PE-Speciﬁc Router Security 161
the interface from which it was received (by checking the CEF tables) prior to switching the
packet through. uRPF is currently available in two general operating modes:
• Loose—In this mode, if the incoming packet’s source address is reachable via any
interface in the router, the packet is forwarded. Loose mode is primarily applicable in
• Strict—In this mode, the packet must enter via the exact interface through which the
source address would be reached prior to forwarding. Strict mode is intended for use
at the edges of a given network.
Since PE and CE routers implement the network edge in an MPLS/VPN context, strict
mode would be the appropriate choice. However, if the connections are dual-homed, then
the uRPF mechanism must be relaxed somewhat by using loose mode.
In the next section, we review provider edge security recommendations as part of the
CE relationship for security. An essential aspect of CE security is to consider the overall
service relationship to the provider, such as managed vs. unmanaged and the associated
topological factors, whether operating in hub and spoke, full mesh, or the Internet access
PE-Speciﬁc Router Security
In this section, we discuss PE-speciﬁc security considerations. The key point is that the
PE is a trusted device and, as such, must be installed in a secure location. A PE must never
be located in an insecure location such as a customer premise. If, for example, MPLS is
required on a CE, Carrier’s Carrier (CsC) should be implemented. The PE has trusted
interfaces toward the core and untrusted interfaces toward the CE. These interfaces need to
be secured, for example, by blocking all trafﬁc from the outside to the PEs and the rest of
the core, with the exception of routing. We discuss the interface security details in the
section “Infrastructure Access Lists (iACLs)” later in this chapter.
The service provider’s concerns can be generalized to the following issues:
• Protection of the backbone infrastructure in terms of availability, accessibility, load,
manageability, and so on
• Ensuring that committed service level agreements (SLAs) are maintained
• Ensuring that billing support functions are uncompromised
• Maintaining segregation between different customer domains
• Verifying that customers are receiving the services that they are entitled to—no more
and no less
The provider edge (PE) is within the SP domain and could have multiple customer
relationships; for example, multiple customer VPNs may be provisioned on a single PE.
From a security point of view, assuring complete privacy between various customers is
of utmost importance for the service provider.