Monique Morrow
MFA Forum Ambassador
CTO Consulting Engineer
Cisco Systems
MPLS VPN Security Tutorial
Contributors
Developed by:
• Michael Behringer – Cisco Systems
• Monique Morrow – Cisco Systems
Contributors:
• Victoria Fineberg – DISA
• Ross Callon – Juniper
• David Christophe – Lucent
• Advanced level
  Expected: Basic understanding of MPLS protocols and how MPLS VPNs operate.
• Target Audience:
  Service providers
  Network operators and designers
  Network security engineers
  Technical focus
Why Is MPLS VPN Security Important?
• Customer buys “Internet Service”:
  Packets from SP are not trusted
  Perception: Need for firewalls, etc.
• Customer buys a “VPN Service”:
  Packets from SP are trusted
  Perception: Few or no further security measures required
Objectives
Analysis of the MPLS VPN Architecture (RFC 4364)
[Figure: the MPLS core as a trusted zone, with an external network interface on each side]
MPLS Security – Service Provider View
[Figure: the trusted zone seen from the service provider, bounded by the external service interface and the network connect interface; a second trusted zone bounded by the extranet service interface and the external WAN interface]
Comparison with ATM/FR

                                 ATM/FR    MPLS
Address space separation         Yes       Yes
Routing separation               Yes       Yes
Resistance to attacks            Yes       Yes
Resistance to label spoofing     Yes       Yes
Direct CE-CE authentication      Yes       With IPsec (Layer 3)

Objections and responses:
• Can be mis-configured (operation): True, but same on ATM/FR
• Routers can have bugs (implementation): True, but same on ATM/FR
• PEs can be accessed from Internet, thus intrinsically insecure: PEs can be secured, as Internet routers
• Floods over Internet can impact VPN traffic: Engineering/QoS
Security Relies on Three Pillars
• Architecture/Algorithm
• Implementation
• Operation
Break One, and All Security Is Gone!
Slide 13 Copyright © 2006 MFA Forum
[Figure: VPN1 address space 0.0.0.0—255.255.255.255; VPN2 address space 0.0.0.0—255.255.255.255; core address space 0.0.0.0—255.255.255.255. Several data planes use VPNv4 addresses; the control plane uses IPv4 addresses. PE-CE interfaces belong to the VPN: the only attack point!!]
Secure MPLS VPN Design ― General Security Best Practices
PE-CE Routing Security
[Figure: MPLS core with P routers and a BGP route reflector; PEs connect VPN CEs and the Internet]
Securing the Core: Infrastructure ACLs
[Figure: two PEs across the core, each with two VPN CEs on /30 links: 1.1.1.0/30, 1.1.1.4/30, 1.1.1.8/30 and 1.1.1.12/30; the PE is always .1 and the CE always .2]
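An added example (not from the tutorial) of the infrastructure-ACL policy for the PE-CE links on the slide, in Python: the CE may reach only the PE address on its own /30, anything else aimed at core or PE-CE address space is dropped, and transit traffic passes. The core loopback block 10.255.0.0/24 and the function names are assumptions.

```python
# Added example (not from the tutorial): infrastructure ACL logic for the
# PE-CE links shown on the slide. Applied inbound on a PE's CE-facing
# interface, it lets the CE talk only to the PE address on its own /30
# (routing protocol, ICMP) and drops everything else aimed at core or
# PE-CE infrastructure addresses, while transit traffic passes.
from ipaddress import ip_address, ip_network

# From the slide: four /30 PE-CE links, PE is .1 and CE is .2 on each.
PE_CE_LINKS = [ip_network(f"1.1.1.{o}/30") for o in (0, 4, 8, 12)]
# Assumption (constructed): the block holding P and PE loopbacks.
CORE_SPACE = ip_network("10.255.0.0/24")


def pe_and_ce(link):
    """Return (PE address, CE address) for a PE-CE /30."""
    pe, ce = link.hosts()
    return pe, ce


def is_infrastructure(addr):
    """True if addr belongs to core or PE-CE link address space."""
    return addr in CORE_SPACE or any(addr in net for net in PE_CE_LINKS)


def iacl_decision(ingress_link, src, dst):
    """Decision for a packet entering the PE from the CE on ingress_link."""
    src, dst = ip_address(src), ip_address(dst)
    pe, ce = pe_and_ce(ingress_link)
    if src != ce:
        return ("deny", "spoofed source")       # only the CE lives on this link
    if dst == pe:
        return ("permit", "directly connected PE")
    if is_infrastructure(dst):
        return ("deny", "infrastructure address")
    return ("permit", "transit")


def render_iacl(ingress_link, name="IACL-CE"):
    """The same policy as IOS-style extended ACL lines (wildcard masks)."""
    pe, ce = pe_and_ce(ingress_link)
    lines = [f"ip access-list extended {name}",
             f" permit ip host {ce} host {pe}"]
    for net in PE_CE_LINKS + [CORE_SPACE]:
        lines.append(f" deny ip any {net.network_address} {net.hostmask}")
    lines.append(f" permit ip host {ce} any")   # transit; implicit deny ends it
    return lines
```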
Neighbor Authentication
VRF Maximum Prefix Number
In this VRF, accept max 45 prefixes (warning at 80% of the limit):
ip vrf red
 ! limit the VRF to 45 routes; log a warning once 80% of the limit is reached
 maximum routes 45 80
router bgp 13
 ! same limit per BGP peer; if exceeded, the session is torn down and restarted after 2 minutes
 neighbor 140.0.250.2 maximum-prefix 45 80 restart 2
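An added example, not from the tutorial: a small Python audit that parses an IOS-style PE configuration and reports VRFs without `maximum routes` and PE-CE BGP neighbors without `maximum-prefix` or a `password`, which are the controls the neighbor authentication and prefix limit slides call for. The sample configuration, the VRF `blue` and its neighbor are constructed.

```python
# Added example (not from the tutorial): audit an IOS-style PE config for
# the controls this section calls for: a per-VRF route limit, a per-neighbor
# maximum-prefix, and neighbor authentication (password).
import re

# Constructed sample config: VRF "red" follows the slide; VRF "blue" lacks
# the route limit, and its neighbor has neither prefix limit nor password.
SAMPLE_CONFIG = """\
ip vrf red
 maximum routes 45 80
ip vrf blue
router bgp 13
 address-family ipv4 vrf red
  neighbor 140.0.250.2 remote-as 65001
  neighbor 140.0.250.2 password 7 PLACEHOLDER
  neighbor 140.0.250.2 maximum-prefix 45 80 restart 2
 address-family ipv4 vrf blue
  neighbor 140.0.251.2 remote-as 65002
"""


def parse_config(text):
    """Return ({vrf: has_max_routes}, {(vrf, neighbor): set(keywords)})."""
    vrfs, neighbors, vrf, af = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):          # top-level line ends any block
            vrf, af = None, None
        if m := re.match(r"ip vrf (\S+)$", line):
            vrf, vrfs[m.group(1)] = m.group(1), False
        elif vrf and line.startswith("maximum routes "):
            vrfs[vrf] = True
        elif m := re.match(r"address-family ipv4 vrf (\S+)$", line):
            af = m.group(1)
        elif af and (m := re.match(r"neighbor (\S+) (\S+)", line)):
            neighbors.setdefault((af, m.group(1)), set()).add(m.group(2))
    return vrfs, neighbors


def audit(text):
    """List findings as (vrf, neighbor or None, missing control)."""
    vrfs, neighbors = parse_config(text)
    findings = [(v, None, "maximum routes")
                for v, ok in sorted(vrfs.items()) if not ok]
    for (vrf, nbr), keywords in sorted(neighbors.items()):
        for control in ("maximum-prefix", "password"):
            if control not in keywords:
                findings.append((vrf, nbr, control))
    return findings
```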
Control of Routes from a BGP Peer: Logging
Key: PE Security
Operational Security
Issue: DoS Through a Shared PE Might Affect VPN Customer
[Figure: a PE shared between an Internet customer (global table) and a VPN customer (VRF CE1); a DoS attack from the Internet against the shared PE can affect the VPN customer]
Separate VPN and Internet Access
[Figure: Internet access via firewall/NAT and IDS, CE1 to PE1 (VRF Internet); VPN access via CE2 to PE2 (VRF VPN)]
• Separation: +++
• DoS resistance: +++
• Cost: $$$ (two lines and two PEs: expensive!)
[Figure: a CE behind a firewall/NAT connected to PE1 and the Internet]
Hub-and-Spoke VPN with Internet Access
[Figure: the hub site has a firewall/NAT and IDS in front of its CE; the CE connects to PE1 (VRF Internet) for Internet access and to PE2 (VRF VPN) for the VPN]
[Figure: extranet / Internet access shared between VRF A and VRF B through their CEs]
Alternative Topologies
Internet Provisioning on an MPLS Core
Two basic possibilities:
1. Internet in global table, either:
   1a) Internet-free core (using LSPs between PEs)
   1b) hop-by-hop routing
2. Internet in VRF: Internet carried as a VPN on the core
[Figure: an Internet service provider connects via an Internet CE to an Internet PE; VPN customers connect via customer PEs; P routers in between. Internet routes sit in the global routing table and are carried by LSP across the core; each customer VPN is in a VRF]
Internet in Global Routing Table Using LSPs Between PEs
• Default behavior, if Internet in global table!!
  On ingress PE: BGP next hop: egress PE loopback
  Next hop to egress usually has label!
  LSP is used to reach egress PE
  P routers do not need to know Internet routes (nor run BGP)
• Security consequence:
  PE routers are fully reachable from Internet, by default (bi-directional)
  P routers are also by default reachable from Internet; but only uni-directional, they don’t know the way back!
Internet in Global Routing Table: Hop-by-Hop Routing
[Figure: same topology, but the Internet routing table is in the global routing table of every router, including the P routers; each customer VPN is in a VRF]
Internet in a VRF
[Figure: same topology; the Internet routing table is no longer in the global routing table but in a VRF of its own, as each customer VPN is]
• Internet is a VPN on the core
  Full separation to other VPNs, and the core, by default!
  “Connection” Internet ↔ VPN (for service) must be specifically configured
• Security consequence:
  P routers not reachable from anywhere!
  PE routers only reachable on outbound facing interfaces
  Very limited access to core
  Much easier to secure
• But!!! Routes in a VRF take more memory!!
  Check feasibility of putting Internet into the VRF!!
  Plus other restrictions, convergence, etc.
Internet in a VRF: Recommendations
Alternatively: No Internet on the Core
• Pure MPLS VPN service considered “most secure”
• But what about VPNs’ private Internet connection?
[Figure: customers A and B, each in their own VRF across the core, also have their own private Internet connection from their CE to an Internet service provider]
  However, bandwidth usually limited and some firewall / control applied
Standard-based L3 IPVPN Interconnect
Inter-AS: What Are We NOT Trying to Achieve?
Inter-AS: Case A: VRF-VRF Back-to-Back
[Figure: customer CE1, PE1 and ASBR1 in AS 1; ASBR2, PE2 and CE2 in AS 2; the ASBRs are connected back-to-back per VRF]
• Static mapping
  Only IP interfaces
  SP1 does not “see” SP2’s network
  And does not run routing with SP2, except within the VPNs
  → Quite secure
• Potential issues:
  SP 1 can incorrectly connect VPNs (like in ATM/FR)
  Customer can flood routing table on PE (this is the same issue as in single-AS; solution: prefix limits)
Inter-AS: Case B: ASBRs Exchange Labelled VPNv4 Routes
[Figure: customer CE1, PE1 and ASBR1 in AS 1; ASBR2, PE2 and CE2 in AS 2; ASBR1 and ASBR2 exchange VPNv4 routes with labels over MP-eBGP]
Inter-AS Case C: ASBRs Exchange PE Loopbacks
[Figure: customer CE1, PE1 and ASBR1 in AS 1; ASBR2, PE2 and CE2 in AS 2; ASBR1 and ASBR2 exchange PE loopbacks with labels, while PE1 and PE2 exchange VPNv4 routes with labels directly]
Inter-AS Summary and Recommendation
• Three different models for Inter-AS
  Different security properties
  Most secure: Static VRF connections (case A), but least scalable
• Basically the SPs have to trust each other
  Hard/impossible to secure against other SP in this model
  But: Can monitor with flow monitoring
• Case B and C are okay if all ASes are in control of one SP
• Otherwise: Current Recommendation: Use case A
From RFC4364: Data Plane Protection
Carrier’s Carrier
[Figure: the carrier’s carrier core connects the two sites of a customer carrier. At each site a CsC-CE attaches to a CsC-PE; the customer carrier’s own CE1/PE1 and CE2/PE2 sit behind them and carry its customers’ IP data]
• Control Plane:
  CsC-PE assigns label to CsC-CE
• Data Plane:
  CsC-PE only accepts packets with this label on this interface
  → CsC-PE controls data plane, no spoofing possible
Carrier’s Carrier: Security
L2VPN Security
What the Standards Say
[Figure (VPWS): CE, attachment circuit, PE, PSN tunnel across the P routers (directed LDP), PE, attachment circuit, CE; together they form the private wire]
Virtual Private LAN Service (VPLS) Overview
• Network behaves as a switch
  Spanning Tree
  MAC address learning
  ARP, etc.
• → Examine threats to a switch to understand VPLS security
• VLAN “Hopping”
• MAC Attacks
• DHCP Attacks
• ARP Attack
• Spoofing Attacks
• Other Attacks
Best Practices for L2 Security
1. Always use a dedicated VLAN ID for trunk ports
2. Disable unused ports and put them in an unused VLAN
3. Use secure transmission when managing switches (SSH, OOB, permit lists)
4. Deploy port security
5. Set all host ports to non-trunking
6. ALWAYS use a dedicated VLAN for trunk ports
7. Avoid using VLAN 1
8. Have a plan for ARP security issues and implement it!!!
9. Use SNMP v3 to secure SNMP transmission
10. Use STP attack mitigation
11. Use MD5 authentication for VTP
12. Plan for and implement DHCP attack mitigation
13. Use private VLANs to better secure guest VLANs
14. Use and implement 802.1x to protect entry into your network
15. Consider using VACLs to limit access to key network resources…
Exposure to Customer
Exposure to SP
Therefore:
• PEs cannot be attacked on control plane (there is none to the outside)
• PEs may be overwhelmed on data plane (too much traffic to forward → DoS)
  This threat is identical to any other network
  Correct provisioning solves this issue
Threat Model
[Figure: threat model table with the columns Security Threats, Security Vulnerability and Description, along the path CE, PE, P, ASBR, ASBR, P, PE, CE]
Ways to Attack
[Figure: attack points on the CE-PE connection]
• Rest is the same as in other networks
Attacking a CE from MPLS (Other VPN)
• Is the CE reachable from the MPLS side?
  → only if this is an Internet CE, otherwise not (CE-PE addressing is part of VPN!)
• For Internet CEs:
  Same security rules apply as for any other access router
Attacking a PE Router
[Figure: a PE with loopback IP(PE; l0), a core-facing interface towards IP(P), interface fa0 (IP(PE; fa0)) towards CE1 in VRF CE1, interface fa1 (IP(PE; fa1)) towards CE2 in VRF CE2, and a VRF Internet. These are the attack points: they have to be secured, and can be secured!]
IPsec and MPLS
• Encryption of traffic
• Direct authentication of CEs
• Integrity of traffic
• Replay detection
Where to Apply IPsec
[Figure: CE, PE, PE, CE]
• IPsec CE-CE; application: VPN security
• IPsec PE-PE; application: special cases
• IPsec CE-PE; application: remote access into VPN
draft-ietf-l3vpn-ipsec-2547-05.txt: PE-PE IPsec in MPLS VPNs
[Figure: an IPsec tunnel between two PEs, with a VPN site on either side]
IPsec: PE-PE vs. CE-CE
Relevant Standardization
Summary
MPLS doesn’t provide:
• Protection against mis-configurations in the core
• Protection against attacks from within the core
• Confidentiality, authentication, integrity, anti-replay -> Use IPsec if required
• Customer network security
Thank you for attending the