MPLS over L2TPv3 for support of RFC 2547-based BGP/MPLS IP VPNs

Presentation transcript:

MPLS over L2TPv3 for support of RFC 2547-based BGP/MPLS IP VPNs

MPLS over L2TPv3 w/BGP L3VPNs
[Figure: packet layout, outer to inner]
Tunnel IP header: Version, IHL, TOS, Total length, Identification, Flags, Fragment offset, TTL, Protocol == 0x73 (L2TPv3), Header checksum, Source IP address, Destination IP address (IP address of edge router)
L2TPv3 header: Session ID (32 bits), Cookie (64 bits)
MPLS VPN Label: Label, Exp, S, TTL
VPN IP header: Version, IHL, TOS, Total length, Identification, Flags, Fragment offset, TTL, Protocol, Header checksum, Source IP address, Destination IP address

MPLS over L2TPv3 w/BGP L3VPNs
- L2TPv3 has its own native operation for L2VPNs, defined in draft-ietf-l2tpext-l2tp-base-11.txt
- For BGP-based L3VPNs, the same L2TPv3 encapsulation may be leveraged for operation over IP networks
- A single p2mp L2TPv3 session at each PE is used, e.g., one Session ID/Cookie pair per PE
- Tunnels could be manually configured; however, mechanisms such as those defined below allow for dynamic tunnel establishment based on capabilities of the PE (these apply to IP, GRE and IPsec as well): draft-nalawade-kapoor-tunnel-safi-01.txt, or draft-raggarwa-ppvpn-tunnel-encap-sig-01.txt

VPN Label Spoofing Attacks (MPLS vs. IP Core)
[Figure: MPLS Core, PE, CE, VPN; spoofed MPLS over GRE or IP packets entering at a PE]
- draft-ietf-l3vpn-gre-ip-2547-00.txt, draft-ietf-l3vpn-ipsec-2547-03.txt
- If MPLS over GRE or IP is enabled on any PE router, a potential packet insertion vulnerability is created, requiring management of L3 ACLs at all boundary routers.
- Managing L3 filter lists at all boundary routers can be management-intensive, and their use at all border routers can affect the performance seen by all traffic entering the SP's network.
- IPsec may be used to authenticate packets arriving at the PE, but may also be difficult to manage and deploy.

Blind Label Spoofing Attacks with MPLS over L2TPv3
Hacker Profile:
- Wishes to insert rogue packets into a customer VPN by sending spoofed packets to a PE
- Can insert spoofed packets past boundary ACLs and reach a VPN PE
- Cannot intercept, analyze and correlate core (PE to PE) traffic for use in a coordinated attack
The L2TPv3 Cookie provides ample protection from this type of hacker by introducing 64 bits of unstructured data unknown to the hacker that must always match upon receipt at the PE.
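As an added example (not from the slides or from any IETF draft), the receive-side check the two preceding slides imply: the PE parses the IP / L2TPv3 (Session ID, 64-bit Cookie) / MPLS label stack shown in the encapsulation figure and drops any packet whose cookie does not match the single per-PE session. The session ID, cookie, addresses and inner packet are constructed sample values.

```python
import hmac
import struct

L2TPV3_PROTO = 0x73  # IP protocol number when L2TPv3 runs directly over IP

# Constructed example: the single p2mp L2TPv3 session this PE expects from
# its peers (one Session ID / Cookie pair per PE, as the slides describe).
PE_SESSION_ID = 0x1234ABCD
PE_COOKIE = bytes.fromhex("0011223344556677")  # 64-bit cookie, constructed value


def build_ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left zero; not validated here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       64, proto, 0, bytes(src), bytes(dst))


def build_mpls_over_l2tpv3(src, dst, session_id, cookie, label, inner_ip):
    """Encapsulate a VPN packet as tunnel IP / L2TPv3 / MPLS label / VPN IP."""
    # One MPLS shim: 20-bit label, Exp=0, bottom-of-stack S=1, TTL=255
    shim = struct.pack("!I", (label << 12) | (0 << 9) | (1 << 8) | 255)
    body = struct.pack("!I", session_id) + cookie + shim + inner_ip
    return build_ipv4_header(src, dst, L2TPV3_PROTO, len(body)) + body


def decapsulate(pkt):
    """Return (vpn_label, inner_ip) if the packet passes the PE's checks, else None."""
    if len(pkt) < 20 or (pkt[0] >> 4) != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != L2TPV3_PROTO:
        return None  # not L2TPv3 over IP; handled by other forwarding paths
    body = pkt[ihl:]
    if len(body) < 4 + 8 + 4:  # Session ID + 64-bit Cookie + one MPLS label
        return None
    session_id = struct.unpack("!I", body[:4])[0]
    cookie = body[4:12]
    # Constant-time compare: the 64-bit cookie is the value a blind sender
    # (one who cannot observe PE-to-PE traffic) has no way to learn.
    if session_id != PE_SESSION_ID or not hmac.compare_digest(cookie, PE_COOKIE):
        return None  # drop: spoofed or misdirected packet
    shim = struct.unpack("!I", body[12:16])[0]
    return shim >> 12, body[16:]  # VPN label selects the VRF; inner IP follows
```

A packet with a correct session ID but a guessed cookie is dropped before the VPN label is ever looked up, which is the property the slide relies on.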

Next Steps for this WG?
- draft-ietf-l3vpn-ipsec-2547-03.txt and draft-ietf-l3vpn-gre-ip-2547-00.txt describe RFC2547-based L3VPNs over IP networks using different types of tunnels.
- MPLS over L2TPv3 for support of RFC2547-based L3VPNs is another tunnel option that falls squarely within the same scope as the above methods, with its own implementation and security tradeoffs.
- Creation of draft-ietf-l3vpn-l2tpv3-2547-00.txt in similar form to the above drafts and in line with the L3VPN Charter (e.g. protocol specifications defined elsewhere, with the functional requirements here)

End