MPLS Versus IPSEC VPNs: Which one is right for you

An examination of the similarities and differences between IPSEC and MPLS and some insight as to when one should be used over the other.

Virtual private networks are a critical requirement for businesses as they distribute mission-critical and sensitive traffic to remote locations. More and more often, customers are looking at mechanisms for securing traffic and for extending the reach of the enterprise to geographically dispersed locations. IPSEC has been around for quite some time and is offered by most service providers as a mechanism for tunneling traffic across the Internet to areas where the provider has no points of presence. MPLS itself has been around for several years but is only now being widely deployed by service providers. This article will examine the similarities and differences between IPSEC and MPLS and provide insight as to when one should be used over the other.

The goal of a VPN is to provide connectivity over a shared infrastructure that is as secure and as cost-effective as a dedicated private network such as frame relay or ATM. In addition, the VPN solution must be scalable, highly available and easy to manage. Quality of service may be an additional requirement.

IPSEC provides secure transmission of packets at the IP layer, including authentication and encryption of the packets. This is accomplished by using the authentication header (AH) and encapsulating security payload (ESP) features of the IPSEC protocol. IPSEC operates in one of two modes, transport mode and tunnel mode. The difference between the two is that in transport mode only the IP payload is encrypted, whereas in tunnel mode the entire original IP datagram is encrypted and carried behind a new outer IP header.
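To make the transport/tunnel distinction concrete, here is an added Python model (not from the article) of ESP framing in both modes, with NULL encryption (RFC 2410) standing in for the cipher so it runs on the standard library alone; the addresses and key are constructed. It shows that only tunnel mode hides the original endpoint addresses behind the gateways' outer header.

```python
"""IPsec ESP framing (RFC 4303) in transport vs tunnel mode. Added example.
ESP-NULL (RFC 2410) is used so it runs with the standard library; a real SA
applies a cipher over the same byte range. Addresses are constructed."""
import hashlib
import hmac
import struct

ESP_PROTO = 50   # IP protocol number for ESP
IPIP_PROTO = 4   # ESP next-header value for an encapsulated IPv4 datagram
ICV_LEN = 16     # HMAC-SHA-256-128 (RFC 4868) keeps 128 bits of the MAC


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left zero for brevity)."""
    src_b, dst_b = (bytes(int(x) for x in a.split(".")) for a in (src, dst))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       64, proto, 0, src_b, dst_b)


def esp_encapsulate(inner: bytes, next_hdr: int, spi: int, seq: int, key: bytes) -> bytes:
    """SPI | seq | [inner + pad + pad_len + next_hdr] | ICV.  The bracketed span is
    what the SA's cipher encrypts; the ICV also covers the ESP header."""
    pad_len = (-(len(inner) + 2)) % 4          # trailer must end 4-byte aligned
    padding = bytes(range(1, pad_len + 1))     # RFC 4303 default monotonic pad
    esp = struct.pack("!II", spi, seq) + inner + padding + bytes([pad_len, next_hdr])
    return esp + hmac.new(key, esp, hashlib.sha256).digest()[:ICV_LEN]


def transport_mode(datagram: bytes, spi: int, seq: int, key: bytes) -> bytes:
    """Keep the original IP header; only the IP payload goes inside ESP."""
    hdr, payload = datagram[:20], datagram[20:]
    esp = esp_encapsulate(payload, hdr[9], spi, seq, key)
    # retained header: patch total length (bytes 2-3) and protocol (byte 9)
    return (hdr[:2] + struct.pack("!H", 20 + len(esp)) + hdr[4:9]
            + bytes([ESP_PROTO]) + hdr[10:] + esp)


def tunnel_mode(datagram: bytes, gw_src: str, gw_dst: str,
                spi: int, seq: int, key: bytes) -> bytes:
    """Whole original datagram goes inside ESP; a new outer header names the gateways."""
    esp = esp_encapsulate(datagram, IPIP_PROTO, spi, seq, key)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(esp)) + esp


def wire_addresses(packet: bytes) -> tuple:
    """Source/destination an observer on the shared network can read."""
    src, dst = struct.unpack("!4s4s", packet[12:20])
    return ".".join(map(str, src)), ".".join(map(str, dst))


# Constructed sample: a host behind gateway A sends 5 bytes of TCP to a host behind B.
KEY = b"constructed-demo-key"
INNER = ipv4_header("10.1.1.5", "10.2.2.7", 6, 5) + b"hello"
TRANSPORT = transport_mode(INNER, 0x1000, 1, KEY)
TUNNEL = tunnel_mode(INNER, "203.0.113.1", "198.51.100.1", 0x1000, 1, KEY)
```

With ESP-NULL the inner bytes are still readable in both outputs; swapping a real cipher into `esp_encapsulate` hides the bracketed span, but the outer header, and in transport mode therefore the real endpoint addresses, stays in the clear either way.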

MPLS VPNs also separate customer traffic at the IP layer; however, MPLS provides no inherent encryption. Customers' traffic is carried through virtual tunnels called label-switched paths (LSPs). Customers must therefore rely on the service provider to ensure that their data is kept isolated and is not visible to other customers sharing the same infrastructure.

Each of these technologies allows customers to provide connectivity to remotely dispersed locations over a shared IP infrastructure. While IPSEC does provide encryption and authentication, there is a trade-off in performance. IPSEC tunnels can originate on the routers themselves, or they can be offloaded to an outboard concentrator. When the IPSEC tunnels originate on the routers, there is a significant impact on the performance of the routers. This must be taken into consideration when choosing a routing platform that will be initiating IPSEC tunnels. In addition to the performance impact, there is the additional management overhead of configuring, maintaining and managing IPSEC tunnels across the IP cloud. IPSEC key distribution, key management and peering configuration can become overly complex in a large IPSEC deployment.

MPLS, on the other hand, provides one common interface to an IP backbone that handles the virtual tunnel setup through the IP cloud. There is no performance impact on the edge router, and virtually any common router can be used at the edge. The limitations on security over the MPLS backbone are a common concern with many enterprise customers, but to date no security flaws have been seen in an MPLS core. A significant drawback to MPLS is that providers cannot offer MPLS services outside their own region without partnering with other providers' MPLS offerings (this is possible but difficult to deploy). Most providers offer IPSEC tunnels to customers located outside of their footprint.

In summary, MPLS and IPSEC VPNs offer many of the same features and functionality. The choice between MPLS and IPSEC VPNs depends on the size of the deployment and the reach of the providers offering the service. Management and cost are significant factors that must be evaluated. In general, if a large customer chooses MPLS, there will probably be some aspects of IPSEC used for extended reach. If encryption is required, MPLS is not a feasible choice.

Robbie Harrell (CCIE#3873) is the National Practice Lead for Advanced Infrastructure Solutions for SBC Communications. He has over 10 years of experience providing strategic, business, and technical consulting services to clients. Robbie resides in Atlanta, and is a graduate of Clemson University. His background includes positions as a Principal Architect at International Network Services, Lucent, Frontway and Callisma.
