One of the reasons MPLS VPNs, or specifically BGP-VPNs, are easy to provision is that MPLS VPNs are not connection oriented. Whereas most traditional VPN types consist of a number of provisioned point-to-point connections, MPLS is connectionless. The connectionless nature of MPLS VPNs has many implications for the scalability of the overall MPLS network, but also for security: On an ATM network, for example, a VPN customer is typically presented with a number of virtual connections from a given router to all other routers that need to be connected. However, the customer needs to configure her router to use these virtual connections. The disadvantage here is that many virtual connections have to be configured on both the customer side and the service provider side. The advantage is that the customer has full visibility of her VPN and controls the connections. On an MPLS network, the same customer router is in most cases presented with a single connection into the MPLS network, and it is the MPLS network itself that decides where to forward packets. The customer loses the view of the connections through the core. The advantage of this approach is scalability: The provisioning complexity is reduced to a single connection for each customer router. However, the customer does not have visibility of the core network anymore. A service provider could maliciously or inadvertently introduce a router that does not belong there into the VPN of a customer. The customer might not detect this and might lose the integrity of her network. VPN users have certain expectations and requirements for their VPN service. In a nutshell, they want their service to be private and secure. Neither concept is black or white, and the concepts need to be defined for a real-world implementation. In discussions about MPLS security, a number of questions typically arise that are outside the scope of the MPLS architecture. This means that these issues have nothing to do with the standards and can therefore not be controlled by the architecture. The following list describes these issues and explains why they are outside the scope of the architecture:
Note When discussing the security of MPLS VPN networks, care should be taken to maintain a balanced view on the overall risks to a customer. It is irrelevant to argue about the chances of an attacker sniffing a core line if the customer network has unsecured wireless access points. It is also not important to worry about a service provider misconfiguring a PE when attackers have uncontrolled physical access to hosts in an enterprise. Security is a question of balance: There is no point in putting extra locks on the door of your house if the windows are left open. Many enterprises have been using VPN services based on Frame Relay or ATM in the past and are considering a move to MPLS VPNs. Unfortunately, the discussion of this topic has often been emotional and unbalanced. Table 7-1 compares all the aspects of VPN security for the various VPN technologies.
1 Reference: http://www.miercom.com/?url=reports/&v=16&tf=-3&st=v New MPLS users are often concerned about the fact that an MPLS VPN service has a control plane on Layer 3. The typical VPN security requirements are
BGP-VPN (for Layer 3 MPLS VPN) permits a separation between address and data plane constructs, whereas hiding the core infrastructure (that is, the service provider or a large enterprise implementing MPLS) is paramount to overall MPLS security (as depicted in Figures 7-1 and 7-2). Note that in both examples, the vulnerable security point is between the service provider PE and customer edge connection. The amount of topological informationfor example, from the Interior Gateway Protocol (IGP)announced outside a trust domain or leaked outside a trust domain is what is important. Figure 7-1. Address Planes: True SeparationFigure 7-2. Hiding of the MPLS CoreWe discuss attack scenarios in the next section, followed by the best practices for defending against attacks. |