MPLS Security

5th Annual MCWG Forum October 16-20, 2006

Tuesday, October 17, 2006

Harmen van der Linde Product Manager MPLS Cisco - NSSTG havander@cisco.com
2005 Cisco Systems, Inc. All rights reserved.

Contributions By: Michael Behringer Monique Morrow

Topics
Multi-Protocol Label Switching (MPLS) MPLS Security Overview Framework Risks and Deployment Feature Set Conclusions

2005 Cisco Systems, Inc. All rights reserved.

Multi-Protocol Label Switching

Technology Overview Network Architecture MPLS Security

2005 Cisco Systems, Inc. All rights reserved.

Packet Network Evolution

IP over ATM Challenge IP + ATM Integration Cell Switching Routers IP/Tag Switching IETF Efforts MPLS Innovation and Deployment Traffic Engineering MPLS VPNs Fast Reroute Any Transport over MPLS (AToM) Widespread MPLS Deployments Multi-Service Edge MPLS High Availability with SSO/NSF/FRR MPLS + IPSec MPLS VPN and multicast

Technology Evolution

Service Evolution

Traditional ATM/FR Internet access Remote access VPNs

MPLS VPN services with full mesh and Hub & Spoke connectivity QoS Offerings 2 to 5 Classes

Network Convergence Many Services on converged MPLS core network Triple-play service converge

1995 - 1996

1996 - 2002

2002 and Beyond

2005 Cisco Systems, Inc. All rights reserved.

Multi-Protocol Label Switching (MPLS)

Established network infrastructure technology
Service provider networks and large enterprise networks

Two functional layers in MPLS architecture

Control plane Forwarding plane

MPLS control plane

Distributes labels and establishes label switched paths Multiple control protocols; LDP, BGP, and RSVP-TE

MPLS forwarding plane

Used for MPLS labeled data packet forwarding

MPLS Applications
Layer-3 VPNs, Layer-2 VPNs, Traffic Engineering (TE)

2005 Cisco Systems, Inc. All rights reserved.

MPLS Network Architecture

1. At Ingress Edge:
Label imposition: Classify & Label packets PE P

2. In the Core:
Label swapping or switching: Forward using labels (not IP addr); label indicates service class and destination

Edge Label Switch Router OR (ATM Switch/ Router) Provider Edge- PE PE Customer A Label Switch Router (LSR) or P (Provider) router Router OR ATM switch + label switch controller

3. At Egress Edge:
Label disposition: Remove labels and forward packets Customer B

2005 Cisco Systems, Inc. All rights reserved.

MPLS Security
MPLS Area Core MPLS High Availability Management Security

MPLS forwarding (data plane) MPLS signaling (control plane)

Layer-3 VPNs

MPLS High Availability

MPLS Management

MPLS Security

Layer-2 VPNs

Traffic Engineering

2005 Cisco Systems, Inc. All rights reserved.

MPLS Security Overview

Overview and Scope Cisco IP NGN Market Drivers and Positioning

2005 Cisco Systems, Inc. All rights reserved.

MPLS Security
Protection mechanisms for MPLS-specific network resources
Protection of MPLS forwarding and signaling

MPLS security protection areas

MPLS node access and resiliency Integrity and privacy of MPLS VPN service traffic

Focus areas in MPLS network infrastructure

MPLS core (Label between PE pairs) MPLS service edge (PE-CE link) MPLS network interconnect (Inter-AS/SP)

Incremental value-add and integral part of scalable and robust MPLS technology solution

2005 Cisco Systems, Inc. All rights reserved.

Scope
Focus on security capabilities for MPLS-specific network resources
Protection of MPLS forwarding and signaling

Incremental security functionality to existing MPLS functions Use of existing device and IP-level security capabilities assumed for basic level of security
CLI passwords, TACACS, ACLs, Firewalls, etc.

