Chapter 2: A Threat Model for MPLS VPNs
Threats Against the Core
This section discusses security from the service provider’s point of view, when securing
its own core network. Security threats against VPNs are, of course, also indirectly of
concern to the service provider, but here the focus is on the core as a zone of trust and
threats against it.
There are different architectural options for building an MPLS core network. It can be
a single autonomous system (AS) forming a monolithic core under one administrative
control. There are also various options for connecting several autonomous systems in
an Inter-AS architecture and in Carrier’s Carrier (CsC) topologies. All the multi-AS
architectures (Inter-AS and CsC) have in common that the core is itself divided into several
different zones of trust. (Refer to Figure 1-11 for an illustration of this.) In all those cases,
the threats are not only coming from VPNs or the Internet, but from a new threat vector—
other parts of the core, in most cases under the control of another service provider.
The fact that the MPLS core is potentially divided into several autonomous systems is
mostly irrelevant to the VPN user: to the VPN user, the core appears in all cases as a single
zone (apart from the fact that the user might be dealing with several providers). However,
as shown in Chapter 4, the VPN user must trust all providers involved in the core. A detailed
discussion of Inter-AS–specific issues can be found in Chapter 3.
The service provider’s network operations center (NOC) can be seen as a logical part of the
core, in the sense that it must be protected from attack as well as the core and probably
forms a single zone of trust with the core. Therefore, the NOC is included as a separate
section in the following threat model against the core.
This section discusses the threat models for these various types of core architectures, as
seen from the core network.
Monolithic Core
monolithic core
refers to the standard MPLS VPN architecture as defined in RFC 2547,
“BGP/MPLS VPNs.” One single AS defines the core network, and all VPN sites connect to
this single AS. The threats against a monolithic core are
from the outside, such as attached VPNs or the Internet.
from the outside, such as attached VPNs or the Internet.
Internal threats
—Operator errors or deliberate misconfigurations can cause security
problems on the core or on a connected VPN. As opposed to internal threats to the
VPNs, which are not considered here, internal threats to the core might have an impact
on the VPNs as well. Therefore, they must be taken into consideration.

Get MPLS VPN Security now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.