MPLS VPN Security Best Practice Guidelines

Monique Morrow and Michael Behringer
Distinguished Consulting Engineer and Distinguished Systems Engineer
Cisco Systems, Inc.
[email protected]
[email protected]
(www.cisco.com)

MPLScon 2006
May 24 2006

© 2005 Cisco Systems, Inc. All rights reserved. Cisco Public 1

MPLS VPN Security - Agenda

• MPLS Security evolution and drivers
• Secure MPLS VPN Design Considerations
• Ongoing standardization work
• Summary

Copyright © 2005, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
MPLS Security

• Protection mechanisms for MPLS-specific network resources
  Protection of MPLS forwarding and signaling
• MPLS security protection areas
  Integrity and privacy of MPLS VPN service traffic
  MPLS node access and resiliency
• Focus areas in MPLS network infrastructure
  MPLS core (LSPs between PE pairs)
  MPLS service edge (PE-CE link)
  MPLS network interconnect (Inter-AS/SP)
• Incremental value-add and integral part of scalable and robust MPLS technology solution

MPLS Evolution

Initial MPLS Deployments (1996-2002)
  Challenges
  • Service Provider MPLS technology adoption
  • Code features and stability
  Security Focus
  • MPLS as a secure network technology replacement for legacy L2 technologies (FR/ATM)?

Large SP and Enterprise MPLS Deployments (2002-2006)
  Challenges
  • MPLS scale and high availability
  • Enterprise MPLS technology adoption
  • Manageability and operations
  • Inter-SP MPLS connects
  Security Focus
  • New RFP compliance reqs
  • Enterprise network security

Next-Generation MPLS Deployments (2006 and Beyond)
  Challenges
  • Complexity of new enhanced services (Extranets, LSM)
  • MPLS for network convergence
  • Increasing service configuration complexity
  Security Focus
  • New security reqs for support of converged triple play services
MPLS Security Drivers

MPLS Customers: MPLS Security Drivers (Examples)

Service Provider Segment
  Tier-1 (Global): Network convergence (Triple play and public/private services convergence)
  Tier-2 (National): Network convergence and network interconnect (Inter-AS/SP network inter-connect)

Enterprise Segment
  Financials: Regulatory compliance (Sarbanes-Oxley Act); Extranet security (Financial application access)
  Education/Research: User traffic segmentation (Secure campus connectivity)
  Other: Regulatory compliance; Extranet security (Extranet partner connectivity); MPLS technology value-add

Government Segment
  Government agencies and institutions: Regulations driving new network security reqs (US Homeland Security)

Why Is MPLS VPN Security Important?

• Customer buys “Internet Service”:
  Packets from SP are not trusted
  Perception: Need for firewalls, etc.

• Customer buys a “VPN Service”:
  Packets from SP are trusted
  Perception: Few or no further security measures required

SP Must Ensure Secure MPLS Operations
Security Risk

• MPLS security architecture components
  Network design
  Implementation
  Operation
• Level of MPLS network deployment complexity determines perceived security risks
• Influencing factors of MPLS deployment complexity
  Network architecture (e.g., physical vs. logical separation)
  Networking services run on top of MPLS network
• Types of networking services
  Public IP services (Internet)
  Private (VPN) connectivity services

MPLS Deployment Scenarios

Shared MPLS Core & Edge (Public/Private PE on one MPLS core)
  MPLS Core Network
  • Single MPLS core for both public IP and private VPN traffic
  • Optional BGP/Internet free core
  MPLS Edge Network
  • PE routers terminate both public IP and private VPN connections

Shared MPLS Core & Separate Edge (separate Public PE and Private PE on one MPLS core)
  MPLS Core Network
  • Single MPLS core for both public IP and private VPN traffic
  • Optional BGP/Internet free core
  MPLS Edge Network
  • Dedicated PE routers used for termination of public IP and private VPN connections

Separate MPLS Core & Edge (Public PE and Private PE, each on its own MPLS core)
  MPLS Core Network
  • Separate MPLS cores for public IP and private VPN traffic
  • Optional BGP/Internet free core
  MPLS Edge Network
  • Dedicated PE routers used for termination of public IP and private VPN connections
Network Complexity versus Capital Costs

[Figure: the three deployment scenarios plotted against a vertical axis "Network Complexity (Risk)", running from Physical Separation to Logical Separation, and a horizontal axis "Capital Costs". Shared MPLS Core & Edge (Public/Private PE) sits at the logical-separation end, Shared MPLS Core & Separate Edge (Public PE, Private PE) in between, and Separate MPLS Core & Edge (two MPLS cores) at the physical-separation end; a "Sweet Spot" is marked.]

Annotations on the chart:
  Logical Separation: Simplifications for implementing MPLS security mechanisms reducing MPLS deployment risks.
  MPLS security mechanisms enable secure logical separation of MPLS traffic forwarding and signaling.
  Lower cost MPLS deployments with reduced complexity and increased resiliency.

Secure MPLS/VPN Core Design

• Don’t let packets into the core (for MPLS: PE routers)
  No way to attack core, except through routing, thus:
  (Still “Open”: Routing Protocol)
• Secure the routing protocol
  Neighbor authentication, maximum routes, dampening, …
  (Only Attack Vector: Transit Traffic)
• Design for transit traffic
  QoS to give VPN priority over Internet
  Choose correct router for bandwidth
  Separate PEs where necessary
  (Now Only Insider Attacks Possible)
• Operate Securely
  (Avoid Insider Attacks)
Security Recommendations for ISPs

• Secure devices (PE, P): They are trusted
• Core (PE+P): Secure with ACLs on all interfaces
  Ideal: deny ip any <core-networks>
• Static PE-CE routing where possible
• If routing: Use authentication (MD5)
• Separation of CE-PE links where possible (Internet/VPN)
• LDP authentication (MD5)
• VRF: Define maximum number of routes

Note: Overall security depends on weakest link
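The two slides above (“Secure MPLS/VPN Core Design” and “Security Recommendations for ISPs”) reduce to a handful of checkable settings on each PE: routing-protocol neighbor authentication (BGP MD5), LDP MD5, a per-VRF route maximum, and an inbound ACL on every customer-facing interface. The audit below is an added example, not code from the deck or from Cisco: it parses an IOS-style configuration and reports which of those recommendations a PE misses. The configuration text, hostnames, addresses and secrets are constructed placeholders; the command syntax (`maximum routes` under `ip vrf`, `neighbor ... password`, `mpls ldp neighbor ... password`, `ip access-group ... in`) is standard IOS, but which lines count as compliant is this example's own choice.

```python
"""Audit an IOS-style PE configuration against the ISP recommendations:
BGP neighbor MD5 authentication, LDP MD5 authentication, a per-VRF route
maximum, and an inbound ACL on every customer-facing (VRF) interface.

The configuration below is constructed for this example; names, addresses
and secrets are placeholders and do not come from any real device."""
import re
from typing import Dict, List, Tuple

SAMPLE_CONFIG = """\
hostname PE1
!
ip vrf CUST_A
 rd 65000:100
 maximum routes 1000 80
!
ip vrf CUST_B
 rd 65000:200
!
interface GigabitEthernet0/0
 description core link towards P1
 ip address 10.0.0.1 255.255.255.252
 mpls ip
!
interface GigabitEthernet0/1
 description CE link for CUST_A
 ip vrf forwarding CUST_A
 ip address 192.0.2.1 255.255.255.252
 ip access-group PE-CE-IN in
!
interface GigabitEthernet0/2
 description CE link for CUST_B
 ip vrf forwarding CUST_B
 ip address 192.0.2.5 255.255.255.252
!
mpls ldp neighbor 10.0.0.2 password 7 LDP-SECRET-PLACEHOLDER
!
router bgp 65000
 neighbor 10.255.0.1 remote-as 65000
 neighbor 10.255.0.1 password BGP-SECRET-PLACEHOLDER
 neighbor 10.255.0.2 remote-as 65000
!
"""


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Split IOS-style text into (top-level line, indented child lines) pairs."""
    blocks: List[Tuple[str, List[str]]] = []
    header, body = None, []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and header is not None:
            body.append(line.strip())
            continue
        if header is not None:
            blocks.append((header, body))
        header, body = line.strip(), []
    if header is not None:
        blocks.append((header, body))
    return blocks


def audit(config: str) -> Dict[str, List[str]]:
    """Return one finding list per recommendation; an empty list means compliant."""
    findings: Dict[str, List[str]] = {
        "vrf_without_max_routes": [],
        "ce_interface_without_inbound_acl": [],
        "bgp_neighbor_without_md5": [],
        "ldp_without_md5": [],
    }
    ldp_password_seen = False
    for header, body in parse_blocks(config):
        if header.startswith("ip vrf "):
            # Recommendation: every VRF defines a maximum number of routes.
            if not any(ln.startswith("maximum routes ") for ln in body):
                findings["vrf_without_max_routes"].append(header.split()[2])
        elif header.startswith("interface "):
            # Recommendation: customer-facing (VRF) interfaces carry an inbound ACL.
            in_vrf = any(ln.startswith("ip vrf forwarding ") for ln in body)
            has_acl = any(re.fullmatch(r"ip access-group \S+ in", ln) for ln in body)
            if in_vrf and not has_acl:
                findings["ce_interface_without_inbound_acl"].append(header.split()[1])
        elif header.startswith("router bgp "):
            # Recommendation: every BGP neighbor is authenticated (TCP MD5 password).
            peers, with_pw = set(), set()
            for ln in body:
                m = re.match(r"neighbor (\S+) (remote-as|password)\b", ln)
                if m:
                    peers.add(m.group(1))
                    if m.group(2) == "password":
                        with_pw.add(m.group(1))
            findings["bgp_neighbor_without_md5"] = sorted(peers - with_pw)
        elif header.startswith("mpls ldp ") and " password " in header:
            # Recommendation: LDP sessions are MD5 authenticated.
            ldp_password_seen = True
    if not ldp_password_seen:
        findings["ldp_without_md5"].append("no 'mpls ldp ... password' line")
    return findings


def is_compliant(config: str) -> bool:
    """True when no recommendation produced a finding."""
    return not any(audit(config).values())


if __name__ == "__main__":
    for check, items in audit(SAMPLE_CONFIG).items():
        print(f"{check}: {items or 'OK'}")
```

Run against the constructed configuration, the audit flags VRF CUST_B (no route maximum), GigabitEthernet0/2 (VRF interface without an inbound ACL) and BGP neighbor 10.255.0.2 (no password); LDP passes because a neighbor password line is present. The same parser can be pointed at a saved `show running-config` to check a whole PE estate, which is how the “weakest link” note on the slide is usually operationalised.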

Securing the MPLS Core

[Figure: an MPLS core of P routers surrounded by PE routers, with a BGP Route Reflector inside the core; VPN CEs and an Internet connection attach to the PEs. Annotations: “BGP Peering With MD5 Authentic.” on the PE-to-route-reflector sessions, “LDP With MD5” on the core links, and “ACL, and Secure Routing” on the PE-CE edge.]
Feature Portfolio

Each area is split into MPLS Traffic Forwarding (Data Plane) and MPLS Signaling (Control Plane).

MPLS Core Network
  Access Control
    Data plane: Native MPLS traffic separation
    Control plane: Session authentication for core signaling protocols
  Data Integrity & Privacy
    Data plane: PE-PE packet/path integrity; MPLS TTL propagation
    Control plane: Control plane message validation/authentication

MPLS Service Edge
  Access Control
    Data plane: IP/MPLS packet filtering; VRF-context packet forwarding
    Control plane: Session authentication for PE-CE signaling protocols
  Data Integrity & Privacy
    Data plane: PE-PE packet/path integrity
    Control plane: VRF-aware control plane msg validation/auth (e.g., TTL); VPN (max) route/prefix filtering

MPLS Network Inter-Connect
  Access Control
    Data plane: Ingress MPLS packet validation (top label validation check)
    Control plane: Session authentication for inter-AS signaling protocols
  Data Integrity & Privacy
    Data plane: End-to-end cross-AS MPLS packet/path integrity validation
    Control plane: VPN route/prefix (RD/RT) filtering
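The “Ingress MPLS packet validation (top label validation check)” entry for the inter-AS interconnect is the one data-plane control in the table that can be shown end to end in a few lines: an ASBR decodes the label stack of a packet arriving from the peer AS and accepts it only if the top label is one it actually advertised to that peer, so a forged label cannot steer traffic into another customer's VPN. The code below is an added example, not from the deck or from any vendor implementation: the 32-bit label stack entry layout (20-bit label, 3-bit traffic class, bottom-of-stack bit, 8-bit TTL) is the standard RFC 3032 format, while the advertised-label set and the three frames are constructed for the example.

```python
"""Top-label validation at an inter-AS ingress, as listed under
"MPLS Network Inter-Connect / Access Control" in the feature portfolio.

Frames, label values and the advertised-label set below are constructed
for this example."""
import struct
from typing import List, NamedTuple, Set, Tuple


class LabelEntry(NamedTuple):
    label: int    # 20-bit label value
    tc: int       # 3-bit traffic class (formerly EXP)
    bottom: bool  # bottom-of-stack flag
    ttl: int      # 8-bit time to live


def encode_entry(label: int, tc: int, bottom: bool, ttl: int) -> bytes:
    """Pack one 32-bit label stack entry in RFC 3032 layout."""
    if not (0 <= label < 1 << 20 and 0 <= tc < 8 and 0 <= ttl < 256):
        raise ValueError("field out of range")
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bottom) << 8) | ttl)


def parse_label_stack(data: bytes) -> Tuple[List[LabelEntry], bytes]:
    """Decode entries until the bottom-of-stack bit is set; return (stack, payload)."""
    entries: List[LabelEntry] = []
    offset = 0
    while True:
        if len(data) - offset < 4:
            raise ValueError("truncated label stack")
        (word,) = struct.unpack_from("!I", data, offset)
        offset += 4
        entry = LabelEntry(word >> 12, (word >> 9) & 0x7, bool((word >> 8) & 1), word & 0xFF)
        entries.append(entry)
        if entry.bottom:
            return entries, data[offset:]


def validate_ingress(frame: bytes, advertised_to_peer: Set[int]) -> Tuple[bool, str]:
    """Accept the frame only if it parses, its TTL is live, and its top label is one
    this ASBR advertised to the sending peer; otherwise return a drop reason."""
    try:
        stack, _payload = parse_label_stack(frame)
    except ValueError as exc:
        return False, f"drop: {exc}"
    top = stack[0]
    if top.ttl == 0:
        return False, f"drop: top label {top.label} has TTL 0"
    if top.label not in advertised_to_peer:
        return False, f"drop: top label {top.label} not advertised to this peer"
    return True, f"accept: label stack {[e.label for e in stack]}"


# Constructed state: the labels this ASBR advertised to the neighbouring AS.
ADVERTISED = {16004, 16005}

# Constructed frames: a valid two-label packet, one whose top label was never
# advertised to the peer, and one cut off in the middle of an entry.
GOOD_FRAME = encode_entry(16004, 0, False, 64) + encode_entry(24, 0, True, 64) + b"payload"
FORGED_FRAME = encode_entry(17000, 0, False, 64) + encode_entry(24, 0, True, 64) + b"payload"
TRUNCATED_FRAME = encode_entry(16004, 0, False, 64) + b"\x00\x01"

if __name__ == "__main__":
    for name, frame in [("good", GOOD_FRAME), ("forged", FORGED_FRAME), ("truncated", TRUNCATED_FRAME)]:
        print(name, validate_ingress(frame, ADVERTISED))
```

The check deliberately looks only at the top label: inner labels belong to the peer AS's own label space (here the VPN label 24) and are opaque at the interconnect, which is why the table pairs this data-plane check with VPN route/prefix (RD/RT) filtering on the control plane rather than trying to inspect deeper into the stack.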

Relevant Standardization

IETF L3VPN WG:
  Working on Layer 3 VPN architectures, such as MPLS IP VPNs, IP VPNs using virtual routers, and IPsec VPNs.
  http://www.ietf.org/html.charters/l3vpn-charter.html

IETF L2VPN WG:
  Working on Layer 2 VPN architectures, such as VPLS and VPWS.
  http://www.ietf.org/html.charters/l2vpn-charter.html
Conclusions

• MPLS security covers protection mechanisms for MPLS forwarding and signaling
• MPLS security requires holistic approach including network design, implementation, and operation
• Level of MPLS network deployment complexity determines perceived network security risks
• Growing importance of MPLS security as a result of network and service convergence

References

• MPLS VPN Security – ISBN 1587051834
• RFC4381 – Analysis of MPLS VPN Security
• RFC2082 – RIP-2 MD5 Authentication
• RFC2154 – OSPF with Digital Signatures
• RFC2385 – Protection of BGP Sessions via the TCP MD5 Signature Option
• RFC3013 – Recommended Internet Service Provider Security Services and Procedures
• RFC2196 – Site Security Handbook
• Gartner research note M-17-1953: "MPLS Networks: Drivers Beat Inhibitors in 2003"; 10 Feb 2003
• MPLS and VPN Architectures – ISBN 1587050021
Q and A
