Security impacts on establishing MPLS/BGP VPNs

Abstract

Multi‐protocol label switching (MPLS) is considered as the future routing technology of the Internet. Service providers with MPLS‐enabled core infrastructure benefits from the capabilities of this promising protocol to offer incremental value‐added services to their end clients. Virtual private network (VPN) is among many of the services provided by MPLS. Security is not guaranteed with VPN implementation, but it is implied, that is, the users expect to receive a secure connection. Two security concerns of importance for VPNs are customer edge (CE) and provider edge (PE) security. The customer edge is the connection from the customer site to the provider's site. PE is the connection between two providers' site. In this paper, we describe testbed experiences and procedures to study security issues in provider edge MPLS/BGP VPN networks. First, we investigate security constraints in configuring a BGP/MPLS VPNs where the provider's core transport infrastructure supports MPLS. Secondly, we consider the use of GRE tunnel with IPsec in the case where no MPLS support exists in provider's infrastructure. We present the performance results on establishing a secure VPN between two PEs in terms of protocol packet overhead and latency. Copyright © 2008 John Wiley & Sons, Ltd.