IPsec: CE to CE

The use of CE-CE IPsec may be implemented if required by the end customer. MPLS VPNs forward user information over the network in the same format as it is received from the CE, as with any other data-transparent transport network (ATM, Frame Relay, or HDLC).

NOTE

Note that the use of IPsec between CE routers is transparent to the MPLS core and therefore has no influence on the security of the core. As such, it is possible, though perhaps requiring considerable effort and access, to monitor traffic as it passes through the network. This may not be acceptable for highly sensitive information such as financial data or confidential materials. If inherent protection of the data from monitoring is desired, it is necessary to use some form of encryption.


Various data-encryption mechanisms have been available for some time, including software- and hardware-based encryption, and the one most typically used within the IP world: IPsec.

Full link encryptors may be used as long as they are inserted in the lines between the routers such that the original data stream, in particular the header information, is available for the routers to perform their forwarding decisions. As such, information is "in the clear" on the cables between the encryptor/decryptor and the attached router.

However, a more typical approach in an IP environment is to use the IPsec mechanisms, which encrypt the data and still produce an output IP packet that can be switched by the routers. In addition, IPsec also can provide support for verification of the endpoints of the data flow, thus providing a high degree of certainty that the information is actually being received by the intended party.
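As an added example (not from the book), the following Cisco IOS configuration shows one way to build the CE-CE IPsec tunnel described above on the local CE, using a static virtual tunnel interface (VTI). All addresses, interface names and the pre-shared key are constructed placeholders: the local CE uplink to the PE is GigabitEthernet0/0 at 203.0.113.1/30 with the PE at 203.0.113.2, the remote CE is reached through the provider VPN at 198.51.100.1, and the remote site LAN is 192.168.2.0/24.

```ios
! Constructed example: CE-CE IPsec over an MPLS VPN, local CE side.
! The provider's PE and core only ever see ESP and IKE between the two
! CE addresses; the clear-text VPN data never leaves the customer site.
!
! IKE (phase 1): the CE routers authenticate each other directly, so a
! provider node cannot stand in for the remote site.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Placeholder key; certificates are preferable to a static PSK.
crypto isakmp key REPLACE_WITH_STRONG_PSK address 198.51.100.1
!
! IPsec (phase 2): ESP with AES and SHA-256 HMAC gives confidentiality
! and integrity, which is what Table 5-3 credits CE-CE IPsec with for
! "read VPN traffic" and "insert traffic into VPN".
crypto ipsec transform-set CE-CE-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile CE-CE-PROF
 set transform-set CE-CE-TS
!
! Static VTI: anything routed into Tunnel0 is encrypted before it
! reaches the PE-CE link, the "weakest link" the text refers to.
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CE-CE-PROF
!
! Uplink to the PE: accept only IKE and ESP from the remote CE, so
! unencrypted packets injected on the provider side are dropped and logged.
ip access-list extended FROM-PROVIDER
 permit esp host 198.51.100.1 host 203.0.113.1
 permit udp host 198.51.100.1 host 203.0.113.1 eq isakmp
 permit udp host 198.51.100.1 host 203.0.113.1 eq non500-isakmp
 deny ip any any log
!
interface GigabitEthernet0/0
 description Uplink to provider PE (carries only IKE and ESP)
 ip address 203.0.113.1 255.255.255.252
 ip access-group FROM-PROVIDER in
!
! Reach the remote CE's outer address via the provider VPN (next hop = PE),
! and send the remote LAN through the encrypted tunnel.
ip route 198.51.100.0 255.255.255.252 203.0.113.2
ip route 192.168.2.0 255.255.255.0 Tunnel0
```

The remote CE gets the mirror-image configuration; after both sides are up, `show crypto ipsec sa` on either CE should show encrypt and decrypt counters rising for Tunnel0, confirming that the traffic crossing the PE-CE link is ESP only.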

IPsec PE-PE

IPsec between PEs applies when the core is not pure MPLS but rather IP based. The principle behind the use of IPsec between PEs is to protect against misbehaving transit nodes in the core.

However, with PE-PE IPsec, snooping on the link is possible. Recall that your weakest link is between the PE and CE.

The best practice is to implement CE-CE IPsec when required, or consider an alternative technology implementation such as MPLS over L2TPv3, which we will discuss in the next section.

Table 5-3 compares security aspects between IPsec CE-CE and IPsec PE-PE.

Table 5-3. Nonapplication: Customer Security

| Hacker wants to... | IPsec CE-CE | IPsec PE-PE |
|---|---|---|
| Read VPN traffic | Protects fully | Protects partially |
| Insert traffic into VPN | Protects fully | Protects partially |
| Join a VPN | Protects fully | Doesn't protect |
| DoS a VPN/the core | Doesn't protect | Doesn't protect |