MPLS VPN Security

PE-Speciﬁc Router Security 161

the interface from which it was received (by checking the CEF tables) prior to switching the

packet through. uRPF is currently available in two general operating modes:

• Loose—In this mode, if the incoming packet’s source address is reachable via any

interface in the router, the packet is forwarded. Loose mode is primarily applicable in

network cores.

• Strict—In this mode, the packet must enter via the exact interface through which the

source address would be reached prior to forwarding. Strict mode is intended for use

at the edges of a given network.

Since PE and CE routers implement the network edge in an MPLS/VPN context, strict

mode would be the appropriate choice. However, if the connections are dual-homed, then

the uRPF mechanism must be relaxed somewhat by using loose mode.

In the next section, we review provider edge security recommendations as part of the

CE relationship for security. An essential aspect of CE security is to consider the overall

service relationship to the provider, such as managed vs. unmanaged and the associated

topological factors, whether operating in hub and spoke, full mesh, or the Internet access

provisioning model.

PE-Speciﬁc Router Security

In this section, we discuss PE-speciﬁc security considerations. The key point is that the

PE is a trusted device and, as such, must be installed in a secure location. A PE must never

be located in an insecure location such as a customer premise. If, for example, MPLS is

required on a CE, Carrier’s Carrier (CsC) should be implemented. The PE has trusted

interfaces toward the core and untrusted interfaces toward the CE. These interfaces need to

be secured, for example, by blocking all trafﬁc from the outside to the PEs and the rest of

the core, with the exception of routing. We discuss the interface security details in the

section “Infrastructure Access Lists (iACLs)” later in this chapter.

The service provider’s concerns can be generalized to the following issues:

• Protection of the backbone infrastructure in terms of availability, accessibility, load,

manageability, and so on

• Ensuring that committed service level agreements (SLAs) are maintained

• Ensuring that billing support functions are uncompromised

• Maintaining segregation between different customer domains

• Verifying that customers are receiving the services that they are entitled to—no more

and no less

The provider edge (PE) is within the SP domain and could have multiple customer

relationships; for example, multiple customer VPNs may be provisioned on a single PE.

From a security point of view, assuring complete privacy between various customers is

of utmost importance for the service provider.

Get MPLS VPN Security now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

MPLS VPN Security by Michael H. Behringer, Monique J. Morrow