MPLS
• Acronym stands for Multiprotocol Label Switching
• Consider a large ISP network:-
– Every router contains a full routing table (the full
Internet routing table currently contains ~350,000
prefixes and growing. It had ~283,000 when I gave
this lecture in 2009 and 315,000 in 2010)
• Every router requires lots of RAM or (worse) expensive
hardware route cache
• Because every IP packet is routed individually (stateless), every
packet requires a search of the routing table. On a router
expected to handle 100s of Gigabits of traffic this can be a
significant performance killer
MPLS
• Consider the steps needed to route IP packets in a
large network:-
1. Packet is received on input port
2. IP routing table (possibly very large) is searched for
longest matching route. IP Next Hop is determined
3. Is IP Next Hop on a directly connected interface?
– Yes…Go to step 4
– No (iBGP route)…Go to step 2, searching for route to IP Next
Hop (recursive route lookup)
4. Forward packet out of interface determined in Step #3
5. Go to step 1 (cycle begins again on next router on
path)
This cycle repeats at each router along the path until the
destination is reached.
MPLS
• There are clearly some inefficiencies here:-
– There will usually be two IP routing table lookups
performed at each router along the path
– The full routing table is required at every router along
the path
• Requires lots of memory
• Slows down recovery in the event of a network failure
– Full mesh iBGP required (or route reflectors or BGP
confederations)
MPLS
• There is some scope for improving on this:-
– The first (iBGP) routing table lookup actually returns the
address of the egress router. This can be regarded as
assigning each packet to a Forwarding Equivalency
Class (the set of all packets destined for a particular
egress router)
– If some indication of this FEC could be “attached” to
the packet by the ingress router, it could simplify the
routing process on subsequent routers by saving each
of them from making the same FEC decision as the
ingress router. Then only the second routing table
lookup (to find the next-hop towards the egress router)
would be needed, halving the routing workload on each
router
MPLS
• RFC 3031 describes the MPLS architecture which
(broadly) achieves this objective (among others)
• In MPLS networks, the ingress router attaches a label
to the incoming packet identifying a path to be
followed through the carrier network to the target
egress router (as identified by the iBGP lookup)
– Every packet destined for the same egress router will
be assigned the same label. The label, therefore,
becomes our FEC identifier
MPLS
• Subsequent routers don’t look at the IP header at all.
Instead, they just look at the label and select an
output interface based on it. This is much more
efficient because
– The LFIB (Label Forwarding Information Base) will be
much smaller than the full IP routing table
– Labels are “atomic” values (rather than having “network”
and “host” parts) and can therefore be looked up in
hardware very fast
– The initial determination of FEC (Label) can be based
on more than just destination IP address. For
example…ingress router or ingress port or QoS parameter
etc…
– The path for some traffic to follow can (optionally) be
predetermined (Traffic Engineering)
MPLS
• Labels have only local significance (i.e. between a pair
of directly connected routers).
• The Label Distribution Protocol (LDP, defined in RFC
3036) provides a mechanism for routers to exchange
information about the labels they support
– Typically, each router will associate a label with every
non-BGP route in its IP routing table and will advertise
these labels to its immediate neighbours
• As well as determining the output interface from the
label, routers along the way will swap labels
– The LFIB on a router will contain the fields:-
• Incoming Tag
• Outgoing Interface
• Outgoing Tag
MPLS Architecture
(Diagram callouts)
‘CE’ routers. There is nothing special about these: they just do
ordinary IP routing and know nothing about MPLS.
‘PE’ routers. When a packet arrives in from a customer, the
egress PE is determined from the BGP routing table. From this, the
egress PE is selected and a label is applied to switch the packet to
it (this is where OSPF comes in).
‘P’ routers. These only do label switching. They only run OSPF
among themselves and the PE routers. Their routing tables are
relatively small (only each other and the PE routers).
MPLS In Action
Label Format
• MPLS Labels are inserted in between the L2 header
and the L3 header
• There can be more than one label (a label stack).
For ordinary IP routing there is only a single label.
Other applications (of which more later) use multiple
labels
Label Format
• The structure of the label is very simple:-
• Label – 20-bit label value
• EXP – The “experimental” bits
– There is (now) nothing experimental about them: they
are used to carry the IP precedence value. This allows
for a maximum of 7 levels of IP precedence
• S – The Bottom Of Stack bit
• TTL – Time To Live
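The label format above and the LFIB swap described on the earlier slide (Incoming Tag, Outgoing Interface, Outgoing Tag), as an added Python example that is not part of the lecture: it packs and parses 32-bit label stack entries, reads a stack until the S bit is set, and performs one P-router hop that decides on the top label only. The LFIB contents, interface names and label values are constructed assumptions.

```python
import struct

# Constructed LFIB for one P router (not from the lecture): incoming label ->
# (outgoing interface, outgoing label). Names and values are assumptions.
LFIB = {
    16: ("Gi0/1", 24),
    17: ("Gi0/2", 25),
}

def encode_entry(label, exp, s, ttl):
    """Pack one 32-bit label stack entry: Label(20) | EXP(3) | S(1) | TTL(8)."""
    if not (0 <= label < 1 << 20 and 0 <= exp < 8 and s in (0, 1) and 0 <= ttl < 256):
        raise ValueError("field out of range")
    return struct.pack("!I", (label << 12) | (exp << 9) | (s << 8) | ttl)

def parse_stack(data):
    """Return (entries, payload_offset); entries are read until the S bit is set."""
    entries, offset = [], 0
    while True:
        if len(data) < offset + 4:
            raise ValueError("truncated label stack")
        (word,) = struct.unpack_from("!I", data, offset)
        entry = {"label": word >> 12, "exp": (word >> 9) & 0x7,
                 "s": (word >> 8) & 0x1, "ttl": word & 0xFF}
        entries.append(entry)
        offset += 4
        if entry["s"]:
            return entries, offset

def label_switch(data, lfib=LFIB):
    """Forward as a P router does: look at the top label only, swap it, decrement TTL.
    The IP header and any inner (e.g. VPN) label are carried through untouched."""
    entries, offset = parse_stack(data)
    top = entries[0]
    if top["ttl"] <= 1:
        raise ValueError("TTL expired; drop")
    if top["label"] not in lfib:
        raise KeyError(f"no LFIB entry for label {top['label']}; drop")
    out_if, out_label = lfib[top["label"]]
    new_top = encode_entry(out_label, top["exp"], top["s"], top["ttl"] - 1)
    return out_if, new_top + data[4:]

if __name__ == "__main__":
    # Constructed two-label packet: transport label 16 on top, VPN label 100 at the bottom
    pkt = encode_entry(16, 0, 0, 64) + encode_entry(100, 0, 1, 64) + b"<IPv4 packet>"
    out_if, out = label_switch(pkt)
    print(out_if, [e["label"] for e in parse_stack(out)[0]])  # Gi0/1 [24, 100]
```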
Routing
• Consider again the simple network we looked at
during the “BGP” lecture:-
[Diagram: R1 (AS#1, 192.168.1.0/24) -- 1.1.1.1/1.1.1.2 -- R2 (Lo0=9.9.9.2) -- 2.2.2.1/2.2.2.2 -- R3 (Lo0=9.9.9.3) -- 3.3.3.1/3.3.3.2 -- R4 (Lo0=9.9.9.4) -- 4.4.4.1/4.4.4.2 -- R5 (AS#3, 192.168.3.0/24); R2, R3 and R4 are in AS#2]
Callout on R3: This is now a ‘P’ router, only performing label
switching. It no longer needs to be included in the iBGP mesh. The
only routes it has are the OSPF routes to the loopback interfaces
on all of the PEs.
MPLS VPNs
• So far, we have only discussed using MPLS to
accelerate IP routing and to simplify routing within the
carrier’s core network. However, this is not the only
“trick” MPLS can do. One of its most significant
features is that it allows carriers (in particular ISPs) to
offer Virtual Private Networks to customers.
• A VPN “appears” to the end-user as a completely
closed IP network, but is provided over a shared
carrier IP network
– Customers can use their own IP address space. It
doesn’t matter if it overlaps with that of other
customers
MPLS VPNs
– The only routes that will be visible to each customer are
those originating from their own sites on the VPN
(although – in theory – it is possible for the carrier to
selectively “merge” multiple VPNs together)
MPLS VPNs
Sites on the “Blue” VPN can all see each other but can’t see sites
on the “Yellow” VPN.
PE routers maintain separate routing tables (called VRFs) for
each VPN. Each VRF has a unique Route Distinguisher (RD)…a 32 bit
value which is prepended to the IP address to form a VPNv4 address.
It is these addresses that are routed via iBGP.
Two MPLS labels are used to implement MPLS VPNs
• The first label identifies the VPN to which the packet belongs. It is
only used on the egress router
• The second is the “normal” MPLS label (used in the core for switching)
MPLS VPN Architecture
[Diagram: CE routers at VPN_A sites (including 10.2.0.0, 11.5.0.0, 10.1.0.0 and 11.6.0.0) and VPN_B sites (including 10.1.0.0 and 10.3.0.0) attach to PE routers; the PEs surround a core of P routers and have MP-iBGP sessions between them. The same prefix (e.g. 10.1.0.0) appears in both VPN_A and VPN_B.]
• P routers (LSRs) are in the core of the MPLS cloud
• PE routers use MPLS with the core and plain IP with
CE routers
• P and PE routers share a common IGP
• PE routers are MP-iBGP fully meshed
MPLS Address Separation
[Diagram: Site-1 of VPN-A and Site-1 of VPN-B each advertise Net1 to PE-1 via CE-1. PE-1 sends two VPN-IPv4 updates across the VPN backbone (IGP, P routers) to PE-2: “RD1:Net1, Next-hop=PE-1, SOO=Site1, RT=Yellow, Label=10” and “RD2:Net1, Next-hop=PE-1, SOO=Site1, RT=Green, Label=12”. At PE-2 the VPN-IPv4 updates are translated into IPv4 addresses and inserted into the VRF corresponding to the RT value, then advertised as updates for Net1 to Site-2 of VPN-A and Site-2 of VPN-B.]
• MP-BGP assigns an RD to each route in order to make
them unique
• This is what allows all of them to be propagated
• MP-BGP assigns a Route-Target in order for remote PEs
to insert each route into the corresponding routing table
(VRF)
• The Route-Target is the “colour” of the route
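The RD/RT mechanism above, as an added Python example that is not from the lecture: RD-prefixed routes keep the two overlapping Net1 advertisements distinct in MP-BGP, and the receiving PE installs each into a VRF only where an import RT matches, so the customers’ tables never see each other’s routes. The RD values, the Net1 prefix and the third VRF (VPN-C) are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Vpnv4Route:
    """One VPN-IPv4 update as carried by MP-iBGP between PEs."""
    rd: str              # Route Distinguisher, written here in ASN:number form (assumption)
    prefix: str          # the customer's IPv4 prefix
    next_hop: str        # advertising PE
    rts: frozenset       # Route-Target extended communities (the route's "colour")
    label: int           # VPN label allocated by the advertising PE
    soo: str = ""        # Site of Origin

    def vpnv4_key(self):
        # The RD is prepended to the prefix: identical customer prefixes become distinct routes
        return f"{self.rd}:{self.prefix}"

@dataclass
class Vrf:
    name: str
    rd: str
    import_rts: frozenset
    export_rts: frozenset
    table: dict = field(default_factory=dict)   # prefix -> (next_hop, VPN label)

def export_route(vrf, prefix, pe, label, soo=""):
    """Advertising PE: wrap a route learned from a CE into a VPN-IPv4 update."""
    return Vpnv4Route(vrf.rd, prefix, pe, vrf.export_rts, label, soo)

def import_updates(vrfs, updates):
    """Receiving PE: install each update only into VRFs whose import RTs match one of
    the route's RTs; the RD is stripped so the VRF holds a plain IPv4 prefix again."""
    for route in updates:
        for vrf in vrfs:
            if vrf.import_rts & route.rts:
                vrf.table[route.prefix] = (route.next_hop, route.label)
    return vrfs

def build_scenario():
    """Constructed scenario from the slide: Site-1 of VPN-A and VPN-B both advertise Net1."""
    net1 = "10.0.1.0/24"     # constructed stand-in for "Net1"
    pe1 = {"A": Vrf("VPN-A", "65000:1", frozenset({"Yellow"}), frozenset({"Yellow"})),
           "B": Vrf("VPN-B", "65000:2", frozenset({"Green"}), frozenset({"Green"}))}
    updates = [export_route(pe1["A"], net1, "PE-1", 10, "Site1"),
               export_route(pe1["B"], net1, "PE-1", 12, "Site1")]
    pe2 = [Vrf("VPN-A", "65000:1", frozenset({"Yellow"}), frozenset({"Yellow"})),
           Vrf("VPN-B", "65000:2", frozenset({"Green"}), frozenset({"Green"})),
           Vrf("VPN-C", "65000:3", frozenset({"Red"}), frozenset({"Red"}))]   # no matching RT
    return updates, import_updates(pe2, updates)
```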
MPLS Advantages
• For Carriers…
– It is possible to statistically multiplex customer traffic on
(expensive) WAN links
• Carriers can sell more capacity than they have
• Carriers can offer (and charge for) different grades of service
• Should be cheaper than equivalent TDM services
– Routing on core routers is greatly simplified.
• Higher performance for a given CPU power (hardware price)
is achieved and less memory is required
• There is greater routing platform stability because core routers
are oblivious to customer/internet routing topology changes
– Traffic Engineering techniques allow for better
utilisation of redundant links (traffic can be explicitly
routed over nominated paths, allowing network
operators to balance traffic)
MPLS Advantages
– Truly multipurpose: can be used to carry voice, video
and data traffic
– It allows ISPs to securely (?) offer Virtual Private
Networks (VPNs) over the same infrastructure they are
using to carry their Internet traffic
– Adding new sites to an existing VPN is very easy…just
pop it into the correct VPN and the network does the
rest
– Highly scalable. The number of routes on each PE is
proportional to the number of attached customers. The
number of routes on each P is proportional to the
number of PEs. Neither depends on the total number
of customers in the network
• The only place this matters is on the MP-iBGP route reflectors.
Even these can be partitioned if necessary
MPLS Advantages
• For end-users…
– “Any-to-any” connectivity
• No need to “trombone” site-to-site traffic in and out of a central
location, and no need to build (and pay for and set up) a full
mesh of L2 point-to-point connections
– Cheaper (in theory, at least)
– Makes capacity planning easier (arguably)
• No longer necessary to think about required bandwidth
between each pair of locations. It is sufficient to ensure that
each network location has enough capacity “into the cloud”
MPLS Disadvantages
• For Carriers…
– Requires a great deal more network expertise than
traditional carrier services
• The line of demarcation between the customer network and the
carrier network is much more “grey”. Carriers have to become
much more involved in solving problems than was traditionally
the case
– Core network design is more complicated
MPLS Disadvantages
• For end-users…
– Full end-to-end control over routing is lost
• The carrier network sits in the middle, participating in the
routing process. This introduces difficulties integrating the
carrier’s routing protocol (typically BGP) into the end user’s
(OSPF, RIP, EIGRP…)
– It becomes necessary to mark traffic to ensure that the
carrier prioritises mission-critical traffic appropriately
• The “any-to-any”ness of the network does away with the end
user’s control over packet order in the carrier-to-customer
direction.
– Non-IP protocols can’t be directly carried
– Probably slower reconvergence than is attainable using
an L2 network
– Arguably less secure than pure L2 services
Security of MPLS
• It is possible to make compelling cases both for and
against the security of MPLS relative to other
WAN technologies (Leased Lines, Frame Relay, ATM,
Metro Ethernet)
+ Its label-swapping semantics are comparable to ATM or
Frame Relay
+ Typically the MPLS core routers are “invisible” (i.e. no
attack surface presented)
+ It is not possible for customers to inject labeled packets
into the network: the PEs won’t accept them
+ Considerably more flexibility possible with regard to
what sites can see each other (although few carriers
will “productise” the full range of possibilities)
+ MPLS can be used to provide emulated L2 services
(EoMPLS, VPLS)
Security of MPLS
- Unlike L2 WANs, the PE routers (at least) are reachable
and it requires positive action on the part of the carrier
to secure them
- The customer has no way of knowing what the PEs are
accessible to (up to and including the entire Internet)
- Potentially vulnerable to Internet routing instability if
the Internet routing table is carried on the core
- Provisioning errors are less immediately visible and
more likely to result in usable connectivity
• Read RFC 4381 – “Analysis of the Security of
BGP/MPLS IP Virtual Private Networks (VPNs)”