Leverage existing security capabilities of lower layer protocols where possible

Instead of replication of functionality focus on integration of MPLS with existing security capabilities
For example, LDP use of TCP MD5 authentication capabilities

2005 Cisco Systems, Inc. All rights reserved.

10

Cisco IP NGN Secure Network Layer

Application Layer
Gaming Data Center PresenceBased Telephony Web Services Mobile Apps IP Contact Center

MPLS Security Service Exchange

Open Framework Self Identity Policy Billing MPLS Service MPLS Network Service MPLS Core Edge Inter-connect for Enabling Triple Play on the Move
(Data, Voice, Video, Mobility)

Mobility

Network Layer

Customer Element

Access/ Aggregation

Intelligent Edge

Multiservice Core

Transport

Intelligent Networking
2005 Cisco Systems, Inc. All rights reserved.
11

Operational Layer

Service Layer

MPLS Security Evolution

Initial MPLS Deployments Service Provider MPLS technology adoption Code features and stability Large & Widespread MPLS Deployments MPLS scale and enhanced features Enterprise MPLS technology adoption Manageability and operations Next-Generation MPLS Deployments Complexity of new enhanced services (Extranets, mcast) MPLS network convergence MPLS network inter-connects

Challenges

Security Focus

MPLS as a secure technology replacement for legacy Layer-2 technologies (FR/ATM)

Inter-AS MPLS network connects New RFP compliance reqs Enterprise network security

Increasing service configuration complexity New security reqs for support of converged triple play services

1996 - 2002

2002 - 2005

2005 and Beyond

2005 Cisco Systems, Inc. All rights reserved.

12

MPLS Security Drivers

MPLS Customers
Service Provider Segment Tier-1 (Global) Tier-2 (National) Enterprise Segment Financials Education/Research Other Government Segment Government agencies and institutions
Regulations driving new network security requirements US Homeland Security Regulatory compliance Extranet security User traffic segmentation Regulatory compliance Extranet security MPLS technology value-add Extranet partner connectivity Sarbanes-Oxley Act Financial application access Secure campus connectivity Network convergence Network convergence and network interconnect Triple play and public/private services convergence Inter-AS/SP network inter-connect

MPLS Security Drivers

Examples

2005 Cisco Systems, Inc. All rights reserved.

13

Concerns and Goals

Concerns
Service Provider Market Segment
Unauthorized customer VPN access Public Internet traffic access/impact on private MPLS VPNs

Goals
Customer VPN traffic separation Public Internet and private VPN traffic separation

Enterprise Market Segment

Unauthorized access to internal user VPNs Public Internet traffic access/impact on private LAN traffic

User group VPN traffic separation WAN and extranet VPN traffic separation and privacy

Federal Market Segment

Unauthorized access to internal user VPNs WAN/public Internet traffic access/impact on private LAN traffic

User group VPN traffic separation WAN and VPN traffic separation and privacy

2005 Cisco Systems, Inc. All rights reserved.

14

MPLS Security Framework

Service Provider View Enterprise View Threat Model

2005 Cisco Systems, Inc. All rights reserved.

15

Threat Model
Security Threats Malicious user behavior Security Vulnerability Description

Denial of Service (DoS) attacks

MPLS network resources become unavailable to authorized users

Intrusion attacks

MPLS network resources become available to unauthorized users

Unintended human error and mis-configuration

MPLS device misconfiguration

MPLS network resources become available to unauthorized users

2005 Cisco Systems, Inc. All rights reserved.

16

MPLS Security Framework

Trusted Zone

External Network

MPLS Network
External Network Interface External Network Interface

External Network

Control Plane Forwarding Plane

MPLS core signaling LDP, RSVP, and BGP

MPLS edge signaling BGP, LDP, RIP, OSPF

MPLS packet forwarding

IP or MPLS packet forwarding

2005 Cisco Systems, Inc. All rights reserved.

17

MPLS Security Service Provider View

Trusted Zone

Customer Network

MPLS Network
External Service Interface External Network Connect Interface

Peer SP Network

MPLS Edge Security Security for VPN service interface Focus on control plane access and resources on PE router

MPLS Core Security Security for end-to-end (PE-PE) MPLS traffic integrity Focus on MPLS packet forwarding

MPLS Inter-AS Security Security for network interconnect interface Focus on data/control plane access on ASBR

2005 Cisco Systems, Inc. All rights reserved.

18

MPLS Security Enterprise View

Trusted Zone

Extranet Customer Network

MPLS Network
Extranet Service Interface External WAN Interface

SP MPLS Network

Extranet Edge Security Security of extranet VPN interface Focus on data/control plane access across interface with partner

MPLS Core Security Security for end-to-end (PE-PE) MPLS traffic integrity Focus on MPLS traffic segmentation

