470 likes | 701 Views
MPLS Security 5 th Annual MCWG Forum – October 16-20, 2006. Tuesday, October 17, 2006 Harmen van der Linde Contributions By: Product Manager – MPLS Michael Behringer Cisco - NSSTG Monique Morrow havander@cisco.com. Topics. Multi-Protocol Label Switching (MPLS) MPLS Security Overview
E N D
MPLS Security5th Annual MCWG Forum – October 16-20, 2006 Tuesday, October 17, 2006 Harmen van der Linde Contributions By: Product Manager – MPLS Michael Behringer Cisco - NSSTG Monique Morrow havander@cisco.com
Topics • Multi-Protocol Label Switching (MPLS) • MPLS Security Overview • Framework • Risks and Deployment • Feature Set • Conclusions
Multi-Protocol Label Switching Technology Overview Network Architecture MPLS Security
TechnologyEvolution ServiceEvolution Packet Network Evolution IP over ATMChallenge MPLS Innovation and Deployment WidespreadMPLS Deployments • IP + ATM Integration • Cell Switching Routers • IP/Tag Switching • IETF Efforts • Traffic Engineering • MPLS VPNs • Fast Reroute • Any Transport over MPLS (AToM) • Multi-Service Edge • MPLS High Availability with SSO/NSF/FRR • MPLS + IPSec • MPLS VPN and multicast • Traditional ATM/FR • Internet access • Remote access VPNs • MPLS VPN services with full mesh and Hub & Spoke connectivity • QoS Offerings – 2 to 5 Classes • Network Convergence – Many Services on converged MPLS core network • Triple-play service converge 1995 - 1996 1996 - 2002 2002 and Beyond
Multi-Protocol Label Switching (MPLS) • Established network infrastructure technology • Service provider networks and large enterprise networks • Two functional layers in MPLS architecture • Control plane • Forwarding plane • MPLS control plane • Distributes labels and establishes label switched paths • Multiple control protocols; LDP, BGP, and RSVP-TE • MPLS forwarding plane • Used for MPLS labeled data packet forwarding • MPLS Applications • Layer-3 VPNs, Layer-2 VPNs, Traffic Engineering (TE)
MPLS Network Architecture 2. In the Core: • Label swapping or switching:Forward using labels (not IP addr); label indicates service class and destination 1. At Ingress Edge: • Label imposition:Classify & Label packets PE P P Edge Label Switch Router OR(ATM Switch/ Router) Provider Edge- PE 3. At Egress Edge: • Label disposition: Remove labels and forward packets PE Customer A Customer B Label Switch Router (LSR) or P (Provider) router • Router OR ATM switch + label switch controller
MPLS High Availability MPLS Management MPLS Security MPLS Security
MPLS Security Overview Overview and Scope Cisco IP NGN Market Drivers and Positioning
MPLS Security • Protection mechanisms for MPLS-specific network resources • Protection of MPLS forwarding and signaling • MPLS security protection areas • MPLS node access and resiliency • Integrity and privacy of MPLS VPN service traffic • Focus areas in MPLS network infrastructure • MPLS core (Label between PE pairs) • MPLS service edge (PE-CE link) • MPLS network interconnect (Inter-AS/SP) • Incremental value-add and integral part of scalable and robust MPLS technology solution
Scope • Focus on security capabilities for MPLS-specific network resources • Protection of MPLS forwarding and signaling • Incremental security functionality to existing MPLS functions • Use of existing device and IP-level security capabilities assumed for basic level of security • CLI passwords, TACACS, ACLs, Firewalls, etc. • Leverage existing security capabilities of lower layer protocols where possible • Instead of replication of functionality focus on integration of MPLS with existing security capabilities • For example, LDP use of TCP MD5 authentication capabilities
MPLS Security Identity Policy Billing Self Service MPLS Service Edge MPLS NetworkInter-connect MPLS Core Operational Layer Intelligent Networking Cisco IP NGN – Secure Network Layer Presence-Based Telephony IP Contact Center Data Center Web Services Mobile Apps Gaming Application Layer Open Framework for Enabling ‘Triple Play on the Move’ (Data, Voice, Video, Mobility) Service Exchange Service Layer Mobility Customer Element Access/ Aggregation Intelligent Edge Multiservice Core Network Layer Transport
