MPLS warnings should be taken seriously

Multi-protocol Label Switching (MPLS) is an emerging standard that presents a number of issues for service providers that are implementing it or considering doing so.

Two prominent Internet researchers from AT&T Labs say Layer 3 MPLS virtual private networks (VPNs) – based on RFC 2547 and the BGP (Border Gateway Protocol) – present a potential routing table management nightmare. What’s more, Layer 2 and Layer 3 MPLS VPNs are a security risk because they don’t encrypt data.

The two researchers also hold leadership positions within the IETF, so their warnings about MPLS should be taken seriously.

The problem with RFC 2547, according to these researchers, is that ISPs must manage a special BGP routing table for each MPLS VPN and store parts of that routing table at every location where the VPN is accessed. This means that ISPs could be managing thousands of routing tables, a situation that’s nearly impossible to administer and scale, the researchers say.

This problem can be circumvented by implementing MPLS VPNs at Layer 2, they say. But that approach is prone to security risks because the information is not automatically encrypted; if traffic is delivered to the wrong party, that party can read it.
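To make the "not encrypted" point concrete, here is an added example (not code from the article or from AT&T Labs) that builds a constructed MPLS-labelled IPv4 packet, strips the label stack the way a label-switching router would, and shows that the customer's IP header and payload sit in the clear beneath it. The label values, addresses and payload are invented for the demonstration; the protocol number 253 is the IANA value reserved for experimentation, used here so no transport header is needed.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class MplsLabel:
    label: int      # 20-bit label value
    tc: int         # 3-bit traffic class (formerly EXP)
    bottom: bool    # bottom-of-stack (S) flag
    ttl: int        # 8-bit time to live


def parse_label_stack(data: bytes) -> Tuple[List[MplsLabel], bytes]:
    """Walk 4-byte label entries until the S bit is set; return stack and payload."""
    stack: List[MplsLabel] = []
    offset = 0
    while True:
        if offset + 4 > len(data):
            raise ValueError("truncated MPLS label stack")
        (entry,) = struct.unpack("!I", data[offset:offset + 4])
        stack.append(MplsLabel(
            label=entry >> 12,
            tc=(entry >> 9) & 0x7,
            bottom=bool((entry >> 8) & 0x1),
            ttl=entry & 0xFF,
        ))
        offset += 4
        if stack[-1].bottom:
            return stack, data[offset:]


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement sum over 16-bit words of the IPv4 header."""
    total = 0
    for i in range(0, len(header), 2):
        word = (header[i] << 8) + (header[i + 1] if i + 1 < len(header) else 0)
        total += word
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(data: bytes) -> Dict[str, object]:
    """Parse a minimal IPv4 header and return addresses plus the cleartext payload."""
    if len(data) < 20 or data[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (data[0] & 0xF) * 4
    total_len = struct.unpack("!H", data[2:4])[0]
    if ipv4_checksum(data[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {
        "proto": data[9],
        "src": ".".join(str(b) for b in data[12:16]),
        "dst": ".".join(str(b) for b in data[16:20]),
        "payload": data[ihl:total_len],
    }


def build_ipv4(src: str, dst: str, payload: bytes, proto: int = 253) -> bytes:
    """Construct an IPv4 packet with a correct header checksum (test data only)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                         0x1234, 0x4000, 64, proto, 0, src_b, dst_b)
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def build_labelled_packet(labels: List[int], src: str, dst: str, payload: bytes) -> bytes:
    """Push a label stack (outermost first) on top of a constructed IPv4 packet."""
    entries = [
        struct.pack("!I", (lab << 12) | (0 << 9) | (int(i == len(labels) - 1) << 8) | 64)
        for i, lab in enumerate(labels)
    ]
    return b"".join(entries) + build_ipv4(src, dst, payload)


def inspect_frame(frame: bytes) -> Dict[str, object]:
    """What a P/PE router (or anyone holding a misdelivered frame) can read."""
    stack, inner = parse_label_stack(frame)
    ip = parse_ipv4(inner)
    return {"labels": [entry.label for entry in stack], **ip}


# Constructed sample: transport label 16001, VPN label 24, customer traffic in the clear.
SAMPLE_PAYLOAD = b"ACCOUNT=4242 BALANCE=100"
SAMPLE_FRAME = build_labelled_packet([16001, 24], "10.1.1.10", "10.2.2.20", SAMPLE_PAYLOAD)

if __name__ == "__main__":
    seen = inspect_frame(SAMPLE_FRAME)
    print("label stack:", seen["labels"])
    print("inner IPv4:", seen["src"], "->", seen["dst"])
    print("cleartext payload:", seen["payload"])
```

The labels only tell the provider's routers where to forward; nothing in the encapsulation protects the inner packet, which is why the researchers' alternative of an encrypted tunnel (IPsec) inside or instead of the MPLS VPN keeps misdelivered or captured traffic unreadable.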

MPLS VPNs are also susceptible to leaked traffic if a connection is disrupted, the researchers say.

They recommend establishing VPNs with encrypted tunnels such as IPSec and forgetting about MPLS altogether, which wipes out one of the killer applications for MPLS.