What are the advantages and disadvantages of MPLS when compared to an IPSec Internet VPN? In this article, we consider MPLS vs Internet VPN, which technology represents the better option and why? In the early 2000's, the IPSec based VPN was the default service provider product offered within the telecoms marketplace. At its heart, the IPSec based WAN enabled businesses to leverage a single public IP backbone (or the wider Internet) by encrypting data between their office sites and remote users.
The underlying platform worked well for the smallest of business right up to the larger Enterprise multinational organisation. However, a new acronym arrived to disrupt the industry, a contender called MPLS (Multi Protocol Label Switching).
We've written previous articles on the evolution of MPLS and VPLS but suffice to say, the protocol provides telcos with the capability to traffic engineer their internal networks enabling better use of their infrastructure and bandwidth (there are other benefits). Check out this article to learn more. With this interesting information said, the benefits to business surrounded some unique selling points that opened up the possibility of doing more with the WAN. Let us discuss why your organisation might select one technology over the other and why a hybrid of both services is becoming the norm.
The Internet vs Public IP
There is a clear distinction to be aware of here - not all IPSec VPN services are equal. The difference surrounds whether your organisation is provisioning WAN services across a single IP backbone or a mixture of multiple service providers.
Fig 1 shows the potential latency impact of using multiple ISP connections.
The preference would always be provision an IPSec VPN over a single backbone. When traffic traverses a single service provider, performance levels are more predictable offering assurances from traffic throughput to latency and support fix times. Conversely, sending traffic which traverses multiple networks is not predictable thus resulting in application performance issues.
Comparing MPLS vs IPSec VPN
- Private network
- Connectionless any to any topology
- Support for QoS (Quality of Service)
- Granular per application service levels
- Support for jitter, important for voice and data
- End to end separation of traffic
- Leverage any Internet service connection, though a single backbone is recommended
- Make use of all available connectivity from a home broadband circuit through to full 1Gbps Ethernet - providing a connection exists, you are good to go with fast start implementation and ease of setup
- Access to the wide array of productised public cloud based products
- Split tunneling allows access to both Internet and VPN across a single circuit
With the above in mind, the reasons for the explosive growth of MPLS services is clear.
The privacy of MPLS VPN means there is no requirement to encrypt your business traffic unless added security is a requirement. Added encryption over MPLS is mostly found in financial and government institutions where maximum possible security is always of utmost importance. As a default setting, the majority of UK and global business find MPLS VPN security acceptable since each service provider customer is kept separate regarding traffic routing via VRF tables.
IIPSec is fundamentally designed to create secure tunnels through public Internet connectivity. There are a couple of key elements to be aware of when provisioning an Internet VPN. The first surrounds encryption. The current levels of encryption supported by security services such as AES mean that your data is inherently secure. A tutorial on IPSec is out of scope for this article, but the following IPSec Wiki article will assist. IPSec will operate in VPN only mode which means any traffic outside of an authenticated endpoint will be dropped. The alternative is split tunnel mode which allows companies to benefit from both secure tunnels and local Internet access. The downside? A firewall is required. Whether or not your IT team believe IPSec to be secure enough is open to opinion.
One of the key original selling points of an MPLS WAN surrounded the any to any connectionless topology. The ability for every site to communicate with each other was a fundamental shift from legacy technologies such as Frame Relay hub and spoke deployments. On the flip side, an IPSec WAN is capable of any to any topology but at the cost of processing power. As the number of sites increases, the processor takes an additional hit where each new location requires a tunnel to every other site creating overhead. In this respect, an IPSec VPN is not as scalable when compared to an MPLS network architecture.
3. MPLS Application Priority - QoS (Quality of Service)
When MPLS hit the market, the marketing would have us believe that QoS (Quality of Service) was going to be the cure for all application performance woes. In short, QoS allows the Enterprise to protect their critical apps such as voice, video and Citrix (as an example). To help IT Managers relate the power of QoS back into business benefits, most SLA's reflect latency, jitter and throughput per QoS setting. As of writing this article, QoS is still a crucial aspect of WAN provision but is becoming less of a selling point for high bandwidth Ethernet services avoiding congestion issues. With this said, bandwidth is only part of the story as using QoS enables us to predict and ensure performance. All organisations will have a varying experience with some reporting Ethernet ISP bandwidth providing more than adequate performance and others stating that QoS was a miraculous network enhancing feature.
IPSec VPNs do not, as a rule, allow Quality of Service. As with everything in life, there is always an exception. This Cisco article explains how QoS is achieved within IPSec WAN deployments. However - I have personally not witnessed a public based VPN using QoS over IPSec. With this in mind, the general service provider implementation will not prioritise your applications which will mean there is a level of trust required when provisioning services such as voice and video. In the majority of tier1 ISP networks, we would be somewhat confident in the performance of delay-sensitive apps over national VPN deployments. In the Global space, it may be difficult to deploy an international IPSec VPN without using multiple provider backbones (as we mentioned at the beginning of this article) which would not be recommended unless your application performance does not need to reach a certain level of general performance. The Enterprise business will not trust any technology outside of private based QoS enabled VPN for their mission critical voice, video and commercial applications.
4. SLA (Service Level Agreements)
Our discussion on SLAs leads on from point 3 - QoS. A key fundamental difference between a public based VPN and private WAN surrounds the guarantees on performance and fix times. A private based MPLS network is more predictable from the perspective of service provider traffic usage. Therefore, the perception is that the core network is better engineered for current and future capacity. When combined with end to end application quality of service, the performance SLA can cover latency and jitter on a global basis. The public VPN will often provide latency service levels between global locations, but these are an average between regions rather than city areas. The fix times for both IPSec VPN and MPLS are similar in many respects with each service provider offering flexible capability. When using multiple ISPs, the SLA will vary depending on the providers ability.
5. Cloud based services
One of the biggest advantages of public based VPNs is access to the massive growth of productised cloud-based services. If you have recently read up on MPLS, you may have been surprised by blog posts suggesting the product's demise. In part, this is due to the growth of cloud services which are not widely available from closed off private VPN services. It is true that some MPLS service providers are offering cloud services, but these products are limited when compared to the wider Internet. The cloud is creating the resurgence of Internet and public WAN services as organisations rush to gain a competitive edge from new applications and increase in user productivity. Voice, video, collaboration, CRM, storage, backup and so forth are all available for a low monthly OPEX fee. The challenge for the Enterprise is to adopt the cloud while maintaining particular performance levels for intersite applications. As IPSec often operates in tunnel only mode (i.e. no split tunneling), the tunnel will need to terminate within a cloud provider's infrastructure. This way of working is highly prevalent and pretty much supported by most cloud services.
6. The Hybrid WAN outcome
The hybrid VPN is now a buzz topic in the industry alongside technologies such as SDN (Software Defined Networks). The hybrid capability allows business to procure a single circuit (or diverse) into a hybrid WAN providers network with access to MPLS, The Internet, Point to Point / Multipoint and so forth. The reasons why IPSec remains a traditional VPN method are clear, largely because of an ability to terminate connectivity over low-cost circuits including fast start solutions. And, the benefits of a private based MPLS capability are also clear as we have discussed.
The hybrid solution allows organisations to take advantage of multiple connectivity types including ADSL broadband, 3G and 4G from one provider and one hardware device. While the MPLS vs VPN (IPSec) conundrum will always be a discussion point, the marketplace is moving forward allowing the best of both worlds in the form of hybrid connectivity.