Re: Network Upgrade

Jon R. Kibler wrote:
Mohit Sharma wrote:
Could you please help me seek more clarity over the security issues
MPLS over IPsec could have??? We're ISO 27001 certified and were
working in completely isolated VSAT networks, this MPLS would change
the entire risk assessment and all. Are their any things I need to
keep in mind??

The smartest way to deploy MPLS is to have the ISP install their managed
routers at each of your locations. Your router (which should be the same
model) then simply has an ethernet connection to the ISP router. The ISP
router then handles all the MPLS. All your router has to do is to supply
the ISP router with IP packets that have the appropriate DSCP QoS value
set so that packets are appropriately prioritized.

With properly configured MPLS, you should have a semi-private VPN. The
only risk with MPLS is that someone is able to sniff the MPLS traffic
at some point in the network. That is where IPSec comes into play.

What I usually do is to set up IPSec SAs between each company site router.
Typically, the SA is applied to the router interface that connects to the
ISP router. Then, assuming that you have properly configured ESP, all the
traffic that goes to the MPLS network has IPSec encryption and
authentication. Thus, the small risk of having MPLS traffic sniffed is
essentially eliminated.

The other issues are the management overhead of the IPSEC tunnels if you have lots of sites to do this with, and the fact that you loose some of the benefits of MPLS clouds in the first place, e.g. any-site-to-any-site connectivity and associated QOS. You either end up with hub-n-spoke functionality using MPLS as the transport if you deploy single tunnels per site, or partial mesh if you deploy multiple tunnels per site. You can do full mesh and keep the any-to-any connectivity (if not the QOS precisely) if you have a small enough set of sites, but maintaining 200 sites and 199 tunnels at each site for full mesh becomes a bit much.

Cisco - and presumably others soon - have developed their GET or group-encryption-tunnel tech last year to fix this issue. Only the payload gets encrypted, and the IP headers stay untouched enabling any MPLS based QOS functionality based on Layer 3/4 you could want.

Has anyone actually deployed this latter? Successfully?