1-22
Cisco IP Solution Center, 3.0: MPLS VPN Management User Guide, 3.0
OL-4344-01
Chapter1 About Cisco IP Solution Center
Security Requirements for MPLS VPNs
Given addressing and routing separation across an MPLS core network, MPLS offers in this respect the
same security as comparable Layer 2 VPNs, such as ATM or Frame Relay. It is not possible to intrude
into other VPNs through the MPLS core, unless this has been configured specifically.
Hiding the MPLS Core StructureThe internal structure of the MPLS core network (PE and Provider router devices) should not be visible
to outside networks (either the Internet or any connected VPN). While a breach of this requirement does
not lead to a security problem itself, it is generally advantageous when the internal addressing and
network structure remains hidden to the outside world. The ideal is to not reveal any information of the
internal network to the outside. This applies equally to the customer networks as to the MPLS core.
Denial-of-service attacks against a core router, for example, are much easier to carry out if an attacker
knows the IP address. Where addresses are not known, they can be guessed, but when the MPLS core
structure is hidden, attacks are more difficult to make. Ideally, the MPLS core should be as invisible to
the outside world as a comparable Layer 2 infrastructure (for example, Frame Relay or ATM).
In practice, a number of additional security measures have to be taken, most of all extensive packet
filtering. MPLS does not reveal unnecessary information to the outside, not even to customer VPNs. The
addressing in the core can be done with either private addresses or public addresses. Since the interface
to the VPNs, as well as potentially to the Internet, is BGP, there is no need to reveal any internal
information. The only information required in the case of a routing protocol between a PE and CE is the
address of the PE router. If this is not desired, you can configure static routing between the PE and CE.
With this measure, the MPLS core can be kept completely hidden.
To ensure reachability across the MPLS cloud, customer VPNs will have to advertise their routes as a
minimum to the MPLS core. While this could be seen as too open, the information known to the MPLS
core is not about specific hosts, but networks (routes); this offers some degree of abstraction. Also, in a
VPN-only MPLS network (that is, no shared Internet access), this is equal to existing Layer 2 models,
where the customer has to trust the service provider to some degree. Also in a Frame Relay or ATM
network, routing information about the VPNs can be seen on the core network.
In a VPN service with shared Internet access, the service provider typically announces the routes of
customers that wish to use the Internet to his upstream or peer providers. This can be done via a network
address translation (NAT) function to further obscure the addressing information of the customers’
networks. In this case, the customer does not reveal more information to the general Internet than with
a general Internet service. Core information is not revealed at all, except for the peering addresses of the
PE router) that hold the peering with the Internet.
In su mmar y, in a pure MPLS VPN s ervi ce, w here no Internet access is provided, the level of information
hiding is as good as on a comparable Frame Relay or ATM network—no addressing information is
revealed to third parties or the Internet. If a customer chooses to access the Internet via the MPLS core,
he will have to reveal the same addressing structure as for a normal Internet service. NAT can be used
for further address hiding.
If an MPLS network has no interconnections to the Internet, this is equal to Frame Relay or ATM
networks. With Internet access from the MPLS cloud, the service provider has to reveal at least one
IP address (of the peering PE router) to the next provider, and thus the outside world.