As service providers seek to consolidate their infrastructures and offer many different services over a single network, provider-provisioned MPLS VPNs have become one of the industry's biggest hits. Yet every new solution must go through a period of scrutiny where potential enterprise adopters ask themselves and their service providers:
- Can my VPN data be compromised?
- Can someone else's traffic end up on my VPN, or vice versa?
- Can someone bring the VPN down by attacking the service provider's core?
- Can MPLS VPNs give me the security and performance I need from a VPN service?
To protect any VPN environment, the provider and its customers must understand the service's design and operation, and take steps together to address any security challenges. It's a fallacy to put the onus of security on just the provider or just the customer, because security vulnerabilities can exist in both domains.
Protecting the PE-CE environment
In Layer 3 VPNs, the routing protocol between the provider edge and the customer edge (the PE-CE
protocol) is a natural target for an attacker. As the one control protocol that extends outside the
provider network cloud, it may cross shared-access facilities like Ethernet networks. This creates
opportunities for incorrect routing information to be injected into the VPN infrastructure, causing
denial of service or even data redirection.
To prevent
Firewall filters (also called access control lists or stateless firewalls) provide a flexible way of allowing the passage of authorized traffic while blocking traffic that is unauthorized or harmful. A firewall filter can also limit the rate at which certain types of traffic are accepted into the router, allowing you to regulate the flow of traffic from a certain neighbor, of a specific protocol, to a certain destination, or exhibiting other unique characteristics.
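As an added illustration (this is not configuration from the original article, and the interface names, addresses and rate values are placeholders chosen for the example), here is what such a filter looks like on a Juniper PE router in Junos syntax. The filter is applied to the loopback interface, so it governs every packet destined to the routing engine regardless of which physical interface it arrives on: it accepts BGP only from the provisioned CE address, passes that traffic through a policer so a misbehaving CE cannot flood the control plane, and counts and discards BGP from any other source before the catch-all term.

```junos
firewall {
    /* Rate limit for control traffic accepted from the CE (values are examples) */
    policer bgp-ce-limit {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    family inet {
        filter protect-re {
            /* Only the provisioned CE peer may open a BGP session to this PE */
            term bgp-from-ce {
                from {
                    source-address {
                        192.0.2.2/32;
                    }
                    protocol tcp;
                    port bgp;
                }
                then {
                    policer bgp-ce-limit;
                    accept;
                }
            }
            /* Count and drop BGP from anyone else; the counter is what you watch for attempts */
            term discard-other-bgp {
                from {
                    protocol tcp;
                    port bgp;
                }
                then {
                    count bgp-unauthorized;
                    discard;
                }
            }
            /* Catch-all; a production RE filter is stricter than this */
            term allow-rest {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
                address 10.255.0.1/32;
            }
        }
    }
}
```

Check the result with `show firewall filter protect-re`: a rising `bgp-unauthorized` counter means something other than the CE is trying to reach the PE's BGP port. The final term is deliberately permissive to keep the example short; in practice it would enumerate the remaining protocols the router must accept (IGP, LDP or RSVP from core neighbors, management) and discard everything else.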
CE-PE data encryption
For users concerned about VPN data interception before it reaches the PE router, providers can have
customers connect to the PE router over an IPsec or otherwise encrypted tunnel. When the access
link is provisioned by another less-trusted service provider, or over a shared media like Ethernet,
data encryption ensures customer data is protected as it travels across the access link and
connects to the VPN. Encryption may also be applied to the routing protocol traffic to keep it
confidential.
Protecting the provider router infrastructure
Much like the core of a frame relay or ATM network, the provider router infrastructure of an MPLS
VPN network must be inviolable and accessible only to the trusted operations staff of the provider.
While the security of the core network is often assumed in standards documents, providers operate
in the real world of changing topologies, routing instability, and nefarious attackers -- all of
which pose a challenge to network security.
Protecting the VPN label space
The label mechanisms used in MPLS VPNs serve two purposes: to indicate the destination VPN site of
each data packet, as well as to route those data packets along the pre-established MPLS LSPs
towards the correct destination PE router. Label information that is incorrect can have an effect
on VPN reachability, or even be used to redirect traffic away from its intended destination for
interception. Providers should explicitly discard any MPLS setup or label information from CE
devices that are not meant to send it.
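As an added example in Junos syntax (not configuration from the original article; interface names and addresses are placeholders), this is how a PE makes the discard explicit. The core-facing interface carries `family mpls` and is listed under the MPLS and LDP protocols; the CE-facing interface has neither, so labeled frames and LDP signaling from the CE are never processed. A filter on the CE-facing interface additionally counts and drops LDP (TCP/UDP 646) and RSVP (IP protocol 46) so that attempts show up in the counters rather than disappearing silently.

```junos
interfaces {
    ge-0/0/0 {
        description "Core-facing: P router";
        unit 0 {
            family inet {
                address 10.0.0.1/30;
            }
            family mpls;
        }
    }
    ge-0/0/1 {
        description "CE-facing: customer A";
        unit 0 {
            family inet {
                filter {
                    input from-ce;
                }
                address 192.0.2.1/30;
            }
            /* No family mpls here: labeled packets from the CE are dropped */
        }
    }
}
protocols {
    mpls {
        /* Label switching and signaling only toward the core */
        interface ge-0/0/0.0;
    }
    ldp {
        interface ge-0/0/0.0;
    }
}
firewall {
    family inet {
        filter from-ce {
            /* LDP uses TCP and UDP port 646 */
            term no-ldp {
                from {
                    protocol [ tcp udp ];
                    port 646;
                }
                then {
                    count ldp-from-ce;
                    discard;
                }
            }
            /* RSVP is IP protocol 46 */
            term no-rsvp {
                from {
                    protocol rsvp;
                }
                then {
                    count rsvp-from-ce;
                    discard;
                }
            }
            term allow {
                then accept;
            }
        }
    }
}
```

The omission of `family mpls` on the CE-facing unit is the real control; the filter terms exist for visibility. Verify with `show interfaces ge-0/0/1.0` (no mpls family should be listed) and `show firewall filter from-ce` after the customer has been connected for a while.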
Routing session encryption
In environments where there is a possibility of customers connecting "inside" the VPN cloud (for
example, in topologies where standard Internet service is provided via an overlay network that
includes the VPN network), the encryption of the PE-PE routing traffic provides excellent privacy
for the routing data, thus keeping the internal structure of the VPN infrastructure hidden. While
not providing data security itself, this opacity helps reassure the customer, and also makes it
harder for any miscreant to crack the infrastructure.
Routing table size limits
In Layer 3 VPNs, it makes sense to limit the size of VPN routing tables to protect against
misconfigurations or attacks leading to denial of service. Router operating systems should allow
users to specify the number of routes for each VRF, as well as the maximum number of prefixes
learned from any peer PE router, to allow control over the amount of information exchanged, stored
and processed for any VPN.
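As an added example in Junos syntax (not configuration from the original article; the instance name, route distinguisher, addresses, AS numbers and limits are placeholders), the two limits described above are configured at different levels. The per-VRF `maximum-prefixes` caps what the VRF's routing table will hold, logging a warning at the threshold and refusing further prefixes at the cap. The per-neighbor `prefix-limit` caps what a single peer may contribute and, with `teardown`, drops the session when the peer exceeds it, so one customer or one PE cannot consume the table. The CE session also carries an authentication key, which protects the session against spoofed TCP segments but, unlike the encryption discussed earlier, does not keep its contents confidential.

```junos
routing-instances {
    CUST-A {
        instance-type vrf;
        interface ge-0/0/1.0;
        route-distinguisher 65000:100;
        vrf-target target:65000:100;
        routing-options {
            /* VRF-wide cap: warn at 80%, reject new prefixes at 10,000 */
            maximum-prefixes 10000 threshold 80;
        }
        protocols {
            bgp {
                group ce {
                    type external;
                    peer-as 65100;
                    neighbor 192.0.2.2 {
                        /* TCP MD5 authentication of the session; not encryption. Replace the key. */
                        authentication-key "example-key-replace-me";
                        family inet {
                            unicast {
                                prefix-limit {
                                    /* This CE may announce at most 500 prefixes;
                                       at 80% a warning is logged, above the cap the
                                       session is torn down and held idle for 30 minutes */
                                    maximum 500;
                                    teardown 80 idle-timeout 30;
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}
protocols {
    bgp {
        group pe-ibgp {
            type internal;
            local-address 10.255.0.1;
            family inet-vpn {
                unicast {
                    prefix-limit {
                        /* Cap on VPN prefixes learned from any single peer PE;
                           a peer that exceeds it stays down until cleared by hand */
                        maximum 200000;
                        teardown 90 idle-timeout forever;
                    }
                }
            }
            neighbor 10.255.0.2;
        }
    }
}
```

Size the per-peer PE limit from the sum of the VRF caps you actually sell plus headroom, and review `show bgp neighbor` for sessions in the Idle state after a limit trips: a customer that legitimately outgrows its cap looks exactly like one leaking a full table, and only the prefix contents tell them apart.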
VPNs old and new
As providers continue to consolidate their service offerings onto single, all-purpose IP backbones,
customers can expect to find MPLS VPN offerings largely replacing Frame Relay and ATM VPNs in their
providers' portfolios. With a cooperative approach to network security, though, these MPLS VPNs can
be as secure as their Layer 2 predecessors.
→ See this tutorial on understanding MPLS IP VPN encryption for more information.
This was first published in May 2004