MPLS VPN Security
Equivalent to the Security of
Frame Relay and ATM
Course Number
Presentation_ID
© 2000, Cisco Systems, Inc.
1
Agenda
• Introduction
• VPN Security today
• MPLS VPN Security
• Summary
MPLS VPN
[Diagram: CE routers for Customer A and Customer B connect to a PE router on each side of the MPLS core; each customer has a second CE router behind the far-side PE router.]
Miercom MPLS-VPN Security Test
• Miercom performed testing that proved that MPLS-VPNs have met or exceeded all of the security characteristics of a comparable Layer 2 based VPN such as Frame Relay or ATM.
Miercom MPLS-VPN Test
• Why did Cisco have Miercom do the test?
• Wanted an independent third party to perform the test
• Test was driven by customer requests to show MPLS-VPNs are secure
Agenda
• VPN Overview
• VPN Security today
• MPLS VPN Security
• Summary
Requirements of a Secure Network
• Address and routing separation must exist.
• The service provider core network should be hidden from the outside world.
• The network must be resistant to attacks.
Address and Routing Separation
• Address and routing separation
  • Between two non-intersecting VPNs the address spaces are entirely independent
  • Each end site in a VPN has a unique address for that VPN, and the routing spaces are entirely independent
Hiding the Core Network
• Hide the internal structure of the backbone:
  • There should be little or no visibility into the core from outside networks
  • The only information the customer should know is the minimum needed to allow service (DLCI, VPI/VCI)
Resistance to Attacks
• Resistance to attacks implies
  • Resistance to Denial of Service (DoS)
  • Resistance to intrusions and inability to gain unauthorized access
Security Today
• ATM and Frame Relay are considered relatively secure
• Customers’ traffic is transported over a common infrastructure
• Traffic is not encrypted
• Traffic is isolated
• Traffic is uniquely identified by VPI/VCI or DLCI
Address and Routing Separation
ATM and Frame Relay
• Traffic is switched based on VPI/VCI or DLCI
• Layer 3 information is never examined or changed
• All traffic is switched, not routed
Hiding the Service Provider Core
ATM and Frame Relay
• The only information that is shared between the provider and the customer is info about the customer’s VCs
  • DLCI or VPI/VCI
• The customer has no other knowledge of the service provider network
What do Customers see?
[Diagram: Customer A and Customer B sites attached to the provider’s Frame Relay switches; provider provisioning and network management sit inside the provider cloud, out of the customers’ view.]
Resistance to Attacks
ATM and Frame Relay
• With no Layer 3 information and barely any Layer 2 information about the provider network, what’s left to attack?
• DoS attack – the network switches ALL packets to the other side of the VC
• Intrusion attack – no Layer 3 availability
Attack in an ATM or Frame-Relay Network
[Diagram: Customer A wants to attack the local switch, or Customer B off the same switch; the traffic has no choice, it gets switched across the cloud to the far end of Customer A’s own VC. Provider provisioning and network management sit inside the provider cloud.]
ATM and Frame-Relay secure?
• Address and routing separation?
  • Yes – only Layer 2 info is examined
• Service Provider core hidden?
  • Yes – only minimal info about the core
• Resistant to attacks?
  • Yes – nothing really to attack
Agenda
• Introduction
• VPN Security today
• MPLS VPN Security
• Summary
MPLS VPN Security
• Questions that need to be answered:
  • How does routing stay separate?
  • How can addressing be separate?
  • How can the core network be hidden?
  • How vulnerable to DoS and intrusion attacks is the network?
Address and Routing Separation
MPLS VPN
• Address Separation
  • 64-bit route distinguisher (RD) added to each IPv4 route, ensuring uniqueness in the MPLS core
  • MP-BGP used to exchange these new VPN-IPv4 addresses across the core
[Figure: VPN-IPv4 address format: 64-bit RD followed by 32-bit IPv4 address = 96-bit VPN-IPv4 address]
Address and Routing Separation
MPLS VPN
• Routing Separation
  • These BGP routes are not redistributed into the core
  • PEs have independent routing tables for each VRF
How Miercom tested Address and Routing Separation
• A test bed was built involving three different VPNs, two of which use the same addressing space
• Every routing table was examined to verify no route leaking and route table independence
• Verified that traffic initiated from inside a VPN stayed inside that VPN
• Result: MPLS VPNs provide Address and Routing Separation
Miercom Test
[Diagram: Smartbits traffic generators attached to CE routers in three VPNs, Blue (10.2.2.2), Yellow (10.2.2.2) and Red (3.3.3.3), behind a single PE router. Traffic sent destined for 10.2.2.2 (Yellow) is received at the Yellow CE; no traffic is received at the Blue CE that carries the same address.]
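To make the address and routing separation described on the two slides above concrete, here is an added Python example (not from the Cisco deck or the Miercom report): a toy PE that builds 96-bit VPN-IPv4 keys from a 64-bit RD plus the IPv4 prefix, keeps one routing table per VRF, and replays the Blue/Yellow/Red test bed. The VRF names, the RD values 65000:1 to 65000:3 and the CE next-hop labels are constructed assumptions.

```python
import ipaddress
import struct

def vpnv4_key(rd_asn, rd_num, prefix):
    """96-bit VPN-IPv4 key: type-0 RD (2-byte type, 2-byte ASN, 4-byte number
    = 64 bits) followed by the 32-bit IPv4 network address."""
    net = ipaddress.ip_network(prefix, strict=False)
    rd = struct.pack("!HHI", 0, rd_asn, rd_num)             # 8 bytes
    return rd + int(net.network_address).to_bytes(4, "big")  # 12 bytes

class ToyPE:
    """Toy PE: one routing table per VRF plus one RD-keyed VPN-IPv4 table
    (the MP-BGP view). All VRFs, RDs and prefixes used here are constructed."""
    def __init__(self):
        self.vrfs = {}    # vrf name -> {"rd": (asn, num), "routes": {net: next hop}}
        self.vpnv4 = {}   # 96-bit VPN-IPv4 key -> (vrf, next hop)

    def add_vrf(self, name, rd_asn, rd_num):
        self.vrfs[name] = {"rd": (rd_asn, rd_num), "routes": {}}

    def add_route(self, vrf, prefix, next_hop):
        net = ipaddress.ip_network(prefix, strict=False)
        self.vrfs[vrf]["routes"][net] = next_hop
        asn, num = self.vrfs[vrf]["rd"]
        # The RD keeps overlapping customer prefixes distinct in the core table.
        self.vpnv4[vpnv4_key(asn, num, prefix)] = (vrf, next_hop)

    def lookup(self, ingress_vrf, dst):
        """Longest-match lookup confined to the ingress VRF: a packet from one
        VPN can never match a route that belongs to another VRF."""
        addr = ipaddress.ip_address(dst)
        routes = self.vrfs[ingress_vrf]["routes"]
        matches = [n for n in routes if addr in n]
        return routes[max(matches, key=lambda n: n.prefixlen)] if matches else None

def miercom_style_check():
    """Rebuild the three-VPN test bed (Blue and Yellow share 10.2.2.0/24)
    and forward traffic for 10.2.2.2 from each VPN."""
    pe = ToyPE()
    for name, num in (("Blue", 1), ("Yellow", 2), ("Red", 3)):
        pe.add_vrf(name, 65000, num)
    pe.add_route("Blue", "10.2.2.0/24", "CE-Blue")
    pe.add_route("Yellow", "10.2.2.0/24", "CE-Yellow")
    pe.add_route("Red", "3.3.3.0/24", "CE-Red")
    return {
        "vpnv4_entries": len(pe.vpnv4),                  # 3: RD makes both 10.2.2.0/24 distinct
        "from_yellow": pe.lookup("Yellow", "10.2.2.2"),  # reaches Yellow's 10.2.2.2
        "from_blue": pe.lookup("Blue", "10.2.2.2"),      # reaches Blue's own site
        "from_red": pe.lookup("Red", "10.2.2.2"),        # no route in Red: dropped
    }
```

The lookup never consults another VRF's table, which is the property the Miercom route-table inspection and the 10.2.2.2 traffic test were verifying.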
Hiding the Service Provider Core
MPLS VPN
• The interface to the VPNs is BGP, so there is no need to reveal any info about the core
• Info is only required when a routing protocol is run between the CE and PE
• If that is not desired, use a static route to an interface
• Turn off MPLS traceroute
  • no tag-switching ip propagate-ttl
Diagram of what can be seen in the MPLS core
[Diagram: CE routers for Customer A and Customer B attached to PE routers on either side of the MPLS core. The addressing of the WAN links between the CEs and PEs can be seen, but only by those in the same VRF. There is no other visibility into the core network.]