Re: Network Upgrade

["Jon R. Kibler" <Jon.Kibler () aset com>]

James Lee Bell wrote:
> Jon R. Kibler wrote:
> > Mohit Sharma wrote:
> (snip)
> > > Could you please help me seek more clarity over the security issues
> > > MPLS over IPsec could have??? We're ISO 27001 certified and were
> > > working in completely isolated VSAT networks, this MPLS would change
> > > the entire risk assessment and all. Are their any things I need to
> > > keep in mind??
> >
> > The smartest way to deploy MPLS is to have the ISP install their managed
> > routers at each of your locations. Your router (which should be the same
> > model) then simply has an ethernet connection to the ISP router. The ISP
> > router then handles all the MPLS. All your router has to do is to supply
> > the ISP router with IP packets that have the appropriate DSCP QoS value
> > set so that packets are appropriately prioritized.
> >
> > With properly configured MPLS, you should have a semi-private VPN. The
> > only risk with MPLS is that someone is able to sniff the MPLS traffic
> > at some point in the network. That is where IPSec comes into play.
> >
> > What I usually do is to set up IPSec SAs between each company site 
> > router.
> > Typically, the SA is applied to the router interface that connects to the
> > ISP router. Then, assuming that you have properly configured ESP, all the
> > traffic that goes to the MPLS network has IPSec encryption and
> > authentication. Thus, the small risk of having MPLS traffic sniffed is
> > essentially eliminated.
>
> The other issues are the management overhead of the IPSEC tunnels if you 
> have lots of sites to do this with, and the fact that you loose some of 
> the benefits of MPLS clouds in the first place, e.g. 
> any-site-to-any-site connectivity and associated QOS. You either end up 
> with hub-n-spoke functionality using MPLS as the transport if you deploy 
> single tunnels per site, or partial mesh if you deploy multiple tunnels 
> per site. You can do full mesh and keep the any-to-any connectivity (if 
> not the QOS precisely) if you have a small enough set of sites, but 
> maintaining 200 sites and 199 tunnels at each site for full mesh becomes 
> a bit much.
>
> Cisco - and presumably others soon - have developed their GET or 
> group-encryption-tunnel tech last year to fix this issue. Only the 
> payload gets encrypted, and the IP headers stay untouched enabling any 
> MPLS based QOS functionality based on Layer 3/4 you could want.
>
> Has anyone actually deployed this latter? Successfully?

If you apply QoS before you apply IPSec, IPSec will copy the existing DSCP,
so there is not any loss of QoS.

Jon Kibler
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
m: 843-224-2494




==================================================
Filtered by: TRUSTEM.COM's Email Filtering Service
http://www.trustem.com/
No Spam. No Viruses. Just Good Clean Email.