From 4bfd864f10b68b71482b35c818559068ef8d5797 Mon Sep 17 00:00:00 2001 From: Thomas Voss Date: Wed, 27 Nov 2024 20:54:24 +0100 Subject: doc: Add RFC documents --- doc/rfc/rfc4111.txt | 2523 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 2523 insertions(+) create mode 100644 doc/rfc/rfc4111.txt (limited to 'doc/rfc/rfc4111.txt') diff --git a/doc/rfc/rfc4111.txt b/doc/rfc/rfc4111.txt new file mode 100644 index 0000000..ad73acb --- /dev/null +++ b/doc/rfc/rfc4111.txt @@ -0,0 +1,2523 @@ + + + + + + +Network Working Group L. Fang, Ed. +Request for Comments: 4111 AT&T Labs. +Category: Informational July 2005 + + + Security Framework for + Provider-Provisioned Virtual Private Networks (PPVPNs) + +Status of This Memo + + This memo provides information for the Internet community. It does + not specify an Internet standard of any kind. Distribution of this + memo is unlimited. + +Copyright Notice + + Copyright (C) The Internet Society (2005). + +Abstract + + This document addresses security aspects pertaining to Provider- + Provisioned Virtual Private Networks (PPVPNs). First, it describes + the security threats in the context of PPVPNs and defensive + techniques to combat those threats. It considers security issues + deriving both from malicious behavior of anyone and from negligent or + incorrect behavior of the providers. It also describes how these + security attacks should be detected and reported. It then discusses + possible user requirements for security of a PPVPN service. These + user requirements translate into corresponding provider requirements. + In addition, the provider may have additional requirements to make + its network infrastructure secure to a level that can meet the PPVPN + customer's expectations. Finally, this document defines a template + that may be used to describe and analyze the security characteristics + of a specific PPVPN technology. + +Table of Contents + + 1. Introduction ................................................. 2 + 2. Terminology .................................................. 4 + 3. Security Reference Model ..................................... 4 + 4. Security Threats ............................................. 6 + 4.1. Attacks on the Data Plane .............................. 7 + 4.2. Attacks on the Control Plane ........................... 9 + 5. Defensive Techniques for PPVPN Service Providers ............. 11 + 5.1. Cryptographic Techniques ............................... 12 + 5.2. Authentication ......................................... 20 + 5.3. Access Control Techniques .............................. 22 + 5.4. Use of Isolated Infrastructure ......................... 27 + + + +Fang Informational [Page 1] + +RFC 4111 PPVPN Security Framework July 2005 + + + 5.5. Use of Aggregated Infrastructure ....................... 27 + 5.6. Service Provider Quality Control Processes ............. 28 + 5.7. Deployment of Testable PPVPN Service ................... 28 + 6. Monitoring, Detection, and Reporting of Security Attacks ..... 28 + 7. User Security Requirements ................................... 29 + 7.1. Isolation .............................................. 30 + 7.2. Protection ............................................. 30 + 7.3. Confidentiality ........................................ 31 + 7.4. CE Authentication ...................................... 31 + 7.5. Integrity .............................................. 31 + 7.6. Anti-replay ............................................ 32 + 8. Provider Security Requirements ............................... 32 + 8.1. Protection within the Core Network ..................... 32 + 8.2. Protection on the User Access Link ..................... 34 + 8.3. General Requirements for PPVPN Providers ............... 36 + 9. Security Evaluation of PPVPN Technologies .................... 37 + 9.1. Evaluating the Template ................................ 37 + 9.2. Template ............................................... 37 + 10. Security Considerations ...................................... 40 + 11. Contributors ................................................. 41 + 12. Acknowledgement .............................................. 42 + 13. Normative References ......................................... 42 + 14. Informative References ....................................... 43 + +1. Introduction + + Security is an integral aspect of Provider-Provisioned Virtual + Private Network (PPVPN) services. The motivation and rationale for + both Provider-Provisioned Layer-2 VPN and Provider-Provisioned + Layer-3 VPN services are provided by [RFC4110] and [RFC4031]. These + documents acknowledge that security is an important and integral + aspect of PPVPN services, for both VPN customers and VPN service + providers. Both will benefit from a PPVPN Security Framework + document that lists the customer and provider security requirements + related to PPVPN services, and that can be used to assess how much a + particular technology protects against security threats and fulfills + the security requirements. + + First, we describe the security threats that are relevant in the + context of PPVPNs, and the defensive techniques that can be used to + combat those threats. We consider security issues deriving both from + malicious or incorrect behavior of users and other parties and from + negligent or incorrect behavior of the providers. An important part + of security defense is the detection and report of a security attack, + + + + + + + +Fang Informational [Page 2] + +RFC 4111 PPVPN Security Framework July 2005 + + + which is also addressed in this document. Special considerations + engendered by IP mobility within PPVPNs are not in the scope of this + document. + + Then, we discuss the possible user and provider security requirements + for a PPVPN service. Users expectations must be met for the security + characteristics of a VPN service. These user requirements translate + into corresponding requirements for the providers offering the + service. Furthermore, providers have security requirements to + protect their network infrastructure, securing it to the level + required to provide the PPVPN services in addition to other services. + + Finally, we define a template that may be used to describe the + security characteristics of a specific PPVPN technology in a manner + consistent with the security framework described in this document. + It is not within the scope of this document to analyze the security + properties of specific technologies. Instead, our intention is to + provide a common tool, in the form of a checklist, that may be used + in other documents dedicated to an in-depth security analysis of + individual PPVPN technologies to describe their security + characteristics in a comprehensive and coherent way, thereby + providing a common ground for comparison between different + technologies. + + It is important to clarify that this document is limited to + describing users' and providers' security requirements that pertain + to PPVPN services. It is not the intention to formulate precise + "requirements" on each specific technology by defining the mechanisms + and techniques that must be implemented to satisfy such users' and + providers' requirements. + + This document is organized as follows. Section 2 defines the + terminology used in the document. Section 3 defines the security + reference model for security in PPVPN networks. Section 4 describes + the security threats that are specific of PPVPNs. Section 5 reviews + defense techniques that may be used against those threats. Section 6 + describes how attacks may be detected and reported. Section 7 + discusses the user security requirements that apply to PPVPN + services. Section 8 describes additional security requirements on + the provider to guarantee the security of the network infrastructure + providing PPVPN services. In Section 9, we provide a template that + may be used to describe the security characteristics of specific + PPVPN technologies. Finally, Section 10 discusses security + considerations. + + + + + + + +Fang Informational [Page 3] + +RFC 4111 PPVPN Security Framework July 2005 + + +2. Terminology + + This document uses PPVPN-specific terminology. Definitions and + details specific to PPVPN terminology can be found in [RFC4026] and + [RFC4110]. The most important definitions are repeated in this + section; for other definitions, the reader is referred to + [RFC4026] and [RFC4110]. + + CE: Customer Edge device, a router or a switch in the customer + network interfacing with the service provider's network. + + P: Provider Router. The Provider Router is a router in the + service provider's core network that does not have interfaces + directly toward the customer. A P router is used to + interconnect the PE routers. A P router does not have to + maintain VPN state and is thus VPN unaware. + + PE: Provider Edge device, the equipment in the service provider's + network that interfaces with the equipment in the customer's + network. + + PPVPN: Provider-Provisioned Virtual Private Network, a VPN that is + configured and managed by the service provider (and thus not by + the customer itself). + + SP: Service Provider. + + VPN: Virtual Private Network, which restricts communication + between a set of sites using an IP backbone shared by traffic + that is not going to or coming from those sites. + +3. Security Reference Model + + This section defines a reference model for security in PPVPN + networks. + + A PPVPN core network is the central network infrastructure (P and PE + routers) over which PPVPN services are delivered. A PPVPN core + network consists of one or more SP networks. All network elements in + the core are under the operational control of one or more PPVPN + service providers. Even if the PPVPN core is provided by several + service providers, it appears to the PPVPN users as a single zone of + trust. However, several service providers providing a common PPVPN + core still have to secure themselves against the other providers. + PPVPN services can also be delivered over the Internet, in which case + the Internet forms a logical part of the PPVPN core. + + + + + +Fang Informational [Page 4] + +RFC 4111 PPVPN Security Framework July 2005 + + + A PPVPN user is a company, institution or residential client of the + PPVPN service provider. + + A PPVPN service is a private network service made available by a + service provider to a PPVPN user. The service is implemented using + virtual constructs built on a shared PPVPN core network. A PPVPN + service interconnects sites of a PPVPN user. + + Extranets are VPNs in which multiple sites are controlled by + different (legal) entities. Extranets are another example of PPVPN + deployment scenarios wherein restricted and controlled communication + is allowed between trusted zones, often via well-defined transit + points. + + This document defines each PPVPN as a trusted zone and the PPVPN core + as another trusted zone. A primary concern is security aspects that + relate to breaches of security from the "outside" of a trusted zone + to the "inside" of this zone. Figure 1 depicts the concept of + trusted zones within the PPVPN framework. + + +------------+ +------------+ + | PPVPN +-----------------------------+ PPVPN | + | user PPVPN user | + | site +---------------------XXX-----+ site | + +------------+ +------------------XXX--+ +------------+ + | PPVPN core | | | + +------------------| |--+ + | | + | +------\ + +--------/ Internet + + Figure 1: The PPVPN trusted zone