As service providers seek to consolidate their infrastructures and offer many different services over a single network, provider-provisioned MPLS VPNs have become one of the industry's biggest hits. Yet every new solution must go through a period of scrutiny where potential enterprise adopters ask themselves and their service providers:
- Can my VPN data be compromised?
- Can someone else's traffic end up on my VPN, or vice versa?
- Can someone bring the VPN down by attacking the service provider's core?
- Can MPLS VPNs give me the security and performance I need from a VPN service?
To protect any VPN environment, the provider and its customers must understand the service's design and operation, and take steps together to address any security challenges. It's a fallacy to put the onus of security on just the provider or just the customer, because security vulnerabilities can exist in both domains.
Protecting the PE-CE environment
In Layer 3 VPNs, the routing protocol between the provider edge and the customer edge (the PE-CE protocol) is a natural target for an attacker. As the one control protocol that extends outside the provider network cloud, it may cross shared-access facilities like Ethernet networks. This creates opportunities for incorrect routing information to be injected into the VPN infrastructure, causing denial of service or even data redirection.
To prevent an attacker from masquerading as a trusted PE or CE router, customers and providers may use HMAC-MD5 routing protocol authentication on the PE-CE link. HMAC-MD5 uses a message-digest algorithm to compute a fixed-length hash, which is transmitted along with the routing data. The receiver uses a matching key to validate the message digest. If an attacker has forged or modified the message, the routing data will be discarded. Routing protocol authentication is available on most modern routers and for all major protocols.
Firewall filters (also called access control lists or stateless firewalls) provide a flexible way of allowing the passage of authorized traffic while blocking that traffic which is unauthorized or harmful. A firewall filter can also limit the rate at which certain types of traffic are accepted into the router, allowing you to regulate the flow of traffic from a certain neighbor, of a specific protocol, to a certain destination, or exhibiting other unique characteristics.
CE-PE data encryption
For users concerned about VPN data interception before it reaches the PE router, providers can have customers connect to the PE router over an IPsec or otherwise encrypted tunnel. When the access link is provisioned by another less-trusted service provider, or over a shared media like Ethernet, data encryption ensures customer data is protected as it travels across the access link and connects to the VPN. Encryption may also be applied to the routing protocol traffic to keep it confidential.
Protecting the provider router infrastructure
Much like the core of a frame relay or ATM network, the provider router infrastructure of an MPLS VPN network must be inviolable and accessible only to the trusted operations staff of the provider. While the security of the core network is often assumed in standards documents, providers operate in the real world of changing topologies, routing instability, and nefarious attackers -- all of which pose a challenge to network security.
Protecting the VPN label space
The label mechanisms used in MPLS VPNs serve two purposes: to indicate the destination VPN site of each data packet, as well as to route those data packets along the pre-established MPLS LSPs towards the correct destination PE router. Label information that is incorrect can have an effect on VPN reachability, or even be used to redirect traffic away from its intended destination for interception. Providers should explicitly discard any MPLS setup or label information from CE devices that are not meant to send it.
Routing session encryption
In environments where there is a possibility of customers connecting "inside" the VPN cloud (for example, in topologies where standard Internet service is provided via an overlay network that includes the VPN network), the encryption of the PE-PE routing traffic provides excellent privacy for the routing data, thus keeping the internal structure of the VPN infrastructure hidden. While not providing data security itself, this opacity helps reassure the customer, and also makes it harder for any miscreant to crack the infrastructure.
Routing table size limits
In Layer 3 VPNs, it makes sense to limit the size of VPN routing tables to protect against misconfigurations or attacks leading to denial of service. Router operating systems should allow users to specify the number of routes for each VRF, as well as the maximum number of prefixes learned from any peer PE router, to allow control over the amount of information exchanged, stored and processed for any VPN.
VPNs old and new
As providers continue to consolidate their service offerings onto single, all-purpose IP backbones, customers can expect to find MPLS VPN offerings largely replacing Frame Relay and ATM VPNs in their providers' portfolios. With a cooperative approach to network security, though, these MPLS VPNs can be as secure as their Layer 2 predecessors.
→ See this tutorial on understanding MPLS IP VPN encryption for more information.