The MPLS-OPS Archive
Re: IPSec and MPLS
At 08:18 PM 2/19/2002 +0100, Alfred Denzler wrote:
>I'm planning to introduce an IP encryption service on our MPLS network, and
>would like to hear your opinion of how IPSec and MPLS are matching. They are
>both used to build VPNs over a public network and it seems pointless to use
>them in combination! Except when we want to encrypt VPN traffic over an MPLS
>network.
Most service provider networks offer a combination of MPLS RFC2547bis VPNs
and IPSec VPNs because they are often complementary technologies. MPLS IP
VPN connections are great for the customers that you can reach "on net" --
i.e. they are in locations where your network goes. For customer sites in
locations where you have no presence ("off net"), IPSec VPNs are an
excellent complement to MPLS.
Also, MPLS IP VPNs offer no easy way to connect remote users who are on the
road, dialing into the network or using 802.11 wireless connections at
airports / Starbucks / wherever, or just plain Ethernet in a client's
office. Giving them IPSec clients on their PCs and allowing them to join
the VPN through an IPSec tunnel is an excellent solution where MPLS 2547
offers no capability.
>- What is the impact on performance when turning on IPSec on a CE? (not
>directly related to MPLS)
Payload encryption is a major CPU hog unless there is dedicated crypto
hardware in the CE.
>- Is IPsec really scalable in VPNs with 100-200 sites?
Entirely depends on your key sharing approach.
>- As a consequence of using IPSec in an MPLS network, can I still offer CoS
>or are there any restrictions? (queuing, traffic classification, DSCP in IPSec
>header)
Most IPSec tunnel mode implementations copy the DSCP from the data packet
header to the encapsulating packet header. Of course, if you are worried
about traffic analysis, this may be a bad thing, but if you are more
concerned about QoS, it is a good thing.
>- How is key management solved if encryption happens on a managed CE and key
>management has to be done by the customer?
Best option is IPSec management software at that point.
Cheers,
Mathew
| Mathew Lodge | mathew@cplane.com |
| Director, Product Management | Ph: +1 408 789 4068 |
| CPLANE, Inc. | http://www.cplane.com |
-------
The MPLS-OPS Mailing List
Subscribe/Unsubscribe: http://www.mplsrc.com/mplsops.shtml
Archive: http://www.mplsrc.com/mpls-ops_archive.shtml
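
The DSCP trade-off mentioned in the reply above, as an added example that is not part of the original post: a tunnel-mode encapsulator that either copies the inner DSCP to the outer header or resets it, and what an on-path device can then tell apart. Function names, the SPI and the documentation-range addresses are constructed for illustration, and the ESP body is a zero-filled placeholder rather than real ciphertext.

```python
import socket
import struct

ESP = 50  # IP protocol number for ESP

def checksum(data):
    """RFC 1071 Internet checksum over an even-length byte string."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, dscp):
    """20-byte IPv4 header, no options, ECN bits left at 0."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + payload_len,
                      0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def dscp_of(packet):
    """DSCP is the top six bits of the second header byte."""
    return packet[1] >> 2

def tunnel_encapsulate(inner, gw_src, gw_dst, copy_dscp=True):
    """Wrap `inner` in an outer IPv4 + ESP header (tunnel mode layout).
    The ESP body is a zero-filled stand-in; no real encryption is done."""
    esp = struct.pack("!II", 0x1000, 1) + bytes(len(inner))  # SPI, seq, placeholder
    outer_dscp = dscp_of(inner) if copy_dscp else 0
    return ipv4_header(gw_src, gw_dst, ESP, len(esp), outer_dscp) + esp

# Constructed sample traffic between two customer sites (documentation addresses).
VOICE = ipv4_header("192.0.2.10", "198.51.100.20", 17, 0, 46)  # EF
BULK = ipv4_header("192.0.2.10", "198.51.100.20", 6, 0, 0)     # best effort

def observer_view(copy_dscp):
    """What an on-path device sees: only the outer DSCP of each packet."""
    return [dscp_of(tunnel_encapsulate(p, "203.0.113.1", "203.0.113.2", copy_dscp))
            for p in (VOICE, BULK)]

if __name__ == "__main__":
    print("copy DSCP :", observer_view(True))
    print("reset DSCP:", observer_view(False))
```

With copying enabled the core can still queue the voice packet as EF, and the same marking lets an observer separate traffic classes without decrypting anything; with the outer DSCP reset, both packets look identical and per-class QoS is lost.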