WAN Edge Security Security of WAN interface with SP Focus on data/control plane access across PE-CE link with SP

2005 Cisco Systems, Inc. All rights reserved.

19

Security Threats
CE PE P ASBR ASBR P PE CE

MPLS Service Edge (PE Router) Malicious user behavior Unintended human error and misconfiguration
Control plane DoS attacks Unauthorized control plane access (e.g., SNMP, CDP) Unintended VPN Route leakage due to VRF mis-configuration PE router access due to incorrect/missing access configuration

MPLS Core (P routers)

Control plane DoS attacks (e.g., LDP)

MPLS Inter-AS Edge (ASBR)

Unauthorized VPN/IGP access via label spoofing Control plane DoS attack

Unintended P router access due Unintended VPN Route leakage to incorrect ACL configuration due to incorrect VPN route distribution ASBR router access due to incorrect/missing access configuration

2005 Cisco Systems, Inc. All rights reserved.

20

MPLS Security Risks and Deployment

Security Risk MPLS Deployment Scenarios Network Complexity versus Capital Costs

2005 Cisco Systems, Inc. All rights reserved.

21

MPLS Security and Risks

MPLS security associated with MPLS deployment and risk
Risk of MPLS design or configuration error

MPLS deployment components

Network design, implementation, and operation

Basic risk components

Security vulnerability event Probability of event Impact of event

MPLS security focused on mitigating potential security vulnerability events

Minimizing probability and associated impacts of potential events

2005 Cisco Systems, Inc. All rights reserved.

22

MPLS Deployment Framework

Identify/analyze potential security vulnerabilities in MPLS network infrastructure Identify MPLS security capabilities that need to be implemented Design and specify device command parameters

Monitor and analyze network anomalities, which could indicate a security attack

Network Design

Set up and configuration of security policies and commands in MPLS network

Network Operation

Network Implementation

2005 Cisco Systems, Inc. All rights reserved.

23

MPLS Deployment Risk

MPLS network deployment complexity level determines perceived security risks
More complexity requires more detailed design, and associated network implementation and operation More complexity increases the possibility of design and configuration errors

Influencing factors of MPLS deployment complexity

Network architecture (e.g., physical v.s. logical separation) Networking services run on top of MPLS network

Types of networking services

Public IP services (Internet) Private (VPN) connectivity services
2005 Cisco Systems, Inc. All rights reserved.
24

Public and Private Connectivity Services

Service Characteristics Access to the Internet Connectivity to anybody anywhere on the Internet Best effort traffic Business Focus Focus on ubiquitous IP connectivity General public access to web sites, email, etc. Examples at&t: Managed Internet Service (MIS) Sprint Nextel: Internet Access Verizon Business: Dedicated Internet Access

Public IP Connectivity Services

Private IP VPN Connectivity Services

Connectivity to selective set of end-nodes connected to same VPN QoS support

Focus of secure and reliable connectivity Service Level Agreements (SLAs)

at&t: IPeFR, eVPN Masergy: Private IP Sprint Nextel: MPLS VPN Verizon Business: Private IP

2005 Cisco Systems, Inc. All rights reserved.

25

MPLS Deployment Scenarios

Shared MPLS Core & Edge
Public/Private PE

Shared MPLS Core & Separate Edge

Public PE Private PE

Separate MPLS Core & Edge

Public PE Private PE

MPLS Core

MPLS Core

MPLS Core

MPLS Core

MPLS Core Network

Single MPLS core for both public IP and private VPN traffic Optional BGP/Internet free core

Single MPLS core for both public IP and private VPN traffic Optional BGP/Internet free core

Separate MPLS cores for public IP and private VPN traffic Optional BGP/Internet free core

MPLS Edge Network

PE routers terminate both public IP and private VPN connections

Dedicated PE routers used for termination of public IP and private VPN connections

Dedicated PE routers used for termination of public IP and private VPN connections

2005 Cisco Systems, Inc. All rights reserved.

26

Current MPLS Deployments

Internal survey of key SP customers on deployment of public and private MPLS services
Separate MPLS core & edge Shared MPLS core & separate edge Shared MPLS core & edge
31%

38%

31%

Separate MPLS Core & Edge Shared MPLS Core & Separate Edge Shared MPLS Core & Edge

No common MPLS deployment preference

Balanced distribution of various MPLS deployment scenarios
Source: Internal 2006 MPLS Security Survey by Michael Behringer.

