
Tester's Choice: MPLS takes on security role


Ed Mier

How does a complex new Internet Engineering Task Force protocol, which was developed to deliver quality-of-service capabilities over IP networks, end up as a promising new technology for VPNs? That's the current story line for Multi-protocol Label Switching.

Companies warmly embraced VPNs as the best way to practice safe networking over the Internet. VPNs have become such a hit that users today face a half-dozen implementation alternatives. For example, VPNs can be built with stand-alone VPN controllers, via VPN software that's part of a server operating system, or via the VPN software in your routers or firewalls. You can also engage a service provider to deploy and manage your VPNs. That's happening more as word of VPN benefits spreads to midsize and smaller organizations. They want VPNs for all the same reasons as the big companies: to securely link their remote sites via the Internet and for secure remote access via the Internet.

So how does MPLS fit into all this? MPLS, a recently finalized IETF protocol, provides two pleasant and inherent by-product benefits. First, it attaches tags - or "labels" - to IP packets when they enter the MPLS-based network. This eliminates the need for each intermediate router node to delve deeply into each packet's IP header to make forwarding and handling decisions. This means packet streams can pass through an MPLS-based WAN infrastructure blindingly fast.

Second, the same labels that MPLS employs for distinguishing IP packet streams - so they can be given the appropriate class-of-service handling - also provide secure isolation of these packets from other traffic over the same physical links.

Our lab recently evaluated the security aspects of MPLS using Cisco's IOS Versions 12.0 and 12.1 across a half-dozen router platforms, from low-end 1750s to high-end 12000 GSRs. (A report detailing this testing is downloadable free from www.mier.com.)

We concluded that because the MPLS labeling hides the real IP address and other aspects of the packet stream, it provides data protection at least as secure as other Layer 2 technologies, including frame relay and ATM. Indeed, MPLS-based isolation of packet streams can be viewed as the WAN equivalent to virtual LANs - the segregation of traffic over LANs that's enabled by IEEE 802.1p and 802.1q tags.

MPLS without encryption doesn't provide the same level of security as IPSec-based VPNs using Triple-DES encryption. However, Triple-DES's added processing also has a measurable effect on the latency and throughput of traffic that's sent through encrypted VPN tunnels.
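The label handling described above, as an added example (not code from the original column or from Cisco's IOS): an ingress router pushes a 32-bit label stack entry in the RFC 3032 layout, and a core router swaps it using only its label table, so two customers' streams stay separate while the payload itself travels unmodified and unencrypted. The label values, interface names, forwarding table and packet bytes are constructed for illustration.

```python
import struct

def push_label(payload: bytes, label: int, tc: int = 0, ttl: int = 64,
               bottom: bool = True) -> bytes:
    """Ingress edge router: prepend one 32-bit label stack entry.

    Layout (RFC 3032): 20-bit label | 3-bit class | 1-bit bottom-of-stack | 8-bit TTL.
    """
    if not 0 <= label < 1 << 20:
        raise ValueError("label must fit in 20 bits")
    entry = (label << 12) | ((tc & 0x7) << 9) | (int(bottom) << 8) | (ttl & 0xFF)
    return struct.pack("!I", entry) + payload

def parse_top(frame: bytes):
    """Decode the top entry and return (label, tc, bottom, ttl, rest_of_frame)."""
    if len(frame) < 4:
        raise ValueError("truncated label stack entry")
    (entry,) = struct.unpack("!I", frame[:4])
    return entry >> 12, (entry >> 9) & 0x7, bool(entry & 0x100), entry & 0xFF, frame[4:]

# Constructed core-router table: incoming label -> (outgoing label, interface).
LFIB = {100: (210, "to-site-A"), 101: (310, "to-site-B")}

def core_forward(frame: bytes, lfib=LFIB):
    """Core router: decide on the label alone; the payload is never parsed."""
    label, tc, bottom, ttl, rest = parse_top(frame)
    if label not in lfib or ttl <= 1:
        return None  # unknown label or expired TTL: drop the packet
    out_label, iface = lfib[label]
    return iface, push_label(rest, out_label, tc, ttl - 1, bottom)

def demo():
    # Constructed payloads: two customers reusing the same private address.
    pkt_a = b"CUST-A dst=10.0.0.5 payroll"
    pkt_b = b"CUST-B dst=10.0.0.5 orders"
    out_a = core_forward(push_label(pkt_a, 100))
    out_b = core_forward(push_label(pkt_b, 101))
    return out_a, out_b, pkt_a, pkt_b

if __name__ == "__main__":
    for iface, frame in demo()[:2]:
        label, _, _, ttl, rest = parse_top(frame)
        print(f"{iface}: label={label} ttl={ttl} payload={rest!r}")
```

The payload bytes come out of the core exactly as they went in, which is the isolation-without-confidentiality distinction the column draws against IPSec with Triple-DES.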

MPLS will not put IPSec-based VPNs out of business. There seems to be no technical reason why a company could not also apply IPSec-based security, including encryption, to traffic that is being handled by the service provider via MPLS-labeled VPNs. Indeed, that combination might well provide the best overall security that can be achieved for Internet-based data transmission today.

Mier is founder of Miercom in Princeton Junction, N.J. He can be reached at ed@mier.com.

Copyright, 1994-2006 Network World, Inc. All rights reserved.