model + + In principle, the trusted zones should be separate. However, PPVPN + core networks often offer Internet access, in which case a transit + point (marked "XXX" in the figure) is defined. + + The key requirement of a "virtual private" network (VPN) is that the + security of the trusted zone of the VPN is not compromised by sharing + the core infrastructure with other VPNs. + + Security against threats that originate within the same trusted zone + as their targets (for example, attacks from a user in a PPVPN to + other users within the same PPVPN, or attacks entirely within the + core network) is outside the scope of this document. + + Also outside the scope are all aspects of network security that are + independent of whether a network is a PPVPN network or a private + + + +Fang Informational [Page 5] + +RFC 4111 PPVPN Security Framework July 2005 + + + network. For example, attacks from the Internet to a web server + inside a given PPVPN will not be considered here, unless the + provisioning of the PPVPN network could make a difference to the + security of this server. + +4. Security Threats + + This section discusses the various network security threats that may + endanger PPVPNs. The discussion is limited to threats that are + unique to PPVPNs, or that affect PPVPNs in unique ways. A successful + attack on a particular PPVPN or on a service provider's PPVPN + infrastructure may cause one or more of the following ill effects: + + - observation, modification, or deletion of PPVPN user data, + + - replay of PPVPN user data, + + - injection of non-authentic data into a PPVPN, + + - traffic pattern analysis on PPVPN traffic, + + - disruption of PPVPN connectivity, or + + - degradation of PPVPN service quality. + + It is useful to consider that threats to a PPVPN, whether malicious + or accidental, may come from different categories of sources. For + example they may come from: + + - users of other PPVPNs provided by the same PPVPN service provider, + + - the PPVPN service provider or persons working for it, + + - other persons who obtain physical access to a service provider + site, + + - other persons who use social engineering methods to influence + behavior of service provider personnel, + + - users of the PPVPN itself, i.e., intra-VPN threats (such threats + are beyond the scope of this document), or + + - others, i.e., attackers from the Internet at large. + + In the case of PPVPNs, some parties may be in more advantageous + positions that enable them to launch types of attacks not available + to others. For example, users of different PPVPNs provided by the + + + + +Fang Informational [Page 6] + +RFC 4111 PPVPN Security Framework July 2005 + + + same service provider may be able to launch attacks that those who + are completely outside the network cannot. + + Given that security is generally a compromise between expense and + risk, it is also useful to consider the likelihood of different + attacks. There is at least a perceived difference in the likelihood + of most types of attacks being successfully mounted in different + environments, such as + + - in a PPVPN contained within one service provider's network, or + + - in a PPVPN transiting the public Internet. + + Most types of attacks become easier to mount, and hence more likely, + as the shared infrastructure that provides VPN service expands from a + single service provider to multiple cooperating providers, and then + to the global Internet. Attacks that may not be sufficiently likely + to warrant concern in a closely controlled environment often merit + defensive measures in broader, more open environments. + + The following sections discuss specific types of exploits that + threaten PPVPNs. + +4.1. Attacks on the Data Plane + + This category encompasses attacks on the PPVPN user's data, as viewed + by the service provider. Note that from the PPVPN user's point of + view, some of this might be control plane traffic, e.g., routing + protocols running from PPVPN user site to PPVPN user site via an L2 + PPVPN. + +4.1.1. Unauthorized Observation of Data Traffic + + This refers to "sniffing" VPN packets and examining their contents. + This can result in exposure of confidential information. It can also + be a first step in other attacks (described below) in which the + recorded data is modified and re-inserted, or re-inserted unchanged. + +4.1.2. Modification of Data Traffic + + This refers to modifying the contents of packets as they traverse the + VPN. + +4.1.3. Insertion of Non-authentic Data Traffic: Spoofing and Replay + + This refers to the insertion into the VPN (or "spoofing") of packets + that do not belong there, with the objective of having them accepted + as legitimate by the recipient. Also included in this category is + + + +Fang Informational [Page 7] + +RFC 4111 PPVPN Security Framework July 2005 + + + the insertion of copies of once-legitimate packets that have been + recorded and replayed. + +4.1.4. Unauthorized Deletion of Data Traffic + + This refers to causing packets to be discarded as they traverse the + VPN. This is a specific type of Denial-of-Service attack. + +4.1.5. Unauthorized Traffic Pattern Analysis + + This refers to "sniffing" VPN packets and examining aspects or meta- + aspects of them that may be visible even when the packets themselves + are encrypted. An attacker might gain useful information based on + the amount and timing of traffic, packet sizes, source and + destination addresses, etc. For most PPVPN users, this type of + attack is generally considered significantly less of a concern than + are the other types discussed in this section. + +4.1.6. Denial-of-Service Attacks on the VPN + + Denial-of-Service (DoS) attacks are those in which an attacker + attempts to disrupt or prevent the use of a service by its legitimate + users. Taking network devices out of service, modifying their + configuration, or overwhelming them with requests for service are + several of the possible avenues for DoS attack. + + Overwhelming the network with requests for service, otherwise known + as a "resource exhaustion" DoS attack, may target any resource in the + network, e.g., link bandwidth, packet forwarding capacity, session + capacity for various protocols, and CPU power. + + DoS attacks of the resource exhaustion type can be mounted against + the data plane of a particular PPVPN by attempting to insert (spoof) + an overwhelming quantity of non-authentic data into the VPN from + outside of that VPN. Potential results might be to exhaust the + bandwidth available to that VPN or to overwhelm the cryptographic + authentication mechanisms of the VPN. + + Data plane resource exhaustion attacks can also be mounted by + overwhelming the service provider's general (VPN-independent) + infrastructure with traffic. These attacks on the general + infrastructure are not usually a PPVPN-specific issue, unless the + attack is mounted by another PPVPN user from a privileged position. + For example, a PPVPN user might be able to monopolize network data + plane resources and thus to disrupt other PPVPNs.) + + + + + + +Fang Informational [Page 8] + +RFC 4111 PPVPN Security Framework July 2005 + + +4.2. Attacks on the Control Plane + + This category encompasses attacks on the control structures operated + by the PPVPN service provider. + +4.2.1. Denial-of-Service Attacks on Network Infrastructure + + Control plane DoS attacks can be mounted specifically against the + mechanisms that the service provider uses to provide PPVPNs (e.g., + IPsec, MPLS) or against the general infrastructure of the service + provider (e.g., P routers or shared aspects of PE routers.) Attacks + against the general infrastructure are within the scope of this + document only if the attack happens in relation to the VPN service; + otherwise, they are not a PPVPN-specific issue. + + Of special concern for PPVPNs is denial of service to one PPVPN user + caused by the activities of another. This can occur, for example, if + one PPVPN user's activities are allowed to consume excessive network + resources of any sort that are also needed to serve other PPVPN + users. + + The attacks described in the following sections may each have denial + of service as one of their effects. Other DoS attacks are also + possible. + +4.2.2. Attacks on Service Provider Equipment via Management + Interfaces + + This includes unauthorized access to service provider infrastructure + equipment, in order, for example, to reconfigure the equipment or to + extract information (statistics, topology, etc.) about one or more + PPVPNs. + + This can be accomplished through malicious entrance of the systems, + or as an inadvertent consequence of inadequate inter-VPN isolation in + a PPVPN user self-management interface. (The former is not + necessarily a PPVPN-specific issue.) + +4.2.3. Social Engineering Attacks on Service Provider + Infrastructure + + Attacks in which the service provider network is reconfigured or + damaged, or in which confidential information is improperly + disclosed, may be mounted through manipulation of service provider + personnel. These types of attacks are PPVPN-specific if they affect + PPVPN-serving mechanisms. It may be observed that the organizational + split (customer, service provider) that is inherent in PPVPNs may + make it easier to mount such attacks against provider-provisioned + + + +Fang Informational [Page 9] + +RFC 4111 PPVPN Security Framework July 2005 + + + VPNs than against VPNs that are self-provisioned by the customer at + the IP layer. + +4.2.4. Cross-Connection of Traffic between PPVPNs + + This refers to events where expected isolation between separate + PPVPNs is breached. This includes cases such as: + + - a site being connected into the "wrong" VPN, + + - two or more VPNs being improperly merged, + + - a point-to-point VPN connecting the wrong two points, or + + - any packet or frame being improperly delivered outside the VPN it + is sent in. + + Misconnection or cross-connection of VPNs may be caused by service + provider or equipment vendor error, or by the malicious action of an + attacker. The breach may be physical (e.g., PE-CE links + misconnected) or logical (improper device configuration). + + Anecdotal evidence suggests that the cross-connection threat is one + of the largest security concerns of PPVPN users (or would-be users). + +4.2.5. Attacks against PPVPN Routing Protocols + + This encompasses attacks against routing protocols that are run by + the service provider and that directly support the PPVPN service. In + layer 3 VPNs this, typically relates to membership discovery or to + the distribution of per-VPN routes. In layer 2 VPNs, this typically + relates to membership and endpoint discovery. Attacks against the + use of routing protocols for the distribution of backbone (non-VPN) + routes are beyond the scope of this document. Specific attacks + against popular routing protocols have been widely studied and are + described in [RFC3889]. + +4.2.6. Attacks on Route Separation + + "Route separation" refers here to keeping the per-VPN topology and + reachability information for each PPVPN separate from, and + unavailable to, any other PPVPN (except as specifically intended by + the service provider). This concept is only a distinct security + concern for layer-3 VPN types for which the service provider is + involved with the routing within the VPN (i.e., VR, BGP-MPLS, routed + version of IPsec). A breach in the route separation can reveal + topology and addressing information