
MPLS Security
5th Annual MCWG Forum – October 16-20, 2006

Tuesday, October 17, 2006

Harmen van der Linde
Product Manager – MPLS
Cisco - NSSTG
havander@cisco.com

Contributions By: Michael Behringer, Monique Morrow


Topics

  • Multi-Protocol Label Switching (MPLS)

  • MPLS Security Overview

  • Framework

  • Risks and Deployment

  • Feature Set

  • Conclusions



Multi-Protocol Label Switching

Technology Overview

Network Architecture

MPLS Security


Packet Network Evolution

1995 - 1996: IP over ATM Challenge

1996 - 2002: MPLS Innovation and Deployment

2002 and Beyond: Widespread MPLS Deployments

Technology Evolution

  • IP + ATM Integration

  • Cell Switching Routers

  • IP/Tag Switching

  • IETF Efforts

  • Traffic Engineering

  • MPLS VPNs

  • Fast Reroute

  • Any Transport over MPLS (AToM)

  • Multi-Service Edge

  • MPLS High Availability with SSO/NSF/FRR

  • MPLS + IPSec

  • MPLS VPN and multicast

Service Evolution

  • Traditional ATM/FR

  • Internet access

  • Remote access VPNs

  • MPLS VPN services with full mesh and Hub & Spoke connectivity

  • QoS Offerings – 2 to 5 Classes

  • Network Convergence – Many Services on converged MPLS core network

  • Triple-play service convergence


Multi-Protocol Label Switching (MPLS)

  • Established network infrastructure technology

    • Service provider networks and large enterprise networks

  • Two functional layers in MPLS architecture

    • Control plane

    • Forwarding plane

  • MPLS control plane

    • Distributes labels and establishes label switched paths

    • Multiple control protocols; LDP, BGP, and RSVP-TE

  • MPLS forwarding plane

    • Used for MPLS labeled data packet forwarding

  • MPLS Applications

    • Layer-3 VPNs, Layer-2 VPNs, Traffic Engineering (TE)


MPLS Network Architecture

1. At Ingress Edge (PE):

  • Label imposition: Classify & Label packets

2. In the Core (P):

  • Label swapping or switching: Forward using labels (not IP addr); label indicates service class and destination

3. At Egress Edge (PE):

  • Label disposition: Remove labels and forward packets

Diagram: Customer A and Customer B sites attach to PE routers at each edge; P routers form the core between the PEs.

  • Provider Edge (PE): Edge Label Switch Router OR (ATM Switch/Router)

  • Label Switch Router (LSR) or P (Provider) router: Router OR ATM switch + label switch controller


MPLS Security

Diagram: MPLS Security shown alongside MPLS High Availability and MPLS Management.



MPLS Security Overview

Overview and Scope

Cisco IP NGN

Market Drivers and Positioning


MPLS Security

  • Protection mechanisms for MPLS-specific network resources

    • Protection of MPLS forwarding and signaling

  • MPLS security protection areas

    • MPLS node access and resiliency

    • Integrity and privacy of MPLS VPN service traffic

  • Focus areas in MPLS network infrastructure

    • MPLS core (Label between PE pairs)

    • MPLS service edge (PE-CE link)

    • MPLS network interconnect (Inter-AS/SP)

  • Incremental value-add and integral part of scalable and robust MPLS technology solution


Scope

  • Focus on security capabilities for MPLS-specific network resources

    • Protection of MPLS forwarding and signaling

  • Incremental security functionality to existing MPLS functions

  • Use of existing device and IP-level security capabilities assumed for basic level of security

    • CLI passwords, TACACS, ACLs, Firewalls, etc.

  • Leverage existing security capabilities of lower layer protocols where possible

    • Instead of replication of functionality focus on integration of MPLS with existing security capabilities

      • For example, LDP use of TCP MD5 authentication capabilities


Cisco IP NGN – Secure Network Layer

Diagram (layers, bottom to top):

  • Network Layer: Customer Element, Access/Aggregation, Intelligent Edge, Multiservice Core, Transport, Mobility; MPLS Security spans the MPLS Service Edge, MPLS Network Inter-connect, and MPLS Core

  • Service Layer: Service Exchange (Identity, Policy, Billing, Self Service); Open Framework for Enabling ‘Triple Play on the Move’ (Data, Voice, Video, Mobility)

  • Application Layer: Presence-Based Telephony, IP Contact Center, Data Center, Web Services, Mobile Apps, Gaming

  • Operational Layer and Intelligent Networking alongside all layers


MPLS Security Evolution

1996 - 2002: Initial MPLS Deployments

2002 - 2005: Large & Widespread MPLS Deployments

2005 and Beyond: Next-Generation MPLS Deployments

Challenges

  • Service Provider MPLS technology adoption

  • Code features and stability

  • MPLS scale and enhanced features

  • Enterprise MPLS technology adoption

  • Manageability and operations

  • Complexity of new enhanced services (Extranets, mcast)

  • MPLS network convergence

  • MPLS network inter-connects

Security Focus

  • MPLS as a secure technology replacement for legacy Layer-2 technologies (FR/ATM)

  • Inter-AS MPLS network connects

  • New RFP compliance requirements

  • Enterprise network security

  • Increasing service configuration complexity

  • New security requirements for support of converged triple play services



Concerns and Goals

  • Service Provider Market Segment

    • Concerns: Unauthorized customer VPN access; Public Internet traffic access/impact on private MPLS VPNs

    • Goals: Customer VPN traffic separation; Public Internet and private VPN traffic separation

  • Enterprise Market Segment

    • Concerns: Unauthorized access to internal user VPNs; Public Internet traffic access/impact on private LAN traffic

    • Goals: User group VPN traffic separation; WAN and extranet VPN traffic separation and privacy

  • Federal Market Segment

    • Concerns: Unauthorized access to internal user VPNs; WAN/public Internet traffic access/impact on private LAN traffic

    • Goals: User group VPN traffic separation; WAN and VPN traffic separation and privacy



MPLS Security Framework

Service Provider View

Enterprise View

Threat Model



MPLS Security Framework

Diagram: the MPLS Network is the Trusted Zone; External Networks attach through External Network Interfaces.

  • Control Plane

    • MPLS core signaling: LDP, RSVP, and BGP

    • MPLS edge signaling: BGP, LDP, RIP, OSPF

  • Forwarding Plane

    • MPLS packet forwarding (core)

    • IP or MPLS packet forwarding (external network interface)


MPLS Security – Service Provider View

Diagram: the MPLS Network is the Trusted Zone; a Customer Network attaches through the External Service Interface and a Peer SP Network through the External Network Connect Interface.

  • MPLS Edge Security

    • Security for VPN service interface

    • Focus on control plane access and resources on PE router

  • MPLS Core Security

    • Security for end-to-end (PE-PE) MPLS traffic integrity

    • Focus on MPLS packet forwarding

  • MPLS Inter-AS Security

    • Security for network interconnect interface

    • Focus on data/control plane access on ASBR


MPLS Security – Enterprise View

Diagram: the enterprise MPLS Network is the Trusted Zone; an Extranet Customer Network attaches through the Extranet Service Interface and the SP MPLS Network through the External WAN Interface.

  • Extranet Edge Security

    • Security of extranet VPN interface

    • Focus on data/control plane access across interface with partner

  • MPLS Core Security

    • Security for end-to-end (PE-PE) MPLS traffic integrity

    • Focus on MPLS traffic segmentation

  • WAN Edge Security

    • Security of WAN interface with SP

    • Focus on data/control plane access across PE-CE link with SP


Security Threats

Diagram: threat locations across a CE – PE – P – ASBR – ASBR – P – PE – CE topology.



MPLS Security – Risks and Deployment

Security Risk

MPLS Deployment Scenarios

Network Complexity versus Capital Costs


MPLS Security and Risks

  • MPLS security associated with MPLS deployment and risk

    • Risk of MPLS design or configuration error

  • MPLS deployment components

    • Network design, implementation, and operation

  • Basic risk components

    • Security vulnerability event

    • Probability of event

    • Impact of event

  • MPLS security focused on mitigating potential security vulnerability events

    • Minimizing probability and associated impacts of potential events


MPLS Deployment Framework

  • Network Design

  • Network Implementation

    • Set up and configuration of security policies and commands in MPLS network

  • Network Operation

    • Monitor and analyze network anomalies, which could indicate a security attack


MPLS Deployment Risk

  • MPLS network deployment complexity level determines perceived security risks

    • More complexity requires more detailed design, and associated network implementation and operation

    • More complexity increases the possibility of design and configuration errors

  • Influencing factors of MPLS deployment complexity

    • Network architecture (e.g., physical vs. logical separation)

    • Networking services run on top of MPLS network

  • Types of networking services

    • Public IP services (Internet)

    • Private (VPN) connectivity services


Public and Private Connectivity Services

  • Public IP Connectivity Services

    • Service Characteristics: Access to the Internet; Connectivity to anybody anywhere on the Internet; Best effort traffic

    • Business Focus: Focus on ubiquitous IP connectivity; General public access to web sites, email, etc.

    • Examples: at&t: Managed Internet Service (MIS); Sprint Nextel: Internet Access; Verizon Business: Dedicated Internet Access

  • Private IP VPN Connectivity Services

    • Service Characteristics: Connectivity to selective set of end-nodes connected to same VPN; QoS support

    • Business Focus: Focus on secure and reliable connectivity; Service Level Agreements (SLAs)

    • Examples: at&t: IPeFR, eVPN; Masergy: Private IP; Sprint Nextel: MPLS VPN; Verizon Business: Private IP


MPLS Deployment Scenarios

  • Shared MPLS Core & Edge

    • Single MPLS core for both public IP and private VPN traffic

    • Optional BGP/Internet free core

    • Public/Private PE routers terminate both public IP and private VPN connections

  • Shared MPLS Core & Separate Edge

    • Single MPLS core for both public IP and private VPN traffic

    • Optional BGP/Internet free core

    • Dedicated Public PE and Private PE routers used for termination of public IP and private VPN connections

  • Separate MPLS Core & Edge

    • Separate MPLS cores for public IP and private VPN traffic

    • Optional BGP/Internet free core

    • Dedicated Public PE and Private PE routers used for termination of public IP and private VPN connections


Current MPLS Deployments

  • Internal survey of key SP customers on deployment of public and private MPLS services

    • Separate MPLS core & edge

    • Shared MPLS core & separate edge

    • Shared MPLS core & edge

  • No common MPLS deployment preference

    • Balanced distribution of various MPLS deployment scenarios

Source: Internal 2006 MPLS Security Survey by Michael Behringer.


Future MPLS Deployment Plans

  • Future MPLS deployment plans indicate increasing network consolidation

    • Increasing number of shared MPLS core deployments

  • Common MPLS core for public and private services

  • Migration of both public and private services onto single MPLS edge

Source: Internal 2006 MPLS Security Survey by Michael Behringer.


Network Complexity versus Capital Costs

Diagram: Network Complexity (Risk) plotted against Capital Costs for the three deployment scenarios, from Logical Separation to Physical Separation.

  • Shared MPLS Core & Edge (Public/Private PE): Logical Separation

  • Shared MPLS Core & Separate Edge (Public PE and Private PE on one MPLS Core)

  • Separate MPLS Core & Edge (Public PE and Private PE on separate MPLS Cores): Physical Separation

MPLS security mechanisms enable secure logical separation of MPLS traffic forwarding and signaling; simplifications for implementing MPLS security mechanisms reduce MPLS deployment risks.

Goal: Lower cost MPLS deployments with reduced complexity and increased resiliency


MPLS Security Features

Core Network Security

Service Edge Security

Network Inter-Connect Security


Feature Portfolio

Feature areas by security focus:

  • MPLS Core

    • MPLS VPN traffic separation

    • Network Topology hiding

    • MPLS control plane protection

    • MPLS traffic forwarding

    • MPLS packet TTL hiding

    • Control plane session authentication

  • MPLS Service Edge

    • VPN address space separation and route control

    • PE-CE link control plane access

    • Control plane policing

    • VPN route control

    • BGP session prefix filtering and control

    • Control plane session authentication

  • MPLS Network Inter-Connect

    • MPLS VPN traffic separation

    • ASBR link control plane protection

    • Control plane policing

    • VPN route control

    • Control plane session authentication


MPLS Security – Core Network

Diagram: MPLS Core Network Security. PE routers and P routers inside the MPLS Core Network, with LDP sessions between them and iBGP sessions from the PE routers to a BGP Route Reflector.


Infrastructure Access-Lists (ACLs)

  • Example:

    deny ip any 1.1.1.0 0.0.0.255
    permit ip any any

  • Caution: This also blocks packets to the CE’s!

    • Alternatives: List all PE interfaces in ACL or use secondary interface on CE

Diagram: four PE-CE VPN links numbered 1.1.1.0/30, 1.1.1.4/30, 1.1.1.8/30 and 1.1.1.12/30, with the PE at .1 and the CE at .2 on each link. This Is VPN Address Space, Not Core!
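An added example, not part of the presentation, that evaluates the slide's ACL the way IOS would (first match wins, implicit deny at the end) against the addresses in the diagram: the wildcard entry for 1.1.1.0/24 denies the CE addresses as well as the PE addresses, whereas the alternative of listing each PE interface as a host entry denies only the PE side. The outside source address is a constructed value.

```python
import ipaddress

# Constructed from the slide diagram: four PE-CE /30 links; on each, the PE
# holds .1 and the CE holds .2. All of 1.1.1.0/24 is VPN address space.
LINKS = [ipaddress.ip_network(n) for n in
         ("1.1.1.0/30", "1.1.1.4/30", "1.1.1.8/30", "1.1.1.12/30")]
PE_ADDRS = [str(net[1]) for net in LINKS]   # 1.1.1.1, 1.1.1.5, 1.1.1.9, 1.1.1.13
CE_ADDRS = [str(net[2]) for net in LINKS]   # 1.1.1.2, 1.1.1.6, 1.1.1.10, 1.1.1.14


def _parse_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # A wildcard mask has 1 bits for "don't care"; invert it to get a netmask.
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    netmask = str(ipaddress.IPv4Address(~wildcard & 0xFFFFFFFF))
    return ipaddress.ip_network((tokens[0], netmask), strict=False), tokens[2:]


def parse_ace(line):
    """Parse 'permit|deny ip <src> <dst>' into (action, src_net, dst_net)."""
    tokens = line.split()
    if tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
        raise ValueError("unsupported ACE: " + line)
    src, rest = _parse_addr(tokens[2:])
    dst, rest = _parse_addr(rest)
    if rest:
        raise ValueError("trailing tokens in ACE: " + line)
    return tokens[0], src, dst


def acl_decision(acl_lines, src, dst):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl_lines:
        action, src_net, dst_net = parse_ace(line)
        if src_ip in src_net and dst_ip in dst_net:
            return action
    return "deny"


def blocked_destinations(acl_lines, dests, src="192.0.2.10"):
    """Destinations the ACL denies for one outside source (a constructed address)."""
    return [d for d in dests if acl_decision(acl_lines, src, d) == "deny"]


# The slide's ACL: one wildcard entry covering the whole /24, so CEs are hit too.
SLIDE_ACL = ["deny ip any 1.1.1.0 0.0.0.255", "permit ip any any"]
# The slide's first alternative: deny only the PE interface addresses.
PE_ONLY_ACL = ["deny ip any host " + a for a in PE_ADDRS] + ["permit ip any any"]
```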


Best Practices – MPLS Core Security

  • Dedicated management access to P and PE routers

    • Out-of-band or in-band

  • Use AAA for device access

  • Use command authorization where possible

  • Logging device configuration changes

    • Limited access to logging facility

    • Keep logs in a secure place

    • Malicious employee might change logs too

  • Use access-control list on PE routers for blocking any potential external traffic

  • Option to use MD5 authentication for LDP

    • May be required as part of security conformance policies


MPLS Security – Service Edge

Diagram: MPLS Service Edge Security. CE routers in the Customer Edge Network connect to PE routers in the MPLS Edge Network over eBGP sessions; PE and P routers in the MPLS Core Network run LDP sessions, with iBGP sessions from the PE routers to a BGP Route Reflector.


Controlling VPN Route Maximum

Potential Security Vulnerability:

  • Injection of too many routes into VPN table (VRF)

    • Potential memory overflow

    • Potential (control plane) DoS attack

Protection Mechanism:

  • Specify maximum number of VPN routes for VPN route table (VRF)

    ip vrf vpn01
     maximum routes 500 80

Diagram: VPN routing table (VRF) configured with a maximum of 500 VPN prefixes; send warning message when 80% (400) threshold is reached.


Controlling BGP Prefix Maximum

Potential Security Vulnerability:

  • Injection of too many BGP prefix updates

    • Potential memory overflow

    • Potential (control plane) DoS attack

Protection Mechanism:

  • Specify maximum number of BGP prefixes for a specific BGP neighbor session

    router bgp 10
     neighbor 140.0.250.2 maximum-prefix 500 80 restart 2

Diagram: remote BGP neighbor; accept a maximum of 500 BGP prefixes and reset the BGP session if more are received; restart the BGP session after 2 minutes; send warning message when 80% (400) threshold is reached.
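An added example, not from the presentation, modelling the two limits configured on this slide and the previous one: 'maximum routes 500 80' on the VRF and 'neighbor ... maximum-prefix 500 80 restart 2' on the BGP session. The warning threshold, the reject or session-reset behaviour and the restart timer follow the slide text; the prefixes and the minute counter are constructed values, and the classes are a model, not the IOS implementation.

```python
class VrfRouteLimit:
    """'ip vrf <name>' / 'maximum routes <max> <warn%>' as modelled here:
    warn once at the threshold, reject routes beyond the maximum."""

    def __init__(self, name, maximum, warn_percent):
        self.name, self.maximum = name, maximum
        self.warn_at = maximum * warn_percent // 100  # 500, 80 -> 400
        self.routes, self.log = set(), []

    def add_route(self, prefix):
        if prefix in self.routes:
            return True
        if len(self.routes) >= self.maximum:
            self.log.append("%s: maximum %d routes reached, %s rejected"
                            % (self.name, self.maximum, prefix))
            return False
        self.routes.add(prefix)
        if len(self.routes) == self.warn_at:
            self.log.append("%s: warning, %d routes" % (self.name, self.warn_at))
        return True

class BgpPrefixLimit:
    """'neighbor <ip> maximum-prefix <max> <warn%> restart <min>' as modelled here:
    warn at the threshold, reset the session above the maximum, restart after <min> minutes."""

    def __init__(self, neighbor, maximum, warn_percent, restart_minutes):
        self.neighbor, self.maximum = neighbor, maximum
        self.warn_at = maximum * warn_percent // 100
        self.restart_minutes = restart_minutes
        self.prefixes, self.log = set(), []
        self.state, self.down_since = "Established", None

    def receive_update(self, prefix, now):
        """Handle one prefix received at minute 'now'; True if it was accepted."""
        if self.state != "Established":
            return False
        self.prefixes.add(prefix)
        count = len(self.prefixes)
        if count == self.warn_at:
            self.log.append("%s: warning, %d prefixes" % (self.neighbor, count))
        if count > self.maximum:
            self.log.append("%s: maximum-prefix %d exceeded, session reset"
                            % (self.neighbor, self.maximum))
            self.state, self.down_since = "Idle", now
            self.prefixes.clear()
            return False
        return True

    def tick(self, now):
        """Bring the session back up once the restart interval has elapsed."""
        if self.state == "Idle" and now - self.down_since >= self.restart_minutes:
            self.state, self.down_since = "Established", None
            self.log.append("%s: session restarted at minute %d" % (self.neighbor, now))
        return self.state

def flood(accept, count):
    """Offer 'count' constructed /24 prefixes to 'accept'; return how many got in."""
    return sum(bool(accept("10.%d.%d.0/24" % (i // 256, i % 256))) for i in range(count))
```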


MPLS VPN Configuration

Reduce potential MPLS VPN configuration errors via automation of service configuration and validation on PE routers


MPLS Network Monitoring


Best Practices – MPLS Edge Security

  • Access-list configuration of PE routers

    • Disable external traffic destined to MPLS core or edge nodes

  • Control plane traffic filtering on PE routers

    • Control Plane Policing (CoPP)

  • Disable selective control plane protocols on VRF-enabled interfaces

    • E.g., disable SNMP, CDP access for CE routers

  • Configuration of max allowable VRF routes

  • Configuration of max number of BGP prefix updates per eBGP peer

  • In case dynamic routing is configured across the PE-CE link, option to use MD5-based BGP session authentication

    • May be required as part of security conformance policies


MPLS Security – Network Inter-Connect

Diagram: MPLS Network Connect Security. An ASBR router in the MPLS Edge Network peers over an eBGP session with the ASBR router of an External MPLS Network; PE and P routers in the MPLS Core Network run LDP sessions, with iBGP sessions to a BGP Route Reflector.


Wrap-up

IETF References

Conclusions


IETF

  • IETF L3VPN Working Group:

    • Working on Layer 3 VPN architectures, such as MPLS IP VPNs, IP VPNs using virtual routers, and IPsec VPNs

    • http://www.ietf.org/html.charters/l3vpn-charter.html

  • IETF L2VPN Working Group:

    • Working on Layer 2 VPN architectures, such as VPLS and VPWS

    • http://www.ietf.org/html.charters/l2vpn-charter.html

  • RFC4381

    • Analysis of MPLS VPN Security

  • RFC2196

    • Site Security Handbook

  • RFC2385

    • Protection of BGP Sessions via the TCP MD5 Signature Option

  • RFC3013

    • Recommended Internet Service Provider Security Services and Procedures


Conclusions

  • MPLS security covers protection mechanisms for MPLS forwarding and signaling

  • MPLS security requires holistic approach including network design, implementation, and operation

  • Level of MPLS network deployment complexity determines perceived network security risks

  • Growing importance of MPLS security as a result of network and service convergence