A debate at the Next Generation Networks conference in Boston earlier this month pitted IPSec (Internet Protocol Security) VPNs (virtual private networks) based on equipment placed at each network site against network-based Multi-protocol Label Switching (MPLS) VPNs that sort traffic into discrete customer streams within a service provider’s network.
Neither technology won the debate, but the discussion did reveal strengths and weaknesses of each. These results can prove useful to anyone trying to sort through wide area networking choices.
An IPSec VPN is one that creates encrypted IP tunnels from site to site across a public network. A Multi-protocol Label Switching (MPLS) VPN service assigns each corporate user its own IP space and moves traffic along Layer 2 MPLS flows. Both enable users to create fully meshed networks for less than it would cost to set up private line, frame relay or ATM (Asynchronous Transfer Mode) networks. Some carriers claim they could cut the cost in half.
IPSec VPNs offer several benefits. They require each site to have devices that authenticate users and encrypt and decrypt traffic, which makes these VPNs very secure. Any changes users make to lists of authorized users or security policies take effect immediately because users control all the equipment. They are well suited to supporting remote access for mobile users who may be calling in over insecure networks. Sites can tie into the VPN over plain old Internet access links, which are relatively inexpensive.
The downside is that they require an initial capital outlay for equipment at each site, and they require ongoing management, monitoring and maintenance. Part of this continuing effort includes managing keys that are used to encrypt traffic. As these networks grow, they require more work to manage unless the gear comes with tools to automate policy distribution.
Encapsulating VPN traffic using this method increases packet-header size, and can increase the size of some packets making them so large that they must be fragmented. This can slow down traffic.
But network-based VPNs do have advantages, as well. They require no new network gear as long as each site already has a WAN (wide area network) router, so there is no initial capital outlay.
Network-based services are well suited for multiprotocol traffic because non-IP traffic is readily converted by customer routers. These services can support frame relay, ATM and even Ethernet access lines, as well.
The service provider configures and manages, monitors and maintains the network. The downside of that is these services cost more per month than simple Internet access. Also, users have to wait for the service provider to make any additions or changes to user lists.
As you can see there is no hands-down winner, but knowing these pluses and minuses can help you make a choice.