
VPN over MPLS may raise issues

Eight million Hong Kong residents will be able to watch movies on their home computers by plugging into Ethernet outlets in their apartments, thanks to MPLS. But running VPNs over the network may cause problems, says a prominent researcher.
Written by Max Smetannikov, Contributor
Plans to deploy virtual private networks using a new technology have sparked recent controversy, with the debate illustrating the need for technology managers to tune in to different ways carriers propose using Multiprotocol Label Switching.

MPLS is a way of managing traffic that lets carriers forward packets along pre-established label-switched paths rather than by hop-by-hop IP lookup. That lets them carry different types of data traffic over one IP backbone and improves their ability to offer different classes of service.

Today marks the biggest deployment yet of a VPN over MPLS: Eight million Hong Kong residents will be able to watch movies on their home computers by plugging into Ethernet outlets in their apartments.

But one influential researcher, Randy Bush, has gone so far as to say an up-and-coming technique for setting up MPLS-based VPNs would ruin the networks supporting them. The AT&T Labs scientist warns of network management problems and potential security issues that may arise as a result of errors by network operators running complex VPN setups.

Bush focused his criticism on a technique outlined in RFC 2547, an Internet Engineering Task Force informational document promoted by vendors such as Cisco Systems and Juniper Networks. The MPLS technique is supposed to provide businesses with IP VPNs that are as much as 30 percent cheaper to run than those using Asynchronous Transfer Mode or frame relay.

The technique uses Border Gateway Protocol (BGP), the protocol that builds routing tables in large networks. Those tables map destination address blocks to the next router a packet should be forwarded to. Many service providers already have trouble managing these tables to ensure good connectivity, because a change in one table affects many others.

Adding thousands of such tables, one per customer VPN as proposed by Cisco and Juniper, would make managing this software close to impossible, Bush said.
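The failure mode Bush is pointing at can be made concrete with a small model. The following is an added illustration, not code from the article, from Cisco or Juniper, or from RFC 2547 itself: it mimics a provider edge router that keeps one routing table per customer VPN, tags each customer route with a route distinguisher and export route targets, and imports routes into a table purely on a route-target match. The customer names, the 10.1.0.0/24 prefix, the next hops and the 65000:* numbers are all made up. The point it shows is that one mistyped route target silently pulls one customer's routes into another customer's table, and that a simple configuration-time audit of overlapping route targets would have flagged the error.

```python
"""Toy model of RFC 2547-style per-VPN routing tables (VRFs).

Added illustration only; not the article's, the vendors', or the RFC's code.
It models two pieces of the technique: a separate routing table per customer
VPN on the provider edge (PE), and BGP-carried route-target communities that
decide which VPN routes land in which table. All names and numbers are made up.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VpnRoute:
    """One VPN route as carried between PE routers by BGP."""
    rd: str                    # route distinguisher: keeps overlapping customer prefixes distinct
    prefix: str
    next_hop: str
    route_targets: frozenset   # extended communities attached when the route is exported


@dataclass
class Vrf:
    """One customer's virtual routing table on a PE."""
    name: str
    rd: str
    import_rts: frozenset
    export_rts: frozenset
    table: dict = field(default_factory=dict)   # prefix -> [VpnRoute, ...]


class ProviderEdge:
    def __init__(self):
        self.vrfs = {}
        self.vpnv4_rib = []   # every VPN route learned via BGP, all customers mixed together

    def add_vrf(self, vrf):
        self.vrfs[vrf.name] = vrf

    def advertise(self, vrf_name, prefix, next_hop):
        """A customer route enters a VRF, is tagged with that VRF's RD and export
        route targets, and becomes visible to every VRF through the shared RIB."""
        vrf = self.vrfs[vrf_name]
        self.vpnv4_rib.append(VpnRoute(vrf.rd, prefix, next_hop, vrf.export_rts))
        self._reimport()

    def _reimport(self):
        # The import decision is only "does any export RT match an import RT".
        # Nothing checks whether the route actually belongs to this customer.
        for vrf in self.vrfs.values():
            vrf.table = {}
            for route in self.vpnv4_rib:
                if route.route_targets & vrf.import_rts:
                    vrf.table.setdefault(route.prefix, []).append(route)


def leaks(pe):
    """Routes sitting in a VRF whose RD belongs to a different VRF: cross-VPN leakage."""
    found = []
    for vrf in pe.vrfs.values():
        for prefix, routes in sorted(vrf.table.items()):
            for r in routes:
                if r.rd != vrf.rd:
                    found.append((vrf.name, prefix, r.rd))
    return found


def rt_audit(pe):
    """Configuration-time check: which VRFs import a route target that another VRF
    exports? Every hit is either an intended shared VPN or a provisioning error."""
    hits = []
    for importer in pe.vrfs.values():
        for exporter in pe.vrfs.values():
            if importer is exporter:
                continue
            for rt in sorted(importer.import_rts & exporter.export_rts):
                hits.append((importer.name, exporter.name, rt))
    return hits


def build_pe(globex_import_rt):
    """Two constructed customers that both use 10.1.0.0/24 internally."""
    pe = ProviderEdge()
    pe.add_vrf(Vrf("ACME", "65000:100", frozenset({"65000:100"}), frozenset({"65000:100"})))
    pe.add_vrf(Vrf("GLOBEX", "65000:200", frozenset({globex_import_rt}), frozenset({"65000:200"})))
    pe.advertise("ACME", "10.1.0.0/24", "192.0.2.1")
    pe.advertise("GLOBEX", "10.1.0.0/24", "192.0.2.2")
    return pe


if __name__ == "__main__":
    good = build_pe("65000:200")
    print("correct config, leaks:", leaks(good))
    bad = build_pe("65000:100")   # one wrong digit in GLOBEX's import route target
    print("typo config, leaks:", leaks(bad))
    print("typo config, RT audit:", rt_audit(bad))
```

In the mistyped configuration GLOBEX's table ends up holding ACME's 10.1.0.0/24 and none of its own, so GLOBEX traffic for that block would be forwarded toward ACME's site. Real BGP/MPLS deployments add best-path selection and many more knobs, but the import rule is just as mechanical, which is why the route-target audit belongs in a provider's provisioning pipeline rather than in a troubleshooting session afterwards.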

"It severely complicates the core," Bush said. "It's a serious issue of managing one BGP table — you want me to have how many thousand of them? But it is a great scam to sell more routers to hold all those BGP tables!"

If Bush is correct, business customers might run into problems after purchasing services from network providers using this provisioning scheme. Shopping for services such as VPNs could get complicated, with users having to understand finer points of data networking to ensure that the service they buy today will still be working tomorrow.

One key distinction I-managers need to make is between VPNs offered over low bandwidth, such as to remote offices, and those offered over fatter pipes, such as in metro networks, said Irwin Lazar, a senior consultant at The Burton Group. The two kinds of network tend to deploy MPLS in different layers.

Most metro networks using MPLS that base services on VPN-type functionality provision those services in Layer 2 of the network and offer them over a high-bandwidth pipe. Layer 2, the "dumber" part of the data pipe, carries frames between directly attached points and can tell which upper-layer protocol a frame belongs to, but it does not participate in routing packets between networks. Layer 3, the "smarter" layer that actually routes packets, is where the RFC 2547 technique would be deployed.

It is a Layer 2 MPLS VPN that Hutchison Global Crossing is using in Hong Kong. Executives at router vendor Riverstone Networks, which won the multimillion-dollar Hutchison contract, said for the time being they are steering clear of Layer 3 MPLS VPNs. "Trying to provision VPNs using the Layer 3 BGP approach is quite a complex task for an average service provider; the Layer 2 approach is a lot simpler and easier to provision," said Tim Wu, Riverstone's technical marketing director.

The Hong Kong system Riverstone helped build dynamically provides dedicated virtual circuits to millions of users. It enables services such as movies-on-demand, where individual users are assigned bandwidth streams with a guaranteed quality level.

Vendors supporting the RFC 2547 technique acknowledge that special routers and technical experts will be needed to manage the new services they plan to offer, including VPN management. Juniper already offers software that helps routers handle the additional VPN routing information.

"In a sense, there is no free lunch," said Ross Callon, a Juniper engineer. "If you have 100,000 customers, each one of which has a private network and wants wide area connectivity, there is a lot of work that needs to be done somewhere, by somebody."

So customers shopping for VPNs should pick a carrier carefully, said Bush's colleagues at AT&T. AT&T plans to start offering VPNs based on RFC 2547 in 2002.

"There may be things within the standards that aren't there or are not spelled out; I think it is up to service providers like AT&T to fill in those gaps and be able to scale this," said Rose Klimovich, AT&T director of global Internet network services.
