MPLS lays foundation for new VPN services

Though new uses for Multi-protocol Label Switching keep emerging, a consensus is building that the killer application for the technology is VPNs.

Carriers that initially looked to exploit MPLS traffic engineering capabilities to simplify management are now turning to the technology to deliver IP VPN services that some claim could cost half as much as frame relay. VPNs are enabled by MPLS’ technique for designating packets for transmission over explicit routes, a technique that can also be used to construct tunnels through IP backbones and the Internet that shield one company’s traffic from that of others.

Cisco Systems Inc. says most of its 80-plus MPLS customers use the technology to support VPNs, but the services are not without detractors.

Critics consider it a major flaw that these VPNs can be built without an encryption scheme such as IP Security (IPSec), and they also warn that building Layer 3 VPNs with MPLS could overwhelm service providers’ routing table management capabilities. In a Layer 3 VPN the service provider handles all routing on behalf of the customer, whereas in the Layer 2 variety routing remains the customer’s responsibility.

“There are issues surrounding the size of routing tables” in Layer 3 MPLS VPNs, says Ben Crosby, a senior technologist at Alcatel SA, which offers MPLS on its 7670 Routing Switch Platform. “Use of RFC 2547 VPNs makes the issues that much more apparent.”

RFC 2547 and 2547bis use MPLS to dedicate paths over a carrier’s network to customer-specific VPNs. These specifications use Border Gateway Protocol (BGP) to distribute information about each MPLS VPN across a service provider’s network, and they create and store a separate routing table for each VPN on routers and switches throughout the carrier’s backbone.
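To make the per-VPN routing table idea concrete, here is an added illustration (not code from the article, from RFC 2547 itself, or from any vendor) of what a provider edge router keeps: one table per customer VPN, plus the BGP-carried VPN-IPv4 routes in which a route distinguisher (RD) is prepended to each customer prefix so that two customers using the same private address space stay distinct. Customer names, RDs, labels and prefixes are constructed, and route import is simplified to matching on the RD (real deployments match on route-target communities). The last function counts the distinct VPN-IPv4 entries every PE in the backbone must hold, which is the scaling concern the critics raise.

```python
"""Model of RFC 2547-style per-VPN routing tables (VRFs) on a provider edge.

Added illustration only; every name, RD, label and prefix is constructed.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class VpnRoute:
    rd: str               # route distinguisher, e.g. "64500:1"
    prefix: IPv4Network   # the customer's IPv4 prefix
    next_hop: str         # egress PE that originated the route
    label: int            # VPN label that egress PE expects on arriving packets


@dataclass
class Vrf:
    name: str
    rd: str
    table: dict = field(default_factory=dict)   # prefix -> VpnRoute


class ProviderEdge:
    def __init__(self, name):
        self.name = name
        self.vrfs = {}    # VRF name -> Vrf (one table per customer VPN)
        self.vpnv4 = {}   # (rd, prefix) -> VpnRoute: what BGP carries backbone-wide

    def add_vrf(self, name, rd):
        self.vrfs[name] = Vrf(name, rd)

    def originate(self, vrf_name, prefix, label):
        """A customer site behind this PE announces a prefix into its VRF."""
        vrf = self.vrfs[vrf_name]
        route = VpnRoute(vrf.rd, IPv4Network(prefix), self.name, label)
        vrf.table[route.prefix] = route
        self.vpnv4[(route.rd, route.prefix)] = route
        return route

    def receive(self, route):
        """Import a BGP VPN-IPv4 route into the VRF whose RD matches.
        Simplification: real PEs import on route targets, not the RD."""
        self.vpnv4[(route.rd, route.prefix)] = route
        for vrf in self.vrfs.values():
            if vrf.rd == route.rd:
                vrf.table[route.prefix] = route

    def lookup(self, vrf_name, dst):
        """Longest-prefix match restricted to one customer's table."""
        table = self.vrfs[vrf_name].table
        addr = IPv4Address(dst)
        matches = [p for p in table if addr in p]
        if not matches:
            return None
        return table[max(matches, key=lambda p: p.prefixlen)]


def build_backbone():
    """Two PEs, two customers, and overlapping 10.1.0.0/16 space (constructed)."""
    pe1, pe2 = ProviderEdge("PE1"), ProviderEdge("PE2")
    for pe in (pe1, pe2):
        pe.add_vrf("acme", "64500:1")
        pe.add_vrf("globex", "64500:2")
    routes = [
        pe2.originate("acme", "10.1.0.0/16", label=1001),
        pe2.originate("globex", "10.1.0.0/16", label=1002),   # same prefix, other VPN
        pe1.originate("acme", "10.2.0.0/16", label=2001),
    ]
    # BGP carries each VPN-IPv4 route to the PEs that did not originate it.
    for route in routes:
        for pe in (pe1, pe2):
            if route.next_hop != pe.name:
                pe.receive(route)
    return pe1, pe2


def backbone_table_size(pes):
    """Distinct VPN-IPv4 entries the backbone's PEs hold: grows with VPNs x sites."""
    return len({key for pe in pes for key in pe.vpnv4})


if __name__ == "__main__":
    pe1, pe2 = build_backbone()
    print(pe1.lookup("acme", "10.1.5.5"))    # label 1001 via PE2
    print(pe1.lookup("globex", "10.1.5.5"))  # label 1002 via PE2: same address, other customer
    print(backbone_table_size([pe1, pe2]))
```

The same destination address resolves to a different VPN label depending on which customer's table is consulted, which is what keeps one customer's routes out of another's. Note what the model also shows: every PE carries every customer's VPN-IPv4 routes, so the table size is a backbone-wide cost rather than a per-customer one.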

Buying into MPLS VPNs

However, routing table management and other criticisms of RFC 2547 are specific to Internet implementations and do not affect private IP backbones, vendors and carriers stress. Despite the caveats, carriers such as Global Crossing Ltd. and Cable & Wireless PLC are developing services based on RFC 2547.

Global Crossing says RFC 2547 is better suited to large-scale IP, or Internet, VPNs than edge-based IP VPNs are, though the carrier has yet to sign the first customer for the MPLS-based ExpressRoute VPN service it launched last month.

Global Crossing has deployed Juniper routers along the edge of its IP network that are dedicated to supporting its MPLS VPN service.

“We have separated our traffic by deploying routers that are just VPN routers vs. Internet routers,” says Mike Fuqua, a vice-president at the carrier. Fuqua points out that ExpressRoute VPN traffic does not travel over the Internet but only over Global Crossing’s IP backbone. Keeping the traffic off the Internet makes it more secure in that sense, but observers say users should understand that unless their traffic is encrypted using IPSec or another encryption technology, security risks remain.

Separately, Cable & Wireless is developing a VPN service based on RFC 2547 that will probably be available by February. The service provider says the network architecture will be similar to Global Crossing’s in that it will have dedicated MPLS VPN routers along the edge of its global IP network, says Chris Liljenstolpe, senior director of network technology.

Like Global Crossing, Cable & Wireless claims RFC 2547 VPNs are optimal for large business users – those that may need to support hundreds or thousands of sites. But Cable & Wireless is also planning to couple its service with a network-based firewall that will offer an additional level of security.

Customers could use the network-based firewall to securely access the Internet via the same dedicated line used for their VPNs, or they could add network encryption. The firewall offering will roll out after the initial VPN service is available.

Layer 2 VPNs

Service providers are also expected to deliver Layer 2 VPNs based on MPLS. Using products from the likes of Cisco and Juniper Networks Inc., carriers will set up Layer 2 connectivity over frame relay or ATM virtual circuits, for example, while the details of how routing is done within the private customer network remain the customer’s responsibility.

Such VPNs encapsulate data link protocols including Ethernet, frame relay and ATM in MPLS. The IETF draft documents specifying this are commonly referred to as Draft Martini.

In a Draft Martini deployment, Layer 2 virtual LAN information is mapped to an MPLS label by a label edge router at a customer’s site, then forwarded over label switch routers in a service provider’s network.

Businesses could use such a service to connect remote sites as if they were all on one large Layer 2 VLAN, vendors say, and they argue that security is inherent because nodes in the public network forward traffic based only on MPLS label information rather than IP addresses, creating VPN-like tunnels.
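The two preceding paragraphs describe the Draft Martini encapsulation and the vendors' argument that core nodes forward on labels alone. The following added example (not code from the article, the IETF drafts, or any vendor) walks a constructed Ethernet frame through that path: the ingress edge pushes a two-entry label stack (an outer tunnel label the core swaps hop by hop, an inner VC label naming the customer's circuit), each core router rewrites only the top entry, and the egress edge pops the stack and hands the frame to the right circuit. Label values, router names and the sample frame are constructed; penultimate-hop popping is not modelled, and the 32-bit label entry layout follows RFC 3032.

```python
"""Draft Martini style Ethernet-over-MPLS walk-through (added illustration).

Labels, router names and the sample frame are constructed values.
"""
import struct

BOTTOM_OF_STACK = 1


def encode_label(label, exp=0, bos=0, ttl=64):
    """One 32-bit label stack entry: 20-bit label, 3-bit EXP, 1-bit S, 8-bit TTL."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label out of range")
    return struct.pack("!I", (label << 12) | (exp << 9) | (bos << 8) | ttl)


def decode_label(entry):
    """Return (label, exp, bottom_of_stack, ttl) from the first 4 bytes."""
    (word,) = struct.unpack("!I", entry[:4])
    return word >> 12, (word >> 9) & 0x7, (word >> 8) & 0x1, word & 0xFF


def encapsulate(frame, tunnel_label, vc_label):
    """Ingress edge: push the VC label (bottom of stack), then the tunnel label on top."""
    return encode_label(tunnel_label) + encode_label(vc_label, bos=BOTTOM_OF_STACK) + frame


class LabelSwitchRouter:
    """Core LSR: swaps the top label via its label forwarding table and never
    reads past it, so the Ethernet frame and any IP inside are not consulted."""

    def __init__(self, name, lfib):
        self.name = name
        self.lfib = lfib   # incoming label -> (outgoing label, next hop)

    def forward(self, packet):
        label, exp, bos, ttl = decode_label(packet)
        if ttl <= 1:
            raise ValueError("TTL expired")
        out_label, next_hop = self.lfib[label]
        new_top = encode_label(out_label, exp, bos, ttl - 1)
        return next_hop, new_top + packet[4:]


class EgressEdge:
    """Egress label edge router: pops down to the VC label and maps it to a circuit."""

    def __init__(self, circuits):
        self.circuits = circuits   # VC label -> attachment circuit name

    def deliver(self, packet):
        while True:
            label, _, bos, _ = decode_label(packet)
            packet = packet[4:]
            if bos:
                return self.circuits[label], packet


# Constructed Ethernet frame: dst MAC, src MAC, EtherType 0x0800, then a payload
# the core never inspects. Nothing here is encrypted; it rides the backbone as-is.
SAMPLE_FRAME = bytes.fromhex("00aabbccddee" "001122334455" "0800") + b"customer payload"


def run_path():
    """Ingress -> P1 -> P2 -> egress; returns the hops taken, circuit and frame."""
    packet = encapsulate(SAMPLE_FRAME, tunnel_label=100, vc_label=3001)
    p1 = LabelSwitchRouter("P1", {100: (200, "P2")})
    p2 = LabelSwitchRouter("P2", {200: (300, "PE2")})
    pe2 = EgressEdge({3001: "acme-site-B"})
    hop1, packet = p1.forward(packet)
    hop2, packet = p2.forward(packet)
    circuit, frame = pe2.deliver(packet)
    return [hop1, hop2], circuit, frame


if __name__ == "__main__":
    print(run_path())
```

Two things are visible in the walk-through. Isolation comes from the label forwarding tables: a packet reaches a customer circuit only if the ingress edge pushed that circuit's VC label, and the core decides next hops from labels it was configured with rather than from addresses in the frame. At the same time, `SAMPLE_FRAME` is carried byte-for-byte, which is the point the article's critics make about running these VPNs without IPSec: label separation controls where traffic goes, not who can read it on the path.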

This application is also meant to streamline operations for service providers by supporting legacy network services, such as virtual circuit-based, point-to-point frame relay, on an MPLS infrastructure.

“MPLS makes more effective use of providers’ dollars. It lets providers build out [new services] using the latest equipment while still providing existing services,” says Eric Peterson, director of protocol development at equipment maker Unisphere Networks Inc.