The MPLS-OPS Archive

[Roger Clark Williams <rogerw@nordlink.com>]

Prajna, you need to completely separate IPsec and MPLS in your mind.
IPsec creates a completely new IP packet. The new header contains the
source address of the computer that is doing the IPsec encapsulation and
the destination address of the other-side IPsec decryption computer. That
is why it is called "encapsulation; there is a new header placed in
front of the now-encrypted old header and original data. So, after IPsec
is finished its encapsulation work you have:

NewHeader (OldHeader & Original Data)

The stuff within the parentheses has been encrypted, but from the point
of view of IP, it is just a bunch of bits being carried as data in an IP
packet. ( I realize this is only one of the two possibilities for IPsec,
but serves well enough for the explanation)

Now, that new packet is sent on arrives at the ingress PE. The PE sees an
HDLC header (assuming a normal serial connection for the moment) and an
IP header (the NewHeader). The PE treats that whole arrival as it would
treat any normal IP packet. It takes the previously assigned MPLS label
(also called a shim header, or a "Layer 2.5" header) and puts
that 32-bit label header between the HDLC and IP headers. The original
encrypted IP header and original data is seen as just data; it isn't even
looked at, it is just the packet payload. If you see this process as a
bit like the IPsec process above, just without encryption, you are right.
This is why MPLS is seen as an encapsulation or tunneling process in
general.

Now you have:
HDLCHeader-MPLSLabel-NewHeader (OldHeader & Original Data)

Or if you think about each layer as an encapsulation process you
have:
HDLC(MPLSLabel(NewHeader(OldHeader & Original Data)))

Now the labelled packet is switched across the MPLS network. At the far
end egress PE, the last label is stripped (the null label 3), and the
packet is forwarded based on standard IP - but using the NewHeader. When
the packet arrives at the IPsec decryption device (which was the
destination device address in the NewHeader), the IPsec decryption
process is done, revealing the OldHeader and Original Data. The packet is
forwarded using the OldHeader now. The OldHeader has another destination
address in it and the packet is forwarded as normal IP to that
address.

For a path you have:

InternalNet-----IPsecEncrypt---IngressPE-----CoreP------EgressPE-------IPsecDecrypt-----InternalNet

The MPLS portion is the PE-PE path. Everything else is normal IP

So: Two IP headers, and the MPLS label is put in front of the NewHeader,
not the now-encrypted OldHeader. The entire encrypted OldHeader and Data
is just the packet payload.

Does this make sense? If not, ask again. I will do what I can to make it
clear.

At 09:46 AM 5/24/2002, you wrote:

Hi Roger
Thanks a lot for the help.scenario seems pretty clear now.but just clear up one more doubt please.How exactly do you think the label insertion and swapping will happen if its an encrypted packet?if the packet is forwarded like any other IP packet,wher does mpls feature in all this(SP n/w)?
when u say how u do the encapsulation,do u mean that i can retain the IP address in a separate header which is required at the PE but where do labels feature then?
thanks & regards
prajna
 

----- Original Message -----

From: Roger Clark Williams

To: mpls-ops@mplsrc.com

Sent: Thursday, May 23, 2002 9:44 PM

Subject: Re: [MPLS-OPS]: ipsec

Pranja, IPsec will run over MPLS quite happily. Think of it this way: IPsec encapsulates the data and perhaps the original header as well (by way of encryption), and adds a new header. The data of this new packet is the old packet and header encrypted. From the point of view of the network, it is just data, just bits and bytes. From the IPsec customer side, it sees just a regular IP connection to a Service Provider. Everybody carries on just as normal - after the customer router does the IPsec encapsulation.

How you deal with the IPsec encapsulation is a different issue from MPLS. That still may require third-party verification, and certainly does require both customer sides to have the proper IPsec setup and relationship between them. The introduction of MPLS is the middle is not seen by the customer IPsec any more than normal IP traffic is bothered by or sees MPLS in the middle.

Encryption and decryption can occur anywhere on the customer site you want it to happen, even on the CE router. Two separate processes, MPLS and IPsec, but IPsec is still just IP to the MPLS functions.

I hope this helps.

Roger Williams

At 04:44 PM 5/23/2002, you wrote:

Hi

Have a doubt.anyone aware of IPSec over MPLS for better security?where exactly does the encryption and decryption occur?

Hoping someone would help me out.

Prajna

*********************************************************

Disclaimer

This message (including any attachments) contains

confidential information intended for a specific

individual and purpose, and is protected by law.

If you are not the intended recipient, you should

delete this message and are hereby notified that

any disclosure, copying, or distribution of this

message, or the taking of any action based on it,

is strictly prohibited.

*********************************************************

Visit us at http://www.mahindrabt.com

------- The MPLS-OPS Mailing List Subscribe/Unsubscribe: http://www.mplsrc.com/mplsops.shtml Archive: http://www.mplsrc.com/mpls-ops_archive.shtml

*********************************************************
Disclaimer

This message (including any attachments) contains
confidential information intended for a specific
individual and purpose, and is protected by law.
If you are not the intended recipient, you should
delete this message and are hereby notified that
any disclosure, copying, or distribution of this
message, or the taking of any action based on it,
is strictly prohibited.

*********************************************************
Visit us at http://www.mahindrabt.com

-------
The MPLS-OPS Mailing List
Subscribe/Unsubscribe:  http://www.mplsrc.com/mplsops.shtml
Archive: http://www.mplsrc.com/mpls-ops_archive.shtml