Challenges SecurityFocus MPLS Security Evolution Initial MPLS Deployments Large & Widespread MPLS Deployments Next-Generation MPLS Deployments • Service Provider MPLS technology adoption • Code features and stability • MPLS scale and enhanced features • Enterprise MPLS technology adoption • Manageability and operations • Complexity of new enhanced services (Extranets, mcast) • MPLS network convergence • MPLS network inter-connects • MPLS as a secure technology replacement for legacy Layer-2 technologies (FR/ATM) • Inter-AS MPLS network connects • New RFP compliance reqs • Enterprise network security • Increasing service configuration complexity • New security reqs for support of converged triple play services 1996 - 2002 2002 - 2005 2005 and Beyond
Concerns Goals Service Provider MarketSegment Enterprise MarketSegment Federal MarketSegment Concerns and Goals • Unauthorized customer VPN access • Public Internet traffic access/impact on private MPLS VPNs • Customer VPN traffic separation • Public Internet and private VPN traffic separation • Unauthorized access to internal user VPNs • Public Internet traffic access/impact on private LAN traffic • User group VPN traffic separation • WAN and extranet VPN traffic separation and privacy • Unauthorized access to internal user VPNs • WAN/public Internet traffic access/impact on private LAN traffic • User group VPN traffic separation • WAN and VPN traffic separation and privacy
MPLS Security Framework Service Provider View Enterprise View Threat Model
MPLSNetwork External Network External Network ExternalNetworkInterface ExternalNetwork Interface MPLS Security Framework Trusted Zone MPLS core signaling LDP, RSVP, and BGP MPLS edge signaling BGP, LDP, RIP, OSPF ControlPlane MPLS packet forwarding ForwardingPlane IP or MPLS packet forwarding
MPLSNetwork CustomerNetwork Peer SPNetwork ExternalServiceInterface ExternalNetwork ConnectInterface MPLS Security – Service Provider View Trusted Zone • MPLS Edge Security • Security for VPN service interface • Focus on control plane access and resources on PE router • MPLS Core Security • Security for end-to-end (PE-PE) MPLS traffic integrity • Focus on MPLS packet forwarding • MPLS Inter-AS Security • Security for network interconnect interface • Focus on data/control plane access on ASBR
ExtranetServiceInterface ExternalWANInterface MPLS Security – Enterprise View Trusted Zone MPLSNetwork ExtranetCustomerNetwork SP MPLSNetwork • Extranet Edge Security • Security of extranetVPN interface • Focus on data/control plane access acrossinterface with partner • MPLS Core Security • Security for end-to-end (PE-PE) MPLS traffic integrity • Focus on MPLS traffic segmentation • WAN Edge Security • Security of WAN interface with SP • Focus on data/control plane access acrossPE-CE link with SP
CE CE PE PE ASBR ASBR P P Security Threats
MPLS Security – Risks and Deployment Security Risk MPLS Deployment Scenarios Network Complexity versus Capital Costs
MPLS Security and Risks • MPLS security associated with MPLS deployment and risk • Risk of MPLS design or configuration error • MPLS deployment components • Network design, implementation, and operation • Basic risk components • Security vulnerability event • Probability of event • Impact of event • MPLS security focused on mitigating potential security vulnerability events • Minimizing probability and associated impacts of potential events
Identify/analyze potential security vulnerabilities in MPLS network infrastructure • Identify MPLS security capabilitiesthat need to be implemented • Design and specify device command parameters NetworkDesign • Monitor and analyze network anomalities, which could indicate a security attack • Set up and configuration of security policies and commands in MPLS network NetworkOperation NetworkImplementation MPLS Deployment Framework
MPLS Deployment Risk • MPLS network deployment complexity level determines perceived security risks • More complexity requires more detailed design, and associated network implementation and operation • More complexity increases the possibility of design and configuration errors • Influencing factors of MPLS deployment complexity • Network architecture (e.g., physical v.s. logical separation) • Networking services run on top of MPLS network • Types of networking services • Public IP services (Internet) • Private (VPN) connectivity services
