
Tester's Choice: MPLS takes on security role

Ed Mier

How does a complex new Internet Engineering Task Force protocol, which was developed to deliver quality-of-service capabilities over IP networks, end up as a promising new technology for VPNs? That's the current story line for Multi-protocol Label Switching.

Companies warmly embraced VPNs as the best way to practice safe networking over the Internet. VPNs have become such a hit that users today face a half-dozen implementation alternatives. For example, VPNs can be built with stand-alone VPN controllers, via VPN software that's part of a server operating system, or via the VPN software in your routers or firewalls. You can also engage a service provider to deploy and manage your VPNs. That's happening more as word of VPN benefits spreads to midsize and smaller organizations. They want VPNs for all the same reasons as the big companies: to securely link their remote sites via the Internet and for secure remote access via the Internet.

So how does MPLS fit into all this? MPLS, a recently finalized IETF protocol, provides two pleasant and inherent by-product benefits. First, it attaches tags - or "labels" - to IP packets when they enter the MPLS-based network. This eliminates the need for each intermediate router node to delve deeply into each packet's IP header to make forwarding and handling decisions. This means packet streams can pass through an MPLS-based WAN infrastructure blindingly fast.

Second, the same labels that MPLS employs for distinguishing IP packet streams - so they can be given the appropriate class-of-service handling - also provide secure isolation of these packets from other traffic over the same physical links.

Our lab recently evaluated the security aspects of MPLS using Cisco's IOS Versions 12.0 and 12.1 across a half-dozen router platforms, from low-end 1750s to high-end 12000 GSRs. (A report detailing this testing is downloadable free from

We concluded that because the MPLS labeling hides the real IP address and other aspects of the packet stream, it provides data protection at least as secure as other Layer 2 technologies, including frame relay and ATM. Indeed, MPLS-based isolation of packet streams can be viewed as the WAN equivalent to virtual LANs - the segregation of traffic over LANs that's enabled by IEEE 802.1p and 802.1q tags.

MPLS without encryption doesn't provide the same level of security as IPSec-based VPNs using Triple-DES encryption. However, Triple-DES's added processing also has a measurable effect on the latency and throughput of traffic that's sent through encrypted VPN tunnels.

MPLS will not put IPSec-based VPNs out of business. There seems to be no technical reason why a company could not also apply IPSec-based security, including encryption, to traffic that is being handled by the service provider via MPLS-labeled VPNs. Indeed, that combination might well provide the best overall security that can be achieved for Internet-based data transmission today.
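The difference between label-based separation and IPSec encryption can be seen at the byte level. The following is an added example, not taken from the column or the lab report: it parses the standard 32-bit MPLS label stack entry (20-bit label, 3-bit class-of-service field, bottom-of-stack bit, 8-bit TTL) and reports what stays readable in the IPv4 header behind the labels, with and without ESP. The packets, addresses and label values are constructed for illustration.

```python
import socket
import struct

ESP = 50  # IP protocol number for IPsec ESP

def parse_label_stack(buf):
    """Return (entries, offset); each entry is (label, tc, bottom, ttl)."""
    entries, off = [], 0
    while True:
        if len(buf) - off < 4:
            raise ValueError("truncated MPLS label stack")
        (word,) = struct.unpack_from("!I", buf, off)
        off += 4
        label, tc = word >> 12, (word >> 9) & 0x7
        bottom, ttl = (word >> 8) & 0x1, word & 0xFF
        entries.append((label, tc, bool(bottom), ttl))
        if bottom:  # S bit set: the IP packet starts right after this entry
            return entries, off

def observe(buf):
    """Summarize what a device on the path can read from one labeled packet."""
    stack, off = parse_label_stack(buf)
    ip = buf[off:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("payload is not IPv4")
    return {
        "labels": [entry[0] for entry in stack],
        "src": socket.inet_ntoa(ip[12:16]),
        "dst": socket.inet_ntoa(ip[16:20]),
        "encrypted": ip[9] == ESP,  # byte 9 of the IPv4 header is the protocol
    }

def _mpls(label, tc, bottom, ttl):
    return struct.pack("!I", label << 12 | tc << 9 | bottom << 8 | ttl)

def _ipv4(proto, src, dst, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

# Constructed sample packets (checksums left at zero; not captured traffic).
PLAIN = _mpls(16, 0, 0, 255) + _mpls(100, 5, 1, 255) + _ipv4(
    6, "10.1.1.10", "10.2.2.20", b"GET / HTTP/1.0\r\n")
WITH_ESP = _mpls(16, 0, 0, 255) + _mpls(100, 5, 1, 255) + _ipv4(
    ESP, "192.0.2.1", "192.0.2.2", bytes(32))  # zero bytes stand in for ciphertext

if __name__ == "__main__":
    for name, pkt in (("label only", PLAIN), ("label + ESP", WITH_ESP)):
        print(name, observe(pkt))
```

In the label-only packet the inner addresses and the application payload are carried unmodified behind the labels; in the ESP case only the tunnel endpoints and the protocol number are visible.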


Mier is founder of Miercom in Princeton Junction, N.J. He can be reached at