about a PPVPN. It can also cause + + + + +Fang Informational [Page 10] + +RFC 4111 PPVPN Security Framework July 2005 + + + black hole routing or unauthorized data plane cross-connection + between PPVPNs. + +4.2.7. Attacks on Address Space Separation + + In layer-3 VPNs, the IP address spaces of different VPNs have to be + kept separate. In layer-2 VPNs, the MAC address and VLAN spaces of + different VPNs have to be kept separate. A control plane breach in + this addressing separation may result in unauthorized data plane + cross-connection between VPNs. + +4.2.8. Other Attacks on PPVPN Control Traffic + + Besides routing and management protocols (covered separately in the + previous sections), a number of other control protocols may be + directly involved in delivering the PPVPN service (e.g., for + membership discovery and tunnel establishment in various PPVPN + approaches). These include but may not be limited to: + + - MPLS signaling (LDP, RSVP-TE), + - IPsec signaling (IKE) , + - L2TP, + - BGP-based membership discovery, and + - Database-based membership discovery (e.g., RADIUS-based). + + Attacks might subvert or disrupt the activities of these protocols, + for example, via impersonation or DoS attacks. + +5. Defensive Techniques for PPVPN Service Providers + + The defensive techniques discussed in this document are intended to + describe methods by which some security threats can be addressed. + They are not intended as requirements for all PPVPN implementations. + The PPVPN provider should determine the applicability of these + techniques to the provider's specific service offerings, and the + PPVPN user may wish to assess the value of these techniques in regard + to the user's VPN requirements. + + The techniques discussed here include encryption, authentication, + filtering, firewalls, access control, isolation, aggregation, and + other techniques. + + Nothing is ever 100% secure. Defense therefore protects against + those attacks that are most likely to occur or that could have the + most dire consequences. Absolute protection against these attacks is + seldom achievable; more often it is sufficient to make the cost of a + successful attack greater than what the adversary would be willing to + expend. + + + +Fang Informational [Page 11] + +RFC 4111 PPVPN Security Framework July 2005 + + + Successful defense against an attack does not necessarily mean that + the attack must be prevented from happening or from reaching its + target. In many cases, the network can instead be designed to + withstand the attack. For example, the introduction of non-authentic + packets could be defended against by preventing their introduction in + the first place, or by making it possible to identify and eliminate + them before delivery to the PPVPN user's system. The latter is + frequently a much easier task. + +5.1. Cryptographic Techniques + + PPVPN defenses against a wide variety of attacks can be enhanced by + the proper application of cryptographic techniques. These are the + same cryptographic techniques that are applicable to general network + communications. In general, these techniques can provide + confidentiality (encryption) of communication between devices, + authentication of the identities of the devices, and detection of a + change of the protected data during transit. + + Privacy is a key part (the middle name!) of any Virtual Private + Network. In a PPVPN, privacy can be provided by two mechanisms: + traffic separation and encryption. This section focuses on + encryption; traffic separation is addressed separately. + + Several aspects of authentication are addressed in some detail in a + separate "Authentication" section. + + Encryption adds complexity, and thus it may not be a standard + offering within every PPVPN service. There are a few reasons for + this. Encryption adds an additional computational burden to the + devices performing encryption and decryption. This may reduce the + number of user VPN connections that can be handled on a device or + otherwise reduce the capacity of the device, potentially driving up + the provider's costs. Typically, configuring encryption services on + devices adds to the complexity of the device configuration and adds + incremental labor cost. Encrypting packets typically increases + packet lengths, thereby increasing the network traffic load and the + likelihood of packet fragmentation, with its increased overhead. + (Packet length increase can often be mitigated to some extent by data + compression techniques, but with additional computational burden.) + Finally, some PPVPN providers may employ enough other defensive + techniques, such as physical isolation or filtering/firewall + techniques, that they may not perceive additional benefit from + encryption techniques. + + The trust model among the PPVPN user, the PPVPN provider, and other + parts of the network is a key element in determining the + applicability of encryption for any specific PPVPN implementation. + + + +Fang Informational [Page 12] + +RFC 4111 PPVPN Security Framework July 2005 + + + In particular, it determines where encryption should be applied, as + follows. + + - If the data path between the user's site and the provider's PE + is not trusted, then encryption may be used on the PE-CE link. + + - If some part of the backbone network is not trusted, + particularly in implementations where traffic may travel across + the Internet or multiple provider networks, then the PE-PE + traffic may be encrypted. + + - If the PPVPN user does not trust any zone outside of its + premises, it may require end-to-end or CE-CE encryption + service. This service fits within the scope of this PPVPN + security framework when the CE is provisioned by the PPVPN + provider. + + - If the PPVPN user requires remote access to a PPVPN from a + system that is not at a PPVPN customer location (for example, + access by a traveler), there may be a requirement for + encrypting the traffic between that system and an access point + on the PPVPN or at a customer site. If the PPVPN provider + provides the access point, then the customer must cooperate + with the provider to handle the access control services for the + remote users. These access control services are usually + implemented by using encryption, as well. + + Although CE-CE encryption provides confidentiality against third- + party interception, if the PPVPN provider has complete management + control over the CE (encryption) devices, then it may be possible for + the provider to gain access to the user's VPN traffic or internal + network. Encryption devices can potentially be configured to use + null encryption, to bypass encryption processing altogether, or to + provide some means of sniffing or diverting unencrypted traffic. + Thus, a PPVPN implementation using CE-CE encryption has to consider + the trust relationship between the PPVPN user and provider. PPVPN + users and providers may wish to negotiate a service level agreement + (SLA) for CE-CE encryption that will provide an acceptable + demarcation of responsibilities for management of encryption on the + CE devices. + + The demarcation may also be affected by the capabilities of the CE + devices. For example, the CE might support some partitioning of + management or a configuration lock-down ability, or it might allow + both parties to verify the configuration. In general, if the managed + CE-CE model is used, the PPVPN user has to have a fairly high level + of trust that the PPVPN provider will properly provision and manage + the CE devices. + + + +Fang Informational [Page 13] + +RFC 4111 PPVPN Security Framework July 2005 + + +5.1.1. IPsec in PPVPNs + + IPsec [RFC2401] [RFC2402] [RFC2406] [RFC2407] [RFC2411] is the + security protocol of choice for encryption at the IP layer (Layer 3), + as discussed in [RFC3631]. IPsec provides robust security for IP + traffic between pairs of devices. Non-IP traffic must be converted + to IP packets, or it cannot be transported over IPsec. Encapsulation + is a common conversion method. + + In the PPVPN model, IPsec can be employed to protect IP traffic + between PEs, between a PE and a CE, or from CE to CE. CE-to-CE IPsec + may be employed in either a provider-provisioned or a user- + provisioned model. The user-provisioned CE-CE IPsec model is outside + the scope of this document and outside the scope of the PPVPN Working + Group. Likewise, data encryption that is performed within the user's + site is outside the scope of this document, as it is simply handled + as user data by the PPVPN. IPsec can also be used to protect IP + traffic between a remote user and the PPVPN. + + IPsec does not itself specify an encryption algorithm. It can use a + variety of encryption algorithms with various key lengths, such as + AES encryption. There are trade-offs between key length, + computational burden, and the level of security of the encryption. A + full discussion of these trade-offs is beyond the scope of this + document. In order to assess the level of security offered by a + particular IPsec-based PPVPN service, some PPVPN users may wish to + know the specific encryption algorithm and effective key length used + by the PPVPN provider. However, in practice, any currently + recommended IPsec encryption offers enough security to substantially + reduce the likelihood of being directly targeted by an attacker. + Other, weaker, links in the chain of security are likely to be + attacked first. PPVPN users may wish to use a Service Level + Agreement (SLA) specifying the service provider's responsibility for + ensuring data confidentiality rather than to analyze the specific + encryption techniques used in the PPVPN service. + + For many of the PPVPN provider's network control messages and some + PPVPN user requirements, cryptographic authentication of messages + without encryption of the contents of the message may provide + acceptable security. With IPsec, authentication of messages is + provided by the Authentication Header (AH) or by the Encapsulating + Security Protocol (ESP) with authentication only. Where control + messages require authentication but do not use IPsec, other + cryptographic authentication methods are available. Message + authentication methods currently considered to be secure are based on + hashed message authentication codes (HMAC) [RFC2104] implemented with + a secure hash algorithm such as Secure Hash Algorithm 1 (SHA-1) + [RFC3174]. + + + +Fang Informational [Page 14] + +RFC 4111 PPVPN Security Framework July 2005 + + + One recommended mechanism for providing a combination + confidentiality, data origin authentication, and connectionless + integrity is the use of AES in Cipher Block Chaining (CBC) Mode, with + an explicit Initialization Vector (IV) [RFC3602], as the IPsec ESP. + + PPVPNs that provide differentiated services based on traffic type may + encounter some conflicts with IPsec encryption of traffic. As + encryption hides the content of the packets, it may not be possible + to differentiate the encrypted traffic in the same manner as + unencrypted traffic. Although DiffServ markings are copied to the + IPsec header and can provide some differentiation, not all traffic + types can be accommodated by this mechanism. + +5.1.2. Encryption for Device Configuration and Management + + For configuration and management of PPVPN devices, encryption and + authentication of the management connection at a level comparable to + that provided by IPsec is desirable. + + Several methods of transporting PPVPN