
WHAT ARE MPLS NETWORKS?

Multi-Protocol Label Switching (MPLS) networks are the next generation of networks designed to allow
customers to create end-to-end circuits across any type of transport medium using any available WAN
technology. Until recent years, customers with the need to connect remote offices in locations across the country
were restricted to the limited WAN options service providers offered, usually Frame Relay or T1/E1 dedicated
links. The problem with these WAN technologies is that they are not only very expensive and complex to manage
but also not very flexible, making them a headache for both the end customer and the service provider. Worst of all,
as the distance between the customer’s end points increased, so did the monthly bill.

HOW MPLS NETWORKS WORK

MPLS works by tagging the traffic entering the MPLS network. An identifier (label) is used to help distinguish the
Label Switched Path (LSP) to be used to route the packet to its correct destination. Once the best LSP is
identified by the router, the packet is forwarded to the next-hop router. A different label is used for every hop and
the label is selected by the router (or switch) that is performing the forwarding operation.

Take for example the below diagram. It shows a simple MPLS network example where the central server is
sending packets to two remote hosts.

The ingress router (LSR1) accepts the packets from the server and selects the best LSP based on their
destination IP address. It then selects an initial label (of local significance) for each packet and forwards the
packets using MPLS. When R2 receives the packets, it uses these labels to identify the LSPs, from which
it selects the next hops (R3 & R4) and the outgoing labels (43 & 12). At the end of the path, the egress routers (R3 & R4)
remove the final label and send the packet out to the local network.
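The label push, swap and pop sequence described above, as an added example that is not code from the Firewall.cx article: a small Python model of the MPLS forwarding plane. The router names (LSR1, R2, R3, R4), the customer prefixes and the label values are constructed for illustration; 43 and 12 are the egress labels quoted in the diagram description. The model also shows the property that matters for isolation: once a packet is labelled, transit and egress routers act on the top label only and never consult the IP header, and a packet carrying an unknown label is dropped rather than routed by IP.

```python
# Added example, not code from the Firewall.cx article: a minimal model of the
# MPLS forwarding plane. Router names (LSR1, R2, R3, R4), prefixes and label
# values are constructed for illustration; 43 and 12 are the egress labels
# mentioned in the article's diagram description.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Packet:
    dst: str                                    # destination IP address
    labels: list = field(default_factory=list)  # label stack, top of stack first


class LSR:
    """A Label Switching Router.

    An ingress LSR classifies unlabelled packets by destination prefix and
    pushes a label; transit and egress LSRs act on the top label only and
    never look at the IP header.
    """

    def __init__(self, name):
        self.name = name
        self.fec_table = []   # (network, out_label, next_hop): ingress classification
        self.lfib = {}        # in_label -> (out_label, next_hop); out_label None = pop

    def add_fec(self, prefix, out_label, next_hop):
        self.fec_table.append((ipaddress.ip_network(prefix), out_label, next_hop))

    def add_label_entry(self, in_label, out_label, next_hop):
        self.lfib[in_label] = (out_label, next_hop)

    def forward(self, pkt):
        """Rewrite the label stack in place; return the next hop, or None to drop."""
        if pkt.labels:
            in_label = pkt.labels.pop(0)
            entry = self.lfib.get(in_label)
            if entry is None:
                return None                      # unknown label: drop, no IP fallback
            out_label, next_hop = entry
            if out_label is not None:
                pkt.labels.insert(0, out_label)  # swap; a None label means pop at egress
            return next_hop
        # Ingress: longest-prefix match on the destination, then push the label
        dst = ipaddress.ip_address(pkt.dst)
        matches = [e for e in self.fec_table if dst in e[0]]
        if not matches:
            return None
        _, out_label, next_hop = max(matches, key=lambda e: e[0].prefixlen)
        pkt.labels.insert(0, out_label)
        return next_hop


def build_network():
    """Topology from the article: ingress LSR1, transit R2, egress R3 and R4 (constructed values)."""
    lsr1, r2, r3, r4 = LSR("LSR1"), LSR("R2"), LSR("R3"), LSR("R4")
    lsr1.add_fec("10.1.0.0/16", 20, "R2")   # LSP towards the site behind R3
    lsr1.add_fec("10.2.0.0/16", 21, "R2")   # LSP towards the site behind R4
    r2.add_label_entry(20, 43, "R3")        # labels have local significance per hop
    r2.add_label_entry(21, 12, "R4")
    r3.add_label_entry(43, None, "LAN-A")   # egress pops the final label
    r4.add_label_entry(12, None, "LAN-B")
    return {r.name: r for r in (lsr1, r2, r3, r4)}


def trace(routers, start, dst):
    """Return [(router, label stack after forwarding, next hop), ...] for one packet."""
    pkt, current, hops = Packet(dst), start, []
    while current in routers:
        next_hop = routers[current].forward(pkt)
        hops.append((current, list(pkt.labels), next_hop))
        if next_hop is None:
            break
        current = next_hop
    return hops


if __name__ == "__main__":
    net = build_network()
    for hop in trace(net, "LSR1", "10.1.5.9"):
        print(hop)
```

Running the block traces a packet for 10.1.5.9 through LSR1 (push 20), R2 (swap to 43) and R3 (pop, deliver to LAN-A). Feeding R2 a packet that carries label 20 but a destination in 10.2.0.0/16 still yields R3, because the label, not the IP header, decides the path inside the MPLS core.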

One of the great advantages offered by MPLS networks is the built-in Quality of Service mechanisms. MPLS
service providers usually offer an end-to-end QoS policy to ensure their customer MPLS networks have
guaranteed QoS through the MPLS network backbone. This allows delay-sensitive services such as VoIP to be
implemented with guaranteed bandwidth between the endpoints.

There really is no limitation to the type of services that can be run over an MPLS network. The QoS mechanisms
and prioritisation services allow the quick and effective forwarding of traffic between customer endpoints.

MPLS VPN BASICS

MPLS VPNs combine the power of MPLS and the Border Gateway Protocol (BGP) routing protocol. MPLS is
used to forward packets over the provider’s network backbone and BGP is used for distributing routes over the
backbone.

An MPLS VPN is comprised of the following equipment:

1. Customer Edge (CE) routers. These are placed at the customer site and are usually owned by the
customer. Some service providers also supply the CE equipment for a small rental fee.
2. Provider Edge (PE) routers. These are the provider’s edge routers to which the CE routers connect. The
PE routers are always owned by the service provider.
3. Provider (P) routers. These routers are commonly referred to as ‘transit routers’ and are located in the
service provider’s core network.

Routing information is passed from the Customer Edge router to the Provider Edge router using either a routing
protocol such as BGP or static routes. The Provider Edge router keeps a per-site forwarding table also known
as ‘VPN Routing and Forwarding tables’ or VRFs. At the Provider Edge router, each VRF serves a particular
interface (or set of interfaces) that belongs to each individual VPN. Each Provider Edge router is configured by
the service provider with its own VRF that is unique. Routers within the MPLS VPN network do not share VRF
information directly.

The above diagram illustrates a typical MPLS VPN network where VRFs are unique for each VPN connected
to a particular Provider Edge router.

What’s important about MPLS VPN services is that there is no boundary to the type of WAN technology used.
This means you can run MPLS over ATM (also known as MPLS IP VPN over ADSL), leased lines, satellite links,
wireless links and much more. This flexibility makes MPLS networks a preferred method of connecting offices
to each other. The ISP provides the interface to which the local network is connected (usually a router
with a LAN interface) and all that’s required is to connect the provided interface to the local network, set the
necessary equipment to use the new gateway (MPLS CE router) and everything magically works!

Internet access is also possible through the MPLS IP VPN service, where the service provider (ISP) typically
announces the routes of customers that require direct access to the Internet without affecting the performance
of their inter-site VPN links. For example, this means that it’s possible to have a 1024Kbps MPLS link to your ISP
which splits into a 512Kbps MPLS IP VPN link to your remote site and a further 512Kbps link to the Internet. The
ISP completely separates these two virtual links, even though they run through the same interface. The link
providing Internet access makes use of Network Address Translation (NAT) to translate the private network
address space of the customer’s network. In this case, the customer reveals no more information to the
Internet than it would with any normal connection to the Internet.

RESISTANCE TO ATTACKS

There is a growing concern as to how secure MPLS IP VPNs really are and how they can be protected from
Internet attacks. Fortunately, the answer is pretty straightforward and doesn’t require a lot of technical analysis
to see why.

In pure MPLS IP VPN environments without Internet access, where the network is used to connect different
sites, the core network and customer address space is concealed 100%. This means that no information is
revealed to third parties or the Internet. With no information revealed, hackers are unable to obtain access to
critical information such as router IP addresses in order to perform Denial of Service (DoS) attacks and bring
down the network.

In addition, service providers prevent their routers from being reachable via the Internet by using well-known
techniques such as packet filtering and applying access control lists (ACLs) that limit access to the ports of the
routing protocol (e.g. BGP) to specific areas within their network.

In an environment where Internet access is provided to the customer via the MPLS link, ISPs use similar
mechanisms to lock down their Customer Edge routers that provide access to the Internet. In addition, the routing
protocols used by the ISP have built-in mechanisms that are usually enabled and increase the security level
even more. A few examples are the configuration of MD5 authentication for routing protocols (BGP, OSPF
etc.), configuration of the maximum number of routes accepted per Virtual Routing and Forwarding instance (VRF)
and a few more.
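The per-interface VRF separation described in the MPLS VPN BASICS section and the per-VRF route limit mentioned above, as an added example that is not code from the Firewall.cx article: a Python model of a Provider Edge router with two customer VRFs. VRF names (CUST-A, CUST-B), interface names (Gi0/1, Gi0/2), prefixes and the limit of 5 routes are constructed for illustration; real PE routers express the limit in their own configuration syntax, which the model does not reproduce. It shows two customers using the same private address space without their routes mixing, and a CE that announces more prefixes than agreed exhausting only its own VRF while the other customer is unaffected.

```python
# Added example, not code from the Firewall.cx article: a model of per-interface
# VRFs on a PE router with a "maximum routes per VRF" limit. VRF names,
# interface names, prefixes and limit values are constructed for illustration.
import ipaddress


class RouteLimitExceeded(Exception):
    """Raised when a VRF would exceed its configured maximum number of routes."""


class VRF:
    """One VPN Routing and Forwarding table: an isolated routing table per customer."""

    def __init__(self, name, max_routes, warn_percent=80):
        self.name = name
        self.max_routes = max_routes
        self.warn_percent = warn_percent
        self.routes = {}      # ipaddress network -> next hop
        self.warnings = []    # operator-visible events, e.g. threshold crossed

    def install(self, prefix, next_hop):
        net = ipaddress.ip_network(prefix)
        if net not in self.routes and len(self.routes) >= self.max_routes:
            # A CE flooding routes (misconfiguration or malice) affects only its own VRF
            raise RouteLimitExceeded(f"{self.name}: {self.max_routes} routes reached, rejecting {net}")
        self.routes[net] = next_hop
        if len(self.routes) * 100 >= self.max_routes * self.warn_percent and not self.warnings:
            self.warnings.append(f"{self.name}: {len(self.routes)}/{self.max_routes} routes "
                                 f"({self.warn_percent}% threshold crossed)")

    def lookup(self, dst):
        """Longest-prefix match within this VRF only; None when there is no route."""
        addr = ipaddress.ip_address(dst)
        matches = [net for net in self.routes if addr in net]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda n: n.prefixlen)]


class PERouter:
    """A PE router: each customer-facing interface is bound to exactly one VRF."""

    def __init__(self):
        self.vrfs = {}
        self.interface_vrf = {}

    def add_vrf(self, name, max_routes):
        self.vrfs[name] = VRF(name, max_routes)
        return self.vrfs[name]

    def bind_interface(self, interface, vrf_name):
        self.interface_vrf[interface] = vrf_name

    def learn_route(self, interface, prefix, next_hop):
        """Routes learned from a CE land only in the VRF of the interface they arrived on."""
        self.vrfs[self.interface_vrf[interface]].install(prefix, next_hop)

    def route(self, in_interface, dst):
        """Lookups use the ingress interface's VRF, so overlapping customer space never mixes."""
        return self.vrfs[self.interface_vrf[in_interface]].lookup(dst)


def demo():
    """Two customers with overlapping 10.0.0.0/8 space; CUST-B then floods routes (constructed)."""
    pe = PERouter()
    pe.add_vrf("CUST-A", max_routes=5)
    pe.add_vrf("CUST-B", max_routes=5)
    pe.bind_interface("Gi0/1", "CUST-A")
    pe.bind_interface("Gi0/2", "CUST-B")
    pe.learn_route("Gi0/1", "10.1.0.0/16", "CE-A")
    pe.learn_route("Gi0/2", "10.1.0.0/16", "CE-B")
    results = {
        "a_sees": pe.route("Gi0/1", "10.1.4.4"),   # same destination, different answer per VRF
        "b_sees": pe.route("Gi0/2", "10.1.4.4"),
        "a_leak": pe.route("Gi0/1", "10.9.9.9"),   # nothing from CUST-B is visible: None
    }
    rejected = 0
    for i in range(2, 12):                         # CE-B announces ten more /16 prefixes
        try:
            pe.learn_route("Gi0/2", f"10.{i}.0.0/16", "CE-B")
        except RouteLimitExceeded:
            rejected += 1
    results["b_routes"] = len(pe.vrfs["CUST-B"].routes)
    results["b_rejected"] = rejected
    results["b_warned"] = len(pe.vrfs["CUST-B"].warnings)
    results["a_routes"] = len(pe.vrfs["CUST-A"].routes)   # CUST-A is untouched
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The warning threshold models the operational side of the limit: an operator wants an alert well before a VRF is full, because legitimate growth and a misbehaving CE look the same until someone checks which prefixes arrived.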

MPLS IP VPN ENCRYPTION

While MPLS IP VPN provides a scalable model in which customers can securely connect remote sites between
each other, there have been quite a few discussions about the encryption services offered by service providers
for these circuits.

The fact is that MPLS IP VPNs usually do not offer any encryption services. The MPLS VPN architecture makes
it practically impossible to hack into the MPLS circuits and expose the internal network(s) and routes, unless a major
bug or configuration flaw exists somewhere in the provider’s network.

Encryption of the MPLS VPN is performed using IPSec, which essentially is a suite of protocols designed to
provide a secure IP based pathway between two or more endpoints. You can read more on IPSecurity on
Firewall.cx’s dedicated IPSecurity article.

Below are two examples of IPSec encryption between two sites connected via MPLS VPN:

CE-CE IPSEC

In this example, IPSec is used between the CEs on each end, therefore the entire path between the CEs is
protected. This setup offers the best possible protection against possible hacking attempts. Packets enter the
CE router and are immediately encrypted. When packets are decrypted on the other end, they are located directly
on the customer’s LAN.

CE-CE IPSec offers true protection against the following threats:

- Replay attacks: replay of legitimate packets that have been recorded previously.
- Modification of packets that are in transit between the sites.
- Eavesdropping anywhere between the CEs, PE or P routers.

PE-PE IPSEC

This method is by far less secure than the previous one examined. IPSec encryption occurs from the PE routers
onwards, leaving the rest of the network unencrypted and therefore not providing true VPN security.

PE-PE IPSec offers true protection against the following threats:

- Eavesdropping between the PEs or P routers.

Generally, point-to-point connections are easy to manage, but the scenario gets more complex with multiple
endpoints. IPSec tunnels have a considerable administrative overhead that shouldn’t be taken lightly. For
example, maintaining an IPSec topology between 5 sites requires the configuration of multiple IPSec crypto
tunnels on each router located at every site. Any change made to one router (e.g. internal routes or LAN IP
addressing) requires the reconfiguration of all other routers so that the IPSec tunnels continue working correctly.

ATM (DSL) IP VPN NETWORKS

There is no doubt about the flexibility, security and scalability of MPLS IP VPN networks. Thousands of Enterprise
customers are moving from the old and expensive leased-line solutions to the much cheaper MPLS VPN
alternative for all the previously mentioned reasons.

While MPLS networks have gained popularity in recent years, ATM IP VPN networks (referred to as
‘DSL IP VPNs’ from now on) are starting to gain considerable attention, to the point where they are offered as an
alternative to MPLS VPNs!

DSL IP VPNs rely on the customer’s direct Internet connection to create a VPN IPSec tunnel between two
endpoints. A typical scenario is a customer with two sites that require connectivity between each other. Both
sides are equipped with a fast DSL connection using static IP addresses. The configuration is performed on the
Customer Edge routers to create an IPSec tunnel between the two sites.

In most cases, the end result is pretty much the same as any MPLS network, but one could argue about the
security offered by such a setup, especially when the CE routers are directly connected to the Internet. Tests
performed by large vendors such as Cisco Systems have proven that the security provided in these solutions is
directly comparable with that of an MPLS VPN, considering of course proper configuration of the CE routers has
been performed.

The main advantage offered by DSL IP VPNs is that the costs are extremely low and equal to that of each side’s
connection to the Internet. Companies seeking to cut costs on data telecommunication services are already
moving to this new trend, which has become extremely popular in Europe and Asia.

Despite the advantages, one must keep in mind the following disadvantages DSL IP VPNs have:

- In order to obtain high VPN speeds between sites, both CE routers must connect to the same ISP so they run
on a common backbone.
- CE routers are directly exposed to the Internet and therefore are vulnerable to DoS attacks.
- QoS is not usually guaranteed. Because packets are routed through the ISP backbone using the same path and
priority normal Internet users have, there is no QoS guarantee.
- Limited scalability. Site-to-site DSL IP VPN is great for up to a few sites. Depending on the number of
users located on each site, more than one DSL connection might be required per site.

In our next article we will examine DSL IP VPNs in much greater depth, including DSL IP VPN requirements,
their security encryption mechanisms, QoS methods, backup methods, and much more.
