Chapter 1 About Cisco IP Solution Center
Security Requirements for MPLS VPNs
Security Requirements for MPLS VPNs
This section discusses the security requirements for MPLS VPN architectures. This section concentrates on protecting the core network against attacks from the “outside,” that is, the Internet and connected VPNs. Protection against attacks from the “inside,” that is, when an attacker has logical or physical access to the core network is not discussed here, since any network can be attacked with access from the inside.
Address Space and Routing Separation
Between two
•Any VPN must be able to use the same address space as any other VPN.
•Any VPN must be able to use the same address space as the MPLS core.
•Routing between any two VPNs must be independent.
•Routing between any VPN and the core must be independent.
Address Space Separation
From a security point of view, the basic requirement is to avoid that packets destined to a host a.b.c.d within a given VPN reach a host with the same address in another VPN or the core.
MPLS allows distinct VPNs to use the same address space, which can also be private address space. This is achieved by adding a
In the case of using routing protocols between CE and PE routers (for static routing this is not an issue), there is one
Routing Separation
Routing separation between the VPNs can also be achieved. Every PE router maintains a separate Virtual Routing and Forwarding instance (VRF) for each connected VPN. Each VRF on the PE router is populated with routes from one VPN, through statically configured routes or through routing protocols that run between the PE and the CE router. Since every VPN results in a separate VRF, there are no interferences between the VPNs on the PE router.
Across the MPLS core to the other PE routers, this routing separation is maintained by adding unique VPN identifiers in
Cisco IP Solution Center, 3.0: MPLS VPN Management User Guide, 3.0
|
| ||
|
|