VPLS: A secure LAN cloud solution for some, not all

Ivan Pepelnjak, IT expert
15 May 2009

VPLS (virtual private LAN service) is one of the most recent buzzwords to enter the service-provider acronym world, and some vendor marketing departments are touting it as the latest VPN panacea. Not surprisingly, some service providers believe the hype and are now offering VPLS in environments where it could do much more harm than good.

Security experts have already realized the 'opportunities' (read: attack vectors) offered by an enterprise-wide LAN cloud and demonstrated practical VPLS-based attacks. Demonstrations of these attacks can be seen on slides 23 to 31 of the All your packets belong to us presentation given at ShmooCon 2009. Beyond those specific attacks, it's vital to understand the advantages, limitations and threats of VPLS in order to offer a range of secure services matching your customers' expectations.

The evolution of VPLS from previous networking technologies

Before addressing how service providers can offer secure VPLS solutions, it's important to know how VPLS developed. When the emerging service provider networking vendors tried to replace 'old-world' technologies like frame relay and ATM with 'new-world' IP, they focused on IP-based virtual private networks (VPNs), which were successfully implemented with MPLS VPN technology.

But MPLS VPN technology did not fit all the needs of incumbent service providers, which had to transport legacy traffic, such as ATM-based video surveillance, across their infrastructure. Early adopters also discovered that even though IP was ubiquitous at the time when MPLS VPN technology was introduced, large enterprises still had to support small but significant amounts of non-IP traffic. Even worse, some IP-based applications (including server clustering in disaster-recovery solutions) required transparent LAN communication.

Networking vendors tried to cover all service provider needs and introduced technologies that enabled point-to-point transport of any traffic across the service provider infrastructure, including AToM (Any Transport over MPLS) and L2TPv3 (Layer 2 Tunneling Protocol version 3). These point-to-point offerings allowed service providers to create pseudowires carrying Ethernet, ATM or frame relay data across their MPLS or IP infrastructure, addressing the legacy needs of enterprise customers. With all the building blocks in place, it wasn't long before someone tried to replicate the Local Area Network Emulation (LANE) idea from the ATM world and build a technology that would dynamically create MPLS pseudowires to offer any-to-any bridged LAN service -- and VPLS was born.

VPLS lacks layer 3 security features

VPLS is a technology that provides any-to-any bridged Ethernet transport among several customer sites across a service provider infrastructure. All sites belonging to the same VPN are connected to one VPLS instance and form a single LAN bridging domain. Frames sent by workstations attached to the site LANs are forwarded according to the IEEE 802.1D bridging standard: the provider edge learns MAC addresses from the source addresses of customer frames and floods broadcasts and unknown unicasts to every other site. Every site therefore sees every other site's broadcast traffic, and nothing in the service distinguishes a legitimate station from one at another site claiming the same MAC address. VPLS offers none of the layer 3 security or isolation features offered by layer 3 VPN technologies, including MPLS VPN and IPsec.
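
The consequences of that forwarding model are easiest to see in a small simulation. The following Python block is an added example, not code from the article or from any VPLS implementation: it models one VPLS instance as an 802.1D learning bridge whose ports are customer sites, shows that a broadcast from one site is flooded to all the others and that a host at a second site can re-point the bridge's forwarding entry for a server simply by sending a frame with the server's source MAC, and contrasts this with a layer 3 VPN forwarding table that data packets cannot modify. Site names, MAC addresses and IP prefixes are constructed for the example.

```python
"""Constructed simulation of VPLS (bridged) versus L3 VPN (routed) forwarding.

Added example, not from the article.  Sites, MAC addresses and prefixes
are made up.  The bridge follows the IEEE 802.1D rules the article refers
to: learn the source MAC on the ingress port, flood broadcast and unknown
unicast, forward known unicast to the learned port.
"""
import ipaddress
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str       # source MAC address
    dst: str       # destination MAC address
    ingress: str   # customer site the frame arrived from
    kind: str = "data"


class VplsInstance:
    """One VPLS VPN: a single flat bridging domain across all customer sites."""

    def __init__(self, sites):
        self.sites = list(sites)
        self.fdb = {}  # MAC -> site, learned only from frame source addresses

    def forward(self, frame):
        """Return the list of sites the frame is delivered to."""
        # Learning: bind the source MAC to the ingress site.  Nothing checks
        # whether the same MAC was previously learned at another site.
        self.fdb[frame.src] = frame.ingress
        if frame.dst == BROADCAST or frame.dst not in self.fdb:
            # Broadcast and unknown unicast are flooded to every other site.
            return [s for s in self.sites if s != frame.ingress]
        egress = self.fdb[frame.dst]
        return [] if egress == frame.ingress else [egress]


class L3VpnInstance:
    """One MPLS/IP VPN (VRF): the forwarding table is configured, not learned."""

    def __init__(self, routes):
        # prefix -> site, installed by configuration or a routing protocol
        self.rib = {ipaddress.ip_network(p): s for p, s in routes.items()}

    def lookup(self, ip):
        addr = ipaddress.ip_address(ip)
        matches = [n for n in self.rib if addr in n]
        if not matches:
            return None
        return self.rib[max(matches, key=lambda n: n.prefixlen)]  # longest match

    def forward(self, src_ip, dst_ip, ingress):
        """Return the egress site, or None if the packet is dropped."""
        # Source address and ingress site never alter the table.  The PE can
        # also reject a source the table does not place at the ingress site
        # (unicast RPF); a bridge has no such reference to check against.
        if self.lookup(src_ip) != ingress:
            return None
        return self.lookup(dst_ip)


SITES = ["hq", "branch-a", "branch-b"]
SERVER_MAC = "02:00:00:00:00:01"   # constructed: server at hq
CLIENT_MAC = "02:00:00:00:00:0a"   # constructed: workstation at branch-a
ROGUE_MAC = "02:00:00:00:00:bb"    # constructed: host at branch-b (unused MAC)


def demo_flooding():
    """A broadcast (e.g. an ARP request) from one site reaches every other site."""
    vpls = VplsInstance(SITES)
    return vpls.forward(Frame(CLIENT_MAC, BROADCAST, "branch-a", "arp"))


def demo_mac_takeover():
    """A host at branch-b claims the hq server's MAC and receives its traffic.

    Returns (delivery sites before, delivery sites after) for a client frame
    addressed to the server.
    """
    vpls = VplsInstance(SITES)
    vpls.forward(Frame(SERVER_MAC, BROADCAST, "hq", "arp"))   # server learned at hq
    before = vpls.forward(Frame(CLIENT_MAC, SERVER_MAC, "branch-a"))
    # One frame with a forged source MAC from branch-b re-points the entry.
    vpls.forward(Frame(SERVER_MAC, BROADCAST, "branch-b", "arp"))
    after = vpls.forward(Frame(CLIENT_MAC, SERVER_MAC, "branch-a"))
    return before, after


def demo_l3_vpn_unaffected():
    """The same forgery against a routed VPN is dropped and changes nothing."""
    vrf = L3VpnInstance({"10.1.0.0/16": "hq",
                         "10.2.0.0/16": "branch-a",
                         "10.3.0.0/16": "branch-b"})
    before = vrf.forward("10.2.0.10", "10.1.0.1", "branch-a")
    spoofed = vrf.forward("10.1.0.1", "10.2.0.10", "branch-b")  # hq source from branch-b
    after = vrf.forward("10.2.0.10", "10.1.0.1", "branch-a")
    return before, spoofed, after


if __name__ == "__main__":
    print("broadcast from branch-a delivered to:", demo_flooding())
    print("VPLS: server traffic goes to (before, after):", demo_mac_takeover())
    print("L3 VPN: (before, spoofed, after):", demo_l3_vpn_unaffected())
```

The bridge has no source of truth other than what the data plane tells it, which is the whole point of the article's warning: once several sites share one bridging domain, MAC learning, flooding and ARP behave exactly as they would on a single office switch, and any site can influence where another site's traffic is delivered. The routed VPN keeps its forwarding state in the control plane and can check sources against it.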

VPLS layer 2 switching problems

The networking industry made numerous attempts to implement layer 2 switching -- previously known as bridging -- across lower-speed WAN networks. All of these attempts, including WAN bridges, brouters (WAN bridges with limited routing functionality) and ATM-based LANE, have failed because of the inherent limitations of bridging. As I wrote in the article 'Making the case for Layer 2 and Layer 3 VPNs,' 'the world is not flat, and Layer 2 services cannot cover the needs of an entire network.'
