Analysis of MPLS/VPN Security

Contents
➢ Analysis
○ Threat Model for MPLS VPNs
➢ Design
○ Secure MPLS VPN designs
○ IPSec and MPLS VPNs
• Security Recommendations
• MPLS Security Architectures: Internet Access; Firewalling Options
• Attacking an MPLS Network

A review of the implementation options for MPLS VPNs, including the section below. See MPLS VPN Security for further discussion of IPsec.
Increasingly, "Layer 3 MPLS VPNs" are used in enterprise networks. In most security discussions the core is assumed to be trusted. Cisco Systems, Inc. All rights reserved. Intelligent Information Network. MPLS VPN Security. Klaudia Bakšová, Systems Engineer, Cisco Systems. Why Is MPLS VPN Security Important? Customers want to understand how secure MPLS VPNs are, and what
We want all the traffic from site D to the server to pass through the firewall, so that traffic from the extranet can be access controlled. However, we don't want traffic from C to pass through the firewall on the way to the server, since this is intranet traffic. It is possible to set up two routes to the server. One route, used by sites B and C, takes the traffic directly to site A. The second route, used by site D, takes the traffic instead to the firewall at site B. If the firewall allows the traffic to pass, it then appears to be traffic coming from site B, and follows the route to site A.
If every router in an SP's backbone had to maintain routing information for all the VPNs supported by the SP, there would be severe scalability problems; the number of sites that could be supported would be limited by the amount of routing information that could be held in a single router.
This condition may need to be relaxed somewhat when multicast routing is considered. So just as the VPN owners do not have a backbone or "virtual backbone" to administer, the SPs themselves do not have a separate backbone or "virtual backbone" to administer for each VPN. Site-to- site routing in the backbone is optimal within the constraints of the policies used to form the VPNs and is not constrained in any way by an artificial "virtual topology" of tunnels.
Security VPNs of the sort being discussed here, even without making use of cryptographic security measures, are intended to provide a level of security equivalent to that obtainable when a layer 2 backbone e. That is, in the absence of misconfiguration or deliberate interconnection of different VPNs, it is not possible for systems in one VPN to gain access to systems in another VPN.
Of course, the methods described herein do not by themselves encrypt the data for privacy, nor do they provide a way to determine whether data has been tampered with en route. If this is desired, cryptographic measures must be applied in addition. See, e. Security is discussed in more detail in a later section.

Sites and CEs

From the perspective of a particular backbone network, a set of IP systems may be regarded as a "site" if those systems have mutual IP interconnectivity that doesn't require use of the backbone.
In general, a site will consist of a set of systems that are in geographic proximity. However, this is not universally true. If two geographic locations are connected via a leased line, over which Open Shortest Path First OSPF protocol [ OSPFv2 ] is running, and if that line is the preferred way of communicating between the two locations, then the two locations can be regarded as a single site, even if each location has its own CE router.
This notion of "site" is topological, rather than geographical. If the leased line goes down, or otherwise ceases to be the preferred route, but the two geographic locations can continue to communicate by using the VPN backbone, then one site has become two. A CE device is always regarded as being in a single site though as we shall see in Section 3. A site, however, may belong to multiple VPNs.
A CE device may, for robustness, attach to multiple PE routers, of the same or of different service providers. While we speak mostly of "sites" as being the basic unit of interconnection, nothing here prevents a finer degree of granularity in the control of interconnectivity. However, this might require that the site have two attachment circuits to the backbone, one for the intranet and one for the extranet; it might further require that firewall functionality be applied on the extranet attachment circuit.
One of the forwarding tables is the "default forwarding table". The result of that lookup determines how to route the packet.
There is also the notion of a packet's "egress VRF", located at the packet's egress PE; this is discussed in Section 5. If an IP packet arrives over an attachment circuit that is not associated with any VRF, the packet's destination address is looked up in the default forwarding table, and the packet is routed accordingly.
Packets forwarded according to the default forwarding table include packets from neighboring P or PE routers, as well as packets from customer-facing attachment circuits that have not been associated with VRFs.
Intuitively, one can think of the default forwarding table as containing "public routes", and of the VRFs as containing "private routes".
One can similarly think of VRF attachment circuits as being "private", and of non-VRF attachment circuits as being "public". If a particular VRF attachment circuit connects site S to a PE router, then connectivity from S via that attachment circuit can be restricted by controlling the set of routes that gets entered in the corresponding VRF. If there are multiple attachment circuits leading from S to one or more PE routers, then there might be multiple VRFs that could be used to route traffic from S.
To properly restrict S's connectivity, the same set of routes would have to exist in all the VRFs. Alternatively, one could impose different connectivity restrictions over different attachment circuits from S.
In that case, some of the VRFs associated with attachment circuits from S would contain different sets of routes than some of the others. We allow the case in which a single attachment circuit is associated with a set of VRFs, rather than with a single VRF.
This can be useful if it is desired to divide a single VPN into several "sub-VPNs", each with different connectivity restrictions, where some characteristic of the customer packets is used to select from among the sub-VPNs. For simplicity though, we will usually speak of an attachment circuit as being associated with a single VRF. In general, to determine the attachment circuit over which a packet arrived, a PE router takes note of the physical interface over which the packet arrived, and possibly also takes note of some aspect of the packet's layer 2 header.
For example, if a packet's ingress attachment circuit is a Frame Relay VC, the identity of the attachment circuit can be determined from the physical Frame Relay interface over which the packet arrived, together with the Data Link Connection Identifier DLCI field in the packet's Frame Relay header. Although the PE's conclusion that a particular packet arrived on a particular attachment circuit may be partially determined by the packet's layer 2 header, it must be impossible for a customer, by writing the header fields, to fool the SP into thinking that a packet that was received over one attachment circuit really arrived over a different one.
In the example above, although the attachment circuit is determined partially by inspection of the DLCI field in the Frame Relay header, this field cannot be set freely by the customer. In some cases, a particular site may be divided by the customer into several "virtual sites". The SP may designate a particular set of VRFs to be used for routing packets from that site and may allow the customer to set some characteristic of the packet, which is then used for choosing a particular VRF from the set.
For example, each virtual site might be realized as a VLAN. Another way to accomplish this is to use IP source addresses. In this case, the PE uses the IP source address in a packet received from the CE, along with the interface over which the packet is received, to assign the packet to a particular VRF. Again, the customer would only be able to select from among the particular set of VRFs that that customer is allowed to use.
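The ingress classification just described, as an added example that is not part of the original text: a small model of a PE that maps an arriving packet to a forwarding table by attachment circuit first and, only on a circuit the SP has designated for virtual sites, by IP source address. The interface names, DLCIs, VRF names, prefixes and next hops are all constructed for illustration.

```python
import ipaddress

# Attachment circuit -> VRF. The circuit identity is (physical interface,
# layer-2 identifier such as a Frame Relay DLCI); the PE derives it from
# where and how the frame arrived, so a customer cannot rewrite it from
# anything in the IP header. All values below are constructed.
ATTACHMENT_CIRCUITS = {
    ("Serial0/0", 100): "VRF-CustA",
    ("Serial0/0", 200): "VRF-CustB",
    ("Serial0/1", None): None,   # non-VRF ("public") circuit -> default table
}

# Virtual sites: on this one circuit the SP lets the customer pick among a
# designated set of sub-VPN VRFs by IP source address. Circuits not listed
# here get no source-based selection at all.
VIRTUAL_SITES = {
    ("Serial0/0", 100): {
        ipaddress.ip_network("192.0.2.0/25"): "VRF-CustA-eng",
        ipaddress.ip_network("192.0.2.128/25"): "VRF-CustA-fin",
    },
}

# Forwarding tables as (prefix, next hop). The same private prefix may
# appear in several VRFs because each VRF is looked up in isolation.
TABLES = {
    "default":       [("0.0.0.0/0", "upstream"), ("203.0.113.0/24", "P1")],
    "VRF-CustA":     [("10.1.0.0/16", "PE2-A")],
    "VRF-CustA-eng": [("10.1.0.0/16", "PE2-A"), ("10.9.0.0/16", "PE3-eng")],
    "VRF-CustA-fin": [("10.1.0.0/16", "PE2-A")],
    "VRF-CustB":     [("10.1.0.0/16", "PE4-B")],   # same prefix, other VPN
}


def select_table(interface, l2_id, src_ip):
    """Pick the table by attachment circuit, then (if allowed) by source address."""
    circuit = (interface, l2_id)
    if circuit not in ATTACHMENT_CIRCUITS:
        return None                      # unknown circuit: drop
    vrf = ATTACHMENT_CIRCUITS[circuit]
    if vrf is None:
        return "default"
    # Source-based selection is confined to the VRFs designated for this
    # circuit, so a chosen source address can never reach another customer's VRF.
    src = ipaddress.ip_address(src_ip)
    for net, sub_vrf in VIRTUAL_SITES.get(circuit, {}).items():
        if src in net:
            return sub_vrf
    return vrf


def longest_match(table_name, dst_ip):
    """Longest-prefix match of dst_ip in one forwarding table."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, next_hop in TABLES[table_name]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def route_packet(interface, l2_id, src_ip, dst_ip):
    """Return (table used, next hop), or None if the packet is dropped."""
    table = select_table(interface, l2_id, src_ip)
    if table is None:
        return None
    next_hop = longest_match(table, dst_ip)
    return None if next_hop is None else (table, next_hop)


if __name__ == "__main__":
    print(route_packet("Serial0/0", 100, "192.0.2.10", "10.9.1.1"))     # eng sub-VPN
    print(route_packet("Serial0/0", 200, "192.0.2.10", "10.1.1.1"))     # CustB, same source
    print(route_packet("Serial0/1", None, "198.51.100.5", "203.0.113.9"))  # default table
```

The second call is the property the text insists on: a packet arriving on customer B's circuit with a source address that happens to fall in customer A's virtual-site range is still looked up in VRF-CustB, because the circuit, not the header, decides which set of VRFs is even eligible.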
If it is desired to have a particular host be in multiple virtual sites, then that host must determine, for each packet, which virtual site the packet is associated with. It can do this, e. When we speak of a PE "learning" routes from a CE, we are not presupposing any particular learning technique.
The PE may learn routes by means of a dynamic routing algorithm, but it may also "learn" routes by having those routes configured i. In this case, to say that the PE "learned" the routes from the CE is perhaps to exercise a bit of poetic license. The procedures to be used for populating the VRFs with the proper sets of routes are specified in Section 4.
If there are multiple attachment circuits leading from a particular PE router to a particular site, they might all be mapped to the same forwarding table. But if policy dictates, they could be mapped to different forwarding tables. For instance, the policy might be that a particular attachment circuit from a site is used only for intranet traffic, while another attachment circuit from that site is used only for extranet traffic. Perhaps, e. In this case, the two attachment circuits would be associated with different VRFs.
Note that if two attachment circuits are associated with the same VRF, then packets that the PE receives over one of them will be able to reach exactly the same set of destinations as packets that the PE receives over the other. If an attachment circuit leads to a site which is in multiple VPNs, the attachment circuit may still be associated with a single VRF, in which case the VRF will contain routes from the full set of VPNs of which the site is a member.
We allow each VPN to have its own address space, which means that a given address may denote different systems in different VPNs. If two routes to the same IP address prefix are actually routes to different systems, it is important to ensure that BGP not treat them as comparable.
Otherwise, BGP might choose to install only one of them, making the other system unreachable. We meet these goals by the use of a new address family, as specified below. This ensures that if the same address is used in several different VPNs, it is possible for BGP to carry several completely different routes to that address, one for each VPN.
An RD is simply a number, and it does not contain any inherent information; it does not identify the origin of the route or the set of VPNs to which the route is to be distributed.
The purpose of the RD is solely to allow one to create distinct routes to a common IPv4 address prefix. Other means are used to determine where to redistribute the route see Section 4. The RD can also be used to create multiple different routes to the very same system.
We have already discussed a situation in which the route to a particular server should be different for intranet traffic than for extranet traffic. This allows BGP to install multiple different routes to the same system, and allows policy to be used see Section 4. The RDs are structured so that every Service Provider can administer its own "numbering space" i.
An RD consists of three fields: a 2-byte type field, an administrator field, and an assigned number field. The value of the type field determines the lengths of the other two fields, as well as the semantics of the administrator field. The administrator field identifies an assigned number authority, and the assigned number field contains a number that has been assigned, by the identified authority, for a particular purpose.
For example, one could have an RD whose administrator field contains an Autonomous System number ASN , and whose 4-byte number field contains a number assigned by the SP to whom that ASN belongs having been assigned to that SP by the appropriate authority. However, the structure is not meaningful to BGP; when BGP compares two such address prefixes, it ignores the structure entirely. The configuration may cause all routes leading to the same CE to be associated with the same RD, or it may cause different routes to be associated with different RDs, even if they lead to the same CE.
The RDs are encoded as follows:
- Type Field: 2 bytes
- Value Field: 6 bytes
The interpretation of the Value field depends on the value of the type field. At the present time, three values of the type field are defined: 0, 1, and 2.
Type 0: the Assigned Number subfield contains a number from a numbering space that is administered by the enterprise to which the ASN has been assigned by an appropriate authority.
Type 1: if this IP address is from the public IP address space, it must have been assigned by an appropriate authority; use of addresses from the private IP address space is strongly discouraged. The Assigned Number subfield contains a number from a numbering space which is administered by the enterprise to which the IP address has been assigned.
Type 2: the Assigned Number subfield contains a number from a numbering space which is administered by the enterprise to which the ASN has been assigned by an appropriate authority.

Routes learned from a CE routing peer over a particular attachment circuit may be installed in the VRF associated with that attachment circuit. Exactly which routes are installed in this manner is determined by the way in which the PE learns routes from the CE.
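An added example, not from the RFC text, that encodes Route Distinguishers and builds VPN-IPv4 addresses, then replays the intranet/extranet scenario from earlier on the page (two routes to the same server under different RDs). The subfield lengths follow RFC 4364 section 4.2 (type 0: 2-byte ASN + 4-byte number; type 1: 4-byte IPv4 address + 2-byte number; type 2: 4-byte ASN + 2-byte number) and the 8-byte RD + 4-byte address layout of a VPN-IPv4 address follows section 4.1; the ASNs, addresses, prefixes and next-hop names are constructed.

```python
import ipaddress
import struct

# RFC 1918 space; the page says private-space administrators are strongly
# discouraged, so this example rejects them as a local policy check.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def encode_rd(rd_type, administrator, assigned_number):
    """Return the 8-byte RD: a 2-byte type followed by a 6-byte value."""
    if rd_type == 0 and administrator <= 0xFFFF and assigned_number <= 0xFFFFFFFF:
        return struct.pack("!HHI", 0, administrator, assigned_number)       # 2-byte ASN, 4-byte number
    if rd_type == 1 and assigned_number <= 0xFFFF:
        ip = ipaddress.IPv4Address(administrator)
        if any(ip in net for net in RFC1918):
            raise ValueError("type 1 RD administrator must be a public address")
        return struct.pack("!H4sH", 1, ip.packed, assigned_number)         # 4-byte IP, 2-byte number
    if rd_type == 2 and administrator <= 0xFFFFFFFF and assigned_number <= 0xFFFF:
        return struct.pack("!HIH", 2, administrator, assigned_number)       # 4-byte ASN, 2-byte number
    raise ValueError("unknown RD type or field out of range")


def decode_rd(raw):
    """Inverse of encode_rd. BGP itself never interprets this structure;
    it compares the 8 bytes as an opaque part of the address."""
    if len(raw) != 8:
        raise ValueError("RD must be 8 bytes")
    (rd_type,) = struct.unpack("!H", raw[:2])
    if rd_type == 0:
        asn, num = struct.unpack("!HI", raw[2:])
        return (0, asn, num)
    if rd_type == 1:
        ip, num = struct.unpack("!4sH", raw[2:])
        return (1, str(ipaddress.IPv4Address(ip)), num)
    if rd_type == 2:
        asn, num = struct.unpack("!IH", raw[2:])
        return (2, asn, num)
    raise ValueError(f"unknown RD type {rd_type}")


def vpn_ipv4_address(rd, prefix):
    """12-byte VPN-IPv4 address: 8-byte RD + 4-byte IPv4 address, returned
    together with the prefix length, which BGP carries separately."""
    net = ipaddress.IPv4Network(prefix)
    return rd + net.network_address.packed, net.prefixlen


def install(routes, use_rd):
    """Simulate a BGP table keyed on the address. Routes with equal keys are
    'comparable' and overwrite each other; that collision is what RDs prevent."""
    table = {}
    for rd, prefix, next_hop in routes:
        key = vpn_ipv4_address(rd, prefix) if use_rd else prefix
        table[key] = next_hop
    return table


def intranet_extranet_example():
    """Same server prefix at site A, advertised once for intranet traffic
    (direct) and once for extranet traffic (via the firewall at site B)."""
    server = "10.1.1.0/24"                       # constructed server prefix
    intranet_rd = encode_rd(0, 65000, 100)       # constructed ASN and numbers
    extranet_rd = encode_rd(0, 65000, 200)
    routes = [
        (intranet_rd, server, "PE-siteA"),
        (extranet_rd, server, "PE-siteB-firewall"),
    ]
    # With RDs both routes coexist; keyed on the bare prefix only one survives.
    return len(install(routes, use_rd=True)), len(install(routes, use_rd=False))


if __name__ == "__main__":
    print(encode_rd(0, 65000, 100).hex())
    print(decode_rd(encode_rd(1, "198.51.100.1", 7)))
    print(intranet_extranet_example())
```

Keying the table on the full VPN-IPv4 address is the whole point of the new address family: the two routes to the server differ only in their RD, and that difference is enough for BGP to carry and install both instead of discarding one as a duplicate.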
In particular, when the PE and CE are routing protocol peers, this is determined by the decision process of the routing protocol; this is discussed in Section 7. These are carried in BGP as attributes of the route.
Whether it actually gets installed depends upon the outcome of the BGP decision process, and upon the outcome of the decision process of the IGP i. A Route Target attribute can be thought of as identifying a set of sites, though it would be more precise to think of it as identifying a set of VRFs. Associating a particular Route Target attribute with a route allows that route to be placed in the VRFs that are used for routing traffic that is received from the corresponding sites.
The two sets are distinct, and need not be the same. However, the format of the latter is inadequate for present purposes, since it allows only a 2-byte numbering space. It is desirable to structure the format, similar to what we have described for RDs see Section 4.
They are structured similarly to the RDs. Note that a route can only have one RD, but it can have multiple Route Targets. In BGP, scalability is improved if one has a single route with multiple attributes, as opposed to multiple routes. How does a PE determine which Route Target attributes to associate with a given route? There are a number of different possible ways. The PE might be configured to associate all routes that lead to a specified site with a specified Route Target.
Or the PE might be configured to associate certain routes leading to a specified site with one Route Target, and certain with another. This gives the customer the freedom to specify in real time, within agreed-upon limits, its route distribution policies.
It also assigns and distributes an MPLS label. When the PE processes a received packet that has this label at the top of the stack, the PE will pop the stack, and process the packet appropriately. If R is an aggregate of a set of routes in the VRF, the PE will know that packets from the backbone that arrive with this label must have their destination addresses looked up in a VRF. On the other hand, if R is not an aggregate, then when the PE looks up the label, it learns the egress attachment circuit, as well as the encapsulation header for the packet.
In this case, no lookup in the VRF is done. We would expect that the most common case would be the case where the route is NOT an aggregate. The case where it is an aggregate can be very useful though if the VRF contains a large number of host routes e. Whether or not each route has a distinct label is an implementation matter.
There are a number of possible algorithms one could use to determine whether two routes get assigned the same label:
- One may choose to have a single label for an entire VRF, so that a single label is shared by all the routes from that VRF. Then when the egress PE receives a packet with that label, it must look up the packet's IP destination address in that VRF (the packet's "egress VRF") in order to determine the packet's egress attachment circuit and the corresponding data link encapsulation.
This enables one to avoid doing a lookup in the egress VRF, though some sort of lookup may need to be done in order to determine the data link encapsulation, e. The choice of algorithm is entirely at the discretion of the egress PE, and is otherwise transparent.
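The egress side of the label allocation choice, as an added example that is not part of the original text: a model egress PE whose label table mixes a per-VRF (aggregate) label, which forces a lookup in the egress VRF, with per-route labels, which resolve directly to an attachment circuit and encapsulation. Label values, circuit names, encapsulation strings and VRF contents are constructed.

```python
import ipaddress

# Constructed egress label table. A "vrf" entry is the per-VRF label shared
# by every route in that VRF; a "route" entry is a per-route label that by
# itself identifies the egress attachment circuit and data-link encapsulation.
LABEL_TABLE = {
    3001: {"kind": "vrf", "vrf": "VRF-CustA"},
    3002: {"kind": "route", "circuit": ("Serial0/0", 100), "encap": "fr dlci 100"},
    3003: {"kind": "route", "circuit": ("Gig0/1", 42), "encap": "dot1q 42"},
}

# Egress VRF contents as (prefix, attachment circuit, encapsulation).
EGRESS_VRFS = {
    "VRF-CustA": [
        ("10.1.0.0/16", ("Serial0/0", 100), "fr dlci 100"),
        ("10.1.5.0/24", ("Serial0/0", 101), "fr dlci 101"),   # more specific
    ],
}


def egress_vrf_lookup(vrf_name, dst_ip):
    """Longest-prefix match in the egress VRF; None when nothing matches."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, circuit, encap in EGRESS_VRFS.get(vrf_name, []):
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, circuit, encap)
    return None if best is None else (best[1], best[2])


def egress_forward(label_stack, dst_ip):
    """Handle a packet whose top label is the VPN label (the tunnel label is
    assumed already removed). Returns (circuit, encapsulation, vrf_lookup_done)
    or None when the packet must be dropped."""
    if not label_stack:
        return None
    label = label_stack[0]              # pop the top of the stack
    entry = LABEL_TABLE.get(label)
    if entry is None:
        return None                     # unknown label: drop, never guess a VRF
    if entry["kind"] == "route":
        # Per-route label: the egress circuit and encapsulation are known
        # from the label alone, so no IP lookup takes place.
        return entry["circuit"], entry["encap"], False
    # Per-VRF label: the destination must be looked up in the egress VRF.
    hit = egress_vrf_lookup(entry["vrf"], dst_ip)
    if hit is None:
        return None                     # destination not in this VRF: drop
    return hit[0], hit[1], True


if __name__ == "__main__":
    print(egress_forward([3002], "10.1.1.1"))   # per-route label, no lookup
    print(egress_forward([3001], "10.1.5.9"))   # per-VRF label, lookup hits /24
    print(egress_forward([3001], "10.2.0.1"))   # per-VRF label, no route: dropped
```

The two drop cases matter for isolation: an egress PE that received an unknown label, or a per-VRF label whose destination is not in that VRF, has no legitimate way to pick a circuit, so the only safe outcome is to discard the packet rather than fall back to some other table.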
This requires either that a label switched path exist between those two routers or else that some other tunneling technology e. This tunnel may follow a "best effort" route, or it may follow a traffic-engineered route. Between a given pair of routers, there may be one such tunnel, or there may be several, perhaps with different Quality of Service QoS characteristics.
All that matters for the VPN architecture is that some such tunnel exists. If the tunnel follows a best-effort route, then the PE finds the route to the remote endpoint by looking up its IP address in the default forwarding table. Inbound filtering should be used to cause such routes to be discarded. The outbound route filtering mechanism of [ BGP-ORF ] can also be used to advantage to make the filtering more dynamic.
As a result of these distribution rules, no one PE ever needs to maintain all routes for all VPNs; this is an important scalability consideration. All the usual techniques for using route reflectors to improve scalability e. Route reflectors are the only systems that need to have routing information for VPNs to which they are not directly attached. We outline below two different ways to partition the set of VPN-IPv4 routes among a set of route reflectors. Each route reflector is preconfigured with a list of Route Targets.
For redundancy, more than one route reflector may be preconfigured with the same list. A route reflector uses the preconfigured list of Route Targets to construct its inbound route filtering. Note that route reflectors should accept ORFs from other route reflectors, which means that route reflectors should advertise the ORF capability to other route reflectors.
A service provider may modify the list of preconfigured Route Targets on a route reflector. To reduce the frequency of configuration changes on route reflectors, each route reflector may be preconfigured with a block of Route Targets. Another method is to have each PE be a client of some subset of the route reflectors. A route reflector is not preconfigured with the list of Route Targets, and does not perform inbound route filtering of routes received from its clients PEs ; rather, it accepts all the routes received from all of its clients PEs.
The route reflector keeps track of the set of the Route Targets carried by all the routes it receives. When the route reflector receives from its client a route with a Route Target that is not in this set, this Route Target is immediately added to the set. On the other hand, when the route reflector no longer has any routes with a particular Route Target that is in the set, the route reflector should delay by a few hours the deletion of this Route Target from the set.
The route reflector uses this set to form the inbound route filters that it applies to routes received from other route reflectors.
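An added example, not from the RFC text, covering two passages above: Route Target based import on a PE (a Route Target identifies the set of VRFs a route may be placed in) and the second route-reflector partitioning scheme, in which a reflector learns its Route Target set from the routes its client PEs send, delays removing a target from that set after the last route carrying it is withdrawn, and uses the set as its inbound filter toward other reflectors. Route Target strings, RDs, prefixes, next-hop names and the hold time are constructed; the simulated clock is a plain integer of seconds.

```python
class VpnRoute:
    """A VPN-IPv4 route as BGP sees it: RD + prefix identify it, the Route
    Targets are attributes that decide where it is imported."""

    def __init__(self, rd, prefix, next_hop, route_targets):
        self.rd, self.prefix, self.next_hop = rd, prefix, next_hop
        self.rts = frozenset(route_targets)

    @property
    def key(self):
        return (self.rd, self.prefix)


class PE:
    """A PE holding VRFs, each configured with the Route Targets it imports."""

    def __init__(self):
        self.vrfs = {}   # name -> {"import": frozenset of RTs, "routes": {key: route}}

    def add_vrf(self, name, import_rts):
        self.vrfs[name] = {"import": frozenset(import_rts), "routes": {}}

    def import_route(self, route):
        """Place the route in every VRF whose import set it intersects."""
        placed = []
        for name, vrf in self.vrfs.items():
            if vrf["import"] & route.rts:
                vrf["routes"][route.key] = route
                placed.append(name)
        return placed


class RouteReflector:
    """Reflector that derives its Route Target set from client PEs."""

    def __init__(self, hold_seconds):
        self.hold = hold_seconds
        self.client_routes = {}   # key -> route from clients (accepted unfiltered)
        self.rt_refs = {}         # rt -> number of client routes carrying it
        self.rt_expiry = {}       # rt -> time after which it may leave the set
        self.reflected = {}       # key -> route accepted from other reflectors

    def receive_from_client(self, route):
        self.client_routes[route.key] = route
        for rt in route.rts:
            self.rt_refs[rt] = self.rt_refs.get(rt, 0) + 1
            self.rt_expiry.pop(rt, None)          # in use again: cancel removal

    def withdraw_from_client(self, key, now):
        route = self.client_routes.pop(key)
        for rt in route.rts:
            self.rt_refs[rt] -= 1
            if self.rt_refs[rt] == 0:
                self.rt_expiry[rt] = now + self.hold   # delayed, not immediate

    def interested_rts(self, now):
        """The set used for inbound filtering toward other reflectors."""
        active = {rt for rt, n in self.rt_refs.items() if n > 0}
        held = {rt for rt, t in self.rt_expiry.items() if now < t}
        return active | held

    def receive_from_reflector(self, route, now):
        if not (route.rts & self.interested_rts(now)):
            return False                           # no client needs it: filtered
        self.reflected[route.key] = route
        return True


def scenario():
    hour = 3600
    rr = RouteReflector(hold_seconds=3 * hour)
    blue = VpnRoute("65000:1", "10.1.1.0/24", "PE1", {"65000:1"})
    rr.receive_from_client(blue)
    red_from_rr2 = VpnRoute("65000:2", "10.2.0.0/16", "PE9", {"65000:2"})
    blue_from_rr2 = VpnRoute("65000:1", "10.1.2.0/24", "PE7", {"65000:1"})
    results = {
        "red_accepted_t0": rr.receive_from_reflector(red_from_rr2, now=0),
        "blue_accepted_t0": rr.receive_from_reflector(blue_from_rr2, now=0),
    }
    rr.withdraw_from_client(blue.key, now=10)
    results["blue_accepted_during_hold"] = rr.receive_from_reflector(blue_from_rr2, now=10 + hour)
    results["blue_accepted_after_hold"] = rr.receive_from_reflector(blue_from_rr2, now=10 + 3 * hour + 1)
    pe = PE()
    pe.add_vrf("blue", {"65000:1"})
    pe.add_vrf("red", {"65000:2"})
    shared = VpnRoute("65000:3", "10.3.0.0/16", "PE5", {"65000:1", "65000:2"})
    results["blue_route_vrfs"] = pe.import_route(blue)
    results["shared_route_vrfs"] = sorted(pe.import_route(shared))
    return results


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The hold timer is what keeps the reflector from flapping its inbound filter (and any ORF it pushes to its peers) every time a client briefly withdraws and re-advertises a route; the PE half shows the one-RD, many-Route-Targets point, since a single route lands in both VRFs without being advertised twice.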
The route reflector may also use ORFs to install the appropriate outbound route filtering on other route reflectors. Just like with the first approach, a route reflector should accept ORFs from other route reflectors. To accomplish this, a route reflector advertises ORF capability to other route reflectors.

Each scenario was implemented two times according to the 2. Customer Edge router (CE): two customer routers. The second customer autonomous system, named AS-3, contains A.
Generation of this traffic started when the simulation started and continued until the end of the simulation (Figure 8). Figure 7 shows the initial configuration.
2. Parameters related to the VPN: delay, load and throughput.
Optimally the routing protocols must have fast convergence time. With OSPF acceptable, but still IS-IS has advantages that make service provider engineers prefer it rather than OSPF.

and multi-topology. IS-IS provides the ability to design large. This reduces the complexity and resources needed to run both protocols. For the large service provider network the following comparison was made:

Protocol: Convergence Duration
IS-IS: 5.