2005 Cisco Systems, Inc. All rights reserved.

27

Future MPLS Deployment Plans

Future MPLS deployment plans indicate increasing network consolidation
Increasing number of shared MPLS core deployments
19%

31%

50%

Common MPLS core for public and private services Migration of both public and private services onto single MPLS edge

Separate MPLS Core & Edge Shared MPLS Core & Separate Edge Shared MPLS Core & Edge

Source: Internal 2006 MPLS Security Survey by Michael Behringer.

2005 Cisco Systems, Inc. All rights reserved.

28

Network Complexity versus Capital Costs

Logical Separation Network Complexity (Risk)
Shared MPLS Core & Edge
Public/Private PE

Simplifications for implementing MPLS security mechanisms reducing MPLS deployment risks. MPLS security mechanism enable secure logical separation of MPLS traffic forwarding and signaling Shared MPLS Core & Separate Edge

MPLS Core

Public PE

Private PE

MPLS Core

Separate MPLS Core & Edge

Public PE Private PE

Lower cost MPLS deployments with reduced complexity and increased resiliency

Goal

MPLS Core

MPLS Core

Physical Separation

Capital Costs
2005 Cisco Systems, Inc. All rights reserved.
29

MPLS Security Features

Core Network Security Service Edge Security Network Inter-Connect Security

2005 Cisco Systems, Inc. All rights reserved.

30

Feature Portfolio
Security Focus
MPLS VPN traffic separation Network Topology hiding MPLS control plane protection VPN address space separation and route control PE-CE link control plane access

Feature Areas
MPLS traffic forwarding MPLS packet TTL hiding Control plane session authentication

MPLS Core

MPLS Service Edge

Control plane policing VPN route control BGP session prefix filtering and control Control plane session authentication Control plane policing VPN route control Control plane session authentication

MPLS Network Inter-Connect

MPLS VPN traffic separation ASBR link control plane protection

2005 Cisco Systems, Inc. All rights reserved.

31

MPLS Security Core Network

Requirement
VPN traffic separation MPLS control plane protection (access control) MPLS control plane authentication

Available Feature Capabilities

Comments

MPLS labeled packet forwarding using different FECs, Native MPLS capability LSPs, and label imposition/dispositioning Selective enablement of BGP/LDP on core I/Fs Selective IGP route assignment/distribution MD5 authentication of LDP sessions MD5 authentication of iBGP sessions ACL route filtering in edge network assumed -

MPLS Core Network Security

BGP Route Reflector PE Router PE Router

P Router

P Router

LDP Session iBGP Session

MPLS Core Network

2005 Cisco Systems, Inc. All rights reserved.
32

Infrastructure Access-Lists (ACLs)

CE
.2 1.1.1.0/30 .1

PE
VPN

PE
VPN

CE
.1 1.1.1.8/30 .2

CE
.2 1.1.1.4/30 .1

PE
VPN

PE
VPN

CE
.1 1.1.1.12/30 .2

Example:
deny ip any 1.1.1.0 0.0.0.255 permit ip any any

This Is VPN Address Space, Not Core!

Caution: This also blocks packets to the CEs!

Alternatives: List all PE interfaces in ACL or use secondary interface on CE

2005 Cisco Systems, Inc. All rights reserved.

33

Best Practices MPLS Core Security

Dedicated management access to P and PE routers
Out-of-band or in-band

Use AAA for device access Logging device configuration changes

Limited access to logging facility

Use command authorization where possible

Keep logs in a secure place Malicious employee might change logs too

Use access-control list on PE routers for blocking any potential external traffic Option of use MD5 authentication for LDP
May be required as part of security conformance policies

2005 Cisco Systems, Inc. All rights reserved.

34

MPLS Security Service Edge

Requirement
PE-CE link control plane protection (access control) VPN route access control and address space separation PE-CE link control plane authentication

Available Feature Capabilities

Selective control plane prefix filtering Control Plane Policing (CoPP) VPN address space separation via VRFs BGP max-prefix limit (per eBGP session) VRF max route (per VRF) MD5 authentication of eBGP sessions

Comments
ACL protocol port filtering on PE router assumed VRF ~ customer RIB Filtering control of BGP RIB and VPN route updates -

