Cisco IP Solution Center, 3.0: MPLS VPN Management User Guide, 3.0
OL-4344-01
Chapter 1 About Cisco IP Solution Center
Security Requirements for MPLS VPNs
For security reasons, a PE router should never accept a packet with a label from a CE router. Cisco
routers are implemented so that packets that arrive on a CE interface with a label are dropped. Thus,
it is not possible to insert fake labels because no labels are accepted.
It remains possible to spoof the IP address of a packet that is being sent to the MPLS core.
However, because there is strict addressing separation within the PE router and each VPN has its own VRF,
a spoofed packet can harm only the VPN it originated from; in other words, a VPN customer
can attack only himself. MPLS does not add any security risk here.
Securing the MPLS Core
The following is a list of recommendations and considerations for configuring an MPLS network
securely.
Note: The security of the overall solution depends on the security of its weakest link. This could be the weakest
single interconnection between a PE and a CE, an insecure access server, or an insecure TFTP server.

Trusted Devices

The PE and P devices, as well as remote access servers and AAA servers, must be treated as trusted
systems. This requires strong security management, starting with physical building security and
including issues such as access control, secure configuration management, and storage. There is ample
literature available on how to secure network elements, so these topics are not discussed here in more
detail.
CE routers are typically not under full control of the service provider and must be treated as “untrusted.”

PE-CE Interface

The interface between PE and CE routers is crucial for a secure MPLS network. The PE router should
be configured as restrictively as possible. From a security point of view, the best option is to configure the
interface to the CE router unnumbered and route statically.
Packet filters (Access Control Lists) should be configured to permit only one specific routing protocol
to the peering interface of the PE router, and only from the CE router. All other traffic to the router and
the internal service provider network should be denied. This prevents attacks on the PE and P
routers, since all packets to the corresponding address range are dropped by the PE
router. The only exception is the peer interface on the PE router, which must stay reachable for routing purposes. This PE peer
interface must be secured separately.
If private address space is used for the PE and P routers, the same packet-filtering rules
apply: all packets to this range must be filtered. However, because addresses in this range should not
be routed over the Internet, attacks are limited to adjacent networks.
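
The packet filter described above, as an added example (not configuration from the guide): an IOS extended ACL applied inbound on the PE's CE-facing interface, assuming BGP is the one permitted routing protocol. The addresses, the ACL name CE-IN and the interface name are constructed for illustration.

```cisco
! Constructed addressing (RFC 5737 documentation ranges, not from the guide):
!   PE-CE link      192.0.2.0/30   (PE = 192.0.2.1, CE = 192.0.2.2)
!   PE and P range  198.51.100.0/24
!
ip access-list extended CE-IN
 remark BGP from the CE to the PE peer address only (either side may open the session)
 permit tcp host 192.0.2.2 host 192.0.2.1 eq bgp
 permit tcp host 192.0.2.2 eq bgp host 192.0.2.1
 remark Nothing else may reach the PE peer address
 deny   ip any host 192.0.2.1 log
 remark Nothing may reach the PE and P address range
 deny   ip any 198.51.100.0 0.0.0.255 log
 remark Customer VPN traffic transits normally
 permit ip any any
!
! Hypothetical CE-facing interface; any existing VRF configuration on it is unchanged
interface Serial0/0
 description Link to CE (untrusted)
 ip address 192.0.2.1 255.255.255.252
 ip access-group CE-IN in
```

The order of the entries matters: the two BGP permits must precede the deny for the PE peer address, and both denies must precede the final permit.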

Routing Authentication

All routing protocols should be configured with the corresponding authentication option toward the CEs
and toward any Internet connection, specifically BGP, OSPF, and RIP2. All peering relationships in the
network need to be secured this way:
CE-PE link: use BGP MD-5 authentication