Abstract

Multi-Protocol Label Switching (MPLS) is an evolving network technology that is used to provide Traffic Engineering (TE) and high speed networking. Internet service providers, which support MPLS technology, are increasingly required to provide high Quality of Service (QoS) guarantees and security. One of the aspects of QoS is fault tolerance. It is defined as the property of a system to continue operating in the event of failure of some of its parts. Fault tolerance techniques are very useful to maintain the survivability of the network by recovering from failure within acceptable delay and minimum packet-loss while efficiently utilizing network resources. On the other hand, with the increasing deployment of MPLS networks, security concerns have been raised. The basic architecture of MPLS networks does not support security aspects such as data confidentiality, data integrity, and availability. MPLS technology has emerged mainly to provide high speed packet delivery. As a result security considerations have not been discussed thoroughly until recent demands for security have emerged by most providers and researchers. In this thesis, we propose a new method that has a two-fold objective: to provide fault tolerance and to enhance the security in MPLS networks. Our approach uses a modified (k, n) threshold sharing scheme (TSS) combined with multi-path routing. An IP packet entering MPLS network is partitioned into n MPLS packets, which are each assigned to disjoint or maximally disjoint Label Switched Path (LSP) across the MPLS network. Receiving MPLS packets from k out of n LSPs are sufficient to reconstruct the original IP packet. From the security point of view, the modified TSS provides data confidentiality, integrity, availability and IP spoofing. In addition, fault tolerance in MPLS is supported using reasonable resources. The recovery from node/link failure and/or transmission errors is provided with no delay or packet loss. Packet re-ordering may not be required if packets are lost due to failure. However, sequencing is considered in our approach to identify packets with transmission errors. In order to provide fault tolerance, our scheme requires n > k . However, for security purposes, if the target is only to provide data confidentiality, then only a modified (k, k ) TSS algorithm is sufficient and consequently no significant redundant bandwidth is required. To verify that our approach does not require long processing time, we conducted simulations that show the modified TSS processing time does not significantly affect the packet transmission time. RSVP-TE is the MPLS signaling protocol used to establish LSPs. Extensions required to support multi-path routing in RSVP-TE are also studied. The impact of multi-path routing and modified TSS on MPLS security and fault tolerance is investigated and compared with single routing. The connection intrusion probability and connection failure probability have shown lower values when multi-path routing is used. The application of IPSec security protocol in MPLS networks is also investigated. Finally, we applied the modified threshold sharing scheme on MPLS multicast networks, where both the source specific tree approach and the group shared tree approach are considered.