The ingress router (LSR1) accepts the packets from the server and selects the best LSP based on their destination IP address. It then selects an initial label (of local significance) for each packet and forwards the packets using MPLS. When Router2 receives the packets, it uses these labels to identify the LSPs, from which it selects the next hops (R3 & R4) and labels (43 & 12). At the end of the path, the egress routers (R3 & R4) remove the final label and send the packet out to the local network.

One of the great advantages offered by MPLS networks is the built-in Quality of Service mechanisms. MPLS service providers usually offer an end-to-end QoS policy to ensure their customers' MPLS networks have guaranteed QoS through the MPLS backbone. This allows delay-sensitive services such as VoIP to be implemented with guaranteed bandwidth between the endpoints. There really is no limitation to the type of services that can be run over an MPLS network. The QoS mechanisms and prioritisation services allow the quick and effective forwarding of traffic between customer endpoints.
a routing protocol such as BGP or static routes. The Provider Edge router keeps per-site forwarding tables, also known as VPN Routing and Forwarding tables (VRFs). At the Provider Edge router, each VRF serves a particular interface (or set of interfaces) belonging to an individual VPN. Each Provider Edge router is configured by the service provider with its own unique VRF. Routers within the MPLS VPN network do not share VRF information directly.
The above diagram illustrates a typical MPLS VPN network where VRFs are unique for each VPN connected to a particular Provider Edge router.

What's important about MPLS VPN services is that there is no boundary to the type of WAN technology used. This means you can run MPLS over ATM (also known as MPLS IP VPN over ADSL), leased lines, satellite links, wireless links and much more. This flexibility makes MPLS networks a preferred method of connecting offices to each other. The ISP provides the interface to which the local network is connected (usually a router with a LAN interface), and all that's required is to connect the provided interface to the local network, set the necessary equipment to use the new gateway (the MPLS CE router), and everything magically works!

Internet access is also possible through the MPLS IP VPN service: the service provider (ISP) typically announces the routes of customers that require direct access to the Internet, without affecting the performance of their intrasite VPN links. For example, this means that it's possible to have a 1024Kbps MPLS link to your ISP which splits into a 512Kbps MPLS IP VPN link to your remote site and a further 512Kbps link to the Internet. The ISP completely separates these two virtual links, even though they run through the same interface. The link providing Internet access makes use of Network Address Translation (NAT) to translate the private address space of the customer's network. In this case, the customer reveals no more information to the Internet than it would with any normal Internet connection.
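The label switching and per-interface VRF lookup described above, as an added example (not code from the original article): the ingress PE looks the destination up only in the VRF bound to the arrival interface and pushes a label, R2 chooses the next hop from the label alone and swaps it, and the egress router pops the final label. Router names R3/R4 and labels 43/12 follow the article's figure; every other prefix, label and interface name is constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field
import ipaddress

@dataclass
class Packet:
    dst: str
    labels: list = field(default_factory=list)   # MPLS label stack, top is last

# Constructed tables (not from the article; R3/43 and R4/12 follow its figure).
# PE1 keeps one forwarding table per VRF, each bound to a customer-facing
# interface; labels have local significance, naming an LSP on the PE1 -> R2 link.
PE1_IFACE_TO_VRF = {"Gi0/1": "CUST_A", "Gi0/2": "CUST_B"}
PE1_VRF = {
    "CUST_A": {"10.1.0.0/16": 100, "10.2.0.0/16": 200},
    "CUST_B": {"10.1.0.0/16": 300},   # same private prefix as CUST_A, other VPN
}
# R2 label forwarding table: incoming label -> (next hop, outgoing label).
R2_LFIB = {100: ("R3", 43), 200: ("R4", 12), 300: ("R4", 17)}

def ingress(iface: str, pkt: Packet) -> Packet:
    """PE1: longest-prefix match in the arrival interface's VRF only, push label."""
    vrf_name = PE1_IFACE_TO_VRF[iface]
    dst = ipaddress.ip_address(pkt.dst)
    matches = [(ipaddress.ip_network(p), lbl) for p, lbl in PE1_VRF[vrf_name].items()
               if dst in ipaddress.ip_network(p)]
    if not matches:   # a VRF never sees another customer's routes
        raise LookupError(f"no route to {pkt.dst} in VRF {vrf_name}")
    pkt.labels.append(max(matches, key=lambda m: m[0].prefixlen)[1])
    return pkt

def transit(pkt: Packet) -> tuple[str, Packet]:
    """R2: choose the next hop from the label alone and swap to the outgoing label."""
    next_hop, out_label = R2_LFIB[pkt.labels.pop()]
    pkt.labels.append(out_label)
    return next_hop, pkt

def egress(pkt: Packet) -> Packet:
    """R3/R4: pop the final label; a plain IP packet enters the customer LAN."""
    pkt.labels.pop()
    return pkt

def forward(iface: str, dst: str) -> tuple[str, list[int]]:
    """Carry one packet PE1 -> R2 -> egress; return (egress router, labels used)."""
    pkt = ingress(iface, Packet(dst))
    labels_used = [pkt.labels[-1]]
    next_hop, pkt = transit(pkt)
    labels_used.append(pkt.labels[-1])
    egress(pkt)
    return next_hop, labels_used
```

The same destination address arriving on the two customer interfaces takes two different LSPs, and a destination not present in a VRF is unreachable from that VPN even though another VRF carries it.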
Resistance to Attacks
There is a growing concern as to how secure MPLS IP VPNs really are and how they can be protected from Internet attacks. Fortunately, the answer is pretty straightforward and doesn't require a lot of technical analysis to see why. In pure MPLS IP VPN environments without Internet access, where the network is used to connect different sites, the core network and customer address space are concealed 100%. This means that no information is revealed to third parties or the Internet. With no information revealed, hackers are unable to obtain critical information such as router IP addresses in order to perform Denial of Service (DoS) attacks and bring down the network. In addition, service providers prevent their routers from being reachable via the Internet by using well-known techniques such as packet filtering and applying access control lists (ACLs) that permit access to the routing protocol ports (e.g. BGP) only from specific areas within their network.

In an environment where Internet access is provided to the customer via the MPLS link, ISPs use similar mechanisms to lock down their Customer Edge routers that provide access to the Internet. In addition, the routing protocols used by the ISP have built-in mechanisms that are usually enabled and increase the security level even more. A few examples are the configuration of MD5 authentication for routing protocols (BGP, OSPF etc.), configuration of the maximum number of routes accepted per Virtual Routing and Forwarding instance (VRF), and a few more.
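The three provider-side controls just listed (a BGP-port ACL, MD5 authentication on BGP neighbors, and a route limit per VRF) are the kind of thing a defender checks for in a configuration review. The following is an added example, not code from the article or any vendor: it audits a constructed Cisco IOS-style fragment for those three settings. Addresses, VRF names and the key are placeholders, and the ACL check only confirms that a deny for TCP/179 exists, not that the ACL is applied anywhere.

```python
import re
# Constructed IOS-style fragment (not from the article): CUST_A has a route
# limit and an MD5-protected neighbor, CUST_B has neither; an ACL denies TCP/179
# from everything except one peer. Addresses and the key are placeholders.
SAMPLE_CONFIG = """\
ip vrf CUST_A
 rd 65000:1
 maximum routes 500 80
!
ip vrf CUST_B
 rd 65000:2
!
ip access-list extended BGP-PEERS
 permit tcp host 192.0.2.2 host 192.0.2.1 eq bgp
 deny tcp any any eq bgp
!
router bgp 65000
 address-family ipv4 vrf CUST_A
  neighbor 192.0.2.2 remote-as 65001
  neighbor 192.0.2.2 password EXAMPLE-KEY
 address-family ipv4 vrf CUST_B
  neighbor 198.51.100.2 remote-as 65002
"""

def audit(config: str) -> dict[str, list[str]]:
    """Report VRFs without a route limit, neighbors without MD5, and a missing TCP/179 filter."""
    vrf_has_limit: dict[str, bool] = {}
    nbr_has_md5: dict[str, bool] = {}
    cur_vrf, bgp_port_filtered = None, False
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):          # a new top-level stanza begins
            cur_vrf = None
        if (m := re.match(r"ip vrf (\S+)$", line)):
            cur_vrf = m.group(1)
            vrf_has_limit.setdefault(cur_vrf, False)
        elif line.startswith("maximum routes ") and cur_vrf:
            vrf_has_limit[cur_vrf] = True
        elif (m := re.match(r"neighbor (\S+) remote-as ", line)):
            nbr_has_md5.setdefault(m.group(1), False)
        elif (m := re.match(r"neighbor (\S+) password ", line)):
            nbr_has_md5[m.group(1)] = True
        elif re.match(r"deny +tcp +any +any +eq +(bgp|179)$", line):
            bgp_port_filtered = True   # presence only; the ACL must still be applied
    return {
        "vrf_without_route_limit": [v for v, ok in vrf_has_limit.items() if not ok],
        "neighbor_without_md5": [n for n, ok in nbr_has_md5.items() if not ok],
        "bgp_port_not_filtered": [] if bgp_port_filtered else ["no deny for TCP/179"],
    }
```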
- Modification of packets in transit between the sites
- Eavesdropping anywhere between the CE, PE or P routers
PE-PE IPSec

This method is by far less secure than the previous one examined. IPSec encryption occurs from the PE routers onwards, leaving the rest of the network unencrypted and therefore not providing true VPN security. PE-PE IPSec offers true protection against the following threats:
- Eavesdropping between the PE or P routers

Generally, point-to-point connections are easy to manage, but when the scenario gets more complex with multiple endpoints, IPSec tunnels do have a considerable administrative overhead that shouldn't be taken lightly. For example, maintaining an IPSec topology between 5 sites requires the configuration of multiple crypto IPSec tunnels on each router located at every site. Any change made to one router (e.g. internal routes or LAN IP addressing) requires the reconfiguration of all other routers so that the IPSec tunnels continue working correctly.
Despite the advantages, one must keep in mind the following disadvantages of DSL IP VPNs:
- In order to obtain high VPN speeds between sites, both CE routers must connect to the same ISP so they run on a common backbone.
- CE routers are directly exposed to the Internet and therefore are vulnerable to DoS attacks.
- QoS is not usually guaranteed. Because packets are routed through the ISP backbone using the same path and priority normal Internet users have, there is no QoS guarantee.
- Limited scalability. Site-to-site DSL IP VPN is great for up to a few sites. Depending on the number of users located at each site, more than one DSL connection might be required per site.

In our next article we will examine DSL IP VPNs in much greater depth, including DSL IP VPN requirements, their security and encryption mechanisms, QoS methods, backup methods, and much more.