ServiceCharacteristics BusinessFocus Examples Public IPConnectivityServices • Access to the Internet • Connectivity toanybody anywhereon the Internet • Best effort traffic • Focus on ubiquitous IP connectivity • General public access to web sites, email, etc. Private IP VPN Connectivity Services • Connectivity to selective set of end-nodes connected to same VPN • QoS support • Focus of secure and reliable connectivity • Service Level Agreements (SLAs) Public and Private Connectivity Services • at&t: Managed Internet Service (MIS) • Sprint Nextel: Internet Access • Verizon Business: Dedicated Internet Access • at&t: IPeFR, eVPN • Masergy: Private IP • Sprint Nextel: MPLS VPN • Verizon Business: Private IP
Public/Private PE MPLSCore MPLSCore PublicPE Private PE • Single MPLS core for both public IP and private VPN traffic • Optional BGP/Internet free core • Single MPLS core for both public IP and private VPN traffic • Optional BGP/Internet free core • Separate MPLS cores for public IP and private VPN traffic • Optional BGP/Internet free core MPLSCore Network PublicPE PrivatePE MPLSEdge Network MPLSCore MPLSCore • PE routers terminate both public IP and private VPN connections • Dedicated PE routers used for termination of public IP and private VPN connections • Dedicated PE routers used for termination of public IP and private VPN connections MPLS Deployment Scenarios Shared MPLS Core & Edge Shared MPLS Core & Separate Edge Separate MPLS Core & Edge
Current MPLS Deployments • Internal survey of key SP customers on deployment of public and private MPLS services • Separate MPLS core & edge • Shared MPLS core & separate edge • Shared MPLS core & edge • No common MPLS deployment preference • Balanced distribution of various MPLS deployment scenarios Source: Internal 2006 MPLS Security Survey by Michael Behringer.
Future MPLS Deployment Plans • Future MPLS deployment plans indicate increasing network consolidation • Increasing number of shared MPLS core deployments • Common MPLS core for public and private services • Migration of both public and private services onto single MPLS edge Source: Internal 2006 MPLS Security Survey by Michael Behringer.
LogicalSeparation Simplifications for implementing MPLS security mechanisms reducing MPLS deployment risks. NetworkComplexity (Risk) Shared MPLS Core & Edge MPLS security mechanism enable secure logical separation of MPLS traffic forwarding and signaling Public/Private PE Shared MPLS Core & Separate Edge MPLSCore MPLSCore PublicPE Private PE Separate MPLS Core & Edge PublicPE PrivatePE PhysicalSeparation MPLSCore MPLSCore Capital Costs Network Complexity versus Capital Costs Lower cost MPLS deployments with reduced complexity and increased resiliency Goal
MPLS Security Features Core Network Security Service Edge Security Network Inter-Connect Security
Security Focus Feature Areas MPLS Core MPLSServiceEdge MPLSNetworkInter-Connect Feature Portfolio • MPLS VPN traffic separation • Network Topology hiding • MPLS control plane protection • MPLS traffic forwarding • MPLS packet TTL hiding • Control plane session authentication • VPN address space separation and route control • PE-CE link control plane access • Control plane policing • VPN route control • BGP session prefix filtering and control • Control plane session authentication • MPLS VPN traffic separation • ASBR link control plane protection • Control plane policing • VPN route control • Control plane session authentication
PE Router PE Router P Router P Router LDP Session iBGP Session MPLS Security – Core Network MPLS Core Network Security BGPRoute Reflector MPLS Core Network
Infrastructure Access-Lists (ACLs) • Example: • deny ip any 1.1.1.0 0.0.0.255 • permit ip any any • Caution: This also blocks packets to the CE’s! • Alternatives: List all PE interfaces in ACL or use secondary interface on CE CE PE PE CE 1.1.1.0/30 1.1.1.8/30 .2 .1 .1 .2 VPN VPN CE PE PE CE 1.1.1.4/30 1.1.1.12/30 .2 .1 .1 .2 VPN VPN This Is VPN Address Space, Not Core!
