by Mohamed Saad, Network Engineer - CCIE#53414, DNV GL SE
MPLS-based VPNs:
• Scalability—A well-executed MPLS-based VPN deployment is capable of supporting tens of thousands of VPNs over the same network. MPLS-based VPNs scale well because they do not require the full-mesh, end-to-end site peering across the network.
• Security—MPLS provides traffic separation between VPNs by using unique route distinguishers. Route distinguishers are assigned automatically when the VPN is provisioned and are placed in packet headers to provide traffic separation. They are not seen by end users within the VPN group. MPLS VPN privacy is similar to the privacy in traditional WAN infrastructures such as Frame Relay and ATM. Miercom, which provides independent testing and analysis of networking services, has demonstrated that MPLS allows VPNs to be created through the core while providing security through data isolation. Additionally, networks can be designed so that customer routers have no knowledge of the core network, and likewise, the core routers have no knowledge of the customer edge.
The IPSec VPN protocol, a framework of open standards, provides any combination of the following network security services:
• Data confidentiality—Encrypts packets before transmission
• Data integrity—Authenticates packets to help ensure that the data has not been altered during transmission
• Data origin authentication—Authenticates the source of received packets, in conjunction with the data integrity service
• Antireplay—Detects aged or duplicate packets, rejecting them to avoid replay attacks
The IPSec standard also defines several new packet formats, such as Encapsulating Security Payload (ESP), for confidentiality. ESP supports any type of symmetric encryption, including standard 56-bit Data Encryption Standard (DES), the more secure Triple DES (3DES) standard, and the emerging Advanced Encryption Standard (AES). IPSec parameters are communicated and negotiated between network devices in accordance with the Internet Key Exchange (IKE) protocol.
The IPSec protocol provides protection for IP packets by allowing network designers to specify the traffic that needs protection, define how that traffic is to be protected, and control who can receive the traffic. IPSec VPNs replace or augment existing private networks based on traditional WAN infrastructures such as leased-line, Frame Relay, or ATM. IPSec VPNs fulfill the same requirements as these WAN alternatives, such as support for multiple protocols, high reliability, and scalability. The advantage of IPSec is that it meets network requirements more cost-effectively and with greater flexibility by using today's most pervasive transport technologies: the public Internet, service provider IP backbones, and MPLS-based networks.
It is totally different. IP VPN uses other protocols such as IPSec and GRE, or both of them, for layer 3 connectivity, and uses L2TP for layer 2 connectivity.
MPLS VPN can be used for L3 or L2 VPN and is preferred for service provider environments. It is a very efficient and powerful solution, but it lacks encryption for data security, and if you need to add this feature you must use your own mechanisms.
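The answer above lists the IPSec services (integrity, origin authentication, anti-replay) as bullet points. The following is an added example, not code from the post or from any IPSec implementation, showing how a receiver enforces three of them on a toy ESP-like packet: a 32-bit sequence number, a payload, and an integrity check value (ICV). Assumptions: a single constructed shared key stands in for what IKE would negotiate, HMAC-SHA256 truncated to 128 bits is the integrity algorithm, and encryption is left out so the anti-replay window (the bitmap scheme described in RFC 4303 Appendix A) stays the focus.

```python
import hmac
import hashlib
import struct

# Constructed shared key for the toy SA (assumption; real IPsec keys come from IKE).
SA_KEY = b"constructed-demo-key-not-for-real-use"
ICV_LEN = 16  # truncated HMAC-SHA256 tag, as ESP does with HMAC-SHA-256-128


def protect(seq: int, payload: bytes, key: bytes = SA_KEY) -> bytes:
    """Sender side: prepend a 32-bit sequence number and append an ICV over seq+payload.

    Toy ESP-like format (assumption): no SPI, no padding, no encryption.
    """
    header = struct.pack("!I", seq)
    icv = hmac.new(key, header + payload, hashlib.sha256).digest()[:ICV_LEN]
    return header + payload + icv


class AntiReplayReceiver:
    """Receiver state for one SA: ICV check plus an RFC 4303-style sliding window."""

    def __init__(self, key: bytes = SA_KEY, window_size: int = 64):
        self.key = key
        self.window_size = window_size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (highest - i) already accepted

    def receive(self, packet: bytes):
        """Return (payload, verdict); payload is None unless verdict == 'ok'."""
        if len(packet) < 4 + ICV_LEN:
            return None, "malformed"
        header, body, icv = packet[:4], packet[4:-ICV_LEN], packet[-ICV_LEN:]
        (seq,) = struct.unpack("!I", header)

        # 1. Anti-replay pre-check (cheap, done before the MAC): drop sequence
        #    numbers that fall behind the window or were already accepted.
        if seq == 0:
            return None, "replay"  # ESP sequence numbers start at 1
        if seq <= self.highest:
            diff = self.highest - seq
            if diff >= self.window_size or (self.bitmap >> diff) & 1:
                return None, "replay"

        # 2. Integrity + data origin authentication: constant-time ICV comparison.
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(expected, icv):
            return None, "bad_icv"

        # 3. Window state is updated only after the ICV verified, so a forged
        #    packet cannot move the window and cause genuine traffic to be dropped.
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window_size) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)
        return body, "ok"


def demo():
    """Constructed traffic: in-order, reordered, replayed and tampered packets."""
    rx = AntiReplayReceiver()
    p1, p2, p3 = protect(1, b"a"), protect(2, b"b"), protect(3, b"c")
    tampered = bytearray(protect(4, b"d"))
    tampered[4] ^= 0x01  # flip one bit of the payload; the ICV no longer matches
    sequence = (p1, p3, p2, p1, bytes(tampered), protect(4, b"d"))
    return [rx.receive(p)[1] for p in sequence]


if __name__ == "__main__":
    print(demo())
```

Reordering within the window (sequence 3 before 2) is accepted, the replayed packet 1 and the tampered packet 4 are rejected, and the genuine packet 4 still passes because the forged one never advanced the window.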
by Shahzad Ayub, Senior Network Security Engineer, solutions by stc
IP VPN requires full-mesh connectivity, which makes it complex, and QoS implementation is complex in IP VPN, whereas MPLS VPN provides point-to-cloud single-point connectivity and we can implement per-VPN QoS in MPLS VPN.