Published by Lucas Hensley. Modified over 9 years ago.

Security Framework for MPLS-TP
draft-fang-mpls-tp-security-framework-02.txt
Luyuan Fang lufang@cisco.com
Ben Niven-Jenkins ben@niven-jenkins.co.uk
Raymond Zhang raymond.zhang@bt.com
Nabil Bitar nabil.bitar@verizon.com
July 26, 2010
78 IETF, Maastricht, Netherlands

Objectives and Scope
Objectives:
–Identify and address MPLS-TP specific security issues.
  Define MPLS-TP security reference models
  Provide MPLS-TP security requirements
  Identify MPLS-TP security threats
  Provide MPLS-TP security threat mitigation recommendations
Intended category: Informational
Scope:
–In scope: Directly related to MPLS-TP
–Out of scope: Any functions/applications not specific to MPLS-TP, e.g. General MPLS/GMPLS Security, General IP/Internet Security best practice.
–Other drafts for MPLS-TP can point to this draft for general MPLS-TP security discussion, and discuss any specific security issues for the specific protocol proposals as needed.
–Focus is on the inter-connection between trusted and untrusted zones

Security Issues need to be fully addressed
Areas may be attacked
–GAL/GACH
–NMS
–Loopback
–MIP/MEP assignment
–NMS and control plane interaction
–Data plane
–GMPLS control plane
Security threats
–ID Spoofing
–Label spoofing
–DoS attack
–Topology discovery
–Data intercept
–Performance degradation

MPLS-TP Security Reference Model 1
Model 1: single SP scenario
–Model 1a (Not shown): SS-PW within single trusted zone.
–Model 1b: MS-PW within single trusted zone (as shown)
[Figure: reference diagram labelled with CE1, CE2, T-PE1, T-PE2, S-PE1, TP-LSP, Pseudowire PW1 with segments PW.Seg t1 to PW.Seg t4, Emulated Service, Native Service (Attachment Circuit), Trusted Zone and Untrusted Zone]

MPLS-TP Security Reference Model 2 (b)
Model 2 (b): Single SP, but not all T-PEs are in the Trusted Zone
[Figure: reference diagram labelled with CE1, CE2, T-PE1, T-PE2, S-PE1, TP-LSP, Pseudowire, PW1, PW3, PW5, MPLS Core, Emulated Service, Native Service (Attachment Circuit), Trusted Zone and Untrusted Zone]

MPLS-TP Security Reference Model 2 (c)
Model 2 (c): Typical Inter-Provider Scenario
[Figure: reference diagram labelled with CE1, CE2, T-PE1, T-PE2, S-PE1, TP-LSP, Pseudowire, PW1, PW3, PW5, Emulated Service, Native Service (Attachment Circuit), Trusted Zone and Untrusted Zone]

Next Steps
Agree on Security Trust models and identify potential MPLS-TP specific attacks
Complete security requirements, threats, mitigations
Asking for volunteers to provide input for open issues.
–Scott Mansfield will join the next version
Target to ask for WG adoption before next IETF meeting