In addition to connecting to headquarters, most organizations also want to provide each end point with Internet access. Since the IPsec VPN itself runs over the public Internet, this is a straightforward addition requiring no additional equipment. There are options for connecting MPLS VPNs to the Internet, usually involving the deployment of a separate Internet connection.
Although IPsec VPNs typically place equipment at the customer premises, many service providers do offer IPsec VPN services where they are responsible for management of the IPsec gateway. In a managed offering such as this, the service provider will typically provide a performance guarantee of some sort.
MPLS and IPsec are not, as some vendors position them, competitive technologies; rather, each is useful for different functions. MPLS (IP VPN) is useful for creating fixed, site-to-site connections, but less practical for creating client-to-site, remote-site or telecommuting environments. Moreover, the IP VPN is less robust in terms of providing security for the data being transported. IPsec, on the other hand, was designed from the ground up to provide an ultra-secure connection. When a VPN is created using the IPsec protocol, data is secured by both encryption and authentication.
MPLS VPN vs. IPsec VPN
| Feature | MPLS VPN (IP VPN) | IPsec VPN |
|---|---|---|
| Full mesh connectivity | Yes | Yes |
| QoS and bandwidth management | Yes (CoS) | Yes (CoS) |
| AES-256 bit encryption | No | Yes |
| Service provider contract requirement | Yes | No |
| Cost to deploy | $$$$ | $$ |
| Monthly bandwidth cost | $$ | $ |
Finding an optimal path through the network, whether it is the Internet or a service provider's proprietary network, is a vital concern. In terms of re-routing, MPLS has the ability to store a secondary path through the network. If the main path is inaccessible, MPLS can reroute traffic to the backup path. However, if the backup path is also down, a new path must be created manually. On the other hand, IPsec runs over IP and uses dynamic routing protocols: it automatically detects path failures and routes around them.
IPsec is firmly established and mature, and it offers end-to-end authentication and encryption to provide the best security environment. MPLS, on the other hand, is a newer specification, but does have use as a replacement for ATM or Frame Relay in connecting major fixed locations. Because it runs over the public Internet, IPsec can be implemented virtually anywhere; MPLS is limited to connectivity within the service provider's network.
Because of its labeling technique, MPLS moves traffic efficiently through the service provider network, and it offers strong bandwidth and service level guarantees. IPsec VPNs, however, can also include bandwidth management functionality, and the rapidly decreasing cost of additional bandwidth makes it possible and cost-effective to deploy enough bandwidth on the IPsec VPN to achieve the same level of performance as the MPLS VPN (if not more), and at lower cost.
On the downside, MPLS lacks the strong encryption and authentication of IPsec. That is not to say that an MPLS network has no security at all. MPLS inherently separates VPN streams, which provides a level of privacy based on isolation: an attacker cannot easily reach one customer's VPN through another customer's VPN. But while MPLS VPNs separate traffic, they neither encrypt packets nor authenticate them, so anyone with access to the provider's network can read or alter the payload. If rigorous security is desirable, traffic can be encrypted with IPsec before being encapsulated into MPLS.
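To make that last point concrete, here is an added example (not from the original article) that labels a packet the way an MPLS label switch router does (RFC 3032 label stack entry) and compares it with the same packet wrapped in an ESP-like IPsec envelope first. The "ESP" wrap is a simplified stand-in built from the Python standard library (HMAC-derived keystream plus an HMAC integrity check value) rather than real AES-GCM, and the key, SPI and payload are constructed sample values.

```python
import hashlib, hmac, struct

def mpls_push(label, tc, s, ttl, payload):
    """Prepend one RFC 3032 label stack entry: 20-bit label, 3-bit TC, 1-bit S, 8-bit TTL."""
    entry = (label << 12) | (tc << 9) | (s << 8) | ttl
    return struct.pack("!I", entry) + payload

def mpls_pop(frame):
    """Split off the top label stack entry; returns (label, tc, s, ttl, rest)."""
    (entry,) = struct.unpack("!I", frame[:4])
    return entry >> 12, (entry >> 9) & 0x7, (entry >> 8) & 0x1, entry & 0xFF, frame[4:]

def _keystream(key, header, length):
    # Toy CTR-style keystream from HMAC-SHA256, bound to SPI+sequence (stand-in for ESP's AES).
    blocks = (hmac.new(key, header + struct.pack("!I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def esp_protect(key, spi, seq, plaintext):
    """ESP-like wrap: SPI + sequence header, encrypted payload, truncated HMAC ICV."""
    header = struct.pack("!II", spi, seq)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, header, len(plaintext))))
    icv = hmac.new(key, header + ct, hashlib.sha256).digest()[:16]
    return header + ct + icv

def esp_unprotect(key, packet):
    """Verify the ICV before decrypting; return None if authentication fails."""
    header, ct, icv = packet[:8], packet[8:-16], packet[-16:]
    if not hmac.compare_digest(hmac.new(key, header + ct, hashlib.sha256).digest()[:16], icv):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, header, len(ct))))

def demo():
    # Constructed sample: a payload from customer VPN "A", carried on label 100 with S=1, TTL=64.
    key, payload = b"constructed-pre-shared-key-sample", b"GET /payroll HTTP/1.1"
    plain_mpls = mpls_push(100, 0, 1, 64, payload)
    protected_mpls = mpls_push(100, 0, 1, 64, esp_protect(key, 0x1000, 1, payload))
    tampered = bytearray(protected_mpls); tampered[20] ^= 0x01  # flip one ciphertext byte
    label_plain, *_, inner_plain = mpls_pop(plain_mpls)
    label_prot, *_, inner_prot = mpls_pop(protected_mpls)
    return {
        "label_readable_both": label_plain == label_prot == 100,   # separation still works
        "payload_visible_plain_mpls": payload in inner_plain,       # anyone on the path can read it
        "payload_visible_protected_mpls": payload in inner_prot,    # opaque once ESP-wrapped
        "recovered": esp_unprotect(key, inner_prot),                # the far gateway decrypts
        "tampered_rejected": esp_unprotect(key, mpls_pop(bytes(tampered))[4]) is None,
    }
```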