Secure MPLS VPN Designs
The previous chapters analyzed MPLS VPN security from an abstract point of view based
on the architectural standards. However, the requirements of VPN users often go beyond
simple architectures:
- The MPLS core should support Internet access.
- Several independent VPN users need to access a common extranet.
- A VPN user’s network spans several countries and involves several service
- An Internet service provider (ISP) wants to resell MPLS VPN services.
All of these more complex designs have a number of security implications, and
sometimes a small design change affects security significantly. This chapter discusses
their security properties and gives guidance on how to build advanced MPLS VPN
designs securely.
Internet Access
Probably the most common VPN user requirement is that their service provider offer
them Internet access in addition to VPN connectivity. However, being accessible from the
Internet is generally assumed to carry a certain risk for the VPN customer as well as
for the MPLS VPN provider. This section discusses the various options for how to design
an MPLS core for Internet access such that VPNs remain secure.
But is the Internet really so dangerous? Is a service provider not also at risk from connected
VPNs? Can one VPN be a threat to another? As in all security questions it is difficult to draw
a clear line, and of course a VPN user can also attack an MPLS core network.
The difference in security between a VPN user and the Internet consists mainly in the
order of magnitude: A VPN user can attack the core, and a worm can come from a VPN
also. But the size of the VPN user’s network is usually several orders of magnitude
smaller than the global Internet; therefore, the impact of an attack from the Internet is
much higher.
1834x04.fm Page 79 Thursday, May 12, 2005 1:33 PM
Chapter 4: Secure MPLS VPN Designs
Moreover, a service provider holds a contract with the VPN user but not with the
Internet at large. This contract usually allows for countermeasures to be taken: for
example, if DoS attacks are detected from a VPN connection, the connection can often
be cut until the problem is resolved. Such drastic measures are often not possible with
the Internet.
Service providers should seek legal advice on how to write customer contracts that allow
the service provider to take technical countermeasures against attacks, worms, and other
threats from a VPN, including the temporary isolation of VPN sites. Legal aspects are outside
the scope of this book.
Therefore, the risk from VPNs versus from the Internet is not intrinsically different in type,
but it is significantly different in the order of magnitude and in terms of legal possibilities.
Internet provisioning must be done with security in mind.
Technically, there are a number of options for how to provide Internet services on an MPLS
core. While all of those options achieve their goal of connecting a VPN user to the Internet,
their security properties are completely different. We therefore strongly recommend
considering all of the Internet options in detail before making a design choice.
While security is a very important consideration in the design of an MPLS core, it is not the
only one. Before making design decisions, other requirements, such as core scalability and
quality of service (QoS), should be taken into consideration.
Technically, there are several ways to provide an Internet service on an MPLS core:
- Internet routes held in a VRF.
- Internet routes held in the global routing table. Here we distinguish two subcases:
  - The entire core holds the Internet routing (PE and P).
  - Only PEs hold the Internet routing, the so-called “Internet-free” MPLS core.
At first sight, all of those options appear to have similar properties; however, their security
exposure varies significantly. The following section examines a core without Internet
connectivity as a baseline against which to compare the other design options. Then those options, as
well as generic Internet design guidelines, are explained in detail.