04_MPLS_Security_MCWG_v02


Transcript of 04_MPLS_Security_MCWG_v02

MPLS Security
5th Annual MCWG Forum, October 16-20, 2006
Tuesday, October 17, 2006

Harmen van der Linde
Product Manager, MPLS
Cisco - NSSTG
[email protected]

Contributions by: Michael Behringer, Monique Morrow

2005 Cisco Systems, Inc. All rights reserved.

Topics
- Multi-Protocol Label Switching (MPLS)
- MPLS Security Overview
- Framework
- Risks and Deployment
- Feature Set
- Conclusions

Multi-Protocol Label Switching
- Technology Overview
- Network Architecture
- MPLS Security

Packet Network Evolution

1995 - 1996
  Technology evolution: IP over ATM challenge; IP + ATM integration; cell switching routers; IP/Tag Switching; IETF efforts
  Service evolution: traditional ATM/FR; Internet access; remote access VPNs

1996 - 2002
  Technology evolution: MPLS innovation and deployment; Traffic Engineering; MPLS VPNs; Fast Reroute; Any Transport over MPLS (AToM)
  Service evolution: MPLS VPN services with full-mesh and hub-and-spoke connectivity; QoS offerings with 2 to 5 classes

2002 and beyond
  Technology evolution: widespread MPLS deployments; Multi-Service Edge; MPLS High Availability with SSO/NSF/FRR; MPLS + IPsec; MPLS VPN and multicast
  Service evolution: network convergence; many services on a converged MPLS core network; triple-play service convergence

Multi-Protocol Label Switching (MPLS)
- Established network infrastructure technology: service provider networks and large enterprise networks
- Two functional layers in the MPLS architecture: control plane and forwarding plane
- MPLS control plane: distributes labels and establishes label switched paths; multiple control protocols: LDP, BGP, and RSVP-TE
- MPLS forwarding plane: used for MPLS labeled data packet forwarding
- MPLS applications: Layer-3 VPNs, Layer-2 VPNs, Traffic Engineering (TE)

MPLS Network Architecture
1. At the ingress edge (PE): label imposition: classify and label packets
2. In the core (P): label swapping or switching: forward using labels (not the IP address); the label indicates service class and destination
3. At the egress edge (PE): label disposition: remove labels and forward packets

Figure: Customer A and Customer B sites connect to Provider Edge (PE) routers. A PE is an edge label switch router (a router, or an ATM switch/router); the P (Provider) routers in the core are Label Switch Routers (LSRs), either routers or ATM switches with a label switch controller.

MPLS Security within the MPLS Area (figure)
- Core MPLS: MPLS forwarding (data plane) and MPLS signaling (control plane)
- MPLS applications built on the core: Layer-3 VPNs, Layer-2 VPNs, Traffic Engineering
- Cross-cutting functions: MPLS High Availability, MPLS Management, MPLS Security

MPLS Security Overview
- Overview and Scope
- Cisco IP NGN
- Market Drivers and Positioning

MPLS Security
- Protection mechanisms for MPLS-specific network resources: protection of MPLS forwarding and signaling
- MPLS security protection areas: MPLS node access and resiliency; integrity and privacy of MPLS VPN service traffic
- Focus areas in the MPLS network infrastructure: MPLS core (label between PE pairs), MPLS service edge (PE-CE link), MPLS network interconnect (Inter-AS/SP)
- Incremental value-add and integral part of a scalable and robust MPLS technology solution

Scope
- Focus on security capabilities for MPLS-specific network resources: protection of MPLS forwarding and signaling
- Incremental security functionality on top of existing MPLS functions; use of existing device and IP-level security capabilities (CLI passwords, TACACS, ACLs, firewalls, etc.) is assumed for a basic level of security
- Leverage existing security capabilities of lower-layer protocols where possible: instead of replicating functionality, focus on integrating MPLS with existing security capabilities, for example LDP use of TCP MD5 authentication
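The reuse of TCP MD5 authentication by LDP (and by BGP, referenced later in the deck as RFC 2385) is worth seeing at the byte level, because it shows what the signature does and does not cover. The following is an added example, not code from the deck or from Cisco: it computes and verifies the RFC 2385 signature option over a constructed TCP segment. The addresses, ports, sequence numbers, payload and key are sample values, and the function names are this example's own.

```python
"""RFC 2385 TCP MD5 signature option, computed and checked in Python.

Added illustration, not code from the Cisco deck. The digest covers, in order:
the TCP pseudo-header (source address, destination address, zero, protocol 6,
segment length), the fixed TCP header with the checksum field zeroed and
options excluded, the segment data, and the shared key. Addresses, ports,
sequence numbers, the payload and the key used below are constructed samples.
"""
import hashlib
import hmac
import ipaddress
import struct

TCP_PROTOCOL = 6
TCP_FIXED_HEADER_LEN = 20
MD5_OPTION_KIND = 19        # TCP option kind for the MD5 signature (RFC 2385)
MD5_OPTION_LEN = 18         # kind (1) + length (1) + digest (16)
NOP = b"\x01"               # two NOPs pad the option to a 4-byte boundary


def tcp_header(src_port, dst_port, seq, ack, flags, window):
    """Fixed 20-byte TCP header (data offset 5 words, checksum and urgent pointer 0)."""
    offset_and_flags = (5 << 12) | (flags & 0x1FF)
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       offset_and_flags, window, 0, 0)


def tcp_md5_digest(src_ip, dst_ip, header, options_len, data, key):
    """RFC 2385 digest for one segment. options_len is the size of the options
    area in the real segment; it only feeds the pseudo-header segment length."""
    fixed = bytearray(header[:TCP_FIXED_HEADER_LEN])
    fixed[16:18] = b"\x00\x00"                         # checksum assumed zero
    segment_len = TCP_FIXED_HEADER_LEN + options_len + len(data)
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, TCP_PROTOCOL, segment_len))
    h = hashlib.md5()
    for part in (pseudo, bytes(fixed), data, key):
        h.update(part)
    return h.digest()


def sign_segment(src_ip, dst_ip, header, data, key):
    """Sender side: return the options area (MD5 option + 2 NOP pad) for the segment."""
    options_len = MD5_OPTION_LEN + 2
    digest = tcp_md5_digest(src_ip, dst_ip, header, options_len, data, key)
    return bytes([MD5_OPTION_KIND, MD5_OPTION_LEN]) + digest + NOP + NOP


def extract_md5_option(options):
    """Walk the TCP options area and return the 16-byte digest, or None if absent."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                       # end of option list
            return None
        if kind == 1:                       # NOP is a single byte
            i += 1
            continue
        if i + 1 >= len(options):           # truncated option
            return None
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return None
        if kind == MD5_OPTION_KIND and length == MD5_OPTION_LEN:
            return bytes(options[i + 2:i + length])
        i += length
    return None


def verify_segment(src_ip, dst_ip, header, options, data, key):
    """Receiver side: True only if the segment carries a digest matching our key.
    Segments without the option are rejected, as RFC 2385 requires on protected sessions."""
    received = extract_md5_option(options)
    if received is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, header, len(options), data, key)
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    hdr = tcp_header(179, 52000, seq=1000, ack=2000, flags=0x018, window=65535)
    payload = b"constructed BGP payload"
    opts = sign_segment("10.0.0.1", "10.0.0.2", hdr, payload, b"s3cret")
    print("digest:", extract_md5_option(opts).hex())
    print("valid:", verify_segment("10.0.0.1", "10.0.0.2", hdr, opts, payload, b"s3cret"))
```

Because the source and destination addresses and the payload are inside the digest, a segment replayed from a different address or with altered contents fails verification, which is the property that protects LDP and BGP sessions against spoofed TCP segments; the key itself never appears on the wire, and the option is ignored by a peer that has no key configured, so the check must be enforced on both ends of a session.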


Cisco IP NGN Secure Network Layer (figure)
- Application layer: Gaming, Data Center, Presence-based Telephony, Web Services, Mobile Apps, IP Contact Center
- Service layer: Service Exchange (open framework): Self, Identity, Policy, Billing, Mobility; MPLS Service
- Network layer: Customer Element, Access/Aggregation, Intelligent Edge, Multiservice Core, Transport (intelligent networking); MPLS Network Service
- Operational layer
- MPLS Security spans the MPLS core, edge and inter-connect, enabling triple play on the move (data, voice, video, mobility)

MPLS Security Evolution

1996 - 2002: Initial MPLS deployments
  Challenges: service provider MPLS technology adoption; code features and stability
  Security focus: MPLS as a secure technology replacement for legacy Layer-2 technologies (FR/ATM)

2002 - 2005: Large and widespread MPLS deployments
  Challenges: MPLS scale and enhanced features; enterprise MPLS technology adoption; manageability and operations
  Security focus: Inter-AS MPLS network connects; new RFP compliance requirements; enterprise network security

2005 and beyond: Next-generation MPLS deployments
  Challenges: complexity of new enhanced services (extranets, multicast); MPLS network convergence; MPLS network inter-connects
  Security focus: increasing service configuration complexity; new security requirements for support of converged triple-play services

MPLS Security Drivers

Service Provider segment
  Customers: Tier-1 (global), Tier-2 (national)
  Drivers: regulations driving new network security requirements; network convergence and network interconnect
  Examples: US Homeland Security; triple play and public/private services convergence; Inter-AS/SP network inter-connect

Enterprise segment
  Customers: financials, education/research, other
  Drivers: regulatory compliance; extranet security; MPLS technology value-add
  Examples: Sarbanes-Oxley Act; extranet partner connectivity; financial application access; secure campus connectivity; network convergence

Government segment
  Customers: government agencies and institutions
  Drivers: regulatory compliance; extranet security; user traffic segmentation

Concerns and Goals

Service Provider market segment
  Concerns: unauthorized customer VPN access; public Internet traffic access to, or impact on, private MPLS VPNs
  Goals: customer VPN traffic separation; public Internet and private VPN traffic separation

Enterprise market segment
  Concerns: unauthorized access to internal user VPNs; public Internet traffic access to, or impact on, private LAN traffic
  Goals: user group VPN traffic separation; WAN and extranet VPN traffic separation and privacy

Federal market segment
  Concerns: unauthorized access to internal user VPNs; WAN/public Internet traffic access to, or impact on, private LAN traffic
  Goals: user group VPN traffic separation; WAN and VPN traffic separation and privacy

MPLS Security Framework
- Service Provider View
- Enterprise View
- Threat Model

Threat Model

Security threat: malicious user behavior
  Denial of Service (DoS) attacks: MPLS network resources become unavailable to authorized users
  Intrusion attacks: MPLS network resources become available to unauthorized users

Security threat: unintended human error and mis-configuration
  MPLS device misconfiguration: MPLS network resources become available to unauthorized users

MPLS Security Framework (figure)
- Trusted zone: the MPLS network; external networks attach through an external network interface on either side
- Control plane: MPLS core signaling (LDP, RSVP, and BGP); MPLS edge signaling towards the external networks (BGP, LDP, RIP, OSPF)
- Forwarding plane: MPLS packet forwarding in the core; IP or MPLS packet forwarding on the external network interfaces

MPLS Security: Service Provider View (figure)
Trusted zone: the MPLS network, with an external service interface towards customer networks and an external network connect interface towards peer SP networks.
- MPLS Edge Security: security for the VPN service interface; focus on control plane access and resources on the PE router
- MPLS Core Security: security for end-to-end (PE-PE) MPLS traffic integrity; focus on MPLS packet forwarding
- MPLS Inter-AS Security: security for the network interconnect interface; focus on data/control plane access on the ASBR

MPLS Security: Enterprise View (figure)
Trusted zone: the enterprise MPLS network, with an extranet service interface towards extranet customer networks and an external WAN interface towards the SP MPLS network.
- Extranet Edge Security: security of the extranet VPN interface; focus on data/control plane access across the interface with the partner
- MPLS Core Security: security for end-to-end (PE-PE) MPLS traffic integrity; focus on MPLS traffic segmentation
- WAN Edge Security: security of the WAN interface with the SP; focus on data/control plane access across the PE-CE link with the SP

Security Threats (figure: CE - PE - P - ASBR | ASBR - P - PE - CE)

MPLS Service Edge (PE router)
  Malicious user behavior: control plane DoS attacks; unauthorized control plane access (e.g., SNMP, CDP)
  Unintended human error and misconfiguration: unintended VPN route leakage due to VRF mis-configuration; PE router access due to incorrect/missing access configuration

MPLS Core (P routers)
  Malicious user behavior: control plane DoS attacks (e.g., LDP)
  Unintended human error and misconfiguration: unintended P router access due to incorrect ACL configuration

MPLS Inter-AS Edge (ASBR)
  Malicious user behavior: unauthorized VPN/IGP access via label spoofing; control plane DoS attack
  Unintended human error and misconfiguration: unintended VPN route leakage due to incorrect VPN route distribution; ASBR router access due to incorrect/missing access configuration

MPLS Security Risks and Deployment
- Security Risk
- MPLS Deployment Scenarios
- Network Complexity versus Capital Costs

MPLS Security and Risks
- MPLS security is associated with MPLS deployment and its risks: the risk of an MPLS design or configuration error
- MPLS deployment components: network design, implementation, and operation
- Basic risk components: a security vulnerability event, the probability of the event, and the impact of the event
- MPLS security is focused on mitigating potential security vulnerability events: minimizing the probability and the associated impact of potential events

MPLS Deployment Framework
- Network design: identify and analyze potential security vulnerabilities in the MPLS network infrastructure; identify the MPLS security capabilities that need to be implemented; design and specify device command parameters
- Network implementation: set up and configure security policies and commands in the MPLS network
- Network operation: monitor and analyze network anomalies that could indicate a security attack

MPLS Deployment Risk
- The complexity level of an MPLS network deployment determines the perceived security risks: more complexity requires more detailed design and associated network implementation and operation, and increases the possibility of design and configuration errors
- Factors influencing MPLS deployment complexity: network architecture (e.g., physical vs. logical separation); networking services run on top of the MPLS network
- Types of networking services: public IP services (Internet); private (VPN) connectivity services

Public and Private Connectivity Services

Public IP connectivity services
  Service characteristics: access to the Internet; connectivity to anybody anywhere on the Internet; best-effort traffic
  Business focus: ubiquitous IP connectivity; general public access to web sites, email, etc.
  Examples: at&t: Managed Internet Service (MIS); Sprint Nextel: Internet Access; Verizon Business: Dedicated Internet Access

Private IP VPN connectivity services
  Service characteristics: connectivity to a selective set of end-nodes connected to the same VPN; QoS support
  Business focus: secure and reliable connectivity; Service Level Agreements (SLAs)
  Examples: at&t: IPeFR, eVPN; Masergy: Private IP; Sprint Nextel: MPLS VPN; Verizon Business: Private IP

MPLS Deployment Scenarios

Shared MPLS core and edge (public/private PE)
  MPLS core network: single MPLS core for both public IP and private VPN traffic; optional BGP/Internet-free core
  MPLS edge network: PE routers terminate both public IP and private VPN connections

Shared MPLS core and separate edge (public PE, private PE)
  MPLS core network: single MPLS core for both public IP and private VPN traffic; optional BGP/Internet-free core
  MPLS edge network: dedicated PE routers used for termination of public IP and private VPN connections

Separate MPLS core and edge (public PE, private PE)
  MPLS core network: separate MPLS cores for public IP and private VPN traffic; optional BGP/Internet-free core
  MPLS edge network: dedicated PE routers used for termination of public IP and private VPN connections

Current MPLS Deployments
Internal survey of key SP customers on the deployment of public and private MPLS services:
- Separate MPLS core and edge: 31%
- Shared MPLS core and separate edge: 38%
- Shared MPLS core and edge: 31%
No common MPLS deployment preference; balanced distribution across the various MPLS deployment scenarios.
Source: Internal 2006 MPLS Security Survey by Michael Behringer.

Future MPLS Deployment Plans
Future MPLS deployment plans indicate increasing network consolidation, with an increasing number of shared MPLS core deployments:
- Separate MPLS core and edge: 19%
- Shared MPLS core and separate edge: 31%
- Shared MPLS core and edge: 50%
Common MPLS core for public and private services; migration of both public and private services onto a single MPLS edge.
Source: Internal 2006 MPLS Security Survey by Michael Behringer.

Network Complexity versus Capital Costs (figure)
The figure plots the three deployment scenarios against network complexity (risk) and capital costs, from logical separation (shared MPLS core and edge, public/private PE) through shared MPLS core and separate edge (public PE, private PE) to physical separation (separate MPLS core and edge, public PE, private PE).
- MPLS security mechanisms enable secure logical separation of MPLS traffic forwarding and signaling; simplifications for implementing MPLS security mechanisms reduce MPLS deployment risks
- Goal: lower-cost MPLS deployments with reduced complexity and increased resiliency

MPLS Security Features
- Core Network Security
- Service Edge Security
- Network Inter-Connect Security

Feature Portfolio

MPLS Core
  Security focus: MPLS VPN traffic separation; network topology hiding; MPLS control plane protection
  Feature areas: MPLS traffic forwarding; MPLS packet TTL hiding; control plane session authentication

MPLS Service Edge
  Security focus: VPN address space separation and route control; PE-CE link control plane access
  Feature areas: control plane policing; VPN route control; BGP session prefix filtering and control; control plane session authentication

MPLS Network Inter-Connect
  Security focus: MPLS VPN traffic separation; ASBR link control plane protection
  Feature areas: control plane policing; VPN route control; control plane session authentication

MPLS Security: Core Network

Requirement: VPN traffic separation
  Available feature capabilities: MPLS labeled packet forwarding using different FECs, LSPs, and label imposition/disposition
  Comments: native MPLS capability

Requirement: MPLS control plane protection (access control)
  Available feature capabilities: selective enablement of BGP/LDP on core interfaces; selective IGP route assignment/distribution
  Comments: ACL route filtering in the edge network assumed

Requirement: MPLS control plane authentication
  Available feature capabilities: MD5 authentication of LDP sessions; MD5 authentication of iBGP sessions
  Comments: -

MPLS Core Network Security (figure): PE routers and P routers in the MPLS core network, with LDP sessions between adjacent routers and iBGP sessions between the PE routers and a BGP route reflector.

Infrastructure Access-Lists (ACLs)

Figure: four PE-CE links, each a /30 inside 1.1.1.0/24, terminated on VPN PE routers (addresses as drawn):
  1.1.1.0/30:  CE 1.1.1.2,  PE 1.1.1.1
  1.1.1.4/30:  CE 1.1.1.6,  PE 1.1.1.5
  1.1.1.8/30:  CE 1.1.1.9,  PE 1.1.1.10
  1.1.1.12/30: CE 1.1.1.13, PE 1.1.1.14

Example:
  deny ip any 1.1.1.0 0.0.0.255
  permit ip any any

This is VPN address space, not core!

Caution: this also blocks packets to the CEs! Alternatives: list all PE interfaces in the ACL, or use a secondary interface on the CE.
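The caution on this slide is easy to reproduce and easy to get wrong in a larger address plan, so here is an added example, not configuration from the deck or from Cisco, that builds both the slide's block-wide ACL and the "list all PE interfaces" alternative for the four links in the figure, renders them in IOS-style syntax, and evaluates which CE addresses each variant cuts off. The PE and CE placement per link is read from the figure; the function names and the first-match evaluator are this example's own.

```python
"""Infrastructure ACL planning for the PE-CE links drawn on the slide.

Added example, not configuration from the Cisco deck. The slide's ACL
'deny ip any 1.1.1.0 0.0.0.255' covers the whole 1.1.1.0/24 PE-CE block, so it
blocks traffic to the CE side of every link as well. This script builds the
alternative the slide names (one entry per PE interface address), renders both
variants in IOS-style syntax, and evaluates which destinations each blocks.
"""
from ipaddress import IPv4Address, IPv4Network
from typing import List, Tuple

# (link subnet, PE address, CE address) as drawn on the slide
PE_CE_LINKS = [
    (IPv4Network("1.1.1.0/30"), IPv4Address("1.1.1.1"), IPv4Address("1.1.1.2")),
    (IPv4Network("1.1.1.4/30"), IPv4Address("1.1.1.5"), IPv4Address("1.1.1.6")),
    (IPv4Network("1.1.1.8/30"), IPv4Address("1.1.1.10"), IPv4Address("1.1.1.9")),
    (IPv4Network("1.1.1.12/30"), IPv4Address("1.1.1.14"), IPv4Address("1.1.1.13")),
]

Acl = List[Tuple[str, IPv4Network]]   # ordered (action, destination) entries


def block_acl(block: str) -> Acl:
    """The slide's variant: deny the whole PE-CE address block, then permit any."""
    return [("deny", IPv4Network(block)), ("permit", IPv4Network("0.0.0.0/0"))]


def pe_interface_acl(links) -> Acl:
    """The alternative: one host entry per PE interface address, then permit any."""
    entries = [("deny", IPv4Network(f"{pe}/32")) for _, pe, _ in links]
    return entries + [("permit", IPv4Network("0.0.0.0/0"))]


def render(acl: Acl) -> List[str]:
    """IOS-style lines: 'any' for 0.0.0.0/0, 'host' for /32, else address + wildcard mask."""
    lines = []
    for action, net in acl:
        if net.prefixlen == 0:
            lines.append(f"{action} ip any any")
        elif net.prefixlen == 32:
            lines.append(f"{action} ip any host {net.network_address}")
        else:
            lines.append(f"{action} ip any {net.network_address} {net.hostmask}")
    return lines


def evaluate(acl: Acl, dst: str) -> str:
    """First-match evaluation, with the implicit deny that ends every IOS ACL."""
    addr = IPv4Address(dst)
    for action, net in acl:
        if addr in net:
            return action
    return "deny"


def blocked_ces(acl: Acl, links) -> List[str]:
    """CE addresses that the ACL would cut off from external traffic."""
    return [str(ce) for _, _, ce in links if evaluate(acl, str(ce)) == "deny"]


if __name__ == "__main__":
    for name, acl in (("block-wide", block_acl("1.1.1.0/24")),
                      ("per-PE", pe_interface_acl(PE_CE_LINKS))):
        print(name, "->", "; ".join(render(acl)))
        print("  CEs blocked:", blocked_ces(acl, PE_CE_LINKS) or "none")
```

The per-PE variant keeps the CE addresses reachable while still denying external traffic to the PE side of each link; the cost is that the ACL must be regenerated whenever a PE-CE link is added, which is exactly the kind of configuration step the deck's later slides suggest automating.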

Best Practices: MPLS Core Security
- Dedicated management access to P and PE routers (out-of-band or in-band)
- Use AAA for device access; log device configuration changes; limit access to the logging facility
- Use command authorization where possible
- Keep logs in a secure place; a malicious employee might change logs too
- Use access-control lists on PE routers to block any potential external traffic
- Option to use MD5 authentication for LDP; may be required as part of security conformance policies

MPLS Security: Service Edge

Requirement: PE-CE link control plane protection (access control)
  Available feature capabilities: selective control plane prefix filtering; Control Plane Policing (CoPP)
  Comments: ACL protocol port filtering on the PE router assumed

Requirement: VPN route access control and address space separation
  Available feature capabilities: VPN address space separation via VRFs; BGP max-prefix limit (per eBGP session); VRF max route (per VRF)
  Comments: VRF ~ customer RIB; filtering control of BGP RIB and VPN route updates

Requirement: PE-CE link control plane authentication
  Available feature capabilities: MD5 authentication of eBGP sessions
  Comments: -

MPLS Service Edge Security (figure): the MPLS core network (P routers, BGP route reflector) and the MPLS edge network (PE routers) connect to the customer edge network (CE router); LDP and iBGP sessions run inside the provider network, and an eBGP session runs between PE and CE.

Controlling VPN Route Maximum

Potential security vulnerability: injection of too many routes into a VPN table (VRF)
- Potential memory overflow
- Potential (control plane) DoS attack

Protection mechanism: specify the maximum number of VPN routes for a VPN routing table (VRF). In the figure, VRF vpn01 holds a maximum of 500 VPN prefixes:

  ip vrf vpn01
   maximum routes 500 80

A warning message is sent when the 80% (400) threshold is reached.

Controlling BGP Prefix Maximum

Potential security vulnerability: injection of too many BGP prefix updates
- Potential memory overflow
- Potential (control plane) DoS attack

Protection mechanism: specify the maximum number of BGP prefixes accepted for a specific BGP neighbor session. In the figure, at most 500 prefixes are accepted from the remote BGP neighbor; if more are received the BGP session is reset, and it is restarted after 2 minutes:

  router bgp 10
   neighbor 140.0.250.2 maximum-prefix 500 80 restart 2

A warning message is sent when the 80% (400) threshold is reached.
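The two preceding slides configure the same kind of guard at different points: a route maximum on a VRF and a prefix maximum on a BGP neighbor session. The following added example, not IOS code and not from the deck, models the behaviour the slides describe (warning at 80%, hard stop at 500, and for the BGP case a session reset with restart after 2 minutes) so the thresholds can be reasoned about before they are committed to a router. That the VRF simply refuses routes beyond its limit is this example's assumption; time is simulated in minutes and the prefixes are constructed.

```python
"""Model of the two route-count guards on the slides: 'maximum routes 500 80'
on a VRF and 'neighbor ... maximum-prefix 500 80 restart 2' on a BGP session.

Added example, not IOS code. A warning event fires when the count reaches the
warning percentage (400 of 500); at the hard limit the guard either refuses
further routes (VRF case, assumed here) or resets the session and restarts it
after the configured number of minutes (BGP case). Time is simulated.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class RouteLimit:
    maximum: int                 # hard limit on installed routes/prefixes
    warn_percent: int            # warning threshold as a percentage of maximum
    restart_minutes: Optional[int] = None   # None: reject excess (VRF); int: reset + restart (BGP)
    count: int = 0
    down_until: Optional[float] = None      # simulated minute at which a reset session may come back
    events: List[str] = field(default_factory=list)

    @property
    def warn_threshold(self) -> int:
        return self.maximum * self.warn_percent // 100

    def receive(self, prefix: str, now: float = 0.0) -> bool:
        """Account for one received prefix at simulated time `now`; True if it was installed."""
        if self.down_until is not None:
            if now < self.down_until:
                self.events.append(f"t={now}: {prefix} ignored, session down until t={self.down_until}")
                return False
            self.events.append(f"t={now}: session restarted after {self.restart_minutes} min")
            self.down_until = None
        if self.count >= self.maximum:
            if self.restart_minutes is None:
                self.events.append(f"t={now}: {prefix} rejected, limit {self.maximum} reached")
                return False
            self.count = 0                     # a session reset withdraws everything learnt from it
            self.down_until = now + self.restart_minutes
            self.events.append(f"t={now}: {prefix} exceeds limit {self.maximum}, "
                               f"session reset, restart at t={self.down_until}")
            return False
        self.count += 1
        if self.count == self.warn_threshold:
            self.events.append(f"t={now}: warning, {self.count} routes = "
                               f"{self.warn_percent}% of {self.maximum}")
        return True


def feed(limit: RouteLimit, n: int, now: float = 0.0) -> int:
    """Offer n constructed prefixes and return how many were installed."""
    return sum(limit.receive(f"10.{i // 256}.{i % 256}.0/24", now) for i in range(n))


if __name__ == "__main__":
    vrf = RouteLimit(maximum=500, warn_percent=80)                   # ip vrf vpn01 / maximum routes 500 80
    print("VRF installed:", feed(vrf, 600), "of 600; last events:", vrf.events[-2:])
    bgp = RouteLimit(maximum=500, warn_percent=80, restart_minutes=2)  # maximum-prefix 500 80 restart 2
    print("BGP installed:", feed(bgp, 501), "of 501; session down until t =", bgp.down_until)
    print("accepted at t=1:", bgp.receive("192.0.2.0/24", now=1.0),
          "; accepted at t=2:", bgp.receive("192.0.2.0/24", now=2.0))
```

The model makes the operational difference visible: a VRF limit caps memory use without disturbing the session, whereas a BGP maximum-prefix without a restart timer leaves the neighbor down until someone clears it, and with `restart 2` the session comes back on its own, so the warning event at 80% is the signal to watch for rather than the reset itself.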

MPLS VPN Configuration
Reduce potential MPLS VPN configuration errors via automation of service configuration and validation on PE routers.

MPLS Network Monitoring

Best Practices: MPLS Edge Security
- Access-list configuration on PE routers: block external traffic destined to MPLS core or edge nodes
- Control plane traffic filtering on PE routers: Control Plane Policing (CoPP)
- Disable selected control plane protocols on VRF-enabled interfaces, e.g., disable SNMP and CDP access for CE routers
- Configure the maximum allowable VRF routes
- Configure the maximum number of BGP prefix updates per eBGP peer
- In case dynamic routing is configured across the PE-CE link, option to use MD5-based BGP session authentication; may be required as part of security conformance policies

MPLS Security: Network Inter-Connect

Requirement: PE-CE link control plane protection (access control)
  Available feature capabilities: VPNv4 route filtering; Control Plane Policing (CoPP)
  Comments: ACL protocol port filtering on the PE router assumed

Requirement: VPN route access control and address space separation
  Available feature capabilities: VPN address space separation via VRFs; BGP max-prefix limit (per eBGP session); VRF max route (per VRF)
  Comments: VRF ~ VPN-specific RIB; filtering control of BGP RIB and VPN route updates

Requirement: ASBR link control plane authentication
  Available feature capabilities: MD5 authentication of eBGP sessions
  Comments: -

MPLS Network Connect Security (figure): the MPLS core network (P routers, BGP route reflector) and the MPLS edge network (PE router) connect through ASBR routers to an external MPLS network; LDP and iBGP sessions run inside the provider network, and an eBGP session runs between the ASBRs.

Wrap-up
- IETF References
- Conclusions

IETF
- IETF L3VPN Working Group: working on Layer 3 VPN architectures, such as MPLS IP VPNs, IP VPNs using virtual routers, and IPsec VPNs. http://www.ietf.org/html.charters/l3vpn-charter.html
- IETF L2VPN Working Group: working on Layer 2 VPN architectures, such as VPLS and VPWS. http://www.ietf.org/html.charters/l2vpn-charter.html
- RFC4381: Analysis of MPLS VPN Security
- RFC2196: Site Security Handbook
- RFC2385: Protection of BGP Sessions via the TCP MD5 Signature Option
- RFC3013: Recommended Internet Service Provider Security Services and Procedures

Conclusions
- MPLS security covers protection mechanisms for MPLS forwarding and signaling
- MPLS security requires a holistic approach including network design, implementation, and operation
- The level of MPLS network deployment complexity determines the perceived network security risks
- Growing importance of MPLS security as a result of network and service convergence