MPLS Architecture – An Overview

As soon as the word ‘MPLS’ (Multiprotocol Label Switching) is mentioned, the term ‘MPLS VPN’ comes to everybody’s mind. This is soon followed by the thought of corporate offices spread across different cities being connected through an ‘MPLS VPN’. Your subconscious mind has probably also associated ‘confidentiality of my data, presumably using encryption’ with this whole concept, as it is a VPN and VPNs are supposed to provide confidentiality and integrity of my data. Why else would they say ‘private’ in Virtual Private Networks?

Let’s look at some of the things MPLS is not:
– MPLS was not designed primarily to provide VPN services.
– MPLS VPNs do not use encryption.

Then, why was something called MPLS developed? What is it used for? Where do MPLS VPNs come in? What kind of security do you get when you use an MPLS network?

IP networks were designed to be scalable and resilient; QoS was not an initial consideration when IP was developed. (IP does have the concept of type of service, but it has not been widely used.) IP is also connectionless, and routing decisions have to be made at every router along the route. Within the internet service provider’s network, the routing protocol (probably OSPF, Open Shortest Path First) chooses the shortest path. If the shortest path is used continuously, it causes congestion on frequently used routes while other routes may be underutilized. Additionally, traffic cannot be assigned a priority.

Switched networks like ATM and Frame Relay are connection oriented, so their traffic can be engineered: bandwidth requirements and latency can be taken into account. So the idea of bringing switching concepts into the routing domain came about. What this means is that forwarding decisions are not made by a complex route lookup based on the destination IP address but by looking at simple labels. This label also carries a priority attribute.

The effects were as follows:
– Internet service providers could offer QoS using the priority attribute
– Traffic engineering was possible, which enabled efficient and reliable network operations while simultaneously improving network resource utilization and traffic performance
– ISPs could offer traffic isolation, which is packaged as MPLS VPNs

There is currently no provision for encryption in MPLS networks, and if the customer data requires encryption, other protocols such as IPsec may be used on top of it.

If ISPs had an IP core, they could now “upgrade” their network to offer the above services. If ISPs had moved to an ATM core, their ATM switches could be configured to handle MPLS traffic. MPLS can co-exist with ATM switches and eliminates complexity by mapping IP addressing and routing information directly into ATM switching tables.

In an MPLS network, incoming packets are assigned a “label” by a “label edge router (LER)”. Packets are forwarded along a “label switch path (LSP)” where each “label switch router (LSR)” makes forwarding decisions based solely on the contents of the label. At each hop, the LSR strips off the existing label and applies a new one which tells the next hop how to forward the packet; the IP packet underneath is never examined.

Label Switch Paths (LSPs) are established by network operators for a variety of purposes, such as to guarantee a certain level of performance, to route around network congestion, or to create IP tunnels for network-based virtual private networks. In many ways, LSPs are no different from circuit-switched paths in ATM or Frame Relay networks, except that they are not dependent on a particular Layer 2 technology.

MPLS is currently in use in large “IP only” networks, and its major applications are telecommunication traffic engineering and MPLS VPNs.

So, here are the answers to the questions posed at the beginning of this blog:

1. Why was MPLS developed?
To bring the speed, QoS capabilities and traffic engineering capabilities of switched networks to the ISP core, which was generally IP based.

2. What are MPLS networks used for? Where do MPLS VPNs come in?
   – ISPs market MPLS as a network which can offer its customers QoS capabilities. SLAs on QoS are now possible.
   – MPLS VPNs are marketed by ISPs as a cheaper and much more scalable option compared to leased lines. Corporates can just plug each of their offices into the MPLS cloud. Adding another network to the cloud is straightforward.
   – ISPs are able to manage the traffic on their core network in an efficient way. Traffic is spread out over the network in such a manner that the entire network is utilized, not only the “best paths”, i.e. better network utilization through traffic engineering.

3. What kind of security do you get when you use an MPLS network?
   – As already mentioned, MPLS networks do not encrypt traffic.
   – An MPLS VPN is called a ‘Trusted VPN’ because you trust the service provider core. Your information might be compromised if any of the following happens:
     a) There is an insider (ISP insider) attack on the MPLS network
     b) The network elements in the core are not properly secured against unauthorised access
     c) The network elements in the core are misconfigured
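To make the LER/LSR label-swapping behaviour and the “trusted VPN, no encryption” point concrete, here is an added example (not code from the original post): a small simulator of one LSP. It uses the 4-byte label stack entry format from RFC 3032 (20-bit label, 3-bit TC priority bits, bottom-of-stack flag, TTL), which the post does not spell out, and a hypothetical three-hop LSP with constructed label tables and a constructed IPv4 packet. It shows that each hop forwards on the label alone and that the customer’s IP packet is carried unchanged, and readable, at every hop in the provider core.

```python
import struct

# MPLS label stack entry (RFC 3032): 20-bit label, 3-bit TC (the priority
# bits, formerly EXP), 1-bit bottom-of-stack flag, 8-bit TTL.
def parse_label_entry(data):
    (word,) = struct.unpack("!I", data[:4])
    return {"label": word >> 12, "tc": (word >> 9) & 0x7,
            "bos": (word >> 8) & 0x1, "ttl": word & 0xFF}

def build_label_entry(label, tc, bos, ttl):
    return struct.pack("!I", (label << 12) | (tc << 9) | (bos << 8) | ttl)

# Constructed per-hop label tables (hypothetical LSP, not from any real network):
# incoming label -> (action, outgoing label). "swap" rewrites the top label,
# "pop" removes it (penultimate-hop popping) so the egress LER receives plain IP.
LSP_HOPS = [
    ("LSR-1", {100: ("swap", 200)}),
    ("LSR-2", {200: ("swap", 300)}),
    ("LSR-3", {300: ("pop", None)}),
]

def forward_along_lsp(ip_packet, ingress_label, tc):
    """Ingress LER pushes a label chosen for the packet's FEC; each LSR forwards
    on the label alone. Returns a per-hop trace of (hop, outgoing label, payload seen)."""
    pkt = build_label_entry(ingress_label, tc, 1, 64) + ip_packet
    trace = [("LER-ingress", ingress_label, pkt[4:])]
    for name, table in LSP_HOPS:
        hdr = parse_label_entry(pkt)
        action, out_label = table[hdr["label"]]
        payload = pkt[4:]            # never inspected, never transformed
        if action == "swap":
            pkt = build_label_entry(out_label, hdr["tc"], hdr["bos"], hdr["ttl"] - 1) + payload
        else:
            pkt = payload            # label gone; plain IP continues to the egress LER
        trace.append((name, out_label, payload))
    return trace

def payload_visible_at_every_hop(trace, ip_packet):
    """True when every hop along the LSP carries the customer's IP packet unchanged,
    i.e. the LSP gives isolation by labels but no confidentiality."""
    return all(seen == ip_packet for _, _, seen in trace)

# Constructed sample: a minimal IPv4 header (checksum left 0) plus a cleartext payload.
SAMPLE_IP = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 13, 1, 0, 64, 6, 0,
                        bytes([10, 1, 1, 10]), bytes([10, 2, 2, 20])) + b"quarterly-sum"
```

The TC bits survive every swap, which is the per-label priority the post refers to; anything a core device or insider can read at any hop is the full customer packet, which is why IPsec is layered on top when confidentiality is required.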