device management traffic offer + security and confidentiality. + + - Secure Shell (SSH) offers protection for TELNET [STD8] or + terminal-like connections to allow device configuration. + + - SNMP v3 [STD62] provides encrypted and authenticated protection + for SNMP-managed devices. + + - Transport Layer Security (TLS) [RFC2246] and the closely-related + Secure Sockets Layer (SSL) are widely used for securing HTTP-based + communication, and thus can provide support for most XML- and + SOAP-based device management approaches. + + - As of 2004, extensive work is proceeding in several organizations + (OASIS, W3C, WS-I, and others) on securing device management + traffic within a "Web Services" framework. This work uses a wide + variety of security models and supports multiple security token + formats, multiple trust domains, multiple signature formats, and + multiple encryption technologies. + + - IPsec provides the services with security and confidentiality at + the network layer. With regard to device management, its current + use is primarily focused on in-band management of user-managed + IPsec gateway devices. + + + + + + + +Fang Informational [Page 15] + +RFC 4111 PPVPN Security Framework July 2005 + + +5.1.3. Cryptographic Techniques in Layer-2 PPVPNs + + Layer-2 PPVPNs will generally not be able to use IPsec to provide + encryption throughout the entire network. They may be able to use + IPsec for PE-PE traffic where it is encapsulated in IP packets, but + IPsec will generally not be applicable for CE-PE traffic in Layer-2 + PPVPNs. + + Encryption techniques for Layer-2 links are widely available but are + not within the scope of this document or IETF documents in general. + Layer-2 encryption could be applied to the links from CE to PE, or it + could be applied from CE to CE, as long as the encrypted Layer-2 + packets can be handled properly by the intervening PE devices. In + addition, the upper-layer traffic transported by the Layer-2 VPN can + be encrypted by the user. In this case, confidentiality will be + maintained; however, this is transparent to the PPVPN provider and is + outside the scope of this document. + +5.1.4. End-to-End vs. Hop-by-Hop Encryption Tradeoffs in PPVPNs + + In PPVPNs, encryption could potentially be applied to the VPN traffic + at several different places. This section discusses some of the + tradeoffs in implementing encryption in several different connection + topologies among different devices within a PPVPN. + + Encryption typically involves a pair of devices that encrypt the + traffic passing between them. The devices may be directly connected + (over a single "hop"), or there may be intervening devices that + transport the encrypted traffic between the pair of devices. The + extreme cases involve hop-by-hop encryption between every adjacent + pair of devices along a given path or "end-to-end" encryption only + between the end devices along a given path. To keep this discussion + within the scope of PPVPNs, we consider the "end to end" case to be + CE to CE rather than fully end to end. + + Figure 2 depicts a simplified PPVPN topology, showing the Customer + Edge (CE) devices, the Provider Edge (PE) devices, and a variable + number (three are shown) of Provider core (P) devices that might be + present along the path between two sites in a single VPN, operated by + a single service provider (SP). + + Site_1---CE---PE---P---P---P---PE---CE---Site_2 + + Figure 2: Simplified PPVPN topology + + + + + + + +Fang Informational [Page 16] + +RFC 4111 PPVPN Security Framework July 2005 + + + Within this simplified topology and assuming that P devices are not + to be involved with encryption, there are four basic feasible + configurations for implementing encryption on connections among the + devices: + + 1) Site-to-site (CE-to-CE): Encryption can be configured between + the two CE devices, so that traffic will be encrypted + throughout the SP's network. + + 2) Provider edge-to-edge (PE-to-PE): Encryption can be configured + between the two PE devices. Unencrypted traffic is received at + one PE from the customer's CE; then it is encrypted for + transmission through the SP's network to the other PE, where it + is decrypted and sent to the other CE. + + 3) Access link (CE-to-PE): Encryption can be configured between + the CE and PE, on each side (or on only one side). + + 4) Configurations 2) and 3) can be combined, with encryption + running from CE to PE, then from PE to PE, and then from PE to + CE. + + Among the four feasible configurations, key tradeoffs in considering + encryption include the following: + + - Vulnerability to link eavesdropping: Assuming that an attacker can + observe the data in transit on the links, would it be protected by + encryption? + + - Vulnerability to device compromise: Assuming an attacker can get + access to a device (or freely alter its configuration), would the + data be protected? + + - Complexity of device configuration and management: Given Nce, the + number of sites per VPN customer, and Npe, the number of PEs + participating in a given VPN, how many device configurations have + to be created or maintained and how do those configurations scale? + + - Processing load on devices: How many encryption or decryption + operations must be done, given P packets? This influences + considerations of device capacity and perhaps end-to-end delay. + + - Ability of SP to provide enhanced services (QoS, firewall, + intrusion detection, etc.): Can the SP inspect the data in order + to provide these services? + + These tradeoffs are discussed below for each configuration. + + + + +Fang Informational [Page 17] + +RFC 4111 PPVPN Security Framework July 2005 + + + 1) Site-to-site (CE-to-CE) Configurations + + o Link eavesdropping: Protected on all links. + + o Device compromise: Vulnerable to CE compromise. + + o Complexity: Single administration, responsible for one device + per site (Nce devices), but overall configuration per VPN + scales as Nce**2. + + o Processing load: on each of two CEs, each packet is either + encrypted or decrypted (2P). + + o Enhanced services: Severely limited; typically only DiffServ + markings are visible to SP, allowing some QoS services. + + 2) Provider edge-to-edge (PE-to-PE) Configurations + + o Link eavesdropping: Vulnerable on CE-PE links; protected on + SP's network links. + + o Device compromise: Vulnerable to CE or PE compromise. + + o Complexity: Single administration; Npe devices to configure. + (Multiple sites may share a PE device, so Npe is typically much + less than Nce.) Scalability of the overall configuration + depends on the PPVPN type: If the encryption is separate per + VPN context, it scales as Npe**2 per customer VPN. If the + encryption is per PE, it scales as Npe**2 for all customer VPNs + combined. + + o Processing load: On each of two PEs, each packet is either + encrypted or decrypted (2P). + + o Enhanced services: Full; SP can apply any enhancements based on + detailed view of traffic. + + 3) Access link (CE-to-PE) Configuration + + o Link eavesdropping: Protected on CE-PE link; vulnerable on SP's + network links. + + o Device compromise: Vulnerable to CE or PE compromise. + + o Complexity: Two administrations (customer and SP) with device + configuration on each side (Nce + Npe devices to configure), + but as there is no mesh, the overall configuration scales as + Nce. + + + +Fang Informational [Page 18] + +RFC 4111 PPVPN Security Framework July 2005 + + + o Processing load: On each of two CEs, each packet is either + encrypted or decrypted. On each of two PEs, each packet is + either encrypted or decrypted (4P). + + o Enhanced services: Full; SP can apply any enhancements based on + detailed view of traffic. + + 4) Combined Access link and PE-to-PE (essentially hop-by-hop). + + o Link eavesdropping: Protected on all links. + + o Device compromise: Vulnerable to CE or PE compromise. + + o Complexity: Two administrations (customer and SP), with device + configuration on each side (Nce + Npe devices to configure). + Scalability of the overall configuration depends on the PPVPN + type. If the encryption is separate per VPN context, it scales + as Npe**2 per customer VPN. If the encryption is per-PE, it + scales as Npe**2 for all customer VPNs combined. + + o Processing load: On each of two CEs, each packet is either + encrypted or decrypted. On each of two PEs, each packet is + both encrypted and decrypted (6P). + + o Enhanced services: Full; SP can apply any enhancements based on + detailed view of traffic. + + Given the tradeoffs discussed above, a few conclusions can be + reached. + + - Configurations 2 and 3, which are subsets of 4, may be appropriate + alternatives to 4 under certain threat models. The remainder of + these conclusions compare 1 (CE-to-CE) with 4 (combined access + links and PE-to-PE). + + - If protection from link eavesdropping is most important, then + configurations 1 and 4 are equivalent. + + - If protection from device compromise is most important and the + threat is to the CE devices, both cases are equivalent; if the + threat is to the PE devices, configuration 1 is best. + + - If reducing complexity is most important and the size of the + network is very small, configuration 1 is the best. Otherwise, + the comparison between options 1 and 4 is relatively complex , + based on a number of issues such as, how close the CE to CE + communication is to a full mesh, and what tools are used for key + management. Option 1 requires configuring keys for each CE-CE + + + +Fang Informational [Page 19] + +RFC 4111 PPVPN Security Framework July 2005 + + + pair that is communicating directly. Option 4 requires + configuring keys on both CE and PE devices but may offer benefit + from the fact that the number of PEs is generally much smaller + than the number of CEs. + + Also, under some PPVPN approaches, the scaling of 4 is further + improved by sharing the same PE-PE mesh across all VPN contexts. + The scaling characteristics of 4 may be increased or decreased in + any given situation if the CE devices are simpler to configure + than the PE devices, or vice versa. Furthermore, with option 4, + the impact of operational error may be significantly increased. + + - If the overall processing load is a key factor, then 1 is best. + + - If the availability of enhanced services support from the SP is + most important, then 4 is best. + + As a quick overall conclusion, CE-to-CE encryption provides greater + protection against device compromise, but it comes at the cost of + enhanced services and with additional operational complexity due to + the Order(n**2) scaling of the mesh. + + This analysis of site-to-site vs. hop-by-hop encryption tradeoffs + does not explicitly include cases where multiple providers cooperate + to provide a PPVPN service, public Internet VPN connectivity, or + remote access VPN service, but many of the tradeoffs will be similar. + +5.2. Authentication + + In order to prevent security issues from some denial-of-service + attacks or from malicious misconfiguration, it is critical that + devices in the PPVPN should only accept connections or control + messages from valid sources. Authentication refers to methods for + ensuring that message sources are properly identified by the PPVPN + devices with which they communicate. This section focuses on + identifying the scenarios in which sender authentication is required, + and it recommends authentication mechanisms for these scenarios. + + Cryptographic techniques (authentication and encryption) do not + protect against some types of denial-of-service attacks, + specifically, resource exhaustion attacks based on CPU or bandwidth + exhaustion. In fact, the processing required to decrypt or check + authentication may in some cases increase the effect of these + resource exhaustion attacks. Cryptographic techniques may, however, + be useful against resource exhaustion attacks based on exhaustion of + state information (e.g., TCP SYN attacks). + + + + + +Fang Informational [Page 20] + +RFC 4111 PPVPN Security Framework July 2005 + + +5.2.1. VPN Member Authentication + + This category includes techniques for the CEs to verify that they are + connected to the expected VPN. It includes techniques for CE-PE + authentication, to verify that each specific CE and PE is actually + communicating with its expected peer. + +5.2.2. Management System Authentication + + Management system authentication includes the authentication of a PE + to a centrally-managed directory server when directory-based "auto- + discovery" is used. It also includes authentication of a CE to its + PPVPN configuration server when a configuration server system is + used. + +5.2.3. Peer-to-Peer Authentication + + Peer-to-peer authentication includes peer authentication for network + control protocols (e.g., LDP, BGP), and other peer authentication + (i.e., authentication of one IPsec security gateway by another). + +5.2.4. Authenticating Remote Access VPN Members + + This section describes methods for authentication of remote access + users connecting to a VPN. + + Effective authentication of individual connections is a key + requirement for enabling remote access to a PPVPN from an arbitrary + Internet address (for instance, by a traveler). + + There are several widely used standards-based protocols to support + remote access authentication. These include RADIUS [RFC2865] and + DIAMETER [RFC3588]. Digital certificate systems also provide + authentication. In addition, there has been extensive development + and deployment of mechanisms for securely transporting individual + remote access connections within tunneling protocols, including L2TP + [RFC2661] and IPsec. + + Remote access involves connection to a gateway device, which provides + access to the PPVPN. The gateway device may be managed by the user + at a user site, or by the PPVPN provider at any of several possible + locations in the network. The user-managed case is of limited + interest within the PPVPN security framework, and it is not + considered at this time. + + When a PPVPN provider manages authentication at the remote access + gateway, this implies that authentication databases, which are + usually extremely confidential user-managed systems, will have to be + + + +Fang Informational [Page 21] + +RFC 4111 PPVPN Security Framework July 2005 + + + referenced in a secure manner by the PPVPN provider. This can be + accomplished through proxy authentication services, which accept an + encrypted authentication credential from the remote access user, pass + it to the PPVPN user's authentication system, and receive a yes/no + response as to whether the user has been authenticated. Thus, the + PPVPN provider does not have access to the actual authentication + database, but it can use it on behalf of the PPVPN user to provide + remote access authentication. + + Specific cryptographic techniques for handling authentication are + described in the following sections. + +5.2.5. Cryptographic Techniques for Authenticating Identity + + Cryptographic techniques offer several mechanisms for authenticating + the identity of devices or individuals. These include the use of + shared secret keys, one-time keys generated by accessory devices or + software, user-ID and password pairs, and a range of public-private + key systems. Another approach is to use a hierarchical Certificate + Authority system to provide digital certificates. + + This section describes or provides references to the specific + cryptographic approaches for authenticating identity. These + approaches provide secure mechanisms for most of the authentication + scenarios required in operating a PPVPN. + +5.3. Access Control Techniques + + Access control techniques include packet-by-packet or packet flow - + by - packet flow access control by means of filters and firewalls, as + well as by means of admitting a "session" for a + control/signaling/management protocol that is being used to implement + PPVPNs. Enforcement of access control by isolated infrastructure + addresses is discussed elsewhere in this document. + + We distinguish between filtering and firewalls primarily by the + direction of traffic flow. We define filtering as being applicable + to unidirectional traffic, whereas a firewall can analyze and control + both sides of a conversation. + + There are two significant corollaries of this definition: + + - Routing or traffic flow symmetry: A firewall typically requires + routing symmetry, which is usually enforced by locating a firewall + where the network topology assures that both sides of a + conversation will pass through the firewall. A filter can then + operate upon traffic flowing in one direction without considering + traffic in the reverse direction. + + + +Fang Informational [Page 22] + +RFC 4111 PPVPN Security Framework July 2005 + + + - Statefulness: Because it receives both sides of a conversation, a + firewall may be able to obtain a significant amount of information + concerning that conversation and to use this information to + control access. A filter can maintain some limited state + information on a unidirectional flow of packets, but it cannot + determine the state of the bi-directional conversation as + precisely as a firewall can. + +5.3.1. Filtering + + It is relatively common for routers to filter data packets. That is, + routers can look for particular values in certain fields of the IP or + higher level (e.g., TCP or UDP) headers. Packets that match the + criteria associated with a particular filter may be either discarded + or given special treatment. + + In discussing filters, it is useful to separate the filter + characteristics that may be used to determine whether a packet + matches a filter from the packet actions that are applied to packets + that match a particular filter. + + o Filter Characteristics + + Filter characteristics are used to determine whether a particular + packet or set of packets matches a particular filter. + + In many cases, filter characteristics may be stateless. A + stateless filter determines whether a particular packet matches a + filter based solely on the filter definition, on normal forwarding + information (such as the next hop for a packet), and on the + characteristics of that individual packet. Typically, stateless + filters may consider the incoming and outgoing logical or physical + interface, information in the IP header, and information in higher + layer headers such as the TCP or UDP header. Information in the + IP header to be considered may, for example, include source and + destination IP address, Protocol field, Fragment Offset, and TOS + field. Filters may also consider fields in the TCP or UDP header + such as the Port fields and the SYN field in the TCP header. + + Stateful filtering maintains packet-specific state information to + aid in determining whether a filter has been met. For example, a + device might apply stateless filters to the first fragment of a + fragmented IP packet. If the filter matches, then the data unit + ID may be remembered, and other fragments of the same packet may + then be considered to match the same filter. Stateful filtering + is more commonly done in firewalls, although firewall technology + may be added to routers. + + + + +Fang Informational [Page 23] + +RFC 4111 PPVPN Security Framework July 2005 + + + o Actions Based on Filter Results + + If a packet, or a series of packets, match a specific filter, then + there are a variety of actions that may be taken based on that + filter match. Examples of such actions include: + + - Discard + + In many cases, filters may be set to catch certain undesirable + packets. Examples may include packets with forged or invalid + source addresses, packets that are part of a DoS or DDoS + attack, or packets that are trying to access forbidden + resources (such as network management packets from an + unauthorized source). Where such filters are activated, it is + common to silently discard the packet or set of packets + matching the filter. The discarded packets may also be counted + and/or logged, of course. + + - Set CoS + + A filter may be used to set the Class of Service associated + with the packet. + + - Count Packets and/or Bytes + + - Rate Limit + + In some cases, the set of packets that match a particular + filter may be limited to a specified bandwidth. Packets and/or + bytes would be counted and forwarded normally up to the + specified limit. Excess packets may be discarded or marked + (for example, by setting a "discard eligible" bit in the IP ToS + field or the MPLS EXP field). + + - Forward and Copy + + It is useful in some cases not only to forward some set of + packets normally, but also to send a copy to a specified other + address or interface. For example, this may be used to + implement a lawful intercept capability, or to feed selected + packets to an Intrusion Detection System. + + o Other Issues Related to Packet Filters + + There may be a very wide variation in the performance impact of + filtering. This may occur both due to differences between + implementations, and due to differences between types or numbers + + + + +Fang Informational [Page 24] + +RFC 4111 PPVPN Security Framework July 2005 + + + of filters deployed. For filtering to be useful, the performance + of the equipment has to be acceptable in the presence of filters. + + The precise definition of "acceptable" may vary from service + provider to service provider and may depend on the intended use of + the filters. For example, for some uses a filter may be turned on + all the time in order to set CoS, to prevent an attack, or to + mitigate the effect of a possible future attack. In this case it + is likely that the service provider will want the filter to have + minimal or no impact on performance. In other cases, a filter may + be turned on only in response to a major attack (such as a major + DDoS attack). In this case a greater performance impact may be + acceptable to some service providers. + + A key consideration with the use of packet filters is that they + can provide few options for filtering packets carrying encrypted + data. Because the data itself is not accessible, only packet + header information or other unencrypted fields can be used for + filtering. + +5.3.2. Firewalls + + Firewalls provide a mechanism for control over traffic passing + between different trusted zones in the PPVPN model, or between a + trusted zone and an untrusted zone. Firewalls typically provide much + more functionality than filters, as they may be able to apply + detailed analysis and logical functions to flows and not just to + individual packets. They may offer a variety of complex services, + such as threshold-driven denial-of-service attack protection, virus + scanning, or acting as a TCP connection proxy. As with other access + control techniques, the value of firewalls depends on a clear + understanding of the topologies of the PPVPN core network, the user + networks, and the threat model. Their effectiveness depends