Chapter 6. How IPsec Complements MPLS

In this chapter, you learn about the following:

  • Where IPsec can be used in an MPLS VPN environment and what the benefits are

  • Where PE-PE IPsec is applicable

  • How IPsec remote access works

When the idea of MPLS VPNs was first discussed, there was a strong notion of competition between MPLS VPNs and IPsec VPNs. Many people voiced concern that MPLS VPN technology does not add significant advantages over IPsec VPNs and, indeed, that it is inferior in some respects: by default, MPLS VPNs do not provide confidentiality on the network, for example.

Today, there is at least a strong market perception that MPLS VPNs are useful. Indeed, both MPLS VPNs and IPsec VPNs have significant deployments, and that suggests that both types have their benefits, albeit in different scenarios. The benefits of MPLS VPNs are primarily on the service provider side, where this technology allows highly scalable VPN architectures, with integrated QoS support. The VPN customer benefits indirectly through lower prices because the service provider can offer a VPN service more cheaply. IPsec VPNs have their main benefit in customer network security: data in transit is encrypted and authenticated, and its integrity is maintained.

We will not engage here in an argument about which of the VPN technologies is better or more suitable for a given network. Instead, we will provide technical arguments on how the two VPN technologies can be used together. Both have advantages for different target groups: the VPN customer and the service provider. The combination of the two can result in a very compelling overall VPN architecture.

The first section of this chapter gives an overview of various deployment scenarios of IPsec together with MPLS. The subsequent sections give more detail on each of them. Finally, some practical decision guidelines are given on how to decide which way of mapping IPsec onto MPLS is the best for a given case.