IPsec Layer-3 encryption

We have already discussed IPsec in the previous section. Here, we will discuss how IPsec complements WAN technology. Layer-3 encryption is well suited to environments with low-bandwidth connections and no devices that support encryption at Layer 2 or Layer 1. Organizations run WAN technology in different ways, for example over ATM, Frame Relay, Metro Ethernet and MPLS-based services. The ultimate security question is: who do you trust with your business-critical data? If your answer is the service provider, then you probably do not need to encrypt your data. However, if your answer is nobody, then you must encrypt the data yourself before it is handed to the service provider, so that the provider only ever carries ciphertext.

Let's look at the MPLS VPN provider, which is widely deployed in WAN technology. The primary benefit of this service is fast transport with proper isolation between customers: each customer's routes are kept in a separate VRF on the provider's edge routers. The terminology includes the word VPN, but this does not mean that your data is being encrypted by default. An MPLS VPN separates customer traffic; it does nothing to protect its confidentiality or integrity.

As the following diagram shows, two customers can even use the same subnet and connect to the same provider edge router while remaining properly isolated from each other:

To secure data transmission over MPLS, you can take an IPsec approach from CE to CE, securing the VPN customer's traffic across an infrastructure it does not trust. Because each CE must authenticate to its peers, introducing IPsec prevents the insertion of a bogus CE into the VPN, and because the traffic is encrypted end to end, a provider misconfiguration that leaks packets from the secured VPN into another VPN exposes only ciphertext. The price is complexity and a scalability problem for large-scale deployments: a full mesh of n CE routers needs n(n-1)/2 static tunnels, and every new site requires configuration changes on all existing sites.

The Dynamic Multipoint VPN (DMVPN) model works on the principle of the Next Hop Resolution Protocol (NHRP). Each spoke registers its public address with a hub, the next hop server (NHS), over a permanent hub-to-spoke tunnel. When a spoke needs to reach another spoke, it sends an NHRP resolution request to the NHS, which returns the public address of the target node; the originating spoke then establishes an IPsec-protected tunnel directly to that node. Spoke-to-spoke tunnels are built on demand and torn down when idle, so each spoke carries only a single static piece of configuration (the hub), and adding a site does not require touching every other site. This makes the solution very scalable and independent of the underlying WAN infrastructure.

You must consider performance before leveraging IPsec for high-speed link encryption. The router's throughput becomes bounded by the limits of its IPsec encryption engine rather than by the aggregate forwarding capacity of the router, which a dedicated link-encryption solution could otherwise exploit in full. IPsec also adds per-packet overhead: in tunnel mode, the new outer IP header, the ESP header, the IV, padding, the ESP trailer and the authentication data add up to about 57 bytes per packet (the exact figure depends on the cipher, the integrity algorithm and how much padding the packet needs). Using IPsec together with GRE adds the GRE encapsulation on top, for an extra overhead of about 76 bytes. More overhead directly translates into less usable bandwidth, and the penalty is worst for small packets, where the overhead can be comparable to the payload itself.
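To make the overhead argument concrete, here is an added example (not code from the book or from any vendor) that computes ESP overhead per packet from the header, IV, padding and ICV sizes for a few assumed cipher profiles, then derives the goodput fraction and the largest inner packet that still fits the link MTU without fragmentation. The 3DES/SHA-1 profile reproduces the 50-57-byte tunnel-mode range behind the figure quoted above; its GRE-over-IPsec variant gives 74-81 bytes, which brackets the 76-byte figure. The cipher profiles, packet sizes and link MTU are assumptions and constructed sample inputs.

```python
"""Per-packet IPsec (ESP) overhead and its effect on usable bandwidth.

Added example for this section, not code from the book or any vendor.
The cipher profiles are assumptions about common ESP configurations
(IV, padding alignment and ICV sizes follow RFC 4303, RFC 3602 and
RFC 4106); packet sizes and the link MTU in the demo are constructed.
"""
from dataclasses import dataclass

IP_HEADER = 20      # IPv4 header: the new outer header added in tunnel mode
ESP_HEADER = 8      # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2     # pad length (1 byte) + next header (1 byte)
GRE_HEADER = 4      # basic GRE header (RFC 2784) without key/sequence options
GRE_OVERHEAD = IP_HEADER + GRE_HEADER   # GRE delivery IP header + GRE header


@dataclass(frozen=True)
class CipherProfile:
    name: str
    iv_len: int     # IV/nonce bytes carried in clear at the start of the ESP payload
    align: int      # padding alignment: cipher block size, or 4 for AEAD/stream ciphers
    icv_len: int    # integrity check value appended after the trailer


# Assumed profiles; adjust to what the tunnel actually negotiates.
PROFILES = {
    "3des-cbc/hmac-sha1-96": CipherProfile("3des-cbc/hmac-sha1-96", iv_len=8, align=8, icv_len=12),
    "aes-128-cbc/hmac-sha1-96": CipherProfile("aes-128-cbc/hmac-sha1-96", iv_len=16, align=16, icv_len=12),
    "aes-128-gcm-16": CipherProfile("aes-128-gcm-16", iv_len=8, align=4, icv_len=16),
}


def esp_padding(protected_len: int, align: int) -> int:
    """Padding ESP inserts so that protected data + trailer is block aligned."""
    return (-(protected_len + ESP_TRAILER)) % align


def esp_overhead(pkt_len: int, prof: CipherProfile,
                 tunnel_mode: bool = True, with_gre: bool = False) -> int:
    """Bytes added to an original IP packet of pkt_len bytes (header included).

    tunnel_mode=True : ESP wraps the whole packet and a new outer IP header is added.
    tunnel_mode=False: the original IP header is reused; only its payload is protected.
    with_gre=True    : the packet is GRE-encapsulated first (GRE over IPsec / DMVPN);
                       in transport mode the GRE delivery header doubles as the outer header.
    """
    overhead = 0
    if with_gre:
        overhead += GRE_OVERHEAD
        protected = pkt_len + (GRE_OVERHEAD if tunnel_mode else GRE_HEADER)
    else:
        protected = pkt_len if tunnel_mode else pkt_len - IP_HEADER
    if tunnel_mode:
        overhead += IP_HEADER
    overhead += (ESP_HEADER + prof.iv_len + esp_padding(protected, prof.align)
                 + ESP_TRAILER + prof.icv_len)
    return overhead


def overhead_range(prof: CipherProfile, **kw) -> tuple[int, int]:
    """(min, max) overhead across one full cycle of padding cases."""
    vals = [esp_overhead(n, prof, **kw) for n in range(64, 64 + 2 * prof.align)]
    return min(vals), max(vals)


def goodput_fraction(pkt_len: int, prof: CipherProfile, **kw) -> float:
    """Share of link capacity left for the original packet after encapsulation."""
    return pkt_len / (pkt_len + esp_overhead(pkt_len, prof, **kw))


def max_inner_mtu(link_mtu: int, prof: CipherProfile, **kw) -> int:
    """Largest original packet that still fits link_mtu once encapsulated.

    Use this (or a lower value) as the tunnel interface MTU / TCP MSS clamp
    so that encrypted packets are not fragmented on the WAN.
    """
    size = link_mtu
    while size + esp_overhead(size, prof, **kw) > link_mtu:
        size -= 1
    return size


if __name__ == "__main__":
    for name, prof in PROFILES.items():
        lo, hi = overhead_range(prof)
        lo_g, hi_g = overhead_range(prof, with_gre=True)
        print(f"{name:26s} ESP tunnel: {lo}-{hi} B   GRE over IPsec: {lo_g}-{hi_g} B")
    p = PROFILES["3des-cbc/hmac-sha1-96"]
    for n in (64, 512, 1400):   # constructed sample packet sizes
        print(f"{n:5d}-byte packets: goodput {goodput_fraction(n, p):.1%}")
    print("inner MTU for a 1500-byte link:", max_inner_mtu(1500, p))
```

Two things worth noticing when you run it: 64-byte packets (VoIP, interactive traffic) keep barely half the link for payload, while 1400-byte packets keep over 96%, so the bandwidth cost is driven by the packet-size mix, not the link rate; and because block-cipher padding rounds the encrypted size up, the usable inner MTU on a 1500-byte link is 1446 bytes for this profile, not 1500 minus the nominal overhead.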