on a + topology with a clearly defined inside (secure) and outside (not + secure). + + Within the PPVPN framework, traffic typically is not allowed to pass + between the various user VPNs. This inter-VPN isolation is usually + not performed by a firewall, but it is a part of the basic VPN + mechanism. An exception to the total isolation of VPNs is the case + of "extranets", which allow specific external access to a user's VPN, + potentially from another VPN. Firewalls can be used to provide the + services required for secure extranet implementation. + + + + + + + + +Fang Informational [Page 25] + +RFC 4111 PPVPN Security Framework July 2005 + + + In a PPVPN, firewalls can be applied between the public Internet and + user VPNs, in cases where Internet access services are offered by the + provider to the VPN user sites. In addition, firewalls may be + applied between VPN user sites and any shared network-based services + offered by the PPVPN provider. + + Firewalls may be applied to help protect PPVPN core network functions + from attacks originating from the Internet or from PPVPN user sites, + but typically other defensive techniques will be used for this + purpose. + + Where firewalls are employed as a service to protect user VPN sites + from the Internet, different VPN users, and even different sites of a + single VPN user, may have varying firewall requirements. The overall + PPVPN logical and physical topology, along with the capabilities of + the devices implementing the firewall services, will have a + significant effect on the feasibility and manageability of such + varied firewall service offerings. + + Another consideration with the use of firewalls is that they can + provide few options for handling packets carrying encrypted data. As + the data itself is not accessible, only packet header information, + other unencrypted fields, or analysis of the flow of encrypted + packets can be used for making decisions on accepting or rejecting + encrypted traffic. + +5.3.3. Access Control to Management Interfaces + + Most of the security issues related to management interfaces can be + addressed through the use of authentication techniques described in + the section on authentication. However, additional security may be + provided by controlling access to management interfaces in other + ways. + + Management interfaces, especially console ports on PPVPN devices, may + be configured so that they are only accessible out of band, through a + system that is physically or logically separated from the rest of the + PPVPN infrastructure. + + Where management interfaces are accessible in-band within the PPVPN + domain, filtering or firewalling techniques can be used to restrict + unauthorized in-band traffic from having access to management + interfaces. Depending on device capabilities, these filtering or + firewalling techniques can be configured either on other devices + through which the traffic might pass, or on the individual PPVPN + devices themselves. + + + + + +Fang Informational [Page 26] + +RFC 4111 PPVPN Security Framework July 2005 + + +5.4. Use of Isolated Infrastructure + + One way to protect the infrastructure used for support of VPNs is to + separate the VPN support resources from the resources used for other + purposes (such as support of Internet services). In some cases, this + may require the use of physically separate equipment for VPN + services, or even a physically separate network. + + For example, PE-based L3 VPNs may be run on a separate backbone not + connected to the Internet, or they may use separate edge routers from + those used to support Internet service. Private IP addresses (local + to the provider and non-routable over the Internet) are sometimes + used to provide additional separation. + + It is common for CE-based L3VPNs to make use of CE devices that are + dedicated to one specific VPN. In many or most cases, CE-based VPNs + may make use of normal Internet services to interconnect CE devices. + +5.5. Use of Aggregated Infrastructure + + In general it is not feasible to use a completely separate set of + resources for support of each VPN. One of the main reasons for VPN + services is to allow sharing of resources between multiple users, + including multiple VPNs. Thus, even if VPN services make use of a + separate network from Internet services, there will still be multiple + VPN users sharing the same network resources. In some cases, VPN + services will share the use of network resources with Internet + services or other services. + + It is therefore important for VPN services to provide protection + between resource use by different VPNs. Thus, a well-behaved VPN + user should be protected from possible misbehavior by other VPNs. + This requires that limits be placed on the amount of resources that + can be used by any one VPN. For example, both control traffic and + user data traffic may be rate limited. In some cases or in some + parts of the network where a sufficiently large number of queues are + available, each VPN (and, optionally, each VPN and CoS within the + VPN) may make use of a separate queue. Control-plane resources such + as link bandwidth and CPU and memory resources may be reserved on a + per-VPN basis. + + The techniques that are used to provision resource protection between + multiple VPNs served by the same infrastructure can also be used to + protect VPN services from Internet services. + + The use of aggregated infrastructure allows the service provider to + benefit from stochastic multiplexing of multiple bursty flows and may + + + + +Fang Informational [Page 27] + +RFC 4111 PPVPN Security Framework July 2005 + + + also, in some cases, thwart traffic pattern analysis by combining the + data from multiple VPNs. + +5.6. Service Provider Quality Control Processes + + Deployment of provider-provisioned VPN services requires a relatively + large amount of configuration by the service provider. For example, + the service provider has to configure which VPN each site belongs to, + as well as QoS and SLA guarantees. This large amount of required + configuration leads to the possibility of misconfiguration. + + It is important for the service provider to have operational + processes in place to reduce the potential impact of + misconfiguration. CE-to-CE authentication may also be used to detect + misconfiguration when it occurs. + +5.7. Deployment of Testable PPVPN Service + + This refers to solutions that can readily be tested for correct + configuration. For example, for a point-point VPN, checking that the + intended connectivity is working largely ensures that there is not + connectivity to some unintended site. + +6. Monitoring, Detection, and Reporting of Security Attacks + + A PPVPN service may be subject to attacks from a variety of security + threats. Many threats are described in another part of this + document. Many of the defensive techniques described in this + document and elsewhere provide significant levels of protection from + a variety of threats. However, in addition to silently employing + defensive techniques to protect against attacks, PPVPN services can + add value for both providers and customers by implementing security- + monitoring systems that detect and report on any security attacks + that occur, regardless of whether the attacks are effective. + + Attackers often begin by probing and analyzing defenses, so systems + that can detect and properly report these early stages of attacks can + provide significant benefits. + + Information concerning attack incidents, especially if available + quickly, can be useful in defending against further attacks. It can + be used to help identify attackers and their specific targets at an + early stage. This knowledge about attackers and targets can be used + to further strengthen defenses against specific attacks or attackers, + or to improve the defensive services for specific targets on an as- + needed basis. Information collected on attacks may also be useful in + identifying and developing defenses against novel attack types. + + + + +Fang Informational [Page 28] + +RFC 4111 PPVPN Security Framework July 2005 + + + Monitoring systems used to detect security attacks in PPVPNs will + typically operate by collecting information from Provider Edge (PE), + Customer Edge (CE), and/or Provider backbone (P) devices. Security + monitoring systems should have the ability to actively retrieve + information from devices (e.g., SNMP get) or to passively receive + reports from devices (e.g., SNMP notifications). The specific + information exchanged will depend on the capabilities of the devices + and on the type of VPN technology. Particular care should be given + to securing the communications channel between the monitoring systems + and the PPVPN devices. + + The CE, PE, and P devices should employ efficient methods to acquire + and communicate the information needed by the security monitoring + systems. It is important that the communication method between PPVPN + devices and security monitoring systems be designed so that it will + not disrupt network operations. As an example, multiple attack + events may be reported through a single message, rather than allow + each attack event to trigger a separate message, which might result + in a flood of messages, essentially becoming a denial-of-service + attack against the monitoring system or the network. + + The mechanisms for reporting security attacks should be flexible + enough to meet the needs of VPN service providers, VPN customers, and + regulatory agencies. The specific reports will depend on the + capabilities of the devices, the security monitoring system, the type + of VPN, and the service level agreements between the provider and + customer. + +7. User Security Requirements + + This section defines a list of security-related requirements that the + users of PPVPN services may have for their PPVPN service. Typically, + these translate into requirements for the provider in offering the + service. + + The following sections detail various requirements that ensure the + security of a given trusted zone. Since in real life there are + various levels of security, a PPVPN may fulfill any or all of these + security requirements. This document does not state that a PPVPN + must fulfill all of these requirements to be secure. As mentioned in + the Introduction, it is not within the scope of this document to + define the specific requirements that each VPN technology must + fulfill in order to be secure. + + + + + + + + +Fang Informational [Page 29] + +RFC 4111 PPVPN Security Framework July 2005 + + +7.1. Isolation + + A virtual private network usually defines "private" as isolation from + other PPVPNs and the Internet. More specifically, isolation has + several components, which are discussed in the following sections. + +7.1.1. Address Separation + + A given PPVPN can use the full Internet address range, including + private address ranges [RFC1918], without interfering with other + PPVPNs that use PPVPN services from the same service provider(s). + When Internet access is provided (e.g., by the same service provider + that is offering PPVPN service), NAT functionality may be needed. + + In layer-2 VPNs, the same requirement exists for the layer 2 + addressing schemes, such as MAC addresses. + +7.1.2. Routing Separation + + A PPVPN core must maintain routing separation between the trusted + zones. This means that routing information must not leak from any + trusted zone to any other, unless the zones