Control of Routes That Are Injected into a VRF
One potential source of DoS in an MPLS VPN network is an excessive number of routes injected from the CE router into the VRF on the PE router, which can exhaust memory and possibly cause the PE router to fail. A VRF on a PE router can be populated with customer routes in several ways:
Through direct configuration into the VRF of static routes that the service provider enters
Through the use of a dynamic routing protocol between the CE router and the PE router
Through Multiprotocol BGP for exchange of VPNv4 routes between PE routers (including intranet, extranet, and Internet VPNs)
The use of static routing provides the greatest security because the service provider controls the destinations and ...
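The following Cisco IOS configuration is an added example, not part of the original text. It sketches a PE router whose VRF is populated by a provider-entered static route and by an eBGP session to the CE router, with a per-VRF route limit and a per-neighbor prefix limit as one way to bound the memory-exhaustion risk described above. The VRF name, interface, AS numbers, addresses, and limit values are assumptions chosen for illustration.

```cisco
! Constructed example: VRF name, interface, AS numbers, addresses and
! limits are assumptions, not values from the original text.
ip vrf CUST_A
 rd 64500:1
 route-target both 64500:1
 ! Cap the number of routes in this VRF at 1000 and log a warning
 ! when the table reaches 80 percent of that limit.
 maximum routes 1000 80
!
interface Serial0/0
 description PE-CE link to CUST_A
 ip vrf forwarding CUST_A
 ip address 192.0.2.1 255.255.255.252
!
! Static route entered by the service provider: the provider alone
! decides which destination appears in the VRF.
ip route vrf CUST_A 198.51.100.0 255.255.255.0 192.0.2.2
!
router bgp 64500
 address-family ipv4 vrf CUST_A
  redistribute static
  ! Dynamic routing (here eBGP) between the CE and the PE router.
  neighbor 192.0.2.2 remote-as 64512
  neighbor 192.0.2.2 activate
  ! Drop the session if the CE advertises more than 500 prefixes,
  ! warn at 80 percent, and retry the session after 5 minutes.
  neighbor 192.0.2.2 maximum-prefix 500 80 restart 5
 exit-address-family
```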