How would deploying VPLS help secure an organization's network that spans a metro area or perhaps different cities?
What is unique about IPv6 when it comes to IPSEC as opposed to IPv4? What is VTI (Virtual Tunnel Interface)? What advantage do IPv6 routers have over IPv4 routers when it comes to secure transmissions?
Expert Answer
VPLS over an organisation can do more harm than good (looking into the security issues). Let us see how VPLS came into existence.
VPLS came into existence when MPLS VPN technology did not fit all the needs of incumbent service providers, which had to transport legacy traffic, such as ATM-based video surveillance, across their infrastructure. Early adopters also discovered that even though IP was ubiquitous at the time when MPLS VPN technology was introduced, large enterprises still had to support small but significant amounts of non-IP traffic. Even worse, some IP-based applications (including server clustering in disaster-recovery solutions) required transparent LAN communication.
VPLS is a technology that provides any-to-any bridged Ethernet transport among several customer sites across a service provider infrastructure.
All sites on the same VPN are connected to the VPLS service and belong to the same LAN bridging domain. Frames sent by workstations attached to the site LANs are forwarded according to IEEE 802.1 bridging standards. VPLS offers none of the layer 3 security or isolation features offered by layer 3 VPN technologies, including MPLS VPN and IPSec.
If a customer has applications that use non-IP protocols (including legacy Microsoft or AppleTalk networks), VPLS is the best alternative, as long as the customer understands its security implications. To implement a secure solution on top of a VPLS backbone, each customer site should use a router to connect to the VPLS backbone. A managed router service will achieve the maximum value-add, if the customer will go that route.
VPLS is also a perfect fit for disaster recovery scenarios, where you need to create an impression that servers located at different sites belong to the same LAN.
2. IPsec is optional in IPv6, but in IPv4 it is a required feature.
IPv6 IPsec support is based on an extension header, which is different from IPv4; it may be closer to the kernel-level implementation.
3. A virtual tunnel interface provides a termination point for a site-to-site IPsec VPN tunnel and allows it to behave like other routable interfaces. In addition to simplifying the IPsec configuration, it enables many common capabilities to be used because the endpoint is associated with an actual interface.
Traffic being routed to a virtual tunnel interface is encrypted prior to being sent through the tunnel. Traffic arriving from a virtual tunnel interface is decrypted prior to its exposure to the routing system.
The virtual tunnel interface on the Brocade vRouter is compatible with third party VTI/route-based VPN connections and is sometimes required for connectivity with public cloud offerings.
4. Advantages of IPv6 over IPv4
IPSec, which provides confidentiality, authentication and data integrity, is baked into IPv6 routers. Because of their potential to carry malware, IPv4 ICMP packets are often blocked by corporate firewalls, but ICMPv6, the implementation of the Internet Control Message Protocol for IPv6, may be permitted because IPSec can be applied to the ICMPv6 packets.
IPv6 can run end-to-end encryption. While this technology was retrofitted into IPv4, it remains an optional extra that isn’t universally used. The encryption and integrity-checking used in current VPNs is a standard component in IPv6, available for all connections and supported by all compatible devices and systems. Widespread adoption of IPv6 will therefore make man-in-the-middle attacks significantly more difficult.
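The answer's point that IPv6 carries IPsec as extension headers (AH and ESP sit in the Next Header chain defined by RFC 8200) can be seen by walking that chain. The following is an added example, not part of the original answer: it builds constructed packets (documentation-prefix addresses 2001:db8::1 and ::2, a placeholder ICV of zero bytes, arbitrary SPI values) and walks the header chain, stopping at ESP because everything after an ESP header is encrypted and invisible to a firewall or IDS. The function names (`ipv6_packet`, `ah_header`, `esp_header`, `walk_ipv6_chain`) are this example's own, not any vendor's API.

```python
"""Walk an IPv6 extension-header chain and report whether it carries IPsec.
Added example; the packet builders produce constructed test data only."""
import ipaddress
import struct

IPV6_HDR_LEN = 40
# Next Header / protocol numbers from the IANA registry.
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS = 0, 43, 44, 50, 51, 60
TCP, UDP, ICMPV6 = 6, 17, 58

NAMES = {HOP_BY_HOP: "Hop-by-Hop", ROUTING: "Routing", FRAGMENT: "Fragment",
         ESP: "ESP", AH: "AH", DEST_OPTS: "Destination Options"}
# Extension headers that can be stepped over; ESP is deliberately absent,
# because its payload (including the next upper-layer header) is encrypted.
WALKABLE = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS}


def ipv6_packet(next_hdr: int, payload: bytes) -> bytes:
    """Minimal RFC 8200 IPv6 header in front of payload (constructed addresses)."""
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    ver_tc_fl = 6 << 28                      # version 6, traffic class 0, flow label 0
    hdr = struct.pack("!IHBB", ver_tc_fl, len(payload), next_hdr, 64) + src + dst
    return hdr + payload


def hop_by_hop(next_hdr: int) -> bytes:
    """8-byte Hop-by-Hop header: next header, ext len 0, one PadN option (6 bytes)."""
    return bytes([next_hdr, 0, 1, 4, 0, 0, 0, 0])


def ah_header(next_hdr: int, spi: int, seq: int, icv: bytes) -> bytes:
    """RFC 4302 Authentication Header. Payload Len is the header length in
    32-bit words minus 2; icv is a placeholder here, not a real HMAC."""
    total = 12 + len(icv)
    if total % 4:
        raise ValueError("AH must be a multiple of 4 octets")
    return struct.pack("!BBHII", next_hdr, total // 4 - 2, 0, spi, seq) + icv


def esp_header(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """RFC 4303 ESP: SPI, sequence number, then opaque encrypted payload."""
    return struct.pack("!II", spi, seq) + ciphertext


def walk_ipv6_chain(pkt: bytes):
    """Return (list of extension-header names, final protocol number).
    The final protocol is ESP when the chain reaches ESP, since the real
    upper-layer protocol is hidden inside the encrypted payload."""
    if len(pkt) < IPV6_HDR_LEN:
        raise ValueError("truncated IPv6 header")
    if pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len = struct.unpack("!H", pkt[4:6])[0]
    if len(pkt) < IPV6_HDR_LEN + payload_len:
        raise ValueError("packet shorter than Payload Length claims")
    next_hdr = pkt[6]
    offset = IPV6_HDR_LEN
    chain = []
    while next_hdr in WALKABLE or next_hdr == ESP:
        if next_hdr == ESP:
            chain.append("ESP")
            return chain, ESP
        if offset + 2 > len(pkt):
            raise ValueError("truncated extension header")
        following = pkt[offset]          # Next Header field of this ext header
        ext_len = pkt[offset + 1]
        if next_hdr == FRAGMENT:
            length = 8                    # fixed size, ext_len field is reserved
        elif next_hdr == AH:
            length = (ext_len + 2) * 4    # AH counts 4-octet units
        else:
            length = (ext_len + 1) * 8    # other ext headers count 8-octet units
        chain.append(NAMES[next_hdr])
        offset += length
        next_hdr = following
    return chain, next_hdr


def carries_ipsec(pkt: bytes) -> bool:
    """True if AH or ESP appears anywhere in the chain."""
    chain, _ = walk_ipv6_chain(pkt)
    return "AH" in chain or "ESP" in chain


if __name__ == "__main__":
    esp_pkt = ipv6_packet(HOP_BY_HOP, hop_by_hop(ESP) + esp_header(0x1001, 1, b"\xaa" * 16))
    print(walk_ipv6_chain(esp_pkt))       # (['Hop-by-Hop', 'ESP'], 50)
    ah_pkt = ipv6_packet(AH, ah_header(TCP, 0x2002, 7, b"\x00" * 12) + b"\x00" * 20)
    print(walk_ipv6_chain(ah_pkt))        # (['AH'], 6)
```

The AH case shows why the answer can say IPsec is "applied" to ICMPv6 or TCP without hiding it: AH authenticates the packet but leaves the upper-layer header visible, so a firewall can still see protocol 6 or 58 after the AH header. With ESP the walk stops, which is exactly the point where a middlebox loses visibility and must decide on the flow by SPI and endpoints alone.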