Cisco Systems OL-4344-01 Resistance to Attacks

1-23

Cisco IP Solution Center, 3.0: MPLS VPN Management User Guide, 3.0

OL-4344-01

Chapter1 About Cisco IP Solution Center

Security Requirements for MPLS VPNs

Resistance to Attacks

It is not possible to directly intrude into other VPNs. However, it is possible to attack the MPLS core,

and try to attack other VPNs from there. There are two basic ways the MPLS core can be attacked:

•Attacking the PE routers directly.

•Attacking the signaling mechanisms of MPLS (mostly routing)

There are two basic types of attacks: denial-of-service (DoS) attacks, where resources become

unavailable to authorized users, and intrusion attacks, where the goal is to gain unauthorized access to

resources.

For intrusion attacks, give unauthorized access to resources, there are two basic ways to protect the

network:

•Harden protocols that could be abused (for example, Telnet to a router)

•Make the network as inaccessible as possible. This is achieved by a combination of filtering packets

or employing firewalls and hiding the IP addresses in the MPLS core.

Denial-of service attacks are easier to execute, since in the simplest case, a known IP address might be

enough to attack a machine. The only way to be certain that you are not be vulnerable to this kind of

attack is to make sure that machines are not reachable, again by packet filtering and pinging IP addresses.

MPLS networks must provide at least the same level of protection against both forms of attack as current

Layer 2 networks provide.

To attack an element of an MPLS network it is first necessary to know this element, that is, its IP address.

It is possible to hide the addressing structure of the MPLS core to the outside world, as discussed in the

previous section. Thus, an attacker does not know the IP address of any router in the core that he wants

to attack. The attacker could guess addresses and send packets to these addresses. However, due to the

address separation of MPLS, each incoming packet is treated as belonging to the address space of the

customer. It is therefore impossible to reach an internal router, even through guessing the IP addresses.

There is only one exception to this rule—the peer interface of the PE router.

The routing between the VPN and the MPLS core can be configured two ways:

1. Static. In this case, the PE routers are configured with static routes to the networks behind each CE,

and the CEs are configured to statically point to the PE router for any network in other parts of the

VPN (usually a default route).

The static route can point to the IP address of the PE router, or to an interface of the CE router (for

example, serial0).

Although in the static case the CE router does not know any IP addresses of the PE router, it is still

attached to the PE router via some method, and could guess the address of the PE router and try to

attack it with this address.

In the case of a static route from the CE router to the PE router, which points to an interface, the CE

router does not need to know any IP address of the core network, not even of the PE router. This has

the disadvantage of a more extensive (static) configuration, but from a security point of view, it is

preferable to the other cases.

2. Dynamic. A routing protocol (for example, RIP, OSPF, or BGP) is used to exchange the routing

information between the CE and the PE at each peering point.

In all other cases, each CE router needs to know at least the router ID (RID; peer IP address) of the PE

router in the MPLS core, and thus has a potential destination for an attack.