MPLS Service Edge Security

BGP Route Reflector PE Router PE Router CE Router

P Router

P Router

LDP Session iBGP Session eBGP Session

MPLS Core Network

MPLS Edge Network

Customer Edge Network

35

2005 Cisco Systems, Inc. All rights reserved.

Controlling VPN Route Maximum

Potential Security Vulnerability: Injection of too many routes into VPN table (VRF)
Potential memory overflow Potential (control plane) DoS attack

Protection Mechanism: Specify maximum number of VPN routes for VPN route table (VRF)
VPN routing table (VRF) Maximum of 500 VPN prefixes

ip vrf vpn01
Send warning message when maximum routes 500 80 (400) threshold is reached80%

2005 Cisco Systems, Inc. All rights reserved.

36

Controlling BGP Prefix Maximum

Potential Security Vulnerability: Injection of too many BGP prefix updates
Potential memory overflow Potential (control plane) DoS attack

Protection Mechanism: Specify maximum number of BGP prefix for a specific BGP neighbor session
Remote BGP neighbor Accept maximum of BGP 500 prefixes, if more reset BGP session Restart BGP session after 2 minutes

router bgp 10 neighbor 140.0.250.2 maximum-prefix 500 80 restart 2

Send warning message when 80% (400) threshold is reached

2005 Cisco Systems, Inc. All rights reserved.

37

MPLS VPN Configuration

Reduce potential MPLS VPN configuration errors via automation of service configuration and validation on PE routers

2005 Cisco Systems, Inc. All rights reserved.

38

MPLS Network Monitoring

2005 Cisco Systems, Inc. All rights reserved.

39

Best Practices MPLS Edge Security

Access-list configuration of PE routers
Disable external traffic destined to MPLS core or edge nodes

Control plane traffic filtering on PE routers

Control Plane Policing (CoPP)

Disable selective control plane protocols on VRF-enabled interfaces

E.g., disable SNMP, CDP access for CE routers

Configuration of max allowable VRF routes Configuration of max number of BGP prefix updates per eBPG peer In case dynamic routing is configured across PE-CE link option to use MD5-based BGP session authentication
May be required as part of security conformance policies

2005 Cisco Systems, Inc. All rights reserved.

40

MPLS Security Network Inter-Connect

Requirement
PE-CE link control plane protection (access control) VPN route access control and address space separation ASBR link control plane authentication

Available Feature Capabilities

VPNv4 route filtering Control Plane Policing (CoPP) VPN address space separation via VRFs BGP max-prefix limit (per eBGP session) VRF max route (per VRF) MD5 authentication of eBGP sessions

Comments
ACL protocol port filtering on PE router assumed VRF ~ VPN-specific RIB Filtering control of BGP RIB and VPN route updates -

MPLS Network Connect Security

BGP Route Reflector PE Router ASBR Router ASBR Router

P Router

P Router

LDP Session iBGP Session eBGP Session

MPLS Core Network

MPLS Edge Network

External MPLS Network

41

2005 Cisco Systems, Inc. All rights reserved.

Wrap-up
IETF References Conclusions

2005 Cisco Systems, Inc. All rights reserved.

42

IETF
IETF L3VPN Working Group:
Working on Layer 3 VPN architectures, such as MPLS IP VPNs, IP VPNs using virtual routers, and IPsec VPNs http://www.ietf.org/html.charters/l3vpn-charter.html

IETF L2VPN Working Group:

Working on Layer 2 VPN architectures, such as VPLS and VPWS http://www.ietf.org/html.charters/l2vpn-charter.html

RFC4381
Analysis of MPLS VPN Security

RFC2196
Site Security Handbook

RFC2385
Protection of BGP Sessions via the TCP MD5 Signature Option

RFC3013
Recommended Internet Service Provider Security Services and Procedures
2005 Cisco Systems, Inc. All rights reserved.
43

Conclusions
MPLS security covers protection mechanisms for MPLS forwarding and signaling MPLS security requires holistic approach including network design, implementation, and operation Level of MPLS network deployment complexity determines perceived network security risks Growing importance of MPLS security as a result of network and service convergence

2005 Cisco Systems, Inc. All rights reserved.

44

 2005 Cisco Systems, Inc. All rights reserved.

45