Cisco Systems OL-4344-01 manual Securing the Mpls Core, Trusted Devices, PE-CE Interface

Page 25

Chapter 1 About Cisco IP Solution Center

Security Requirements for MPLS VPNs

For security reasons, a PE router should never accept a packet with a label from a CE router. Cisco routers implementation is such that packets that arrive on a CE interface with a label are dropped. Thus, it is not possible to insert fake labels because no labels are accepted.

There remains the possibility to spoof the IP address of a packet that is being sent to the MPLS core. However, since there is strict addressing separation within the PE router, and each VPN has its own VRF, this can only do harm to the VPN the spoofed packet originated from, in other words, a VPN customer can attack himself. MPLS does not add any security risk here.

Securing the MPLS Core

The following is a list of recommendations and considerations on configuring an MPLS network securely.

Note The security of the overall solution depends on the security of its weakest link. This could be the weakest single interconnection between a PE and a CE, an insecure access server, or an insecure TFTP server.

Trusted Devices

The PE and P devices, as well as remote access servers and AAA servers must be treated as trusted systems. This requires strong security management, starting with physical building security and including issues such as access control, secure configuration management, and storage. There is ample literature available on how to secure network elements, so these topics are not discussed here in more detail.

CE routers are typically not under full control of the service provider and must be treated as “untrusted.”

PE-CE Interface

The interface between PE and CE routers is crucial for a secure MPLS network. The PE router should be configured as close as possible. From a security point of view, the best option is to configure the interface to the CE router unnumbered and route statically.

Packet filters (Access Control Lists) should be configured to permit only one specific routing protocol to the peering interface of the PE router, and only from the CE router. All other traffic to the router and the internal service provider network should be denied. This avoids the possibility that the PE and P routers can be attacked, since all packets to the corresponding address range are dropped by the PE router. The only exception is the peer interface on the PE router for routing purposes. This PE peer interface must be secured separately.

If private address space is used for the PE and P routers, the same rules with regard to packet filtering apply—it is required to filter all packets to this range. However, since addresses of this range should not be routed over the Internet, it limits attacks to adjacent networks.

Routing Authentication

All routing protocols should be configured with the corresponding authentication option toward the CEs and toward any Internet connection. Specifically: BGP, OSPF, and RIP2. All peering relationships in the network need to be secured this way:

CE-PE link: use BGP MD-5 authentication

Cisco IP Solution Center, 3.0: MPLS VPN Management User Guide, 3.0

 

OL-4344-01

1-25

 

 

 

Image 25
Contents About Cisco IP Solution Center ISC Network Management Subnet Overview of ISCISC Features Service Provider Network for Vlan ID Management Resource Pools Access Domain AssignedVPN Service Profile-Based Provisioning Features and Functions Provided in Provisioning with ISCRole-Based Access Control Rbac CPE Customer’s View of the Network Customer’s and Provider’s View of the NetworkAbout Multi-VRF CEs About Provider Edge Routers PEsA Multi-VRF CE Providing Layer 3 Aggregation Mapping IPsec Tunnels to Mpls VPNs Using Templates to Customize Configuration FilesUses for the Template Function Auditing Service RequestsVPNs Sharing Sites About Mpls VPNsIntranets and Extranets Characteristics of Mpls VPNsVPN Routing and Forwarding Tables VRFs Ip vrf site2 rd VRF Implementation ConsiderationsRoute Distinguishers and Route Targets Creating a VRF InstanceCE Routing Communities Route Target CommunitiesHub and Spoke Considerations Address Space and Routing Separation Security Requirements for Mpls VPNsAddress Space Separation Routing SeparationHiding the Mpls Core Structure Securing the Routing Protocol Resistance to AttacksLabel Spoofing Securing the Mpls Core Routing AuthenticationTrusted Devices PE-CE InterfaceSeparation of CE-PE Links LDP AuthenticationConnectivity Between VPNs Security Through IP Address Resolution MP-BGP Security FeaturesEnsuring VPN Isolation North Bound Interface NBIAPI Functionality Supported NBI Benefits Distributed Load BalancingAPI Approach 11 Simple Flat-Based Server Load Balancing Configuration Client tier Four-Tier System ArchitectureControl tier