
MPLS VPN Security in Service Provider Networks - apricot PDF

71 Pages·2007·8.86 MB·English

Preview MPLS VPN Security in Service Provider Networks - apricot

MPLS VPN Security in Service Provider Networks
Peter Tomsu, Michael Behringer, Monique Morrow
IPM-3012 – MPLS Security © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public

About this Presentation
- Advanced level: “… advanced MPLS concepts and architectures.”
- Target Audience: Service provider!!
  - Network operators and designers
  - Technical focus

Why Is MPLS VPN Security Important?
- Customer buys “Internet Service”:
  - Packets from SP are not trusted
  - Perception: Need for firewalls, etc.
- Customer buys a “VPN Service”:
  - Packets from SP are trusted
  - Perception: No further security required
SP Must Ensure Secure MPLS Operations

Objectives
- Understand how secure MPLS VPNs* are
  - And what IPsec offers in addition
- Best practices on how to secure
  - General MPLS VPN deployments
  - Inter-provider VPN
  - Specific cases (Internet, etc)
* Here: MPLS VPN = RFC 4364 (old RFC 2547bis)

MPLS VPN Security - Agenda
- Analysis of the Architecture
- Secure MPLS VPN Design
  - General Best Practices
  - Internet Access
  - Inter-AS and CsC
- IPsec and MPLS
- Outlook
- Summary

Analysis of the MPLS VPN Architecture (RFC 4364)

Comparison with ATM/FR

                                          ATM/FR    MPLS
Address Space Separation                  Yes       Yes
Routing Separation                        Yes       Yes
Resistance to Attacks                     Yes       Yes
Resistance to Label Spoofing              Yes       Yes
Direct CE-CE Authentication (Layer 3)     Yes       With IPsec

Basic RFC 4364 Security: Today’s Arguments
- Can be mis-configured (operation): True, but same on ATM/FR
- Routers can have bugs (implementation)
- PEs can be accessed from Internet, thus intrinsically insecure: PEs can be secured, as Internet routers
- Floods over Internet can impact VPN traffic: Engineering/QoS

Security Relies on Three Pillars
[Figure: "Security" resting on three pillars: Architecture/Algorithm, Implementation, Operation]
Break One, and All Security Is Gone!

Address Planes: True Separation!
[Figure: address planes across CE, PE, P, PE, CE]
- Several Data Planes: VPNv4 Addr.
  - VPN1 Address Space: 0.0.0.0—255.255.255.255
  - VPN2 Address Space: 0.0.0.0—255.255.255.255
- PE-CE Interfaces Belong to VPN; Only Attack Point!!
- Control Plane: IPv4 Addr.
  - Core Address Space: 0.0.0.0—255.255.255.255

Description:
advanced MPLS concepts and architectures.” Analysis of the Architecture. ▫ Secure Secure MPLS/VPN Core Design. 1. Secure each router individually. 2.
