Cisco IP Solution Center, 3.0: MPLS VPN Management User Guide, 3.0
OL-4344-01
Chapter 1 About Cisco IP Solution Center
Security Requirements for MPLS VPNs
PE-P link: use LDP MD5 authentication
P-P
This prevents attackers from spoofing a peer router and introducing bogus routing information. Secure
management is particularly important for configuration files, which often contain shared secrets in
clear text (for example, the keys used for routing protocol authentication).
Separation of CE-PE Links
If several CEs share a common Layer 2 infrastructure to access the same PE router (for example, an
Ethernet VLAN), a CE router can spoof packets as belonging to another VPN that also has a connection
to this PE router. Securing the routing protocol is not sufficient, since routing authentication protects
only routing updates, not the normal data packets.
To avoid this problem, Cisco recommends that you implement separate physical connections between
CEs and PEs. A switch between the CE routers and the PE router is also possible, but it is strongly
recommended to put each CE-PE pair into a separate VLAN to provide traffic separation.
Although switches with VLANs increase security, they are not unbreakable. A switch in this
environment must therefore be treated as a trusted device and configured with maximum security.
LDP Authentication
The Label Distribution Protocol (LDP) can also be secured with MD5 authentication across the MPLS
cloud. This prevents attackers from introducing bogus routers that would participate in LDP.
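The following PE-side IOS configuration is an added example, not taken from this guide or from IP Solution Center; it applies the two recommendations above (LDP MD5 authentication on the PE-P link and one VLAN per CE-PE pair). The interface names, VRF names, IP addresses, VLAN ids and the LDP password are constructed placeholders.

```cisco
! Added example (not from the Cisco guide): PE configuration applying the
! LDP authentication and CE-PE separation recommendations. All names,
! addresses, VLAN ids and the password below are placeholders.
!
! --- LDP MD5 authentication toward the P router on the PE-P link ---
! Refuse any LDP session that is not MD5-authenticated, then configure the
! per-neighbor shared secret (10.255.0.2 is the P router's LDP router-id,
! a placeholder). The same secret must be configured on the P router.
mpls ldp password required
mpls ldp neighbor 10.255.0.2 password LDP_SHARED_SECRET_PLACEHOLDER
!
! --- Separate CE-PE VLANs on one physical PE interface ---
! Each CE is attached through its own 802.1Q subinterface, bound to its own
! VRF. A CE on VLAN 101 therefore cannot send frames that the PE would
! attribute to the VLAN 102 customer: the VRF membership is decided by the
! subinterface the frame arrives on, not by anything the CE puts in the packet.
ip vrf CUSTOMER_A
 rd 65000:100
!
ip vrf CUSTOMER_B
 rd 65000:200
!
interface GigabitEthernet0/1
 description 802.1Q trunk to the access switch facing the CE routers
 no ip address
!
interface GigabitEthernet0/1.101
 description CE of CUSTOMER_A (its own VLAN)
 encapsulation dot1Q 101
 ip vrf forwarding CUSTOMER_A
 ip address 10.1.1.1 255.255.255.252
!
interface GigabitEthernet0/1.102
 description CE of CUSTOMER_B (its own VLAN)
 encapsulation dot1Q 102
 ip vrf forwarding CUSTOMER_B
 ip address 10.1.2.1 255.255.255.252
```

The weak variant this replaces is a single untagged interface on which both CEs share one VLAN: there the PE has no way to tell which customer a packet came from. Note that the access switch carrying the trunk is still a trusted device in this design, as the text above points out, so its management access and VLAN configuration need the same care as the PE itself.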
Connectivity Between VPNs
MPLS provides VPN services with address and routing separation between VPNs. In many
environments, however, the devices in the VPN must be able to reach destinations outside the VPN. This
could be for Internet access or for merging two VPNs, for example, in the case of two companies
merging. MPLS not only provides full VPN separation, but also allows merging VPNs and accessing the
Internet.
To achieve this, the PE routers maintain several tables: a routing context table is specific to a CE router
and contains only routes from this particular VPN. From there, routes are propagated into the VRF
(virtual routing and forwarding instance) routing table, from which a VRF forwarding table is
calculated.
For separated VPNs, the VRF routing table contains only routes from one routing context. To merge
VPNs, different routing contexts (from different VPNs) are put into one single VRF routing table. In this
way, two or several VPNs can be merged to a single VPN. In this case, it is necessary that all merged
VPNs have mutually exclusive addressing spaces; in other words, the overall address space must be
unique for all included VPNs.
For a VPN to have Internet connectivity, the same procedure is used: routes from the Internet VRF
routing table (the default routing table) are propagated into the VRF routing table of the VPN that
requires Internet access. Instead of propagating all Internet routes, a single default route can be
propagated. In this case, the address space of the VPN and that of the Internet must be distinct: the VPN
must use private address space, since any other address can occur in the Internet.
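The IOS VRF configuration below is an added example, not part of this guide or of IP Solution Center; it shows the three cases just described on one PE: two separated VPNs, the two VPNs merged by importing each other's routes, and Internet access for one VPN through a propagated default route. The AS number, route distinguishers, route targets, VRF names, interface and addresses are constructed placeholders.

```cisco
! Added example (not from the Cisco guide): VRF route-target policy on a PE
! for separated VPNs, merged VPNs and Internet access. AS 65000, the RDs,
! route targets, VRF names, addresses and interface are placeholders.
!
! --- Separated VPNs: each VRF imports only its own route target ---
! The VRF routing table holds routes from one routing context only.
ip vrf CUSTOMER_A
 rd 65000:100
 route-target export 65000:100
 route-target import 65000:100
!
ip vrf CUSTOMER_B
 rd 65000:200
 route-target export 65000:200
 route-target import 65000:200
!
! --- Merging the two VPNs ---
! Importing the other VPN's route target puts that routing context into this
! VRF table as well. This is only correct if the two address spaces are
! mutually exclusive; with overlapping prefixes the merged table would hold
! ambiguous routes and one site's traffic could be delivered to the other.
ip vrf CUSTOMER_A
 route-target import 65000:200
!
ip vrf CUSTOMER_B
 route-target import 65000:100
!
! --- Internet access for CUSTOMER_A via a propagated default route ---
! Rather than importing every Internet route, inject one default route whose
! next hop (192.0.2.1, a placeholder Internet gateway) is resolved in the
! global routing table. CUSTOMER_A must use private address space
! (10.0.0.0/8 in this example) so that its prefixes cannot collide with
! Internet destinations. A matching global static route back into the VRF,
! via the CE-facing subinterface, carries the return traffic; 203.0.113.0/24
! is a placeholder for the addresses this VPN presents to the Internet.
ip route vrf CUSTOMER_A 0.0.0.0 0.0.0.0 192.0.2.1 global
ip route 203.0.113.0 255.255.255.0 GigabitEthernet0/1.101
```

The MP-BGP session and the `address-family ipv4 vrf` blocks that actually carry these routes between PEs are omitted here; the point of the example is the import/export policy, which is what decides whether two routing contexts end up in one VRF table. When reviewing such a configuration, the check to make is that every `route-target import` on a VRF is intentional: an extra import line is all it takes to merge a VPN with another customer's.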