MPLS
Enno Rey, erey@ernw.de
Agenda
♣ MPLS Basic Terms & Technology
♣ MPLS VPNs
♣ “Layer 2 VPNs“
♣ Virtual Private LAN Service (VPLS)
♣ A look at the future
♣ Multiprotocol Label Switching [RFC 3031 et al.]
♣ Technology used for forwarding packets, based on labels (see below). Packets may carry multiple labels (for different purposes).
♣ Initial goal: more efficient forwarding than IP-based routing
♣ Used in most carrier backbones
♣ Serves as foundation for some ‘Advanced Services‘
| Tag | COS | S | TTL |
Tag (‘Label’) = 20 bits; COS/EXP = Class of Service, 3 bits
S = Bottom of Stack, 1 bit; TTL = Time to Live, 8 bits
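The 32-bit label entry above, and the stacking of multiple labels, as an added example that is not part of the original slides: a parser that walks the label stack until the Bottom of Stack bit is set and rejects a stack that never terminates. The function names and the sample label values are constructed for illustration.

```python
import struct
from typing import List, NamedTuple, Tuple


class LabelEntry(NamedTuple):
    label: int     # Tag ('Label'), 20 bits
    exp: int       # COS/EXP, 3 bits
    bottom: bool   # S = Bottom of Stack, 1 bit
    ttl: int       # Time to Live, 8 bits


def pack_entry(label: int, exp: int, bottom: bool, ttl: int) -> bytes:
    """Encode one label stack entry in network byte order."""
    if not (0 <= label < 1 << 20 and 0 <= exp < 8 and 0 <= ttl < 256):
        raise ValueError("field out of range")
    word = (label << 12) | (exp << 9) | (int(bottom) << 8) | ttl
    return struct.pack("!I", word)


def parse_label_stack(data: bytes, max_depth: int = 16) -> Tuple[List[LabelEntry], bytes]:
    """Walk 4-byte entries until S=1; return (stack, remaining payload)."""
    stack: List[LabelEntry] = []
    for offset in range(0, max_depth * 4, 4):
        if offset + 4 > len(data):
            raise ValueError("truncated label stack: no entry with S=1")
        (word,) = struct.unpack_from("!I", data, offset)
        entry = LabelEntry(word >> 12, (word >> 9) & 0x7,
                           bool((word >> 8) & 1), word & 0xFF)
        stack.append(entry)
        if entry.bottom:
            return stack, data[offset + 4:]
    raise ValueError("label stack deeper than max_depth")


# Constructed sample: an outer label, an inner label carrying S=1,
# then the first bytes of an IPv4 header as payload.
SAMPLE = (pack_entry(18, 0, False, 254)
          + pack_entry(100042, 5, True, 254)
          + bytes.fromhex("45000054"))

if __name__ == "__main__":
    stack, payload = parse_label_stack(SAMPLE)
    for depth, entry in enumerate(stack):
        print(depth, entry)
    print("payload starts with", payload[:1].hex())
```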
IP packets are classified and labeled.
MPLS backbone
In the backbone packet forwarding is done based on labels. The red label is swapped for a blue label, the blue one for a purple one.
MPLS backbone
Note: for simplicity‘s sake we‘ll neglect penultimate hop popping here.
MPLS Basics
The label is removed and the IP packet is forwarded (routed).
MPLS backbone
In this scenario, we‘ll call them ‘forwarding labels‘ (as that‘s what they serve as here).
Security discussion
♣ The first thing Joe Hacker thinks of when speaking about some forwarding (“routing“ or “router‘s“) technology is… ‘spoofing or injection‘.
Btw: this approach is a bit naïve… or have you ever seen a successful ‘OSPF injection attack’?
♣ But: the just discussed ‘forwarding labels‘ have local significance only.
Two neighboring peers agree on their significance by means of some label distribution protocol.
♣ So injecting/modifying ‘forwarding labels‘ would not allow much profit…
♣ However, those nice little shiny labels can serve many other purposes…
MPLS Services
♣ VPNs (“Layer 3“ or “Layer 2“)
♣ Any Transport over MPLS
♣ Virtual Private LAN Service
♣ MPLS Traffic Engineering
♣ Generalized MPLS (GMPLS)
[Figure: MPLS as a Foundation for Advanced Services. Services shown on top of the MPLS network infrastructure: VPNs, Traffic Engineering, IP+ATM, IP+Optical GMPLS, Any Transport over MPLS.]
MPLS Services
♣ Some of these technologies (e.g. Traffic Engineering) are relevant for ISPs/carriers only.
♣ Others (“Layer 3 VPNs“, “Layer 2 VPNs“) may be rather important for organizations. Either for customers of a backbone provider or for use in campus networks.
♣ Increasingly “Layer 3 MPLS VPNs“ are used in enterprise networks, for traffic separation/segmentation (kind of “modern VLAN technology“).
MPLS VPNs (“Layer 3 VPNs“)
♣ MPLS-based technology [mainly RFCs 2547 & 2917] with its own concepts and terminology.
♣ Comparable to Frame Relay/ATM in some respects.
♣ Highly ‘virtual‘ technology (shared infrastructure, separated routing).
♣ Additional (MPLS-) labels are used to establish logical paths/circuits for the traffic of single customers.
♣ Very...