Best Practices – MPLS Core Security • Dedicated management access to P and PE routers • Out-of-band or in-band • Use AAA for device access • Logging device configuration changes • Limited access to logging facility • Use command authorization where possible • Keep logs in a secure place • Malicious employee might change logs too • Use access-control list on PE routers for blocking any potential external traffic • Option of use MD5 authentication for LDP • May be required as part of security conformance policies
PE Router PE Router CE Router P Router P Router LDP Session iBGP Session eBGP Session MPLS Security – Service Edge MPLS Service Edge Security BGPRoute Reflector MPLS Edge Network Customer Edge Network MPLS Core Network
VPN routing table (VRF) Maximum of 500 VPN prefixes Send warning message when 80% (400) threshold is reached Controlling VPN Route Maximum Potential Security Vulnerability: • Injection of too many routes into VPN table (VRF) • Potential memory overflow • Potential (control plane) DoS attack Protection Mechanism: • Specify maximum number of VPN routes forVPN route table (VRF) ip vrf vpn01 maximum routes 500 80
Remote BGP neighbor Accept maximum of BGP 500 prefixes, if more reset BGP session Restart BGP session after 2 minutes Send warning message when 80% (400) threshold is reached Controlling BGP Prefix Maximum Potential Security Vulnerability: • Injection of too many BGP prefix updates • Potential memory overflow • Potential (control plane) DoS attack Protection Mechanism: • Specify maximum number of BGP prefix fora specific BGP neighbor session router bgp 10 neighbor 140.0.250.2 maximum-prefix 500 80 restart 2
MPLS VPN Configuration Reduce potential MPLS VPN configuration errors via automation of service configuration and validation on PE routers
Best Practices – MPLS Edge Security • Access-list configuration of PE routers • Disable external traffic destined to MPLS core or edge nodes • Control plane traffic filtering on PE routers • Control Plane Policing (CoPP) • Disable selective control plane protocols on VRF-enabled interfaces • E.g., disable SNMP, CDP access for CE routers • Configuration of max allowable VRF routes • Configuration of max number of BGP prefix updates per eBPG peer • In case dynamic routing is configured across PE-CE link option to use MD5-based BGP session authentication • May be required as part of security conformance policies
PE Router ASBR Router ASBR Router P Router P Router LDP Session iBGP Session eBGP Session MPLS Security – Network Inter-Connect MPLS Network Connect Security BGPRoute Reflector MPLS Edge Network External MPLS Network MPLS Core Network
Wrap-up IETF References Conclusions
IETF • IETF L3VPN Working Group: • Working on Layer 3 VPN architectures, such as MPLS IP VPNs, IP VPNs using virtual routers, and IPsec VPNs • http://www.ietf.org/html.charters/l3vpn-charter.html • IETF L2VPN Working Group: • Working on Layer 2 VPN architectures, such as VPLS and VPWS • http://www.ietf.org/html.charters/l2vpn-charter.html • RFC4381 • Analysis of MPLS VPN Security • RFC2196 • Site Security Handbook • RFC2385 • Protection of BGP Sessions via the TCP MD5 Signature Option • RFC3013 • Recommended Internet Service Provider Security Services and Procedures
Conclusions • MPLS security covers protection mechanisms for MPLS forwarding and signaling • MPLS security requires holistic approach including network design, implementation, and operation • Level of MPLS network deployment complexity determines perceived network security risks • Growing importance of MPLS security as a result of network and service convergence