are specifically + engineered this way (e.g., for Internet access.) + + In layer-2 VPNs, the switching information must be kept separate + between the trusted zones, so that switching information of one PPVPN + does not influence other PPVPNs or the PPVPN core. + +7.1.3. Traffic Separation + + Traffic from a given trusted zone must never leave this zone, and + traffic from another zone must never enter this zone. Exceptions are + made where zones are is specifically engineered that way (e.g., for + extranet purposes or Internet access.) + +7.2. Protection + + The common perception is that a completely separated "private" + network has defined entry points and is only subject to attack or + intrusion over those entry points. By sharing a common core, a PPVPN + appears to lose some of these clear interfaces to networks outside + the trusted zone. Thus, one of the key security requirements of + PPVPN services is that they offer the same level of protection as + private networks. + + + + + + + +Fang Informational [Page 30] + +RFC 4111 PPVPN Security Framework July 2005 + + +7.2.1. Protection against Intrusion + + An intrusion is defined here as the penetration of a trusted zone + from outside. This could be from the Internet, another PPVPN, or the + core network itself. + + The fact that a network is "virtual" must not expose it to additional + threats over private networks. Specifically, it must not add new + interfaces to other parts outside the trusted zone. Intrusions from + known interfaces such as Internet gateways are outside the scope of + this document. + +7.2.2. Protection against Denial-of-Service Attacks + + A denial-of-service (DoS) attack aims at making services or devices + unavailable to legitimate users. In the framework of this document, + only those DoS attacks are considered that are a consequence of + providing network service through a VPN. DoS attacks over the + standard interfaces into a trusted zone are not considered here. + + The requirement is that a PPVPN is not more vulnerable against DoS + attacks than it would be if the same network were private. + +7.2.3. Protection against Spoofing + + It must not be possible to violate the integrity of a PPVPN by + changing the sender identification (source address, source label, + etc) of traffic in transit. For example, if two CEs are connected to + the same PE, it must not be possible for one CE to send crafted + packets that make the PE believe those packets are coming from the + other CE, thus inserting them into the wrong PPVPN. + +7.3. Confidentiality + + This requirement means that data must be cryptographically secured in + transit over the PPVPN core network to avoid eavesdropping. + +7.4. CE Authentication + + Where CE authentication is provided, it is not possible for an + outsider to install a CE and pretend to belong to a specific PPVPN to + which this CE does not belong in reality. + +7.5. Integrity + + Data in transit must be secured in such a manner that it cannot be + altered or that any alteration may be detected at the receiver. + + + + +Fang Informational [Page 31] + +RFC 4111 PPVPN Security Framework July 2005 + + +7.6. Anti-replay + + Anti-replay means that data in transit cannot be recorded and + replayed later. To protect against anti-replay attacks, the data + must be cryptographically secured. + + Note: Even private networks do not necessarily meet the requirements + of confidentiality, integrity, and anti-reply. Thus, when private + and "virtually private" PPVPN services are compared, these + requirements are only applicable if the comparable private service + also included these services. However, the fact that VPNs operate + over a shared infrastructure may make some of these requirements more + important in a VPN environment than in a private network environment. + +8. Provider Security Requirements + + In this section, we discuss additional security requirements that the + provider may have in order to secure its network infrastructure as it + provides PPVPN services. + + The PPVPN service provider requirements defined here are the + requirements for the PPVPN core in the reference model. The core + network can be implemented with different types of network + technologies, and each core network may use different technologies to + provide the PPVPN services to users with different levels of offered + security. Therefore, a PPVPN service provider may fulfill any number + of the security requirements listed in this section. This document + does not state that a PPVPN must fulfill all of these requirements to + be secure. + + These requirements are focused on 1) how to protect the PPVPN core + from various attacks outside the core, including PPVPN users and + non-PPVPN alike, both accidentally and maliciously, and 2) how to + protect the PPVPN user VPNs and sites themselves. Note that a PPVPN + core is not more vulnerable against attacks than a core that does not + provide PPVPNs. However, providing PPVPN services over such a core + may lead to additional security requirements, if only because most + users are expecting higher security standards in a core delivering + PPVPN services. + +8.1. Protection within the Core Network + +8.1.1. Control Plane Protection + + - Protocol Authentication within the Core: + + PPVPN technologies and infrastructure must support mechanisms for + authentication of the control plane. For an IP core, IGP and BGP + + + +Fang Informational [Page 32] + +RFC 4111 PPVPN Security Framework July 2005 + + + sessions may be authenticated by using TCP MD5 or IPsec. If an + MPLS core is used, LDP sessions may be authenticated by using TCP + MD5. In addition, IGP and BGP authentication should also be + considered. For a core providing layer-2 services, PE to PE + authentication may also be used via IPsec. + + With the cost of authentication coming down rapidly, the + application of control plane authentication may not increase the + cost of implementation for providers significantly, and it will + improve the security of the core. If the core is dedicated to VPN + services and there are no interconnects to third parties, then it + may reduce the requirement for authentication of the core control + plane. + + - Elements protection + + Here we discuss means to hide the provider's infrastructure nodes. + + A PPVPN provider may make the infrastructure routers (P and PE + routers) unreachable by outside users and unauthorized internal + users. For example, separate address space may be used for the + infrastructure loopbacks. + + Normal TTL propagation may be altered to make the backbone look + like one hop from the outside, but caution should be taken for + loop prevention. This prevents the backbone addresses from being + exposed through trace route; however, it must also be assessed + against operational requirements for end-to-end fault tracing. + + An Internet backbone core may be re-engineered to make Internet + routing an edge function, for example, by using MPLS label + switching for all traffic within the core and possibly by making + the Internet a VPN within the PPVPN core itself. This helps + detach Internet access from PPVPN services. + + PE devices may implement separate control plane, data plane, and + management plane functionality in terms of hardware and software, + to improve security. This may help limit the problems when one + particular area is attacked, and it may allow each plane to + implement additional security measurement separately. + + PEs are often more vulnerable to attack than P routers, since, by + their very nature, PEs cannot be made unreachable to outside + users. Access to core trunk resources can be controlled on a + per-user basis by the application of inbound rate- + limiting/shaping. This can be further enhanced on a per-Class of + Service basis (see section 8.2.3). + + + + +Fang Informational [Page 33] + +RFC 4111 PPVPN Security Framework July 2005 + + + In the PE, using separate routing processes for Internet and PPVPN + service may help improve the PPVPN security and better protect VPN + customers. Furthermore, if the resources, such as CPU and memory, + may be further separated based on applications, or even on + individual VPNs, it may help provide improved security and + reliability to individual VPN customers. + + Many of these were not particular issues when an IP core was + designed to support Internet services only. Providing PPVPN + services introduces new security requirements for VPN services. + Similar consideration apply to L2 VPN services. + +8.1.2. Data Plane Protection + + PPVPN using IPsec technologies provides VPN users with encryption of + secure user data. + + In today's MPLS, ATM, and Frame Relay networks, encryption is not + provided as a basic feature. Mechanisms can be used to secure the + MPLS data plane and to secure the data carried over the MPLS core. + Additionally, if the core is dedicated to VPN services and there are + no external interconnects to third party networks, then there is no + obvious need for encryption of the user data plane. + + Inter-working IPsec/L3 PPVPN technologies or IPsec/L2 PPVPN + technologies may be used to provide PPVPN users with end-to-end PPVPN + services. + +8.2. Protection on the User Access Link + + Peer/Neighbor protocol authentication may be used to enhance + security. For example, BGP MD5 authentication may be used to enhance + security on PE-CE links using eBGP. In the case of an inter-provider + connection, authentication/encryption mechanisms between ASes, such + as IPsec, may be used. + + WAN link address space separation for VPN and non-VPN users may be + implemented to improve security in order to protect VPN customers if + multiple services are provided on the same PE platform. + + Firewall/Filtering: Access control mechanisms can be used to filter + out any packets destined for the service provider's infrastructure + prefix or to eliminate routes identified as illegitimate. + + + + + + + + +Fang Informational [Page 34] + +RFC 4111 PPVPN Security Framework July 2005 + + + Rate limiting may be applied to the user interface/logical interfaces + against DDoS bandwidth attack. This is very helpful when the PE + device is supporting both VPN services and Internet services, + especially when it supports VPN and Internet services on the same + physical interfaces through different logical interfaces. + +8.2.1. Link Authentication + + Authentication mechanisms can be employed to validate site access to + the PPVPN network via fixed or logical (e.g., L2TP, IPsec) + connections. When the user wishes to hold the 'secret' associated to + acceptance of the access and site into the VPN, then PPVPN based + solutions require the flexibility for either direct authentication by + the PE itself or interaction with a customer PPVPN authentication + server. Mechanisms are required in the latter case to ensure that + the interaction between the PE and the customer authentication server + is controlled, for example, by limiting it simply to an exchange in + relation to the authentication phase and with other attributes (e.g., + optional filtering of RADIUS). + +8.2.2. Access Routing + + Mechanisms may be used to provide control at a routing protocol level + (e.g., RIP, OSPF, BGP) between the CE and PE. Per-neighbor and per- + VPN routing policies may be established to enhance security and + reduce the impact of a malicious or non-malicious attack on the PE, + in particular, the following mechanisms should be considered: + + - Limiting the number of