Chapter 4: Secure MPLS VPN Designs
Moreover, a service provider holds a contract with the VPN user but not with the
Internet at large. This contract usually allows for countermeasures to be taken: for
example, if DoS attacks are detected from a VPN connection, the connection can often
be cut until the problem is resolved. Such drastic measures are often not possible with
Service providers should seek legal advice on how to write customer contracts that allow
the service provider to take technical countermeasures against attacks, worms, and other
threats from a VPN, including the temporary isolation of VPN sites. Legal aspects are outside
the scope of this book.
Therefore, the risk from VPNs versus from the Internet is not intrinsically different in type,
but it is significantly different in the order of magnitude and in terms of legal possibilities.
Internet provisioning must be done with security in mind.
Technically, there are a number of options for how to provide Internet services on an MPLS
core. While all those options achieve their goal in connecting a VPN user to the Internet,
their security properties are completely different. We therefore strongly recommend
considering all of the Internet options in detail before making a design choice.
While security is a very important consideration in the design of an MPLS core, it is not the
only one. Before making design decisions, other requirements, such as core scalability and
quality of service (QoS), should be taken into consideration.
Technically, there are several ways to provide an Internet service on an MPLS core:
Internet routes held in a VRF.
Internet routes held in the global routing table. Here we distinguish two subcases:
— The entire core holds the Internet routing (PE and P).
— Only PEs hold the Internet routing, the so-called “Internet-free” MPLS core.
At first sight, all of those options appear to have similar properties; however, their security
exposure varies significantly. The following section examines a core without Internet
connectivity as a baseline against which to compare the other design options. Then those
options, as well as generic Internet design guidelines, are explained in detail.
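As an added illustration of the first option listed above (Internet routes held in a VRF), and not a configuration from the book, the following constructed Cisco IOS fragment places the upstream Internet peering of a PE into a dedicated VRF so that Internet routes never enter the core's global routing table; the VRF name, route distinguisher, AS numbers, interface and addresses are all made up for the example.

```cisco
! Constructed example: Internet routes held in a VRF on a PE router.
! With this design the global table (used by the MPLS core itself) carries
! only provider-internal routes; the Internet table lives in VRF INTERNET.
ip vrf INTERNET
 rd 65000:100
 route-target export 65000:100
 route-target import 65000:100
!
! Upstream Internet peer attached inside the VRF, not in the global table.
interface GigabitEthernet0/1
 description Upstream Internet transit (constructed example)
 ip vrf forwarding INTERNET
 ip address 192.0.2.1 255.255.255.252
!
router bgp 65000
 ! Full Internet feed is learned only within the VRF address family.
 address-family ipv4 vrf INTERNET
  neighbor 192.0.2.2 remote-as 64496
  neighbor 192.0.2.2 activate
  ! Cap the number of prefixes accepted from the upstream so that a route
  ! flood cannot exhaust PE memory; the limit is an illustrative value.
  neighbor 192.0.2.2 maximum-prefix 200000 restart 5
 exit-address-family
```

In the alternative "Internet in the global table" designs, the same upstream peer would be configured under the global `address-family ipv4` instead, which is exactly what exposes the core's own routing table to Internet-originated routing load.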