Figure 7-4 illustrates the Metro Ethernet Architecture model and functional roles.
Figure 7-4 Metro Ethernet Architecture and Functional Roles
VPLS and VPWS Security Overview
The fundamental security considerations for VPLS and VPWS constructs are to assure
the integrity of the U-PE configurations and to prevent DoS and resource starvation
attacks against the U-PE, N-PE, and PE-AGG devices. Figure 7-5 shows the untrusted
zone, for example from the floor (of a building) customer switches to a U-PE (or from the
customer UNI to a service provider component). Trust is defined from the service provider's
perspective, because it is assumed that the U-PE, N-PE, and PE-AGG devices are within
the service provider's control. We introduce the types of attacks against these services and
the appropriate defenses in this section; the attack details and defense mechanisms are
discussed later in this chapter.
Figure 7-5 depicts the trusted and untrusted zones for VPLS-based service.
Attack mechanisms may be categorized as follows:
MAC attacks (content-addressable memory or CAM overflow)
Broadcast/multicast storm attacks
VLAN hopping or Dynamic Trunking Protocol (DTP) attacks
Spanning tree attacks
DHCP rogue server attacks
Hijack management access
Table 7-1 summarizes these attacks and the appropriate defensive responses. This table is
the foundation of our security discussion in this chapter.
[Figure 7-4 (image not reproduced): Metro Ethernet architecture and functional roles. Access (U-PE): admission control, security policy enforcement, classification, policing and marking, queuing and scheduling. Aggregation (PE-AGG): traffic aggregation, congestion management, L2 wholesale handoff, service insertion. Edge (N-PE): MPLS, L2TPv3, VPWS, VPLS, L3VPN, Internet access, service gateway, value added services (security, voice, ...). Core (P): fast packet forwarding (IP/MPLS), sophisticated traffic engineering and congestion management. Panel labels: full service customer equipment, efficient access, large-scale aggregation, intelligent edge, multiservice core, integrated system.]
218 Chapter 7: Security of MPLS Layer 2 VPNs
Figure 7-5 Metro Ethernet Security Mode
NOTE A constantly flapping port may cause LDP to repeatedly generate and withdraw labels,
resulting in denial of service to the protocol stack.
Note also that the IETF (Martini) drafts permit copying the VLAN priority fields into the
MPLS EXP bits; we recommend being aware of this fact when trusting customer-set priorities.
Table 7-1 VPLS/VPWS Attack Points and Defensive Actions
Attack | Defensive Features/Actions
MAC attacks (CAM table overflow) | Port security, per-VLAN MAC limiting
Broadcast/multicast storm attacks | Storm control
VLAN hopping, DTP attacks | Careful configuration (disable autotrunking, use a dedicated VLAN ID for trunk ports, set user ports to nontrunking, VLAN 1 minimization, disable unused ports, and so on)
Spanning tree attacks | BPDU guard, root guard, MD5 VTP authentication
DHCP rogue server attack | DHCP snooping (differentiate trusted and untrusted ports)
Hijack management access | Secure variants of management access protocols (SSH and out-of-band management rather than telnet, etc.), disable password recovery, encrypted passwords
Proactive defense | Deploy MAC-level port security, wire-speed ACLs, 802.1x
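As an added example (not from the book or any vendor tool), the following Python audit reads a constructed IOS-style switch configuration and reports which Table 7-1 defenses are missing: port security, storm control, BPDU guard, disabled trunk negotiation, DHCP snooping, SSH-only vty access, encrypted passwords and disabled password recovery. The sample configuration, the finding texts and the command prefixes it matches are assumptions about typical IOS syntax, not something the chapter specifies.

```python
# Constructed sample IOS-style config (not from the book): Fa0/1 weak, Fa0/2 hardened, vty allows telnet.
SAMPLE_CONFIG = """\
ip dhcp snooping
interface FastEthernet0/1
 switchport mode dynamic desirable
interface FastEthernet0/2
 switchport mode access
 switchport nonegotiate
 switchport port-security
 storm-control broadcast level 1.00
 spanning-tree bpduguard enable
line vty 0 4
 transport input telnet
"""
# Table 7-1 defenses as finding text -> command prefix that must be present.
PORT_CHECKS = {
    "MAC/CAM overflow: no port security": "switchport port-security",
    "Broadcast storm: no storm control": "storm-control broadcast",
    "Spanning tree: no BPDU guard": "spanning-tree bpduguard enable",
    "VLAN hopping/DTP: trunk negotiation not disabled": "switchport nonegotiate",
}
GLOBAL_CHECKS = {
    "DHCP rogue server: DHCP snooping not enabled": "ip dhcp snooping",
    "Management hijack: passwords stored in clear text": "service password-encryption",
    "Management hijack: password recovery not disabled": "no service password-recovery",
}
# Prefix match, so options such as a storm-control level may follow the command.
has = lambda cmd, lines: any(line.startswith(cmd) for line in lines)
def parse_blocks(config):
    # Split an IOS config into (header, [indented lines]); global commands have no body.
    blocks, header, body = [], "", []
    for line in config.splitlines():
        if line.startswith(" "):
            body.append(line.strip())
        else:
            blocks.append((header, body)); header, body = line.strip(), []
    return blocks + [(header, body)]
def audit(config):
    # Return (location, issue) pairs for Table 7-1 defenses missing from the config.
    blocks, findings = parse_blocks(config), []
    for header, body in blocks:
        if header.startswith("interface"):
            if has("switchport mode dynamic", body):
                findings.append((header, "VLAN hopping/DTP: auto-trunking (DTP) enabled"))
            findings += [(header, i) for i, c in PORT_CHECKS.items() if not has(c, body)]
        elif header.startswith("line vty") and not has("transport input ssh", body):
            findings.append((header, "Management hijack: vty does not restrict access to SSH"))
    headers = [h for h, _ in blocks]
    findings += [("global", i) for i, c in GLOBAL_CHECKS.items() if not has(c, headers)]
    return findings
```

Running audit(SAMPLE_CONFIG) flags the weak port five times, the vty line once and two missing global settings, while the hardened port produces no findings.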
[Figure 7-5 (image not reproduced): Metro Ethernet security model. Untrusted side: customer premises with CE VLANs 1 through 5 connected over 10/100/1000 ports to the premises switch (U-PE); annotations "Authenticate Customer UNI" and "Customer Protection". Trusted side: POP switch (N-PE/PE-AGG) carrying the customer VLANs as QinQ VLANs and VCs over mostly trusted Gigabit Ethernet transport to the PE; annotations "Protect from Compromised U-PE", "Protect Against DoS Attacks or Limited Resource Contention", "Ensure the Configuration Can Not Be Accessed and Modified", and "Network Protection".]