Friday, April 22, 2011

Virtual Private Network Architectures



 In the present economy, service provider profitability hinges on moving beyond a focus on transport to delivering value-added services. The market for managed virtual private network (VPN) services is expected to reach $5.3 billion by 2006, according to research firms IDC and Ovum. Managed VPN services can include e-commerce, IP telephony, managed security, remote site backup, application hosting, and multimedia applications. The type and deployment of a VPN architecture—Multiprotocol Label Switching (MPLS), IP Security (IPSec), or a combination of these—influence the service provider’s market coverage, service offerings, and revenue.

This white paper compares MPLS- and IPSec-based VPN architectures. It begins by explaining the evolution of the two distinct VPN technologies, and the general goals for VPN architectures. Next, it presents the relative strengths of MPLS- and IPSec-based VPNs and explains where service providers can deploy each architecture for optimum advantage. The white paper concludes with a brief description of the integrated IPSec-to-MPLS VPN solution from Cisco Systems, which takes advantage of the respective strengths of the two architectures.

Two VPN Architectures?

In recent years, two Internet Engineering Task Force (IETF) working groups have been established, focusing on three important components of VPNs—Internet security, label switching standardization, and quality of service (QoS). In the IETF’s Routing Area, the MPLS working group is developing mechanisms to support higher-layer resource reservation, QoS and definition of host behaviors. Concurrently, in the IETF’s Security Area, the IPSec working group is concentrating on the protection of the network layer by designing cryptographic security mechanisms that can flexibly support combinations of authentication, integrity, access control, and confidentiality. The IETF has left the issue of integrating MPLS and IPSec to the discretion of networking vendors. As a result, two VPN architectures have emerged—one based heavily on MPLS and the other on IPSec. MPLS- and IPSec-based VPNs are complementary rather than mutually exclusive. Service providers can increase their service footprint and gain other competitive advantages by using the strengths of the two architectures.

Essential Attributes of VPNs
The service goal of VPNs is to provide customer connectivity over a shared infrastructure, with the same policies enjoyed in a private network. A VPN solution must protect against intrusion and tampering, deliver mission-critical data in a reliable and timely manner, and be manageable. Following are essential attributes of VPN architectures.

Scalability:
A service provider’s VPN deployments might range from small office configurations through the largest enterprise implementations, spread across the globe. The VPN architecture must adapt to meet customers’ ever-changing bandwidth and connectivity needs. In today’s fiercely competitive, dynamic market environment, service providers must be able to deploy and provision large service requests rapidly. This requires the ability to scale the VPN to accommodate unplanned growth and changes driven by customer demand. Service providers that have the potential to support tens of thousands of VPNs over the same network maximize their revenue and profit potential.

Security:
It is essential that the VPN protect sensitive data so that it remains confidential. Security mechanisms used in VPNs include tunneling, encryption, traffic separation, packet authentication, user authentication, and access control.
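The mechanisms named here, together with the IPSec goals given earlier (authentication, integrity, access control, confidentiality), can be seen concretely in an ESP-style packet format: a security parameter index (SPI) selects the customer's security association, an integrity check value authenticates the packet, a sequence number drives an anti-replay window, and the payload is encrypted under a per-customer key so that traffic from different VPNs stays separated even on a shared provider network. The following Python is an added example and is not part of the original white paper or of any Cisco product; it substitutes an HMAC-SHA256 counter-mode keystream for the real ESP ciphers so that it runs on the standard library, and the SPIs, keys and payloads are constructed.

```python
"""ESP-style packet protection for a provider's IPsec VPNs: one security
association (SA) per customer selected by SPI, authenticated encryption of the
payload, and a sliding anti-replay window. Illustrative only: the cipher is an
HMAC-SHA256 counter-mode keystream (real ESP uses AES-CBC or AES-GCM), and the
SPIs, keys and payloads below are constructed for the demonstration."""
import hashlib, hmac, os, struct
from dataclasses import dataclass

WINDOW = 64      # anti-replay window, in packets
ICV_LEN = 16     # HMAC-SHA256-128 integrity check value

class DropPacket(Exception):
    """Raised when a packet fails any check and must be discarded."""

@dataclass
class SecurityAssociation:
    spi: int            # security parameter index: selects this SA on receipt
    enc_key: bytes      # confidentiality key (unique per customer VPN)
    auth_key: bytes     # integrity/authentication key (unique per customer VPN)
    seq: int = 0        # sender side: last sequence number used
    highest: int = 0    # receiver side: highest sequence number accepted
    bitmap: int = 0     # receiver side: bit d set => sequence highest-d already seen

def _keystream(key: bytes, spi: int, seq: int, n: int) -> bytes:
    """PRF counter mode; (spi, seq) never repeats within an SA, so neither does the keystream."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack(">IIQ", spi, seq, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def protect(sa: SecurityAssociation, payload: bytes) -> bytes:
    """Sender: SPI | sequence | ciphertext | ICV (encrypt-then-MAC)."""
    sa.seq += 1
    header = struct.pack(">II", sa.spi, sa.seq)
    ct = _xor(payload, _keystream(sa.enc_key, sa.spi, sa.seq, len(payload)))
    icv = hmac.new(sa.auth_key, header + ct, hashlib.sha256).digest()[:ICV_LEN]
    return header + ct + icv

def _replay_update(sa: SecurityAssociation, seq: int) -> None:
    """RFC 4303-style sliding window; called only after the ICV has verified."""
    if seq > sa.highest:
        shift = seq - sa.highest
        sa.bitmap = ((sa.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
        sa.highest = seq
        return
    diff = sa.highest - seq
    if diff >= WINDOW or (sa.bitmap >> diff) & 1:
        raise DropPacket("replayed or too old")
    sa.bitmap |= 1 << diff

def unprotect(sad: dict, packet: bytes) -> bytes:
    """Receiver: SA lookup (access control / traffic separation), ICV check
    (integrity, origin authentication), replay check, then decryption."""
    if len(packet) < 8 + ICV_LEN:
        raise DropPacket("truncated")
    spi, seq = struct.unpack(">II", packet[:8])
    sa = sad.get(spi)
    if sa is None:
        raise DropPacket("no SA for SPI %#x" % spi)
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise DropPacket("bad ICV")
    _replay_update(sa, seq)
    return _xor(body[8:], _keystream(sa.enc_key, spi, seq, len(body) - 8))

def _outcome(sad, packet):
    try:
        return unprotect(sad, packet)
    except DropPacket as e:
        return "drop: " + str(e)

def demo() -> dict:
    """Constructed scenario: customers A and B share one provider network."""
    ka, aa, kb, ab = (os.urandom(32) for _ in range(4))
    a_tx, a_rx = SecurityAssociation(0x100, ka, aa), SecurityAssociation(0x100, ka, aa)
    b_rx = SecurityAssociation(0x200, kb, ab)
    sad = {0x100: a_rx, 0x200: b_rx}          # receiver's security association database
    r = {}
    pkt = protect(a_tx, b"GET /payroll HTTP/1.1")
    r["delivered"] = unprotect(sad, pkt)
    r["replay"] = _outcome(sad, pkt)                           # same packet a second time
    tampered = bytearray(pkt); tampered[10] ^= 0x01            # flip one ciphertext bit
    r["tampered"] = _outcome(sad, bytes(tampered))
    r["forged_spi"] = _outcome(sad, struct.pack(">I", 0x200) + pkt[4:])   # relabelled as B's
    r["unknown_spi"] = _outcome(sad, struct.pack(">I", 0x300) + pkt[4:])
    p2, p3 = protect(a_tx, b"two"), protect(a_tx, b"three")
    r["reordered"] = (unprotect(sad, p3), unprotect(sad, p2))  # in-window reordering is accepted
    return r

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:12s} {v!r}")
```

Each drop in `demo()` corresponds to one attribute from the list: the unknown and forged SPIs fail SA lookup or integrity checking (access control and traffic separation), the flipped bit fails the ICV (packet authentication and integrity), and the repeated packet fails the replay window, while the payload is never readable without the customer's own key (confidentiality).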

QoS:
Support for QoS enables the VPN to prioritize mission-critical or delay-sensitive traffic such as voice and video, and also to manage congestion across varying bandwidth rates. QoS mechanisms include queuing, network congestion avoidance, traffic shaping, and packet classification.
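The mechanisms named here work together on a VPN egress link: packets are classified by their DiffServ marking, placed in per-class queues that are served in priority order, and released at the contracted rate by a token bucket. The following Python is an added example, not part of the original white paper or of any Cisco product; the DSCP-to-class mapping, the link rate and the packet burst are constructed, and a strict-priority scheduler behind a single token bucket with tail drop stands in for the richer schedulers and early-drop congestion avoidance a real platform offers.

```python
"""Egress QoS for a VPN link: DSCP classification, strict-priority queuing,
token-bucket shaping and tail-drop queue limits. Added example with constructed
inputs; real routers add weighted fair queuing and early-drop congestion
avoidance such as WRED, which are not modelled here."""
from collections import deque

# DiffServ code points (decimal) following the RFC 4594 class recommendations
EF, AF41, AF21, CS1, BE = 46, 34, 18, 8, 0
CLASS_OF = {EF: "voice", AF41: "video", AF21: "business", BE: "best-effort", CS1: "scavenger"}
# service order: delay-sensitive classes are always served first
PRIORITY = ["voice", "video", "business", "best-effort", "scavenger"]

def classify(pkt: dict) -> str:
    """Map a packet's DSCP marking to a traffic class; unknown markings get best effort."""
    return CLASS_OF.get(pkt["dscp"], "best-effort")

class TokenBucket:
    """Shapes output to rate_bps, allowing bursts of at most burst_bytes."""
    def __init__(self, rate_bps: int, burst_bytes: int):
        self.rate = rate_bps / 8000.0      # bytes per millisecond
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)
        self.last_ms = 0

    def conforms(self, size: int, now_ms: int) -> bool:
        self.tokens = min(self.burst, self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False

class Shaper:
    def __init__(self, rate_bps: int, burst_bytes: int, queue_limit: int):
        self.queues = {c: deque() for c in PRIORITY}
        self.bucket = TokenBucket(rate_bps, burst_bytes)
        self.queue_limit = queue_limit
        self.dropped = []

    def enqueue(self, pkt: dict) -> None:
        q = self.queues[classify(pkt)]
        if len(q) >= self.queue_limit:     # tail drop when this class's queue is full
            self.dropped.append(pkt["id"])
            return
        q.append(pkt)

    def dequeue(self, now_ms: int):
        """Return the next packet to transmit, or None if the link must wait."""
        for cls in PRIORITY:
            q = self.queues[cls]
            if not q:
                continue
            if self.bucket.conforms(q[0]["size"], now_ms):
                return q.popleft()
            return None   # no tokens: lower classes must not overtake the head packet
        return None

# Constructed arrival burst: id, DSCP marking, size in bytes
PACKETS = [
    {"id": 1, "dscp": BE,   "size": 500},   # bulk data
    {"id": 2, "dscp": EF,   "size": 200},   # voice
    {"id": 3, "dscp": CS1,  "size": 500},   # backup traffic
    {"id": 4, "dscp": AF41, "size": 500},   # video
    {"id": 5, "dscp": EF,   "size": 200},   # voice
    {"id": 6, "dscp": BE,   "size": 500},
    {"id": 7, "dscp": BE,   "size": 500},   # exceeds the best-effort queue limit
]

def simulate(rate_bps: int = 8000, burst_bytes: int = 1500, queue_limit: int = 2):
    """Enqueue the burst at t=0 and drain the link in 100 ms ticks.
    Returns ([(ms, packet id), ...] in transmission order, [dropped ids])."""
    shaper = Shaper(rate_bps, burst_bytes, queue_limit)
    for pkt in PACKETS:
        shaper.enqueue(pkt)
    sent = []
    for now_ms in range(0, 1001, 100):
        while True:
            pkt = shaper.dequeue(now_ms)
            if pkt is None:
                break
            sent.append((now_ms, pkt["id"]))
    return sent, shaper.dropped

if __name__ == "__main__":
    order, drops = simulate()
    for ms, pid in order:
        print(f"t={ms:4d} ms  send packet {pid}")
    print("dropped:", drops)
```

With a 1500-byte burst allowance on an 8 kbit/s link, both voice packets and the video packet leave immediately regardless of arrival order, the bulk packets are metered out at the contracted rate, the scavenger-class backup packet goes last, and the third best-effort packet is tail-dropped because its queue is already full.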

Manageability:
Typical VPN management tasks include:
• Provisioning
• Distributing and installing VPN-enabled customer premises equipment (CPE) and VPN software clients where needed
• Installing security and QoS policies
• Managing and making changes to VPNs
• Billing
• Supporting service-level agreements (SLAs)
To perform these tasks, the service provider relies on an operations support system (OSS). An OSS with automated flow-through provisioning systems, reporting, and monitoring enables service providers to quickly fulfill VPN orders and support SLAs.

Reliability and Redundancy:
The VPN must be able to deliver the predictable and high service availability that business customers expect and require. A combination of reliability and redundancy is the key to maintaining business continuity and recovering from failures. Mechanisms to improve service availability include enabling the VPN network to provide server stateful failover, VPN redirect, VPN session keepalive, VPN redundant server and backup sites. Some of these mechanisms may be offered by the service provider as a premium service at additional cost.
