When networking a computer system, protocols play an important role. An example is the Internet protocol, which was published in a first specification in 1981, and is the indispensable basis for the smooth sending and receiving of data packets. But what is behind the RFC standard? And how does the Internet protocol actually work?
There are basically two types of data transfers: With connectionless data transfer, data is sent at any time and without limits from the desired device to a target system without the path of the packages being set in advance. Each interconnected network node (usually a router) automatically knows how to forward the data stream. Connectionless data transfer offers a high degree of flexibility, but no guarantee that the necessary resources will be available.
In contrast, the path of the data packages in connection-oriented data transfer is decided from the beginning. The network nodes involved (generally switches) receive the corresponding information for the forwarding of the data from the preceding station, until the point when the packages have arrived at the target computer at the end of their path. In this way, the time-consuming routing process necessary for a connectionless transfer is considerably accelerated. It also allows for optimal control of available network resources and their distribution amongst individual participants. The so-called multiprotocol label switching (MPLS) allows this to be used for TCP/IP networks as well, though these are technically in the connectionless network category.
What is MPLS (multiprotocol label switching)?
In the mid-1990s, large communication networks were characterised by a much higher proportion of voice communication (telephony) than data communication (internet). Telecommunication providers at this time were still operating separate networks for both transfer types, which was quite expensive, but also didn’t ensure a comprehensive quality of service. The high quality, connection-oriented communication networks stood in contrast to connectionless data networks, which lacked the necessary bandwidth. The introduction of the ATM protocol (Asynchronous Transfer Mode) largely solved this problem by allowing the voice and data to be transferred via a shared infrastructure. But multiprotocol label switching really provided a solution in the late 1990s for using available bandwidths efficiently.
To accomplish this, MPLS finally relieved the overloaded routing systems: Instead of defining the optimal route of a data package by the individual intermediate stations, as was done before, the new method offered the possibility to pre-define paths that define a package’s way from the input point (ingress router) to the starting point (egress router). The relay points (label switched router) recognise these paths by evaluating labels that contain the appropriate routing and service information, and are assigned to the respective data package. The evaluation takes place using the appropriate hardware (e.g. a switch) above the backup layer (layer 2), while the time-consuming routing on the switching layer (layer 3) is left out.
Thanks to the generalised MPLS extension, the technology originally developed only for IP networks is now also available for other network types, such as SONET/SDH (Synchronous Optical Networking / Synchronous Digital Hierarchy) or WSON (Wavelength Switched Optical Network).
How does multiprotocol label switching work?
The use of MPLS in IP networks requires a logical and physical infrastructure consisting of MPLS-capable routers. The labeling process operates primarily within an autonomous system (AS) – a congregation of different IP networks that are managed as a unit and connected via at least one common interior gateway protocol (IGP). Administrators of such systems are generally internet providers, universities, or international companies.
Before the individual paths can be built, the IGP being used needs to ensure that all routers of the autonomous system can reach one another. Then the corner points of the paths, which are also referred to as label switched paths (LSP), are defined. These previously mentioned ingress and egress routers are usually at the inputs and outputs of a system. Activation of the LSPs is then either manual, semi-automatic, or fully automatic:
- Manual configuration: Each note that an LSP runs through needs to be individually configured; this approach is ineffective for large networks.
- Semi-automatic configuration: Only some intermediate stations (for example, the first three hops) need to be configured manually, while the rest of the LSPs receive information from the interior gateway protocol.
- Fully automatic configuration: The interior gateway protocol assumes the entire determination of the path in the fully automatic version; no path optimization is achieved, though.
Data packages sent in a configured MPLS network receive an additional MPLS header from the ingress router. This is inserted between the information of the second and third layers, and is also referred to as a push operation. During the transfer, the individual hops involved exchange the label with a customised version with its own connection information (i.e. latency, bandwidth, and destination hop) – this procedure is often called a swap operation. At the end of the path, the label is removed from the IP header as part of a pop operation.
The structure of multiprotocol label switching headers
MPLS extends the normal IP header by the so-called MPLS label stack entry, which is also known as the MPLS shim header. This entry is very short, with a length of 4 bytes (32 bits), which is why it can quickly be processed. The corresponding header line, which is inserted between the layer 2 and layer 3 headers, looks as follows:
|Bits 0-19||Bits 20-22||Bit 23||Bits 24-31|
The additional 32 bits of the MPLS label stack entry add four pieces of information to an IP package for the next network hop:
- Label: The label contains the core information of the MPLS entry, which makes it the largest component with a length of 20 bits. As mentioned before, a label on the path is always unique, and only mediates between two specific routers. It’s then adapted accordingly for the data transfer to the next intermediate station.
- Traffic Class (TC): Using the traffic class field, the header provides information about differentiated services (DiffServ). This formula can be used for the classification of IP packages to guarantee service quality. For example, the 3 bits of the network scheduler can communicate whether a data package is prioritised or can be subordinated.
- Bottom of Stack (S): The bottom of stack defines whether the underlying transmission path is a simple path or whether multiple LSPs are nested. If the latter is the case, then a package can receive multiple labels grouped together in the so-called label stack. The bottom of stack flag then informs the router that other labels are following, or that the entry contains the last MPLS label in the stack.
- Time to Live (TTL): The last 8 bits of the MPLS label stack entry shows the lifespan of the data package. In this way, it’s possible to control how many routers the package can go through on its path (the limit is 255 routers).
