1-21
Cisco IP Solution Center, 3.0: MPLS VPN Management User Guide, 3.0
OL-4344-01
Chapter 1 About Cisco IP Solution Center
Security Requirements for MPLS VPNs
This section discusses the security requirements for MPLS VPN architectures. It concentrates on
protecting the core network against attacks from the “outside,” that is, from the Internet and from
connected VPNs. Protection against attacks from the “inside,” that is, by an attacker who already has
logical or physical access to the core network, is not discussed here, since any network can be attacked
by someone with inside access.
Address Space and Routing Separation
For any two non-intersecting VPNs of an MPLS VPN service, the address spaces of the two VPNs are
assumed to be entirely independent. This means, for example, that two non-intersecting VPNs must both
be able to use the 10/8 network without any interference. From a routing perspective, this means that
each end system in a VPN has a unique address within that VPN, and all routes to this address point to
the same end system. Specifically:
• Any VPN must be able to use the same address space as any other VPN.
• Any VPN must be able to use the same address space as the MPLS core.
• Routing between any two VPNs must be independent.
• Routing between any VPN and the core must be independent.
Address Space Separation
From a security point of view, the basic requirement is to prevent packets destined for a host a.b.c.d
within a given VPN from reaching a host with the same address in another VPN or in the core.
MPLS allows distinct VPNs to use the same address space, which can also be private address space. This
is achieved by adding a 64-bit route distinguisher (RD) to each IPv4 route, making VPN-unique
addresses also unique in the MPLS core. This “extended” address is also called a VPN-IPv4 address.
Thus customers of an MPLS service do not need to change current addressing in their networks.
When routing protocols run between CE and PE routers (with static routing this is not an issue), there is
one exception: the IP addresses of the PE routers with which the CE routers peer. To communicate with
the PE router, the routing protocol on a CE router must be configured with the address of its peer router
in the core, and this address must be unique from the CE router’s perspective. In an environment where
the service provider also manages the CE routers as CPE (customer premises equipment), this can be
made invisible to the customer.
Routing Separation
Routing separation between the VPNs can also be achieved. Every PE router maintains a separate Virtual
Routing and Forwarding instance (VRF) for each connected VPN. Each VRF on the PE router is
populated with routes from one VPN only, through statically configured routes or through routing
protocols that run between the PE and the CE router. Since every VPN results in a separate VRF, there is
no interference between the VPNs on the PE router.
Across the MPLS core to the other PE routers, this routing separation is maintained by adding unique
VPN identifiers in multi-protocol BGP, such as the route distinguisher (RD). VPN routes are exchanged
exclusively by MP-BGP across the core, and this BGP information is not redistributed into the core
network's routing, but only to the other PE routers, where it is again kept in VPN-specific VRFs.
Thus routing across an MPLS network is separate per VPN.
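The two separation mechanisms described above (the 64-bit RD making overlapping customer prefixes unique as VPN-IPv4 addresses, and per-VRF route tables on the PE) can be modelled in a few lines. The following is an added illustration, not code from this guide or from IP Solution Center; the RD wire formats follow RFC 4364, while the PERouter class, its method names and the customer names and RD values are a constructed, hypothetical model.

```python
import ipaddress
import struct

def encode_rd(rd: str) -> bytes:
    """8-byte RD per RFC 4364: type 0 (ASN16:num), 1 (IPv4:num), 2 (ASN32:num)."""
    admin, number = rd.split(":")
    if "." in admin:
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, int(number))
    asn = int(admin)
    if asn <= 0xFFFF:
        return struct.pack("!HHI", 0, asn, int(number))
    return struct.pack("!HIH", 2, asn, int(number))

def vpnv4_address(rd: str, prefix: str) -> bytes:
    """12-byte VPN-IPv4 address: RD followed by the 4-byte IPv4 network address."""
    return encode_rd(rd) + ipaddress.IPv4Network(prefix).network_address.packed

class PERouter:
    """Toy PE (hypothetical model, not ISC code): one VRF per attached VPN."""
    def __init__(self, vrf_rds: dict):
        # vrf_rds maps VRF name -> RD string; each VRF gets its own route table
        self.vrfs = {n: {"rd": rd, "routes": {}} for n, rd in vrf_rds.items()}

    def install_ce_route(self, vrf, prefix, next_hop):
        """A route learned from a CE (static or PE-CE protocol) lands only in its VRF."""
        self.vrfs[vrf]["routes"][ipaddress.IPv4Network(prefix)] = next_hop

    def mp_bgp_advertisements(self) -> dict:
        """RD-qualified routes sent to other PEs; core routers never carry them."""
        adv = {}
        for name, vrf in self.vrfs.items():
            for net in vrf["routes"]:
                adv[(vpnv4_address(vrf["rd"], str(net)), net.prefixlen)] = name
        return adv

    def lookup(self, vrf, dst):
        """Longest-prefix match confined to the VRF of the ingress interface."""
        addr, best = ipaddress.IPv4Address(dst), None
        for net, nh in self.vrfs[vrf]["routes"].items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best[1] if best else None

def demo():
    """Constructed sample: two customers both number their LANs from 10/8."""
    pe = PERouter({"CUST_A": "65000:1", "CUST_B": "65000:2"})
    pe.install_ce_route("CUST_A", "10.0.0.0/8", "CE-A")
    pe.install_ce_route("CUST_B", "10.0.0.0/8", "CE-B")
    # Same destination resolves per VRF; the core sees two distinct 12-byte keys.
    adv = pe.mp_bgp_advertisements()
    return pe.lookup("CUST_A", "10.1.2.3"), pe.lookup("CUST_B", "10.1.2.3"), len(adv)
```

Running demo() returns ("CE-A", "CE-B", 2): the identical destination is delivered to a different CE depending on which VRF the packet entered, and both 10/8 routes coexist in the MP-BGP table because their RDs differ.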