Harmen van der Linde, Product Manager MPLS, Cisco NSSTG, havander@cisco.com
2005 Cisco Systems, Inc. All rights reserved.
Topics
Multi-Protocol Label Switching (MPLS)
MPLS Security Overview
Framework
Risks and Deployment
Feature Set
Conclusions
Technology Evolution and Service Evolution (timeline: 1995 - 1996, 1996 - 2002)
MPLS VPN services with full-mesh and hub-and-spoke connectivity; QoS offerings of 2 to 5 classes
Network convergence: many services on a converged MPLS core network; triple-play service convergence
MPLS Applications
Layer-3 VPNs, Layer-2 VPNs, Traffic Engineering (TE)
2. In the core: label swapping or switching. Forward using labels (not the IP address); the label indicates service class and destination.
3. At the egress edge: label disposition. Remove labels and forward packets.
(Figure legend: Provider Edge (PE) router, an edge label switch router or ATM switch/router; P (provider) router, a label switch router (LSR) or ATM switch plus label switch controller; Customer A and Customer B sites.)
MPLS Security
(Figure: MPLS areas Core MPLS, Layer-3 VPNs, Layer-2 VPNs and Traffic Engineering, with High Availability, Management and Security as cross-cutting concerns; this presentation covers MPLS Security.)
MPLS Security
Protection mechanisms for MPLS-specific network resources
Protection of MPLS forwarding and signaling
Incremental value-add and integral part of scalable and robust MPLS technology solution
Scope
Focus on security capabilities for MPLS-specific network resources
Protection of MPLS forwarding and signaling
Incremental security functionality added to existing MPLS functions
Use of existing device and IP-level security capabilities (CLI passwords, TACACS, ACLs, firewalls, etc.) is assumed for a basic level of security
(Figure: network architecture layers. Network Layer: Customer Element, Access/Aggregation, Intelligent Edge, Multiservice Core, Transport; Operational Layer; Service Layer; with Mobility and Intelligent Networking.)
Challenges
Security Focus (timeline: 1996 - 2002, 2002 - 2005)
Inter-AS MPLS network connects; new RFP compliance requirements; enterprise network security
Increasing service configuration complexity; new security requirements for support of converged triple-play services
Examples
Goals
Customer VPN traffic separation; public Internet and private VPN traffic separation. Threats addressed: unauthorized access to internal user VPNs; public Internet traffic access to, or impact on, private LAN traffic.
User group VPN traffic separation; WAN and extranet VPN traffic separation and privacy. Threats addressed: unauthorized access to internal user VPNs; WAN/public Internet traffic access to, or impact on, private LAN traffic.
User group VPN traffic separation; WAN and VPN traffic separation and privacy.
Threat Model
(Table columns: Security Threats; Malicious user behavior; Security Vulnerability; Description)
Intrusion attacks
(Figure: external networks attach to the MPLS network over external network interfaces: a customer network over the external service interface, and a peer SP network over the external network connect interface.)
MPLS Edge Security: security for the VPN service interface; focus on control plane access and resources on the PE router.
MPLS Core Security: security for end-to-end (PE-PE) MPLS traffic integrity; focus on MPLS packet forwarding.
MPLS Inter-AS Security: security for the network interconnect interface; focus on data/control plane access on the ASBR.
(Figure, enterprise view: the enterprise MPLS network connects to partners over the extranet service interface and to the SP MPLS network over the external WAN interface.)
Extranet Edge Security: security of the extranet VPN interface; focus on data/control plane access across the interface with the partner.
MPLS Core Security: security for end-to-end (PE-PE) MPLS traffic integrity; focus on MPLS traffic segmentation.
WAN Edge Security: security of the WAN interface with the SP; focus on data/control plane access across the PE-CE link with the SP.
Security Threats
(Figure: CE - PE - P - ASBR - ASBR - P - PE - CE)
MPLS service edge (PE router), malicious user behavior: control plane DoS attacks; unauthorized control plane access (e.g., SNMP, CDP).
MPLS service edge (PE router), unintended human error and misconfiguration: unintended VPN route leakage due to VRF misconfiguration; PE router access due to incorrect/missing access configuration.
P router and ASBR, unintended human error and misconfiguration: unintended P router access due to incorrect ACL configuration; unintended VPN route leakage due to incorrect VPN route distribution; ASBR router access due to incorrect/missing access configuration.
Monitor and analyze network anomalies, which could indicate a security attack
Network Design
Network Implementation
Network Operation
AT&T: IPeFR, eVPN
Masergy: Private IP
Sprint Nextel: MPLS VPN
Verizon Business: Private IP
MPLS deployment models (figure):
Shared MPLS Core & Edge: single MPLS core for both public IP and private VPN traffic; optional BGP/Internet-free core.
Shared MPLS Core & Separate Edge: single MPLS core for both public IP and private VPN traffic; optional BGP/Internet-free core; dedicated PE routers used for termination of public IP and private VPN connections.
Separate MPLS Core & Edge: separate MPLS cores for public IP and private VPN traffic; optional BGP/Internet-free core; dedicated PE routers used for termination of public IP and private VPN connections.
(Chart 1: deployment split among Separate MPLS Core & Edge, Shared MPLS Core & Separate Edge, and Shared MPLS Core & Edge; values shown: 38%, 31%.)
(Chart 2: same three categories; values shown: 31%, 50%. Trend: common MPLS core for public and private services; migration of both public and private services onto a single MPLS edge.)
Simplifications for implementing MPLS security mechanisms reduce MPLS deployment risks. MPLS security mechanisms enable secure logical separation of MPLS traffic forwarding and signaling.
(Figure: migration from physically separate MPLS cores, via Shared MPLS Core & Separate Edge with a Public PE and a Private PE on one MPLS core, to a single MPLS core; axes: Physical Separation versus Capital Costs.)
Goal: lower-cost MPLS deployments with reduced complexity and increased resiliency
Feature Portfolio
Security Focus: MPLS VPN traffic separation; network topology hiding; MPLS control plane protection; VPN address space separation and route control; PE-CE link control plane access.
Feature Areas:
MPLS Core: MPLS traffic forwarding; MPLS packet TTL hiding; control plane session authentication.
Control plane policing; VPN route control; BGP session prefix filtering and control; control plane session authentication.
Control plane policing; VPN route control; control plane session authentication.
Feature and comments (MPLS core):
MPLS labeled packet forwarding using different FECs, LSPs, and label imposition/disposition: native MPLS capability.
Selective enablement of BGP/LDP on core interfaces.
Selective IGP route assignment/distribution.
MD5 authentication of LDP sessions.
MD5 authentication of iBGP sessions.
ACL route filtering in the edge network is assumed.
(Figure: two P routers in the MPLS core; PE routers with VPNs; CE routers attached over PE-CE links addressed from 1.1.1.0/24: 1.1.1.4/30, 1.1.1.8/30 and 1.1.1.12/30.)
Example (ACL denying traffic destined to the 1.1.1.0/24 link address range, permitting everything else):
deny ip any 1.1.1.0 0.0.0.255
permit ip any any
Use access-control lists on PE routers to block any potential external traffic
Option to use MD5 authentication for LDP
May be required as part of security conformance policies
Comments (MPLS edge): ACL protocol port filtering on the PE router is assumed; VRF ~ customer RIB; filtering control of BGP RIB and VPN route updates.
Protection mechanism: specify the maximum number of VPN routes for a VPN routing table (VRF)
VPN routing table (VRF) vpn01: maximum of 500 VPN prefixes; a warning message is sent when the 80% threshold (400 routes) is reached.
ip vrf vpn01
 maximum routes 500 80
Protection mechanism: specify the maximum number of BGP prefixes accepted from a specific BGP neighbor session
Remote BGP neighbor: accept a maximum of 500 BGP prefixes; if more are received, reset the BGP session and restart it after 2 minutes.
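The edge protection mechanisms above (VRF route limit with warning threshold, per-neighbor BGP prefix limit with session restart) together with the PE ACL and MD5 session authentication from the core and edge feature slides, as one added Cisco IOS configuration example. This is not configuration from the presentation; the VRF name vpn01, the 500/80 limits and the 1.1.1.0/24 link range are from the slides, while the AS numbers, route distinguisher, interface, host addresses and MD5 secrets are assumed placeholders.

```cisco
! Added example, not configuration from the presentation. Assumed values:
! provider AS 65000, customer AS 65001, RD/RT 65000:1, CE/PE host
! addresses 1.1.1.9/1.1.1.10 on link 1.1.1.8/30, P router 10.0.0.2,
! and both MD5 secrets.
!
! PE-CE ingress ACL: the slide's filter blocks traffic to the 1.1.1.0/24
! link range; the eBGP peer of this PE must be permitted ahead of it,
! otherwise the BGP session itself is dropped by the deny entry.
ip access-list extended PE-CE-IN
 permit tcp host 1.1.1.9 host 1.1.1.10 eq bgp
 permit tcp host 1.1.1.9 eq bgp host 1.1.1.10
 deny ip any 1.1.1.0 0.0.0.255
 permit ip any any
!
! VRF route limit: at most 500 VPN prefixes, warning logged at 80% (400).
ip vrf vpn01
 rd 65000:1
 route-target both 65000:1
 maximum routes 500 80
!
interface GigabitEthernet0/1
 description PE-CE link for vpn01 (assumed interface)
 ip vrf forwarding vpn01
 ip address 1.1.1.10 255.255.255.252
 ip access-group PE-CE-IN in
!
! eBGP to the CE inside the VRF: TCP MD5 (RFC 2385) and a 500-prefix
! limit; above the limit the session is reset and retried after 2 minutes.
router bgp 65000
 address-family ipv4 vrf vpn01
  neighbor 1.1.1.9 remote-as 65001
  neighbor 1.1.1.9 password EXAMPLE-BGP-SECRET
  neighbor 1.1.1.9 maximum-prefix 500 restart 2
  neighbor 1.1.1.9 activate
 exit-address-family
!
! Core side: MD5 on the LDP session to a P router, and no IP-to-MPLS TTL
! propagation so core hops stay hidden from customer traceroutes.
mpls ldp neighbor 10.0.0.2 password EXAMPLE-LDP-SECRET
no mpls ip propagate-ttl
```

The `maximum routes` warning and the `maximum-prefix` reset both appear in the router log, so they are useful signals to alert on when a customer site starts leaking more prefixes than expected.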
Reduce potential MPLS VPN configuration errors via automation of service configuration and validation on PE routers
Configuration of the maximum allowable VRF routes
Configuration of the maximum number of BGP prefix updates per eBGP peer
If dynamic routing is configured across the PE-CE link, option to use MD5-based BGP session authentication
May be required as part of security conformance policies
Comments (MPLS inter-AS): ACL protocol port filtering on the PE router is assumed; VRF ~ VPN-specific RIB; filtering control of BGP RIB and VPN route updates.
Wrap-up
IETF References
Conclusions
IETF References
IETF L3VPN Working Group: working on Layer 3 VPN architectures, such as MPLS IP VPNs, IP VPNs using virtual routers, and IPsec VPNs. http://www.ietf.org/html.charters/l3vpn-charter.html
RFC 4381: Analysis of MPLS VPN Security
RFC 2196: Site Security Handbook
RFC 2385: Protection of BGP Sessions via the TCP MD5 Signature Option
RFC 3013: Recommended Internet Service Provider Security Services and Procedures
Conclusions
MPLS security covers protection mechanisms for MPLS forwarding and signaling
MPLS security requires a holistic approach including network design, implementation, and operation
The level of MPLS network deployment complexity determines the perceived network security risks
Growing importance of MPLS security as a result of network and service convergence