The role of multiprotocol label switching today
In the 1990s, MPLS helped providers with the rapid development and growth of their networks. But the initial speed advantage for data transfer has been pushed to the background with the new generation of high-performance routers with integrated network processors. As a procedure that can guarantee quality of service, though, it’s still used today by many service providers. This has to do with so-called traffic engineering – a process that deals with the analysis and optimisation of data streams. In addition to the classification of individual data connections, an analysis of the bandwidths and capacities of individual network elements also takes place. Based on the results, the data load can then be optimally distributed to strengthen the entire network.
Another important area of application is virtual private networks (VPN) – self-contained, virtual communication networks that use public network infrastructures like the internet as a transport medium. In this way, devices can merge in a network without physically connecting with one another. There are two different types of such MPLS networks:
- Layer 2 VPNs: Virtual private networks on the data link layer can either be designed for point-to-point connections or for remote access. Layer 2 logically serves the user of such a VPN as an interface for establishing a connection. The point-to-point tunneling protocol (PPTP) or the layer 2 tunneling protocol (L2TP) serve as basic protocols. This gives service providers the option to offer their customers SDH-like services and Ethernet.
- Layer 3 VPNs: Network-based layer 3 VPNs represent a simple solution for service providers to offer various customers completely routed network structures based on a single IP infrastructure (regardless of the private IP address ranges). The quality of service is ensured by way of customers being managed separately by individual MPLS labels and predefined package paths. The network hops are also spared routing.
Operators of large WAN networks (Wide Area Network) profit from provider offers that are based on multiprotocol label switching: Correctly configured, the strategic label switched paths optimise data traffic and ensure to the greatest extent possible that all users can have the bandwidth that they need at any time – while their own effort remains limited. For campus networks, such as university or enterprise networks, the method is also a suitable solution, if the necessary budget is available.
An overview of the benefits of MPLS VPNs
Multiprotocol label switching competes as a technology for virtual networks with the IP protocol stack extension IPsec, among others. The security upgrade of the internet protocol is characterised, in particular, by its own encryption mechanisms and low costs. The implementation of infrastructure by means of IPsec isn’t the responsibility of the provider, though, but rather the user – as opposed to the MPLS method. This requires a higher level of effort, giving the MPLS method an advantage. This isn’t the only benefit of ‘label’ networks, as the following list shows:
- Low operating effort: Operating the MPLS network is the task of the provider, like the IP configuration and the routing. Customers profit from a finished infrastructure, and save a lot of effort that would otherwise be incurred by setting up their own network.
- First-class performance: The predefined data paths ensure very fast transfer rates, only subject to small fluctuations. Service level agreements (SLA) are met between providers and customers, guaranteeing the desired bandwidth and quick assistance with problems.
- High flexibility: VPNs based on multiprotocol label switching give internet providers a lot of leeway for the distribution of resources, which also pays off for their customers. This way, very specific performance packages can be agreed upon, and networks can easily be extended at any time.
- Option to prioritise services: Thanks to MPLS infrastructure, providers can offer various quality of service steps. The leased bandwidth is in no way static, but can be classified (class of service). This way, the desired services can be prioritised, such as VoIP, to guarantee a stabile transfer.
How secure are MPLS networks?
The advantages of MPLS and the technology based on virtual private networks are especially interesting for companies and institutions that are spread over several sites and want to grant their customers access to their network. As a result, such virtual networks are often the first choice when building an IT infrastructure. This allows users to combine into one network without requiring a physical connection or public, routed IP address on the internet.
Basically, a multiprotocol label switching VPN is only available to users who have the appropriate data for setting up the connection. This fact alone doesn’t make the virtual networks immune to unauthorised access, though: The ‘private’ attribute isn’t used in such networks for secrecy and encryption, but to make the IP addresses only accessible internally. Without additional encryption, all information is transferred in plaintext. But a corresponding certification also doesn’t offer one hundred percent protection, even if the normal internet traffic via the transfer router (also called the ‘Provider Edge’ (PE)) runs between the MPLS network and customer LAN. Some possible risks when using the MPLS infrastructures are listed below:
- MPLS packages land in the wrong VPN: Software errors and misconfigurations are commonly the cause of IP packages with MPLS labels leaving the actual VPN and becoming visible in another network. In this case, the router falsely forwards the package to an untrustworthy system to which an IP route exists. It’s also possible that targeted data packages with altered labels (MPLS label spoofing) can be looped into a foreign VPN if the provider edge router accepts the corresponding packages.
- Connection of an unauthorised transfer router: If various VPNs are connected to the MPLS infrastructure, there is also the risk that a provider edge will be wrongfully integrated with another customer’s VPN. This can either happen via an unintended misconfiguration or through a targeted attack. As a result, further network-based attacks can easily be carried out by the foreign user.
- Logic structure of the provider network is visible: If an attacker gets a look at the logic structure of the MPLS network that the service provider has built, then attacks on the transfer router are incredibly probable – especially if its addresses are visible.
- Denial of service attack to the PE router: As an important node for the involved networks, the provider edge router is a particularly vulnerable target for denial of service attacks that compromise the availability of the VPN service. In this case, continuous routing updates, for example via EIGRP (enhanced interior gateway routing protocol) or OSPF (open shortest path first), can cause the overloading of the router by the deliberate overflow of small data packages.
In addition to encryption, each VPN should have additional security mechanisms to protect the provider edge router against external attacks. The primary recommendation for this is the establishment of a demilitarised zone between two firewalls, and the use of network monitoring systems. In addition, regular updates of software and hardware, as well as security measures against unauthorised physical access to the gateways, should be the standard.