route targets (RTs), 17
exports, 97
filtering, 119, 125
imports, 97
routing security
configuring TTL security check for BGP peering sessions, 176
configuring TTL security check for multihop BGP peering sessions, 177
MD5 for Label Distribution Protocol, 174
neighbor router authentication, 172–174
overview, 172
TTL security check, configuring, 177
TTL security mechanism for BGP, 175–176
routing/forwarding instance (VRF), 17
S
secure failure, 12
Secure Sockets Layer (SSL), 207
security
components of, 8–9
confidentiality, integrity, and availability, 11
connectionless VPNs, security implications of, 21–22
defined, 7–8
layers of defense, 12
least privilege principle, 11
100 percent security, impossibility of, 8
other technologies, security differing from, 5–6
overview, 5
recommendations. See security recommendations
secure failure, 12
security policy, 7
threat model, 7
weakest link principle, 10
zones of trust, 24
security policy, 7
security recommendations
CE-CE IPsec
overview, 188
PE-PE IPsec compared, 189
CE-PE routing security best practices
BGP maximum-prefix mechanism, 183–184
BGP PE-CE routing, 179–180
dynamic routing, 179
EIGRP PE-CE routing, 180–181
key chaining, 179
nonrecognized neighbors, prevention of routes being accepted by, 182
OSPF PE-CE routing, 181
overview, 178, 182
PE-CE addressing, 178
RIPv2 PE-CE routing, 182
static routing, 178
CE-specific router security
data plane security, 160
managed CE security considerations, 159
overview, 157–158
unmanaged CE security considerations, 160
checklist, 192–193
core
iACLs, 164–171
overview, 163
end-to-end resource sharing
additional security, 186
addressing considerations, 187
overview, 186
general router security
AutoSecure, 155–157
control plane policing, 148–154
disabling unnecessary services, 139–142
IP source address verification, 143
overview, 136
rACLs, 143–148
secure access to routers, 136–139
Internet access
overview, 185
resource sharing, 185–186
LAN security
LAN factors for peering constructs, 187
overview, 187
MPLS over IP operational considerations, 189–190
MPLS over L2TPv3, 191
overview, 135–136
PE data plane security, 162
PE-CE connectivity security issues, 163
PE-specific router security, 161–162