Security Basics mailing list archives

Re: Network Upgrade


From: "Jon R. Kibler" <Jon.Kibler () aset com>
Date: Fri, 07 Mar 2008 13:35:24 -0500

Mohit Sharma wrote:
Thanks a million Jon. I read about MPLS and fortunately it's
available in India, in fact all over India, by a leading and reliable
ISP. I am planning to speak with them and negotiate a bulk deal.
They're also offering managed service, so no intervention and skillful
labor would be required from our side.

Could you please help me seek more clarity over the security issues
MPLS over IPsec could have? We're ISO 27001 certified and were
working in completely isolated VSAT networks; this MPLS would change
the entire risk assessment and all. Are there any things I need to
keep in mind?


The smartest way to deploy MPLS is to have the ISP install their managed
routers at each of your locations. Your router (which should be the same
model) then simply has an Ethernet connection to the ISP router. The ISP
router then handles all the MPLS. All your router has to do is to supply
the ISP router with IP packets that have the appropriate DSCP QoS value
set so that packets are appropriately prioritized.

With properly configured MPLS, you should have a semi-private VPN. The
only risk with MPLS is that someone is able to sniff the MPLS traffic
at some point in the network. That is where IPSec comes into play.

What I usually do is to set up IPSec SAs between each company site router.
Typically, the SA is applied to the router interface that connects to the
ISP router. Then, assuming that you have properly configured ESP, all the
traffic that goes to the MPLS network has IPSec encryption and
authentication. Thus, the small risk of having MPLS traffic sniffed is
essentially eliminated.

The issues I have typically encountered with using MPLS are usually
limited to dynamic routing protocols and fragmentation. Fragmentation is
especially a problem if you are using MLPPP over MPLS (to do channel
bonding). The fragmentation issue is the easiest to fix. I have found
that if I set MTU to 1416 and TCP MSS to 1376 on the LAN side of the
company's border router (before anything is encrypted, etc.), that
virtually eliminates all fragmentation (and associated PMTUD) issues.

Dynamic routing is the bigger issue. I am currently having a go-around
with a customer's ISP over just this issue. Typically most ISPs do not
allow any IGP (such as OSPF) to be propagated over MPLS (if yours does,
you are VERY lucky!). So what usually occurs is that the ISP's router
at each location redistributes your IGP into BGP and remote BGP back
into your IGP (mutual redistribution). The trick on your side is to get
the contract written such that the ISP is responsible for the transport
of your dynamic routing information, and all 'magic' that must occur
to propagate your route tables is the ISP's responsibility.

One other issue is router sizing. I have found that if the total WAN
bandwidth that a site handles is <= ~3.0Mbps, you will need something
like a Cisco 2811. For bandwidths between ~3.0Mbps and 12.0Mbps,
you need to look at something like a Cisco 2821. For > 12.0Mbps, you
will need at least something like a Cisco 2831. Also, you will want to
have the K9SEC IOS image (for strong crypto) and the maximum amount of
RAM the router will support. Also, the ISP should have an equivalent
router (same model) on their half of the connection using a similar
IOS release level, but the strong crypto would not be an ISP router
requirement since all the crypto is between your routers.

I hope this helps!

Jon Kibler
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
m: 843-224-2494
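Jon's 1416/1376 figures come from budgeting the ESP and MPLS encapsulation overhead against a 1500-byte Ethernet MTU. The Python below is an added illustration of that budget, not code from the thread or its authors; it assumes option-less IPv4/TCP headers, two ESP cipher suites chosen for illustration, and a two-label MPLS stack.

```python
"""Encapsulation budget for IPsec ESP (tunnel mode) carried over MPLS.

Constructed illustration: header sizes are the RFC values for option-less
IPv4/TCP and ESP; the cipher suites and two-label MPLS stack are assumptions.
"""
from dataclasses import dataclass

IP_HDR = 20        # IPv4 header, no options
TCP_HDR = 20       # TCP header, no options
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
MPLS_LABEL = 4     # one MPLS shim header
WIRE_MTU = 1500    # Ethernet payload limit on the link to the ISP router


@dataclass(frozen=True)
class EspSuite:
    name: str
    iv_len: int     # cipher IV bytes carried in the ESP payload
    block_len: int  # cipher block size; ciphertext must be a multiple of it
    icv_len: int    # truncated integrity check value bytes


AES_CBC_SHA1 = EspSuite("AES-CBC / HMAC-SHA1-96", iv_len=16, block_len=16, icv_len=12)
TDES_CBC_MD5 = EspSuite("3DES-CBC / HMAC-MD5-96", iv_len=8, block_len=8, icv_len=12)


def esp_tunnel_size(inner_len: int, suite: EspSuite) -> int:
    """Outer IPv4 length after ESP tunnel-mode encapsulation of an inner packet.

    Padding rounds (inner packet + ESP trailer) up to the cipher block size,
    which also satisfies ESP's 4-byte alignment rule (RFC 4303).
    """
    encrypted = inner_len + ESP_TRAILER
    pad = (-encrypted) % suite.block_len
    return IP_HDR + ESP_HDR + suite.iv_len + encrypted + pad + suite.icv_len


def fits_on_wire(inner_mtu: int, suite: EspSuite, labels: int = 2) -> bool:
    """True if a full-size inner packet crosses the MPLS core without fragmentation."""
    return esp_tunnel_size(inner_mtu, suite) + labels * MPLS_LABEL <= WIRE_MTU


def largest_inner_mtu(suite: EspSuite, labels: int = 2) -> int:
    """Largest LAN-side MTU that never forces fragmentation after ESP + MPLS."""
    return next(mtu for mtu in range(WIRE_MTU, 0, -1) if fits_on_wire(mtu, suite, labels))


def tcp_mss_for_mtu(mtu: int) -> int:
    """TCP MSS to clamp on the LAN side so a full segment exactly fills the MTU."""
    return mtu - IP_HDR - TCP_HDR


if __name__ == "__main__":
    for suite in (AES_CBC_SHA1, TDES_CBC_MD5):
        best = largest_inner_mtu(suite)
        print(f"{suite.name}: inner MTU 1416 -> {esp_tunnel_size(1416, suite)} B outer, "
              f"fits={fits_on_wire(1416, suite)}, max inner MTU {best}, MSS {tcp_mss_for_mtu(best)}")
```

Running it shows that 1416 leaves a few bytes of headroom even with AES-CBC and two labels, and that 1376 is exactly the MSS that fills a 1416-byte MTU with option-less headers.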