource the management of their VPNs.

Critics Bush and Bellovin claim MPLS is unnecessary because carriers can run frame relay or ATM traffic directly over an Internet backbone.

"If I have a pure IP core, I don't need MPLS," Bush says.

While these IETF leaders don't like MPLS, they aim their strongest criticism at MPLS VPNs. In particular, they denounce a technique for creating MPLS VPNs that was outlined in an IETF informational document - called RFC 2547 - published in 1999 by two Cisco engineers.

"MPLS is a social disease, but it won't kill us," Bush says. "RFC 2547 VPNs are deadly. They will not scale to what the Internet needs five years from now. They will break your network."

RFC 2547 outlines a technique for using the Border Gateway Protocol (BGP), which runs on the Internet's backbone routers, to propagate information about MPLS VPNs. With this approach, ISPs must manage a special BGP routing table for each MPLS VPN and store parts of that routing table at every location where the VPN is accessed.

Today, most ISPs manage one BGP routing table, which is already a difficult task and becoming more unwieldy as the number of entries in the master table grows.

"For network operators the issue is: I'm having trouble managing one routing table, and you want me to run thousands of them?" Bush says.

To help address this scaling problem, Juniper has developed an alternative to RFC 2547 that pushes management of the special VPN routing tables out to customers. This type of MPLS VPN is supported by Juniper in a product called MPLS Circuit Cross Connect, and Juniper has pitched the idea to the IETF as a potential standard.

Cisco has a similar offering that it also proposed to the IETF.

The new Cisco and Juniper approaches let MPLS VPNs be established at Layer 2 of the Open Systems Interconnection's seven-layer structure, instead of Layer 3 as outlined in RFC 2547. These VPNs are designed to send legacy traffic such as frame relay and ATM over MPLS.

Bush acknowledges the Layer 2 MPLS VPNs have fewer scalability problems than the original Layer 3 ones.

But Bellovin outlines several security risks with both types. Because the information is not automatically encrypted, information sent to the wrong person can be read by that person. MPLS VPNs also are susceptible to leaked traffic if a connection is disrupted, he says.

"MPLS VPNs have very bad failure modes," Bellovin says. "The end points are set up by the service provider so the corporate customer doesn't have control."
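To make the RFC 2547 mechanism described above and Bellovin's misprovisioning warning concrete, here is an added toy model (not from the article, RFC 2547 or any vendor) of provider-edge routers importing VPN routes by route target, with an audit that catches a VRF provisioned to import another customer's prefixes. Route targets are RFC 2547's own mechanism; the PE names, customers, prefixes and RT values are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Vrf:
    """One customer's per-site VPN routing table on a provider-edge (PE) router."""
    customer: str        # operator's record of which customer owns this VRF
    export_rt: str       # route target stamped on routes advertised from here
    import_rts: set      # route targets this VRF is provisioned to accept
    routes: set = field(default_factory=set)   # prefixes learned from the site

@dataclass
class VpnRoute:
    """A route as carried between PEs by BGP: prefix plus its route target."""
    prefix: str
    customer: str        # intended owner, kept only so the audit can compare
    rt: str

def advertise(pes):
    """Every VRF on every PE exports its site routes into one shared BGP feed."""
    return [VpnRoute(p, v.customer, v.export_rt)
            for vrfs in pes.values() for v in vrfs for p in v.routes]

def import_routes(pes, feed):
    """Each VRF installs feed routes whose RT it imports, plus its own site routes."""
    return {pe: {v.customer: v.routes | {r.prefix for r in feed if r.rt in v.import_rts}
                 for v in vrfs} for pe, vrfs in pes.items()}

def audit_leaks(pes, feed):
    """Flag (pe, vrf_customer, prefix, owner) wherever a VRF imports another customer's route."""
    return [(pe, v.customer, r.prefix, r.customer)
            for pe, vrfs in pes.items() for v in vrfs for r in feed
            if r.rt in v.import_rts and r.customer != v.customer]

def table_sizes(tables):
    """Per PE: total routes held across all VRFs and number of VRFs (tables)."""
    return {pe: (sum(len(p) for p in t.values()), len(t)) for pe, t in tables.items()}

# Constructed sample: two customers, three PEs. PE3's globex VRF was provisioned
# with an extra import RT (acme's), the kind of slip Bellovin describes.
SAMPLE_PES = {
    "PE1": [Vrf("acme", "RT:100", {"RT:100"}, {"10.1.0.0/16"}),
            Vrf("globex", "RT:200", {"RT:200"}, {"10.2.0.0/16"})],
    "PE2": [Vrf("acme", "RT:100", {"RT:100"}, {"10.11.0.0/16"})],
    "PE3": [Vrf("globex", "RT:200", {"RT:200", "RT:100"}, {"10.3.0.0/16"})],
}

if __name__ == "__main__":
    feed = advertise(SAMPLE_PES)
    print(table_sizes(import_routes(SAMPLE_PES, feed)), audit_leaks(SAMPLE_PES, feed))
```

Run as-is, the audit reports PE3's globex VRF importing both acme prefixes, while the table sizes show each PE holding one table per customer it serves, which is the per-VPN state Bush objects to.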

Bellovin prefers VPNs using IP Security (IPSec), an IETF-developed tunneling technology with built-in encryption. With IPSec, if a communication is sent to the wrong person, that person can't read it. And IPSec causes less stress on the Internet's backbone routers because customers handle provisioning.

Bush and Bellovin are not alone in expressing concern about the security and scalability of MPLS VPNs.

"RFC 2547 is a nightmare of unprecedented proportion," says Vijay Gill, a senior network architect at Metromedia Fiber Networks. Like Bush, Gill prefers Layer 2 MPLS VPNs because "they're much simpler and we won't have to deal with customer routing tables."

Thomas Nolle, president of CIMI, predicts that MPLS VPNs running over the Internet will fail to gain widespread use. However, he says MPLS VPNs running on separate dedicated IP networks - such as AT&T's offering - can be made more secure and might succeed.

"Any large organization that is looking at MPLS VPNs as a substitute for frame relay or for encrypted tunnels should assume right now that the state of the technology will not support them," Nolle says.

MPLS VPNs also have their fans.

Cisco Fellow Bruce Davie says MPLS VPNs based on RFC 2547 are more scalable and just as secure as VPNs using frame relay or ATM. He also says the amount of configuration involved with RFC 2547 VPNs is less than that of IPSec VPNs, but that this burden is carried by ISPs, not customers.

"MPLS-based VPNs are significantly less expensive to deploy than IPSec VPNs," he says.

As far as security is concerned, Davie says "millions of people are quite happy with the level of security in frame relay, and MPLS provides comparable security."

A company that is concerned about security can encrypt its data before sending it over an MPLS VPN, Davie adds.

However, Davie confirms Cisco is developing an encapsulation technology called Universal Transport Interface that will let network managers send frame relay or ATM packets directly over IP without MPLS.

At its heart, this debate over MPLS VPNs is philosophical.

Internet engineers such as Bush and Bellovin favor keeping the Internet's backbone simple and dumb, while putting the complexity and intelligence at the edges of the network and at customer sites. MPLS flies in the face of that approach.

Telephone service providers, on the other hand, are used to a more centralized approach to provisioning services and a smarter backbone. They like MPLS because it is closer to traditional data communications technologies such as frame relay and ATM.

"I really think it comes down to a matter of philosophy," Davie says. "The people who worked on MPLS for a long time tried to solve practical problems. Other people say MPLS is a big deviation from pure Internet architecture, [and] it should be stopped at all costs."

MPLS VPNs explained

Contact Senior Editor Carolyn Duffy Marsan