Problem solve Get help with specific problems with your technologies, process and projects.

VPNs then and now: IPsec and MPLS

A brief history of VPN technologies and how they have changed in recent years.

Virtual Private Networks or VPNs have been around for quite some time. If you are an organization that interconnects remote sites over ATM, Frame-Relay or TDM (time division multiplexing) circuits via a carrier's backbone, then you already have deployed a virtual private network. Carriers' VPN solutions are deployed as partial mesh, full mesh and hub and spoke designs that provide point to point and multipoint connectivity for a multitude of services from multiple providers across the globe. I refer to these types of VPN solutions as private line VPNs, since the carrier provisioned circuit topology and interconnections define the VPN not an overlay technology such as IPSEC or MPLS.

So, if VPN technologies have been around for so long, why all the commotion surrounding alternative forms of VPNs? The answer is two fold. With the advancements in voice and video over IP, consumers realized they could converge real time applications (such as voice and video) and data onto one access circuit, the data circuit, thereby substantially lowering the cost of WAN circuits required for telecommunication. Secondly, carriers realized that with the evolution of convergent technologies, they no longer needed to deploy, maintain and support TDM and IP backbones. However, carriers' IP backbones provided no segmentation of customer traffic or the inherent security associated with that segmentation. Initially, IPSEC became the predominant mechanism for providing the underlying VPN architectures. Customers' traffic was encrypted but not necessarily segmented. By encrypting the traffic, the customer could build VPN networks over the Internet. However, IPSEC in general, is inefficient in that it requires significant overhead to encrypt the traffic. This is acceptable to low speed links but throughput is significantly impacted on high speed links. Most router vendors provide IPSEC capabilities embedded in the operating systems but there is significant performance degradation. Line speed IPSEC processing is still not where most customers would like it top be. MPLS on the other hand provides segmentation of traffic in the same manner as PVC's.

MPLS VPNs provide separation of one customer's traffic from another's by virtue of label switched paths (analogous to PVCs) and separate routing instances per customer. Physically this capability resides on a common platform but logically it is separate. With the advent of MPLS as a viable technology, customers can now build VPNs that support voice, video and data over a common interface. The security and segmentation is inherent to MPLS and there is no performance impact associated with IPSEC encryption. There are tremendous economies of scale associated with MPLS VPNs and as carriers migrate to high speed IP backbones that are capable of supporting real time services over IP, MPLS becomes a very good choice for cost effective VPN solutions.

The tips that I will write moving forward will investigate in detail the comparisons of VPN technology, the design aspects of MPLS, deployment tips for getting the most from an MPLS solution and technical aspects of MPLS architectures. Next tip, IPSEC versus MPLS: a technical discussion.

Robbie Harrell (CCIE#3873) is the National Practice Lead for Advanced Infrastructure Solutions for SBC Communications. He has over 10 years of experience providing strategic, business, and technical consulting services to clients. Robbie resides in Atlanta, and is a graduate of Clemson University. His background includes positions as a Principal Architect at International Network Services, Lucent, Frontway and Callisma.

This was last published in March 2004

Dig Deeper on Network Security Best Practices and Products

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.