Traditional encryption on the Internet, such as that provided by Internet Protocol Security (IPsec), is intended to provide users with security for sensitive data and applications. IPsec is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session; it also includes protocols for establishing mutual authentication between agents at the beginning of the session and for negotiating the cryptographic keys to be used during the session. IPsec was designed for authenticating and encrypting IP packets between two routers. It was not designed for networks that carry a mix of IP and MPLS traffic for Layer 2 and Layer 3 services, nor for network-level encryption and security among a multitude of routers communicating with one another.
The US Congress and Senate are requiring utility companies to expand investment in cyber-security to protect the evolving “Smart Grid”. In addition, the North American Electric Reliability Corporation (NERC) has defined national security standards through its NERC-CIP (NERC Critical Infrastructure Protection) requirements, of which encryption and authentication are an important aspect. Similar requirements are appearing worldwide for corresponding applications, for example in the specifications and requirements of the IEC (International Electrotechnical Commission).
Beyond encrypting IP data packets, there is a need to secure all types of mission-critical traffic that may be transported over an IP/MPLS network. Such traffic includes teleprotection Layer 2 circuits for current differential relays in a utility network. Typically, MPLS is used as the key transport technology to provide proper QoS and high availability (e.g. fast re-route, or primary/backup LSPs) for mission-critical applications. It also provides enhanced network services by offering one-to-many, many-to-one, or many-to-many services. An adequate encryption and authentication solution must support the wide variety of traffic and associated services that may exist when MPLS is the primary transport technology in the IP/MPLS network.
Therefore, it would be useful to have a method that could encrypt any type of MPLS traffic between a multitude of networking devices by selectively encrypting services within MPLS packets end-to-end across an IP/MPLS network.
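As an added illustration (not part of the original text and not any particular product's implementation), the following Python sketch shows what selectively encrypting a service inside an MPLS packet can look like: the label stack stays in cleartext so label-switching routers can still forward the packet, only the service payload after the bottom-of-stack label is encrypted, and the constant service label is bound into the authentication tag. The pre-shared key, the 12-byte nonce and the HMAC-SHA256-based cipher are assumptions made for the demonstration, standing in for a real AEAD cipher and key negotiation.

```python
import hashlib, hmac, struct

def make_entry(label, tc=0, s=0, ttl=255):
    """One 32-bit MPLS label stack entry: 20-bit label, 3-bit TC, S (bottom) bit, TTL."""
    return struct.pack("!I", (label << 12) | (tc << 9) | (s << 8) | ttl)

def parse_label_stack(pkt):
    """Return (label words, offset of the payload following the S=1 entry)."""
    words, off = [], 0
    while not words or not (words[-1] >> 8) & 1:
        if off + 4 > len(pkt):
            raise ValueError("truncated label stack")
        words.append(struct.unpack("!I", pkt[off:off + 4])[0])
        off += 4
    return words, off

def _subkey(key, purpose):  # separate keys for encryption and authentication
    return hmac.new(key, purpose, hashlib.sha256).digest()

def _xor_keystream(key, nonce, data):
    """CTR-style keystream from HMAC-SHA256, a stand-in for an AEAD such as AES-GCM."""
    blocks = [hmac.new(key, nonce + struct.pack("!I", i), hashlib.sha256).digest()
              for i in range((len(data) + 31) // 32)]
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def _tag(key, words, nonce, ct):
    # Bind only the bottom-of-stack (service) label: transport labels are swapped and
    # TTLs decremented at every LSR, so they cannot be authenticated end to end.
    aad = make_entry(words[-1] >> 12, s=1, ttl=0)
    return hmac.new(_subkey(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()[:16]

def protect(key, nonce, pkt):
    """Encrypt only the service payload; the label stack stays cleartext for forwarding."""
    words, off = parse_label_stack(pkt)
    ct = _xor_keystream(_subkey(key, b"enc"), nonce, pkt[off:])
    return pkt[:off] + nonce + ct + _tag(key, words, nonce, ct)

def unprotect(key, pkt):
    """Verify the tag, then decrypt; None means the service label or payload was altered."""
    words, off = parse_label_stack(pkt)
    nonce, ct, tag = pkt[off:off + 12], pkt[off + 12:-16], pkt[-16:]
    if not hmac.compare_digest(tag, _tag(key, words, nonce, ct)):
        return None
    return pkt[:off] + _xor_keystream(_subkey(key, b"enc"), nonce, ct)

# Constructed sample: transport label 1001 stacked over service (pseudowire) label 16.
SAMPLE = make_entry(1001) + make_entry(16, s=1) + b"teleprotection frame (constructed)"
```

Because only the service label is authenticated, a transit router may still swap the transport label and decrement its TTL without breaking verification at the egress device, whereas any change to the service label or payload is detected.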