The MPLS-OPS Archive

[Hummel Heinrich <Heinrich.Hummel@icn.siemens.de>]

Hi, see my

 draft-hummel-mpls-hierarchical-lsp-01.txt http://search.ietf.org/internet-drafts/draft-hummel-mpls-hierarchical-lsp-01.txt

In this draft I am pursueing the establishment of Hierarchical-LSPs (H-LSPs), whereby an H-LSP is a label-switched sequence of already existing LSPs. The main application: VPNs which use a) a partial mesh of LSPs between "neighboring sites", plus H-LSPs between "non-neighboring" sites. Hereby the notorious O(n**2) problem is eliminated.

A particular ffs-aspect in this draft is the building of H-LSPs, which concatenate/label-switch IPSEC tunnels (rather than conventional LSPs).

The concatenation would occur on "safe ground only". The number of security associations is reduced (not n, only as many as there are"neighboring"sites.

Wouldn't this fit into your considerations, too ?

 

Regards

Heinrich Hummel

Siemens AG

-----Ursprüngliche Nachricht-----
Von: Roger Clark Williams [mailto:rogerw@nordlink.com]
Gesendet: Freitag, 24. Mai 2002 13:14
An: mpls-ops@mplsrc.com
Betreff: Re: [MPLS-OPS]: ipsec

Prajna, you need to completely separate IPsec and MPLS in your mind. IPsec creates a completely new IP packet. The new header contains the source address of the computer that is doing the IPsec encapsulation and the destination address of the other-side IPsec decryption computer. That is why it is called "encapsulation; there is a new header placed in front of the now-encrypted old header and original data. So, after IPsec is finished its encapsulation work you have:

NewHeader (OldHeader & Original Data)

The stuff within the parentheses has been encrypted, but from the point of view of IP, it is just a bunch of bits being carried as data in an IP packet. ( I realize this is only one of the two possibilities for IPsec, but serves well enough for the explanation)

Now, that new packet is sent on arrives at the ingress PE. The PE sees an HDLC header (assuming a normal serial connection for the moment) and an IP header (the NewHeader). The PE treats that whole arrival as it would treat any normal IP packet. It takes the previously assigned MPLS label (also called a shim header, or a "Layer 2.5" header) and puts that 32-bit label header between the HDLC and IP headers. The original encrypted IP header and original data is seen as just data; it isn't even looked at, it is just the packet payload. If you see this process as a bit like the IPsec process above, just without encryption, you are right. This is why MPLS is seen as an encapsulation or tunneling process in general.

Now you have:
HDLCHeader-MPLSLabel-NewHeader (OldHeader & Original Data)

Or if you think about each layer as an encapsulation process you have:
HDLC(MPLSLabel(NewHeader(OldHeader & Original Data)))

Now the labelled packet is switched across the MPLS network. At the far end egress PE, the last label is stripped (the null label 3), and the packet is forwarded based on standard IP - but using the NewHeader. When the packet arrives at the IPsec decryption device (which was the destination device address in the NewHeader), the IPsec decryption process is done, revealing the OldHeader and Original Data. The packet is forwarded using the OldHeader now. The OldHeader has another destination address in it and the packet is forwarded as normal IP to that address.

For a path you have:

InternalNet-----IPsecEncrypt---IngressPE-----CoreP------EgressPE-------IPsecDecrypt-----InternalNet

The MPLS portion is the PE-PE path. Everything else is normal IP

So: Two IP headers, and the MPLS label is put in front of the NewHeader, not the now-encrypted OldHeader. The entire encrypted OldHeader and Data is just the packet payload.

Does this make sense? If not, ask again. I will do what I can to make it clear.

At 09:46 AM 5/24/2002, you wrote:

Hi Roger
Thanks a lot for the help.scenario seems pretty clear now.but just clear up one more doubt please.How exactly do you think the label insertion and swapping will happen if its an encrypted packet?if the packet is forwarded like any other IP packet,wher does mpls feature in all this(SP n/w)?
when u say how u do the encapsulation,do u mean that i can retain the IP address in a separate header which is required at the PE but where do labels feature then?
thanks & regards
prajna
 

----- Original Message -----

From: Roger Clark Williams

To: mpls-ops@mplsrc.com

Sent: Thursday, May 23, 2002 9:44 PM

Subject: Re: [MPLS-OPS]: ipsec

Pranja, IPsec will run over MPLS quite happily. Think of it this way: IPsec encapsulates the data and perhaps the original header as well (by way of encryption), and adds a new header. The data of this new packet is the old packet and header encrypted. From the point of view of the network, it is just data, just bits and bytes. From the IPsec customer side, it sees just a regular IP connection to a Service Provider. Everybody carries on just as normal - after the customer router does the IPsec encapsulation.

How you deal with the IPsec encapsulation is a different issue from MPLS. That still may require third-party verification, and certainly does require both customer sides to have the proper IPsec setup and relationship between them. The introduction of MPLS is the middle is not seen by the customer IPsec any more than normal IP traffic is bothered by or sees MPLS in the middle.

Encryption and decryption can occur anywhere on the customer site you want it to happen, even on the CE router. Two separate processes, MPLS and IPsec, but IPsec is still just IP to the MPLS functions.

I hope this helps.

Roger Williams

At 04:44 PM 5/23/2002, you wrote:

Hi

Have a doubt.anyone aware of IPSec over MPLS for better security?where exactly does the encryption and decryption occur?

Hoping someone would help me out.

Prajna

*********************************************************

Disclaimer

This message (including any attachments) contains

confidential information intended for a specific

individual and purpose, and is protected by law.

If you are not the intended recipient, you should

delete this message and are hereby notified that

any disclosure, copying, or distribution of this

message, or the taking of any action based on it,

is strictly prohibited.

*********************************************************

Visit us at http://www.mahindrabt.com

------- The MPLS-OPS Mailing List Subscribe/Unsubscribe: http://www.mplsrc.com/mplsops.shtml Archive: http://www.mplsrc.com/mpls-ops_archive.shtml

*********************************************************
Disclaimer

This message (including any attachments) contains
confidential information intended for a specific
individual and purpose, and is protected by law.
If you are not the intended recipient, you should
delete this message and are hereby notified that
any disclosure, copying, or distribution of this
message, or the taking of any action based on it,
is strictly prohibited.

*********************************************************
Visit us at http://www.mahindrabt.com

------- The MPLS-OPS Mailing List Subscribe/Unsubscribe: http://www.mplsrc.com/mplsops.shtml Archive: http://www.mplsrc.com/mpls-ops_archive.shtml