206 Chapter 6: How IPsec Complements MPLS
Table 6-1 illustrates that all three IPsec models have completely different applicability and
therefore are not mutually replaceable: CE-CE IPsec protects a VPN against threats from
the outside; PE-PE IPsec has very special and limited applications, as described in the
previous section; and IPsec remote access is a very special use of IPsec, rather than a
generic security solution, in that it protects only the access into the VPN and not general
VPN traffic.
Now it should be clear where to implement the IPsec endpoints. The next consideration is
how the IPsec tunnels are established. There are various ways to deploy IPsec tunnels, and
the next section discusses these options.
Deploying IPsec on MPLS
The models discussed in the previous section describe where IPsec tunnels are established
(for example, PE-PE), but not how the tunnels get established, which is the second design
consideration when deploying IPsec networks. The main options for IPsec tunnel
establishment are
- Static IPsec: In this model, every IPsec node is configured statically with all its IPsec peers, the authentication information, and the security policy. This is the oldest way of configuring IPsec. It is hard to configure because each IPsec node requires significant configuration; but because this is the oldest way of configuring IPsec, it is supported on most platforms today. Static IPsec is described in RFC 2401–2412. It can be applied CE-CE and PE-PE.
- Dynamic IPsec: In hub-and-spoke environments, the hub can be configured without specific information for each spoke; only the spokes know how to reach the hub, and an IPsec tunnel is established only if the spoke can authenticate itself. Remote access IPsec uses a similar idea, but authentication is usually done on an AAA server. Dynamic IPsec is supported today also, and can be used for CE-CE as well as PE-PE.
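The following Cisco IOS configuration is an added illustration of the two establishment models side by side; it is not taken from the book. It shows a hub CE whose crypto map is dynamic (no per-spoke peer or traffic definition) and one spoke CE whose crypto map is static (peer, transform set, and interesting-traffic ACL all fixed). All addresses (192.0.2.1 for the hub, 198.51.100.10 for the spoke, the 10.0.0.0/24 and 10.1.0.0/24 site networks), the names CMAP, DYN-SPOKES, TS and VPN-TRAFFIC, and the pre-shared key placeholder are assumptions chosen for the example.

```cisco
! ===== Hub CE: dynamic IPsec (responder only) =====
! ISAKMP policy shared by hub and spokes (assumed parameters)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Wildcard peer address: the hub does not know its spokes in advance.
! Caveat: every spoke shares this key, so compromise of one spoke
! authenticates any host that learns it; per-spoke keys or
! certificate (rsa-sig) authentication limit that blast radius.
crypto isakmp key <HUB-SPOKE-PSK-PLACEHOLDER> address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
! Dynamic crypto map: peer and proxy identities are learned from the
! spoke's proposal, so no per-spoke lines are needed on the hub.
crypto dynamic-map DYN-SPOKES 10
 set transform-set TS
crypto map CMAP 10 ipsec-isakmp dynamic DYN-SPOKES
interface GigabitEthernet0/0
 description Hub uplink to the MPLS VPN (assumed address)
 ip address 192.0.2.1 255.255.255.0
 crypto map CMAP

! ===== Spoke CE: static IPsec (initiator) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! The spoke is configured with the hub's address explicitly.
crypto isakmp key <HUB-SPOKE-PSK-PLACEHOLDER> address 192.0.2.1
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
! Interesting traffic: spoke LAN to hub LAN (assumed networks)
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.0.255 10.0.0.0 0.0.0.255
! Static crypto map: peer, transform set and policy are all fixed here.
crypto map CMAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set TS
 match address VPN-TRAFFIC
interface GigabitEthernet0/0
 description Spoke uplink to the MPLS VPN (assumed address)
 ip address 198.51.100.10 255.255.255.0
 crypto map CMAP
```

Two properties of this split are worth checking in operation. First, the hub can only respond: a dynamic crypto map never initiates, so the tunnel comes up when the spoke sends traffic matching VPN-TRAFFIC, and `show crypto isakmp sa` and `show crypto ipsec sa` on the hub stay empty until a spoke has authenticated. Second, adding a spoke touches only the spoke's own configuration and the key material, which is exactly the operational saving the dynamic model buys and, conversely, why the hub's authentication setting (wildcard pre-shared key here) deserves the most scrutiny.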
Table 6-1 Summary of IPsec Applications on MPLS

Protection Against                      CE-CE   PE-PE   Remote Access
Eavesdropping on core                   Yes     Yes
Eavesdropping on access line            Yes     No
Receiving traffic from outside a VPN    Yes     No
Sending VPN traffic outside the VPN     Yes     No
Intrusion via fake CE                   Yes     No
Access security                                         Yes
DoS against the VPN                     No      No