
MPLS over L2TPv3 for support of RFC 2547-based BGP/MPLS IP VPNs






Presentation Transcript


  1. MPLS over L2TPv3 for support of RFC 2547-based BGP/MPLS IP VPNs

  2. MPLS over L2TPv3 w/BGP L3VPNs (encapsulation diagram; the stack, outermost first: Tunnel IP header, L2TPv3 header, MPLS VPN Label, VPN IP packet)

  3. MPLS over L2TPv3 w/BGP L3VPNs
  • L2TPv3 has its own native operation for L2VPNs, defined in draft-ietf-l2tpext-l2tp-base-11.txt
  • For BGP-based L3VPNs, the same L2TPv3 encapsulation may be leveraged for operation over IP networks
  • A single p2mp L2TPv3 session at each PE is used, i.e., one Session ID/Cookie pair per PE
  • Tunnels could be manually configured; however, mechanisms such as those defined below allow dynamic tunnel establishment based on the capabilities of the PE (these apply to IP, GRE and IPsec tunnels as well):
    • draft-nalawade-kapoor-tunnel-safi-01.txt, or
    • draft-raggarwa-ppvpn-tunnel-encap-sig-01.txt

  4. VPN Label Spoofing Attacks (MPLS vs. IP Core)
  (Figure: a VPN CE attached to a PE at the edge of an MPLS core of PE routers; spoofed MPLS over GRE or IP packets reach a PE from outside the core.)
  • draft-ietf-l3vpn-gre-ip-2547-00.txt
  • draft-ietf-l3vpn-ipsec-2547-03.txt
  • If MPLS over GRE or IP is enabled on any PE router, a potential packet insertion vulnerability is created: whoever can deliver an IP packet to the PE's tunnel endpoint address chooses the VPN label, and nothing else in the encapsulation ties the packet to a legitimate peer PE. Closing this requires management of L3 ACLs at all boundary routers.
  • Managing L3 filter lists at all boundary routers can be management-intensive, and their use at all border routers can affect the performance seen by all traffic entering the SP's network.
  • IPsec may be used to authenticate packets arriving at the PE, but may also be difficult to manage and deploy.

  5. Blind Label Spoofing Attacks with MPLS over L2TPv3
  • Hacker profile:
    • Wishes to insert rogue packets into a customer VPN by sending spoofed packets to a PE
    • Can get spoofed packets past boundary ACLs and reach a VPN PE
    • Cannot intercept, analyze and correlate core (PE-to-PE) traffic for use in a coordinated attack
  • The L2TPv3 Cookie provides ample protection against this type of hacker by introducing 64 bits of unstructured data, unknown to the hacker, that must match on every packet received at the PE. This holds only for the blind attacker profiled above: an attacker who can observe PE-to-PE traffic reads the cookie off the wire, and that case is outside this threat model.
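The following is an added example, not code from the presentation or from any router implementation. It models the data plane of slides 2, 4 and 5 in Python: a PE decapsulating MPLS over L2TPv3 (Session ID, 64-bit Cookie, MPLS label stack, VPN IP packet, the layout of the L2TPv3-over-IP data header in RFC 3931 with a 64-bit cookie, later specified for MPLS in RFC 4817) next to the same PE decapsulating MPLS over IP (label stack directly after the outer IP header, no cookie), and the blind attacker of slide 5 who has reached the PE and guessed a VPN label but cannot know the cookie. The Session ID, cookie, label value, VRF name and the inner "VPN IP packet" bytes are constructed for the demo; outer IP headers are omitted.

```python
"""
Toy MPLS-over-L2TPv3 vs. MPLS-over-IP decapsulation at a PE, and the
blind label-spoofing attack from the slides.  Added example, not from the
presentation.

Bytes following the outer IP header (IP protocol 115 for L2TPv3 over IP):

    Session ID (4) | Cookie (8) | MPLS label stack entry (4) | VPN IP packet

MPLS over IP (RFC 4023) carries no Session ID/Cookie: the label stack
follows the outer IP header directly.
"""
import hmac
import os
import struct


def mpls_lse(label, exp=0, bos=1, ttl=64):
    """Encode one MPLS label stack entry: 20-bit label, 3-bit EXP, 1-bit S, 8-bit TTL."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label out of range")
    return struct.pack("!I", (label << 12) | (exp << 9) | (bos << 8) | ttl)


def parse_mpls_lse(data):
    """Return (label, exp, bos, ttl) from the first 4 bytes of data."""
    (word,) = struct.unpack("!I", data[:4])
    return word >> 12, (word >> 9) & 0x7, (word >> 8) & 0x1, word & 0xFF


class PE:
    """A PE with a single p2mp L2TPv3 session: one Session ID / Cookie pair (slide 3)."""

    COOKIE_LEN = 8  # 64-bit cookie

    def __init__(self, session_id, cookie, vpn_labels):
        if len(cookie) != self.COOKIE_LEN:
            raise ValueError("cookie must be 64 bits")
        self.session_id = session_id
        self.cookie = cookie
        self.vpn_labels = dict(vpn_labels)  # VPN label -> VRF it belongs to

    @classmethod
    def with_random_cookie(cls, session_id, vpn_labels):
        """What a real PE does: draw the cookie from a CSPRNG, never a counter."""
        return cls(session_id, os.urandom(cls.COOKIE_LEN), vpn_labels)

    def encap_l2tpv3(self, label, vpn_ip):
        """What a legitimate peer PE, which learned our Session ID/Cookie, sends us."""
        return struct.pack("!I", self.session_id) + self.cookie + mpls_lse(label) + vpn_ip

    def receive_l2tpv3(self, pkt):
        """Decapsulate MPLS over L2TPv3; returns ('deliver', vrf) or ('drop', reason)."""
        if len(pkt) < 4 + self.COOKIE_LEN + 4:
            return ("drop", "short")
        (sid,) = struct.unpack("!I", pkt[:4])
        if sid != self.session_id:
            return ("drop", "unknown session")
        cookie = pkt[4:4 + self.COOKIE_LEN]
        # Constant-time compare: an early-exit byte compare would leak cookie bytes
        # to an attacker who can time responses.
        if not hmac.compare_digest(cookie, self.cookie):
            return ("drop", "cookie mismatch")
        return self._forward_by_label(pkt[4 + self.COOKIE_LEN:])

    def receive_mpls_in_ip(self, pkt):
        """Decapsulate MPLS over IP/GRE: the VPN label alone selects the VRF (slide 4)."""
        if len(pkt) < 4:
            return ("drop", "short")
        return self._forward_by_label(pkt)

    def _forward_by_label(self, data):
        label, _exp, bos, _ttl = parse_mpls_lse(data)
        if bos != 1:
            return ("drop", "unexpected label stack depth")
        vrf = self.vpn_labels.get(label)
        if vrf is None:
            return ("drop", "unknown VPN label")
        return ("deliver", vrf)


def blind_spoof(session_id, label, vpn_ip, cookie_guess=None):
    """Slide 5 attacker: reaches the PE and guesses a label, but must guess the cookie."""
    if cookie_guess is None:
        cookie_guess = os.urandom(PE.COOKIE_LEN)  # 1 in 2**64 chance per packet
    return struct.pack("!I", session_id) + cookie_guess + mpls_lse(label) + vpn_ip


def demo():
    """Legitimate L2TPv3 packet, blind spoof against L2TPv3, blind spoof against MPLS-in-IP."""
    vpn_ip = b"\x45" + bytes(19)  # constructed stand-in for a VPN IPv4 packet
    # constructed Session ID / cookie / label; a real PE draws the cookie with os.urandom
    pe = PE(0x1A2B3C4D, bytes.fromhex("0123456789abcdef"), {100016: "CUST-A"})
    legit = pe.receive_l2tpv3(pe.encap_l2tpv3(100016, vpn_ip))
    spoof = pe.receive_l2tpv3(blind_spoof(pe.session_id, 100016, vpn_ip, cookie_guess=bytes(8)))
    spoof_over_ip = pe.receive_mpls_in_ip(mpls_lse(100016) + vpn_ip)
    return legit, spoof, spoof_over_ip


if __name__ == "__main__":
    print(demo())
```

The third result is the point of slide 4: with MPLS over IP the attacker's packet is indistinguishable from a peer PE's once it reaches the tunnel endpoint, so only boundary ACLs stand between it and the VRF. With L2TPv3 the same packet fails the cookie check, and a blind attacker sweeping the 20-bit label space still has 2**64 cookie values to cover per label.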

  6. Next Steps for this WG?
  • draft-ietf-l3vpn-ipsec-2547-03.txt and draft-ietf-l3vpn-gre-ip-2547-00.txt describe RFC 2547-based L3VPNs over IP networks using different types of tunnels.
  • MPLS over L2TPv3 for support of RFC 2547-based L3VPNs is another tunnel option that falls squarely within the same scope as the above methods, with its own implementation and security tradeoffs.
  • Create draft-ietf-l3vpn-l2tpv3-2547-00.txt in similar form to the above drafts and in line with the L3VPN Charter (i.e., protocol specifications defined elsewhere, with the functional requirements here).

  7. End
