
Arab Academy for Banking and Financial Sciences

Business Data Communication


Dr. Ali Al-Maqousi

Essay Paper
Group Section 203
"Multi Protocol Label Switch"
MPLS
May, 2006
Version 1.1

Prepared by Group Section 203 Team:


- Ahmad Al-Musallami
- Alaa Darawsheh
- Aminah Khaddam
- Hannan Mohsen
Business Data Communications MPLS Essay Paper – Group Sec 203

Table of Contents
• Table of Contents 2
• Executive Summary 3
• Introduction 3
• Definitions 4
• MPLS History 4
• MPLS Functions 5
• MPLS Benefits 5
• Original Drivers towards Label Switching 6
• How MPLS works 7
• Connecting IPv6 Islands with IPv4 MPLS 8
• Comparison of MPLS Vs IP and ATM 9
• MPLS Infrastructure 11
• Security of the MPLS Infrastructure 14
• Protocol Applications & Integrations 17
• Conclusion 18
• Literature review 19
• Essay Contacts 20
• Document History 20

203-MPLS BDC v1.1.1.doc 2/20 8/21/2006-2:48:48 PM



Executive Summary
Some present-day networks that deliver IP services over an IP-over-ATM infrastructure, or over any
other common infrastructure, are facing performance and scalability problems which impact the
ability of these networks to deliver those services.

The successful delivery of services can be measured in terms of network complexity and resulting
operational costs, as well as the performance that is required to deliver a satisfactory experience to
customers.

When the well-known limitations of the models in use start to impact the operation of a network,
a new solution should be examined to overcome those limitations, and a new transfer strategy
should be taken into consideration.

One of the most successful strategies used is the MPLS infrastructure. MPLS is a versatile solution
to the problems facing present-day networks: speed, scalability, quality of service (QoS)
management and traffic engineering. It has emerged as an elegant solution to meet the bandwidth
management and service requirements of next-generation IP-based backbone networks. It can also
run over existing asynchronous transfer mode (ATM) or frame relay networks. (1)

Introduction

The Internet has evolved into a ubiquitous network and inspired the development of a variety
of new applications in business and consumer markets. These new applications have driven
the demand for increased and guaranteed bandwidth in the backbone of the network.

In addition to the traditional data services currently provided over the Internet, new voice and
multimedia services are being developed and deployed. The Internet has emerged as the network
of choice for providing these services. However, the demands placed on the network by these new
applications and services, in terms of speed and bandwidth, have strained the resources of the
existing Internet infrastructure. This transformation of the network toward a packet- and cell-based
infrastructure has introduced uncertainty into what has traditionally been a fairly deterministic
network.

Another challenge relates to the transport of bits and bytes over the backbone to provide
differentiated classes of service to users. The exponential growth in the number of users and the
volume of traffic adds another dimension to this problem. Class of service (CoS) and quality of
service (QoS) issues must be addressed in order to support the requirements of the wide range of
network users. MPLS will play an important role in the routing, switching and forwarding of packets
through the next-generation network in order to meet the service demands of the network users.

(1) Ref#1


Definitions
In general: MPLS is an Internet Engineering Task Force (IETF)-specified framework that
provides for the efficient designation, routing, forwarding and switching of traffic flows
through the network. (2)

In computer networking and telecommunications, Multi Protocol Label Switching (MPLS) is a
data-carrying mechanism which emulates some properties of a circuit-switched network over a
packet-switched network. MPLS operates at an OSI model layer that is generally considered to lie
between traditional definitions of Layer 2 (data link layer) and Layer 3 (network layer), and thus is
often referred to as a "Layer 2.5" protocol. It was designed to provide a unified data-carrying
service for both circuit-based clients and packet-switching clients which provide a datagram
service model. It can be used to carry many different kinds of traffic, including IP packets, as well
as native ATM, SONET, and Ethernet frames. (3)

MPLS stands for Multiprotocol Label Switching. Multiprotocol because it might be applied
with any Layer 3 network protocol, although almost all of the interest is in using MPLS with IP
traffic. MPLS is the solution to any problem they might conceivably have.(4)

MPLS combines the speed and performance of packet-switched networks with the intelligence
of circuit-switched networks to provide a best-of-breed solution for integrating voice, video
and data. Like circuit-switched networks, MPLS establishes the end-to-end connection path
before transferring information, and paths may be selected based on application requirements
such as bandwidth required or maximum latency. Like packet networks, multiple applications
and customers can share a single connection, greatly improving link utilization. MPLS
implementations can vary widely, from simple "best effort" data delivery to advanced networks
which guarantee delivery of information including re-routing to an alternate path within 50
milliseconds.(5)

MPLS History
Background (6)

A number of different technologies were previously deployed with essentially identical goals,
such as frame relay and ATM. MPLS is now replacing these technologies in the marketplace,
mostly because it is better aligned with current and future technology and needs.

In particular, MPLS dispenses with the cell-switching and signalling-protocol baggage of ATM.
MPLS recognizes that small ATM cells are not needed in the core of modern networks, since
modern optical networks (as of 2001) are so fast (at 10 Gbit/s and well beyond) that even
full-length 1500 byte packets do not incur significant real-time queuing delays (the need to reduce
such delays, to support voice traffic, having been the motivation for the cell nature of ATM).

(2) Ref#1
(3) Ref#2
(4) Ref#3
(5) Ref#4
(6) Ref#2


At the same time, it attempts to preserve the traffic engineering and out-of-band control that
made frame relay and ATM attractive for deploying large scale networks.

MPLS was originally proposed by a group of engineers from Cisco Systems, Inc.; it was called
"Tag Switching" when it was a Cisco proprietary proposal, and was renamed "Label Switching"
when it was handed over to the IETF for open standardization.

One original motivation was to allow the creation of simple high-speed switches, since it was
at one point thought to be impossible to forward IP packets entirely in hardware. However,
advances in VLSI have made such devices possible. The systemic advantages of MPLS, such as
the ability to support multiple service models, do traffic management, etc., remain.

MPLS Functions:
MPLS performs the following functions:
1. Specifies mechanisms to manage traffic flows of various granularities, such as flows
between different hardware or machines, or even flows between different applications.
2. Remains independent of the layer 2 and layer 3 protocols.
3. Provides a means to map IP addresses to simple, fixed-length labels used by different
packet forwarding and packet switching technologies.
4. Interfaces to existing routing protocols such as Resource Reservation Protocol (RSVP) and
Open Shortest Path First (OSPF).
5. Supports the IP, ATM and Frame Relay layer 2 protocols.(7)

MPLS Benefits:
Comparing MPLS with existing IP core and IP/ATM technologies, MPLS has many
advantages and benefits:

• The performance characteristics of layer 2 networks
• The connectivity and network services of layer 3 networks
• Improves the price/performance of network layer routing
• Improved scalability
• Improves the possibilities for traffic engineering
• Supports the delivery of services with QoS guarantees
• Avoids the need for coordination of IP and ATM address allocation and routing information

(7) Ref#1


Original Drivers towards Label Switching: (8)

- Designed to make routers faster
  * ATM switches were faster than routers.
  * Fixed-length label lookup is faster than the longest-match lookup used by IP routing.
  * Allows a device to do the same job as a router with the performance of an ATM switch.
- Enabled IP + ATM integration
  * Mapping of IP to ATM had become very complex; it was simplified by replacing
    ATM signalling protocols with IP control protocols.

(8) Ref#6


How MPLS works (9)


MPLS works by prepending packets with an MPLS header containing one or more 'labels'. This is
called a label stack.

Each label stack entry contains four fields:

• a 20-bit label value.
• a 3-bit experimental field reserved for future use.
• a 1-bit bottom-of-stack flag. If this is set, it signifies that the current label is the last in the stack.
• an 8-bit TTL (time to live) field.

These MPLS-labeled packets are forwarded (switched is the correct term) after a label
lookup/switch instead of a lookup in the IP table. Label lookup and label switching may be faster
than the usual RIB lookup because they can take place directly in the switching fabric rather than in
the CPU.

The exit points of an MPLS network are called Label Edge Routers (LER). Routers that are
performing routing based only on Label Switching are called Label Switch Routers (LSR). Remember
that a LER is not usually the one that is popping the label. For more information see Penultimate Hop
Popping.

Devices that function as ingress and/or egress routers are often called PE (Provider Edge) routers.
Devices that function only as transit routers are similarly called P (Provider) routers. The job of a P
router is significantly easier than that of a PE router, so they can be less complex and may be more
dependable because of this.

When an unlabeled packet enters the ingress router and needs to be passed on to an MPLS tunnel,
the router first determines the forwarding equivalence class the packet should be in, and then inserts
one (or more) labels in the packet's newly created MPLS header. The packet is then passed on to the
next hop router for this tunnel.

When a labeled packet is received by an MPLS router, the topmost label is examined. Based on the
contents of the label, a swap, push or pop operation can be performed on the packet's label stack.
Routers can have prebuilt lookup tables that tell them which kind of operation to do based on the
topmost label of the incoming packet, so they can process the packet very quickly. In a swap operation
the label is swapped with a new label, and the packet is forwarded along the path associated with the
new label.

(9) Ref#12


In a push operation a new label is pushed on top of the existing label, effectively "encapsulating"
the packet in another layer of MPLS. This allows the hierarchical routing of MPLS packets. Notably,
this is used by MPLS VPNs.

In a pop operation the label is removed from the packet, which may reveal an inner label below.
This process is called "decapsulation". If the popped label was the last on the label stack, the packet
"leaves" the MPLS tunnel. This is usually done by the egress router, but see PHP below.

During these operations, the contents of the packet below the MPLS label stack are not examined.
Indeed, transit routers typically need only to examine the topmost label on the stack. The forwarding of
the packet is done based on the contents of the labels, which allows "protocol independent packet
forwarding" that does not need to look at a protocol-dependent routing table and avoids the expensive
IP longest prefix match at each hop.

At the egress router, when the last label has been popped, only the payload remains. This can be an
IP packet, or any of a number of other kinds of payload packet. The egress router must therefore have
routing information for the packet's payload, since it must forward it without the help of label lookup
tables. An MPLS transit router has no such requirement.

In some special cases, the last label can also be popped off at the penultimate hop (the hop before
the egress router). This is called Penultimate Hop Popping (PHP). This may be interesting in cases
where the egress router has lots of packets leaving MPLS tunnels, and thus spends inordinate amounts
of CPU time on this. By using PHP, transit routers connected directly to this egress router effectively
offload it, by popping the last label themselves. Since the egress router will do a higher-layer routing
table lookup anyway, the amount of higher-layer work needed for a previously popped packet remains
the same, and the actual label popping need not be done.

MPLS can make use of existing ATM network infrastructure, as its labeled flows can be mapped
to ATM virtual circuit identifiers, and vice-versa.
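The label stack entry layout and the swap, push and pop operations described in this section are small enough to model end to end. The following Python is an added example, not code from the essay or from any router vendor: it packs and parses the 32-bit entries (setting the bottom-of-stack bit only on the last one and rejecting a stack that never reaches it), then walks a constructed LSP PE1 -> P1 -> P2 -> PE2 in which P1 swaps, P2 pops the transport label as the penultimate hop, and a second FEC carries an inner VPN label under the transport label, so the stacking used by MPLS VPNs is visible. The router names, label values and table contents are assumptions of the example.

```python
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class LabelEntry:
    label: int   # 20-bit label value
    exp: int     # 3-bit experimental (CoS) field
    bos: bool    # 1-bit bottom-of-stack flag
    ttl: int     # 8-bit time to live


def encode_entry(e):
    """Pack one entry into its 32-bit wire form: label(20) | exp(3) | S(1) | TTL(8)."""
    if not (0 <= e.label < 1 << 20 and 0 <= e.exp < 8 and 0 <= e.ttl < 256):
        raise ValueError("label stack entry field out of range")
    return struct.pack("!I", (e.label << 12) | (e.exp << 9) | (int(e.bos) << 8) | e.ttl)


def encode_stack(stack):
    """Encode the stack top-first; the S bit is set on the last entry only."""
    last = len(stack) - 1
    return b"".join(encode_entry(LabelEntry(e.label, e.exp, i == last, e.ttl))
                    for i, e in enumerate(stack))


def decode_stack(data):
    """Read entries until S=1 and return (entries, payload); a stack with no S=1 entry is rejected."""
    entries, off = [], 0
    while True:
        if off + 4 > len(data):
            raise ValueError("truncated label stack: no bottom-of-stack entry")
        (w,) = struct.unpack_from("!I", data, off)
        off += 4
        e = LabelEntry(w >> 12, (w >> 9) & 0x7, bool((w >> 8) & 1), w & 0xFF)
        entries.append(e)
        if e.bos:
            return entries, data[off:]


# Constructed LSP PE1 -> P1 -> P2 -> PE2. FEC_TABLE lists labels outermost first;
# the VPN FEC gets an inner VPN label (300) under the transport label (100).
FEC_TABLE = {"PE1": {"10.1.0.0/16": ([100], "P1"),
                     "vpnA:192.168.1.0/24": ([100, 300], "P1")}}
LFIB = {"P1": {100: ("swap", 200, "P2")},
        "P2": {200: ("pop", None, "PE2")}}   # penultimate hop popping (PHP)


def ingress(router, fec, ttl=64):
    """Ingress LER: classify by FEC and push the label(s) configured for that FEC."""
    labels, nh = FEC_TABLE[router][fec]
    return [LabelEntry(lab, 0, False, ttl) for lab in labels], nh


def switch(router, stack):
    """Transit LSR: act on the top label only; the payload below the stack is never examined."""
    top, rest = stack[0], stack[1:]
    ttl = top.ttl - 1
    if ttl <= 0:
        raise ValueError("TTL expired")
    op, out_label, nh = LFIB[router][top.label]
    if op == "swap":
        new = [LabelEntry(out_label, top.exp, False, ttl)] + rest
    elif op == "push":   # encapsulate: a new label on top of the existing one
        new = [LabelEntry(out_label, top.exp, False, ttl),
               LabelEntry(top.label, top.exp, False, ttl)] + rest
    elif op == "pop":    # decapsulate: expose the inner label, or leave the packet unlabeled
        new = ([LabelEntry(rest[0].label, rest[0].exp, False, ttl)] + rest[1:]) if rest else []
    else:
        raise ValueError("unknown operation " + op)
    return new, nh


def trace_lsp(fec, payload):
    """Walk the constructed LSP from PE1; return the stack leaving each router and the final next hop."""
    stack, nh = ingress("PE1", fec)
    hops = [("PE1", [e.label for e in stack])]
    while nh in LFIB:
        router = nh
        stack, _ = decode_stack(encode_stack(stack) + payload)  # round-trip through the wire format
        stack, nh = switch(router, stack)
        hops.append((router, [e.label for e in stack]))
    return hops, nh


if __name__ == "__main__":
    for fec in FEC_TABLE["PE1"]:
        print(fec, trace_lsp(fec, b"constructed IP payload"))
```

The trace for the plain IP FEC ends with an empty stack leaving P2, which is exactly the PHP case: PE2 receives an unlabeled packet and must do an IP lookup. For the VPN FEC the transport label is popped at P2 but the inner label 300 is still present, so PE2 can use it to select the right VPN without any IP lookup in the core.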

Connecting IPv6 Islands with IPv4 MPLS (10)


Many service providers are looking for ways to provide new revenue-generating services to their
customers. One such service is IPv6. Some enterprise customers are beginning to experiment with this
new version of IP, but are reluctant to deploy it broadly. Interconnecting multiple sites that use IPv6
can be challenging. Also, most service providers would prefer to carry this traffic without making
major modifications to their core network.

A technique available in JUNOS 5.4 allows you to connect IPv6 sites over an IPv4 Multiprotocol
Label Switching (MPLS) enabled backbone. Juniper Networks supports the MP-BGP over IPv4
approach detailed in the IETF Internet draft "Connecting IPv6 Domains across IPv4 Clouds with BGP".
With this technique, IPv6 islands are connected to each other across an IPv4 backbone enabled with
MPLS label stacking, while Multiprotocol Border Gateway Protocol (MP-BGP) is used to announce
the IPv6 routes across these MPLS tunnels. This feature can be implemented with label-switched
paths (LSPs) using Label Distribution Protocol (LDP) or Resource Reservation Protocol (RSVP).

(10) Ref#7

IPv6 packets are carried over an IPv4 MPLS tunnel. To enable this service, you need to deploy
Provider Edge (PE) routers that can run IPv4, MPLS, and BGP toward the core and IPv6 toward the
edge. Since only the PE routers need to run a dual stack of IPv4 and IPv6, the other provider (P) core
routers do not need to be upgraded. As a result, this MPLS tunneling technique allows for
interoperability with routers from other vendors.

Because of this flexible method of implementation, it is now more attractive for providers to carry
IPv6 traffic over their existing core networks and for customers to roll out IPv6 to more sites.

Comparison of MPLS Vs IP and ATM (11)


Comparison of MPLS versus IP

MPLS cannot be compared to IP as a separate entity because it works in conjunction with IP and IP's
IGP routing protocols. MPLS gives IP networks simple traffic engineering, the ability to transport
Layer 3 (IP) VPNs with overlapping address spaces, and support for Layer 2 pseudo-wires (with Any
Transport Over MPLS, AToM; see the Martini draft). Routers with programmable CPUs and without
TCAM/CAM or another method for fast lookups may also see a limited increase in performance.

MPLS relies on IGP routing protocols to construct its label forwarding table, and the scope of any IGP
is usually restricted to a single carrier for stability and policy reasons. As there is still no standard for
carrier-carrier MPLS it is not possible to have the same MPLS service (Layer2 or Layer3 VPN)
covering more than one operator.

Comparison of MPLS versus ATM

MPLS cannot be compared directly to ATM as they are totally different technologies with different
goals. MPLS allows a very smooth migration for IP-only services on ATM networks, without the need
to support complex signalling and routing protocols like PNNI. As a large proportion of the data
transported over ATM networks in the late 1990s was IP, it was cheaper to upgrade some switches to
support MPLS instead of PNNI.

MPLS packets can be much larger than ATM cells, and unlike ATM cells, which have a fixed size of
53 bytes, they have variable length. Today's networks usually must be able to transport packets at
least 1500 bytes long (because this is the ubiquitous maximum size for Ethernet), but any MPLS
packet size (being the size of the encapsulated payload plus the size required for all the labels) that
the network interfaces in use will allow can be transported. (Note that this requires the use of "baby
jumbo" frames if Ethernet is used as the transport for MPLS.) This compares well with the 48-byte
payload of an ATM cell, and reduces encapsulation overheads, particularly in the case of small packets:
for example, it allows a minimum-length TCP packet to reside in a single MPLS packet, rather than two
cells as in ATM.

(11) Ref#2


The 16 bits of VCI and 8 bits of VPI in the ATM cell are replaced by a single label field of 20 bits,
packed into a 32 bit label header. The 32 bit MPLS label field also contains an 8 bit time-to-live field,
a "top of stack" bit, and three spare bits for expansion.

Although fewer bits are available for the label, labels can be stacked to create arbitrarily complex
MPLS label stacks. This makes addressing and trunking in MPLS vastly more flexible than in ATM,
as there is no need to impose an arbitrary boundary between VP and VC switching. (12)

(12) Ref#5


MPLS Infrastructure

- MPLS Network Model (13)

[Figure: MPLS network model. IP networks and the Internet attach through Label Edge Routers
(LERs) to an MPLS core made up of Label Switched Routers (LSRs).]

LSR = Label Switched Router
LER = Label Edge Router

- Components of MPLS architecture (14)

- MPLS Label
The 32-bit MPLS label, also called a "shim" header, is located after the Layer 2 header and
before the IP header. The MPLS label contains the following fields:

• The label field (20 bits) carries the actual value of the MPLS label.
• The CoS field (3 bits) can affect the queuing and discard algorithms applied to the
packet as it is transmitted through the network.
• The Stack (S) field (1 bit) supports a hierarchical label stack.
• The TTL (time-to-live) field (8 bits) provides conventional IP TTL functionality.

- LSP - Label Switch Path


An LSP is a specific traffic path through an MPLS network. An LSP is provisioned
using label distribution protocols such as RSVP-TE or CR-LDP. Either of these
protocols will establish a path through an MPLS network and will reserve the necessary
resources to meet pre-defined service requirements for the data path.

- LDP - Label Distribution Protocol

A label distribution protocol (LDP) is a specification which lets a label switch router (LSR)
distribute labels to its LDP peers.

(13) Ref#8
(14) Ref#9

- CR-LDP and RSVP-TE

CR-LDP and RSVP-TE are both signaling mechanisms used to support Traffic Engineering
across an MPLS backbone. RSVP is a QoS signaling protocol that is an IETF standard and
has existed for quite some time.

RSVP-TE extends RSVP to support label distribution and explicit routing, while CR-LDP
was proposed to extend LDP (which was designed for hop-by-hop label distribution) to
support QoS signaling and explicit routing.

- FEC - Forwarding Equivalency Class

A Forwarding Equivalency Class (FEC) is a set of packets which will be forwarded in the
same manner (e.g., over the same path with the same forwarding treatment). Typically
packets belonging to the same FEC will follow the same path in the MPLS domain.

Example: a set of unicast packets whose destination addresses match a particular IP
address prefix and whose Type of Service bits are the same.

- MPLS Protocol Stack Architecture (15)

• Network layer (IP) routing protocols
• Edge of network layer forwarding
• Core network label-based switching
• Label semantics and granularity
• Signaling protocol for label distribution
• Traffic engineering
• Compatibility with various Layer-2 forwarding paradigms (ATM, frame relay, PPP)

(15) Ref#1


- Hierarchical Routing in MPLS (16)

[Figure: three domains. External routers A, B, C, D, E, F talk BGP; internal routers 1, 2, 3, 4, 5, 6
talk OSPF. A and B sit in Domain #1, C, D and internal routers 1 to 6 in Domain #2, and E and F in
Domain #3. Note: Internal routers in domains 1 and 3 not]

Steps:
• When an IP packet traverses domain #2, it contains two labels, encoded as a "label stack".
• The higher-level label is used between routers C and D; it is encapsulated inside a lower-level
label used within Domain #2.
• Operation at C:
  – C needs to swap the BGP label to the label that D expects.
  – C also needs to add an OSPF label that 1 expects.
  – C therefore pushes down the BGP label and adds a lower-level label.

(16) Ref#8


Security of the MPLS Infrastructure

The security of the MPLS infrastructure rests on the following properties:

Address Space and Routing Separation

Figure 1 Format of a VPN IPv4 Address: [Route Distinguisher, 64 bits] [IPv4 Address, 32 bits]
= VPN IPv4 Address

MPLS allows distinct VPNs to use the same address space, which can also be private address space
[RFC1918]. This is achieved by adding a 64-bit route distinguisher (RD) to each IPv4 route, making
VPN-unique addresses also unique in the MPLS core. This “extended” address is also called a “VPN-
IPv4 address” and is shown in Figure 1. Thus, customers of an MPLS service do not need to change
current addressing in their networks.

Routing separation between the VPNs can also be achieved. Every PE router maintains a separate
Virtual Routing and Forwarding instance (VRF) for each connected VPN. Each VRF on the PE router
is populated with routes from one VPN, through statically configured routes or through routing
protocols that run between the PE and the CE router. Because every VPN results in a separate VRF,
there will be no interferences between the VPNs on the PE router.

Across the MPLS core to the other PE routers, this separation is maintained by adding unique VPN
identifiers in multiprotocol BGP (MP BGP), such as the route distinguisher. VPN routes are
exclusively exchanged by MP-BGP across the core, and this BGP information is not redistributed to
the core network; it is redistributed only to the other PE routers, where the information is kept again in
VPN-specific VRFs. Thus, routing across an MPLS network is separate per VPN.
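To make the route distinguisher and the per-VPN VRF separation concrete, here is an added Python example (not from the essay or from any router vendor). It builds the VPN-IPv4 address of Figure 1 from a type 0 route distinguisher (2-byte type, 2-byte AS number, 4-byte assigned number, as defined in RFC 4364) and models a PE router with one VRF per attached VPN. Two VPNs announce the same RFC 1918 prefix; the example shows that the MP-BGP export keeps them distinct and that a lookup in one VRF never returns the other VPN's CE. The AS number, VPN names, prefixes and CE names are constructed.

```python
import ipaddress
import struct


def route_distinguisher(asn, assigned):
    """Type 0 RD (RFC 4364): 2-byte type 0, 2-byte AS number, 4-byte assigned number."""
    return struct.pack("!HHI", 0, asn, assigned)


def vpn_ipv4(rd, network):
    """The 96-bit VPN-IPv4 address of Figure 1: 64-bit RD followed by the 32-bit IPv4 address."""
    return rd + network.network_address.packed


class PERouter:
    """A PE with one VRF per attached VPN; core routes live in a separate global table."""

    def __init__(self, asn):
        self.asn = asn
        self.vrfs = {}

    def attach_vpn(self, vpn, assigned_number):
        self.vrfs[vpn] = {"rd": route_distinguisher(self.asn, assigned_number), "routes": {}}

    def learn_from_ce(self, vpn, prefix, ce_next_hop):
        """A route learned on a CE interface is installed only in that VPN's VRF."""
        self.vrfs[vpn]["routes"][ipaddress.IPv4Network(prefix)] = ce_next_hop

    def mp_bgp_export(self):
        """Routes as exchanged across the core: RD-prefixed, so overlapping prefixes do not collide."""
        nlri = {}
        for vpn, vrf in self.vrfs.items():
            for net in vrf["routes"]:
                nlri[(vpn_ipv4(vrf["rd"], net), net.prefixlen)] = vpn
        return nlri

    def lookup(self, vpn, dst):
        """Longest-prefix match restricted to the VRF of the VPN the packet arrived from."""
        if vpn not in self.vrfs:
            return None
        addr = ipaddress.IPv4Address(dst)
        matches = [n for n in self.vrfs[vpn]["routes"] if addr in n]
        if not matches:
            return None
        return self.vrfs[vpn]["routes"][max(matches, key=lambda n: n.prefixlen)]


def build_demo_pe():
    """Constructed PE in AS 65000 with two VPNs that both use 10.0.0.0/24."""
    pe = PERouter(asn=65000)
    pe.attach_vpn("A", 1)   # RD 65000:1
    pe.attach_vpn("B", 2)   # RD 65000:2
    pe.learn_from_ce("A", "10.0.0.0/24", "CE-A")
    pe.learn_from_ce("B", "10.0.0.0/24", "CE-B")
    return pe


if __name__ == "__main__":
    pe = build_demo_pe()
    for (nlri, plen), vpn in pe.mp_bgp_export().items():
        print(vpn, nlri.hex(), "/", plen)
    print(pe.lookup("A", "10.0.0.5"), pe.lookup("B", "10.0.0.5"))
```

The export contains two distinct 12-byte VPN-IPv4 entries for what is, at the IPv4 level, the same prefix; that is the whole point of the route distinguisher. The lookup takes the VPN name as an input because, on a real PE, the VRF is fixed by the interface the packet arrived on, which is why a spoofed destination address from one VPN can only ever hit that VPN's own routes.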

Hiding of the MPLS Core Structure

The internal structure of the MPLS core network (provider edge (PE) and provider (P) elements)
should not be visible to outside networks (Internet or any connected VPN). This makes attacks more
difficult. If an attacker does not know the target, he/she can only guess the IP addresses to attack or try
to find out about addressing through a form of intelligence. Because most DoS attacks do not provide
direct feedback to the attacker, a network attack is difficult.

MPLS does not reveal unnecessary information to the outside, not even to customer VPNs. Core
addressing can be conducted with private addresses [RFC1918] or public addresses. Because the
interface to the VPNs—and potentially the Internet—is BGP, there is no need to reveal any internal
information. The only information required in the case of a routing protocol between PE and CE is the
address of the PE router. If this is not desired, static routing can be configured between the PE and CE.
With this measure, the MPLS core can be kept completely hidden.

Customer VPNs will have to advertise their routes as a minimum to the MPLS core, to ensure
reachability across the MPLS cloud. Although this could be seen as too "open," the following must be
noted: First, the information known to the MPLS core is not about specific hosts, but networks
(routes); this offers some degree of abstraction. Second, in a VPN-only MPLS network (such as one
with no shared Internet access), this is equal to existing Layer 2 models in which the customer must
trust an SP to some degree. Also, in a FR or ATM network, routing information about the VPNs can
be seen on the core network.

Resistance to Attacks

The MPLS core can be attacked in two basic ways:

• By attacking the PE routers directly

• By attacking the signaling mechanisms of MPLS (mostly routing)

To attack an element of an MPLS network, it is first necessary to know its address. As discussed in
the previous section (Hiding of the MPLS Core Structure), it is possible to hide the addressing
structure of the MPLS core from the outside world. Thus, an attacker does not know the IP address of
any router in the core that he/she wants to attack. The attacker could now guess addresses and send
packets to these addresses. However, because of the address separation of MPLS, each incoming
packet will be treated as belonging to the address space of the customer. Thus it is impossible to reach
an internal router, even through IP address guessing. This rule has only one exception, which is the
peer interface of the PE router.

The routing between the VPN and the MPLS core can be configured in two ways:

1. Static—In this case the PE routers are configured with static routes to the networks behind each CE,
and the CEs are configured to statically point to the PE router for any network in other parts of the
VPN (mostly a default route). There are two subcases: the static route can point to the IP address
of the PE router, or to an interface of the CE router (for example, serial0).

2. Dynamic—Here a routing protocol (for example, Routing Information Protocol [RIP], Open
Shortest Path First [OSPF], BGP) is used to exchange the routing information between the CE and the
PE at each peering point.

In the case of a static route from the CE router to the PE router which points to an interface, the CE
router does not need to know any IP address of the core network, not even that of the PE router. This
has the disadvantage of a more extensive (static) configuration, but from a security point of view it is
preferable to the other cases.

In all other cases, each CE router needs to know at least the router ID (RID; peer IP address) of the PE
router in the MPLS core, and thus has a potential destination for an attack. One could imagine various
attacks on various services running on a router. In practice, access to the PE router over the CE/PE
interface can be limited to the required routing protocol by using ACLs (access control lists). This
limits the point of attack to one routing protocol, for example BGP. A potential attack could be to send
an extensive number of routes, or to flood the PE router with routing updates. Both could lead to a
DoS, however, not to unauthorized access.

To restrict this risk, it is necessary to configure the routing protocol on the PE router as securely as
possible. This can be done in various ways:

• By ACL, allow the routing protocol only from the CE router, not from anywhere else—Furthermore,
no access other than that should be allowed to the PE router in the inbound ACL on each CE interface.

• Where available, configure Message Digest 5 (MD5) authentication for routing protocols—This is
available for BGP [RFC2385], OSPF [RFC2154], and RIP2 [RFC2082], for example. It prevents
packets from being spoofed from parts of the customer network other than the CE router. Note that
this requires that the SP and customer agree on a shared secret between all CE and PE routers. The
problem here is that it is necessary to do this for all VPN customers—it is not sufficient to do this for
the customer with the highest security requirements.


• Configure, where available, parameters of the routing protocol, in order to further secure this
communication—In BGP, for example, it is possible to configure dampening, which limits the number
of routing interactions. Also, a maximum number of routes accepted per VRF should be configured
where possible.

It should be noted that although in the static case the CE router does not know any IP address of the
PE router, it is still attached to the PE router via some method; therefore, it could guess the address of
the PE router and try to attack it with this address.

In summary, it is not possible to intrude from one VPN into other VPNs, or the core. However, it is
theoretically possible to exploit the routing protocol to execute a DoS attack against the PE router.
This in turn might have a negative impact on other VPNs. Therefore, PE routers must be extremely
well secured, especially on their interfaces to the CE routers. ACLs must be configured to limit access
only to the port(s) of the routing protocol, and only from the CE router. MD5 authentication in routing
protocols should be used on all PE/CE peering. It is easily possible to track the source of such a
potential DoS attack.

Impossibility of Label Spoofing

Within the MPLS network, packets are not forwarded based on the IP destination address, but based
on labels that are prepended by the PE routers. Similar to IP spoofing attacks, where an attacker
replaces the source or destination IP address of a packet, it is also theoretically possible to spoof the
label of an MPLS packet. In the first section, the assumption was made that the core network is
secured by the SP. (If this assumption cannot be made, IPSec must be run over the MPLS cloud.) Thus
in this section the emphasis is on whether it is possible to insert packets with (wrong) labels into the
MPLS network from the outside, that is, from a VPN (CE router) or from the Internet. Principally, the
interface between any CE router and its peering PE router is an IP interface (that is, without labels).
The CE router is unaware of the MPLS core, and thinks it is sending IP packets to a simple router. The
"intelligence" is in the PE device, where, based on the configuration, the label is chosen and
prepended to the packet. This is the case for all PE routers, toward CE routers as well as the upstream
SP. All interfaces into the MPLS cloud require only IP packets, without labels.

For security reasons, a PE router should never accept a packet with a label from a CE router. In Cisco
routers, the implementation is such that packets that arrive on a CE interface with a label will be
dropped. Thus it is not possible to insert fake labels, because no labels at all are accepted.

There remains the possibility to spoof the IP address of a packet that is being sent to the MPLS core.
However, because there is strict addressing separation within the PE router, and each VPN has its own
VRF, this can harm only the VPN that the spoofed packet originated from; in other words, a VPN
customer can attack himself/herself. MPLS does not add any security risk here.
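The CE-facing controls described in this and the previous section (no labeled packets accepted from a CE, an inbound ACL that admits only the routing protocol from the CE address, MD5 authentication of the routing session, and a maximum number of prefixes per VRF) can be expressed as one ordered policy. The Python below is an added example, not Cisco code and not the essay's own: it models the PE's inbound decision for a single CE interface and runs it over constructed packets. The MD5 check is a simplified model of the RFC 2385 TCP signature (MD5 over the IPv4 pseudo-header, the TCP header with a zeroed checksum, the data and the shared key); the addresses, shared secret, prefix limit and packet contents are assumptions of the example.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

BGP_PORT = 179


def tcp_md5_digest(src, dst, tcp_header, data, key):
    """Keyed MD5 in the style of RFC 2385 (simplified): MD5 over the IPv4 pseudo-header,
    the TCP header with a zeroed checksum, the segment data and the shared secret."""
    seg_len = len(tcp_header) + len(data)
    pseudo = IPv4Address(src).packed + IPv4Address(dst).packed + struct.pack("!BBH", 0, 6, seg_len)
    return hashlib.md5(pseudo + tcp_header + data + key).digest()


def bgp_segment(src, dst, data, key, prefixes=0):
    """Constructed sender side: a minimal 20-byte TCP header to port 179, signed with `key`.
    `prefixes` models how many routes a BGP UPDATE carried in this segment."""
    header = struct.pack("!HHIIBBHHH", 49152, BGP_PORT, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return {"src": src, "dst": dst, "proto": "tcp", "dport": BGP_PORT, "labeled": False,
            "tcp_header": header, "data": data, "prefixes": prefixes,
            "md5": tcp_md5_digest(src, dst, header, data, key)}


class PEIngressPolicy:
    """The CE-facing rules of the section above, applied in order to each packet that
    arrives on one CE interface of the PE."""

    def __init__(self, ce_addr, pe_addr, shared_secret, max_prefixes):
        self.ce_addr = ce_addr
        self.pe_addr = pe_addr
        self.secret = shared_secret
        self.max_prefixes = max_prefixes
        self.prefix_count = 0   # routes accepted so far into this VPN's VRF

    def check(self, pkt):
        # 1. A CE interface is an IP interface: anything arriving with a label is dropped.
        if pkt.get("labeled"):
            return ("drop", "labeled packet on CE interface")
        # 2. Traffic not addressed to the PE itself is customer data, looked up in the VRF only.
        if pkt["dst"] != self.pe_addr:
            return ("forward", "customer traffic, looked up in the VPN's VRF")
        # 3. Inbound ACL: only the routing protocol, and only from the CE address.
        if not (pkt["proto"] == "tcp" and pkt["dport"] == BGP_PORT and pkt["src"] == self.ce_addr):
            return ("drop", "ACL: only BGP from the CE may reach the PE")
        # 4. MD5 authentication stops segments spoofed from elsewhere in the customer network.
        expected = tcp_md5_digest(pkt["src"], pkt["dst"], pkt["tcp_header"], pkt["data"], self.secret)
        if pkt.get("md5") is None or not hmac.compare_digest(pkt["md5"], expected):
            return ("drop", "TCP MD5 signature missing or invalid")
        # 5. A maximum number of prefixes per VRF bounds the damage of a route flood to this VPN.
        self.prefix_count += pkt.get("prefixes", 0)
        if self.prefix_count > self.max_prefixes:
            return ("drop", "maximum prefixes per VRF exceeded")
        return ("accept", "authenticated BGP from the CE")


def run_samples():
    """Constructed CE/PE link: CE 192.0.2.2, PE 192.0.2.1. Returns the verdict for each packet."""
    policy = PEIngressPolicy("192.0.2.2", "192.0.2.1", b"shared-secret", max_prefixes=100)
    good = bgp_segment("192.0.2.2", "192.0.2.1", b"KEEPALIVE", b"shared-secret")
    samples = [
        ("ce keepalive", good),
        ("labeled from ce", dict(good, labeled=True)),
        ("ssh to pe", {"src": "192.0.2.2", "dst": "192.0.2.1", "proto": "tcp", "dport": 22, "labeled": False}),
        ("spoofed bgp", bgp_segment("10.0.0.7", "192.0.2.1", b"OPEN", b"shared-secret")),
        ("wrong key", bgp_segment("192.0.2.2", "192.0.2.1", b"OPEN", b"guess")),
        ("customer data", {"src": "10.0.0.7", "dst": "10.1.0.9", "proto": "udp", "dport": 53, "labeled": False}),
        ("route flood", bgp_segment("192.0.2.2", "192.0.2.1", b"UPDATE", b"shared-secret", prefixes=150)),
    ]
    return [(name, policy.check(pkt)) for name, pkt in samples]


if __name__ == "__main__":
    for name, verdict in run_samples():
        print(f"{name:16} {verdict[0]:8} {verdict[1]}")
```

The order of the checks matters: the label check and the ACL are cheap and reject most unwanted traffic before any cryptographic work, and the prefix limit sits last because it can only be applied to an authenticated session. Each verdict carries a reason string so that the same decisions can be logged, which is what makes the source of a DoS attempt against the PE traceable.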


Protocol Applications & Integrations


- Which other protocols does MPLS support besides IP? (17)
By definition, Multiprotocol Label Switching supports multiple protocols. At the Network
Layer MPLS supports IPv6, IPv4, IPX and AppleTalk. At the Link Layer MPLS supports
Ethernet, Token Ring, FDDI, ATM, Frame Relay, and Point-to-Point Links. It can essentially
work with any network-layer control protocol besides IP and can be layered on top of any link layer protocol.

- MPLS brings the traffic engineering capabilities of ATM to packet-based networks. (18)
- MPLS was not designed to replace ATM, but the practical reality of the dominance of IP-based
protocols coupled with MPLS's inherent flexibility has led many service providers to migrate
their ATM networks to ones based on MPLS. (19)
- MPLS can co-exist with ATM switches and eliminate complexity by mapping IP addressing
and routing information directly into ATM switching tables. (20)
- The following classes may be more appropriate for the initial deployment of MPLS QoS:
i. High-priority, low-latency "Premium" class (Gold Service)
ii. Guaranteed-delivery "Mission-Critical" class (Silver Service)
iii. Low-priority "Best-Effort" class (Bronze Service)
- Cisco 7600 Series routers (21)

17 Ref#9
18 Ref#9
19 Ref#9
20 Ref#9
21 Ref#11


Conclusion (22)
- The MPLS solution is spreading all over the world and has great potential to
dominate because of its benefits in meeting the endless demands for switching speed
and QoS.
- MPLS has not yet been implemented in Jordan, or at least we were not able to find
any organization that has adopted it; the following are some of the reasons for that:
i. Lack of expertise in the technology, which is still considered relatively new,
even though it is supported by one of the leading vendors of routing technology
worldwide (Cisco Systems, Inc.).
ii. Resistance to change, because of familiarity with the existing technology.
iii. Lack of, or limited, actual need for such a solution.
iv. Immaturity of the telecommunications infrastructure needed to create the added
value of the solution.

22 Ref#10


Literature review
Ref#1 – MPLS, The International Engineering Consortium, http://www.iec.org, A. Musallami
Ref#2 – http://en.wikipedia.org/wiki/MPLS, Hanan Mohsen
Ref#3 – http://www.netcraftsmen.net/welcher/papers/mplsintro.html, Hanan Mohsen
Ref#4 – http://www.nortel.com/solutions/providers/enabling_tech/mpls/technology.html, Hanan Mohsen
Ref#5 – http://www.mier.com/reports/cisco/MPLS-VPNs.pdf, Hanan Mohsen
Ref#6 – http://www.ripe.net/ripe/meetings/ripe-39/presentations/mpls-arch/sld003.html, Hanan Mohsen
Ref#7 – http://www.juniper.net/techpubs/software/junos/junos56/feature-guide-56/html/fg-ipv6-over-mpls.html, Hanan Mohsen
Ref#8 – MPLS Architecture, Aminah Khaddam and Hanan Mohsen
Ref#9 – Irwin Lazar, Requirements for Traffic Engineering Over MPLS, http://www.ietf.org/rfc/rfc2702.txt, http://www.mplsrc.com/contact.shtml, Alaa Darawsheh
Ref#10 – Group Section 203
Ref#11 – http://www.cisco.com/go/routing, 2006-05-06, A. Musallami


Essay Contacts

Contact              Email                                                Telephone
Ahmad Al-Musallami   AMusallami@Idealsoft.com.jo, AMusallami@Hotmail.com  +962-788-519272
Alaa Darawsheh       Alaa_Darawshed@Yahoo.com                             +962-795-023399
Aminah Khaddam       WaseemBayyari@Yahoo.com                              +962-796-382005
Hanan Mohsen         HananMohsen@Hotmail.com                              +962-795-601424

Document History
- Ver 0.0 2006/03/26 A. Musallami, created the document skeleton.
- Ver 0.1 29/4/2006 H. Mohsen, added Executive Summary, Introduction, Definitions, MPLS History, How MPLS
works, Connecting IPv6 Islands with IPv4 MPLS, Comparison of MPLS vs IP and ATM.
- Ver 0.5 30/04/2006 Aminah Khaddam provided documents about MPLS Architecture.
- Ver 1.0 03/05/2006 Alaa Darawsheh added the Security part.
- Ver 1.1 06/05/2006 A. Musallami, added the Literature review, MPLS Infrastructure, References,
Conclusion, Protocol Applications & Integrations, and Table of Contents.

*** *** ***