prefixes that may be advertised into the PE + on a per-access basis . Appropriate action may be taken should a + limit be exceeded; for example, the PE might shut down the peer + session to the CE. + + - Applying route dampening at the PE on received routing updates. + + - Definition of a per-VPN prefix limit, after which additional + prefixes will not be added to the VPN routing table. + + In the case of inter-provider connection, access protection, link + authentication, and routing policies as described above may be + applied. Both inbound and outbound firewall/filtering mechanism may + be applied between ASes. Proper security procedures must be + implemented in inter-provider VPN interconnection to protect the + providers' network infrastructure and their customer VPNs. This may + be custom designed for each inter-Provider VPN peering connection, + and both providers must agree on it. + + + + + +Fang Informational [Page 35] + +RFC 4111 PPVPN Security Framework July 2005 + + +8.2.3. Access QoS + + PPVPN providers offering QoS-enabled services require mechanisms to + ensure that individual accesses are validated against their + subscribed QOS profile and are granted access to core resources that + match their service profile. Mechanisms such as per-Class of Service + rate limiting/traffic shaping on ingress to the PPVPN core are one + option in providing this level of control. Such mechanisms may + require the per-Class of Service profile to be enforced by marking, + remarking, or discarding traffic that is outside of the profile. + +8.2.4. Customer VPN Monitoring Tools + + End users requiring visibility of VPN-specific statistics on the core + (e.g., routing table, interface status, QoS statistics) impose + requirements for mechanisms at the PE both to validate the incoming + user and to limit the views available to that particular user's VPN. + Mechanisms should also be considered to ensure that such access + cannot be used to create a DoS attack (either malicious or + accidental) on the PE itself. This could be accomplished either + through separation of these resources within the PE itself or via the + capability to rate-limit such traffic on a per-VPN basis. + +8.3. General Requirements for PPVPN Providers + + The PPVPN providers must support the users' security requirements as + listed in Section 7. Depending on the technologies used, these + requirements may include the following. + + - User control plane separation: Routing isolation. + + - User address space separation: Supporting overlapping addresses + from different VPNs. + + - User data plane separation: One VPN traffic cannot be intercepted + by other VPNs or any other users. + + - Protection against intrusion, DoS attacks and spoofing. + + - Access Authentication. + + - Techniques highlighted through this document identify + methodologies for the protection of PPVPN resources and + infrastructure. + + Hardware or software bugs in equipment that lead to security breaches + are outside the scope of this document. + + + + +Fang Informational [Page 36] + +RFC 4111 PPVPN Security Framework July 2005 + + +9. Security Evaluation of PPVPN Technologies + + This section presents a brief template that may be used to evaluate + and summarize how a given PPVPN approach (solution) measures up + against the PPVPN Security Framework. An evaluation using this + template should appear in the applicability statement for each PPVPN + approach. + +9.1. Evaluating the Template + + The first part of the template is in the form of a list of security + assertions. For each assertion the approach is assessed and one or + more of the following ratings is assigned: + + - The requirement is not applicable to the VPN approach because ... + (fill in reason). + + - The base VPN approach completely addresses the requirement by ... + (fill in technique). + + - The base VPN approach partially addresses the requirement by ... + (fill in technique and extent to which it addresses the + requirement). + + - An optional extension to the VPN approach completely addresses the + requirement by ... (fill in technique). + + - An optional extension to the VPN approach partially addresses the + requirement by ... (fill in technique and extent to which it + addresses the requirement). + + - The requirement is addressed in a way that is beyond the scope of + the VPN approach. (Explain.) (One example of this would be a VPN + approach in which some aspect, such as membership discovery, is + done via configuration. The protection afforded to the + configuration would be beyond the scope of the VPN approach.). + + - The VPN approach does not meet the requirement. + +9.2. Template + + The following assertions solicit responses of the types listed in the + previous section. + + 1. The approach provides complete IP address space separation for + each L3 VPN. + + + + + +Fang Informational [Page 37] + +RFC 4111 PPVPN Security Framework July 2005 + + + 2. The approach provides complete L2 address space separation for + each L2 VPN. + + 3. The approach provides complete VLAN ID space separation for each + L2 VPN. + + 4. The approach provides complete IP route separation for each L3 + VPN. + + 5. The approach provides complete L2 forwarding separation for each + L2 VPN. + + 6. The approach provides a means to prevent improper cross- + connection of sites in separate VPNs. + + 7. The approach provides a means to detect improper cross-connection + of sites in separate VPNs. + + 8. The approach protects against the introduction of unauthorized + packets into each VPN + a. in the CE-PE link, + b. in a single- or multi-provider PPVPN backbone, or + c. in the Internet used as PPVPN backbone. + + 9. The approach provides confidentiality (secrecy) protection for + PPVPN user data + a. in the CE-PE link, + b. in a single- or multi-provider PPVPN backbone, or + c. in the Internet used as PPVPN backbone. + + 10. The approach provides sender authentication for PPVPN user data. + a. in the CE-PE link, + b. in a single- or multi-provider PPVPN backbone, or + c. in the Internet used as PPVPN backbone. + + 11. The approach provides integrity protection for PPVPN user data + a. in the CE-PE link, + b. in a single- or multi- provider PPVPN backbone, or + c. in the Internet used as PPVPN backbone. + + 12. The approach provides protection against replay attacks for PPVPN + user data + a. in the CE-PE link, + b. in a single- or multi-provider PPVPN backbone, or + c. in the Internet used as PPVPN backbone. + + + + + + +Fang Informational [Page 38] + +RFC 4111 PPVPN Security Framework July 2005 + + + 13. The approach provides protection against unauthorized traffic + pattern analysis for PPVPN user data + a. in the CE-PE link, + b. in a single- or multi-provider PPVPN backbone, or + c. in the Internet used as PPVPN backbone. + + 14. The control protocol(s) used for each of the following functions + provides message integrity and peer authentication + + a. VPN membership discovery. + b. Tunnel establishment. + c. VPN topology and reachability advertisement: + i. PE-PE. + ii. PE-CE. + d. VPN provisioning and management. + e. VPN monitoring, attack detection, and reporting. + f. Other VPN-specific control protocols, if any (list). + + The following questions solicit free-form answers. + + 15. Describe the protection, if any, the approach provides against + PPVPN-specific DoS attacks (i.e., inter-trusted-zone DoS + attacks): + + a. Protection of the service provider infrastructure against + Data Plane or Control Plane DoS attacks originated in a + private (PPVPN user) network and aimed at PPVPN mechanisms. + + b. Protection of the service provider infrastructure against + Data Plane or Control Plane DoS attacks originated in the + Internet and aimed at PPVPN mechanisms. + + c. Protection of PPVPN users against Data Plane or Control + Plane DoS attacks originated from the Internet or from other + PPVPN users and aimed at PPVPN mechanisms. + + 16. Describe the protection, if any, the approach provides against + unstable or malicious operation of a PPVPN user network + + a. Protection against high levels of, or malicious design of, + routing traffic from PPVPN user networks to the service + provider network. + + b. Protection against high levels of, or malicious design of, + network management traffic from PPVPN user networks to the + service provider network. + + + + + +Fang Informational [Page 39] + +RFC 4111 PPVPN Security Framework July 2005 + + + c. Protection against worms and probes originated in the PPVPN + user networks, sent toward the service provider network. + + 17. Is the approach subject to any approach-specific vulnerabilities + not specifically addressed by this template? If so, describe the + defense or mitigation, if any, that the approach provides for + each. + +10. Security Considerations + + Security considerations constitute the sole subject of this memo and + hence are discussed throughout. Here we recap what has been + presented and explain at a very high level the role of each type of + consideration in an overall secure PPVPN system. The document + describes a number of potential security threats. Some of these + threats have already been observed occurring in running networks; + others are largely theoretical at this time. + + DoS attacks and intrusion attacks from the Internet against service + provider infrastructure have been seen. DoS "attacks" (typically not + malicious) have also been seen in which CE equipment overwhelms PE + equipment with high quantities or rates of packet traffic or routing + information. Operational/provisioning errors are cited by service + providers as one of their prime concerns. + + The document describes a variety of defensive techniques that may be + used to counter the suspected threats. All of the techniques + presented involve mature and widely implemented technologies that are + practical to implement. + + The document describes the importance of detecting, monitoring, and + reporting both successful and unsuccessful attacks. These activities + are essential for "understanding one's enemy", mobilizing new + defenses, and obtaining metrics about how secure the PPVPN service + is. As such, they are vital components of any complete PPVPN + security system. + + The document evaluates PPVPN security requirements from a customer + perspective and from a service provider perspective. These sections + re-evaluate the identified threats from the perspectives of the + various stakeholders and are meant to assist equipment vendors and + service providers, who must ultimately decide what threats to protect + against in any given equipment or service offering. + + Finally, the document includes a template for use by authors of PPVPN + technical solutions for evaluating how those solutions measure up + against the security considerations presented in this memo. + + + + +Fang Informational [Page 40] + +RFC 4111 PPVPN Security Framework July 2005 + + +11. Contributors + + The following people made major contributions to writing this + document: Michael Behringer, Ross Callon, Fabio Chiussi, Jeremy De + Clerque, Paul Hitchen, and Paul Knignt. + + Michael Behringer + Cisco + Village d'Entreprises Green Side, Phone: +33.49723-2652 + 400, Avenue Roumanille, Bat. T 3 EMail: mbehring@cisco.com + 06410 Biot, Sophia Antipolis + France + + Ross Callon + Juniper Networks + 10 Technology Park Drive Phone: 978-692-6724 + Westford, MA 01886 EMail: rcallon@juniper.net + + Fabio Chiussi Phone: 1 978 367-8965 + Airvana EMail: fabio@airvananet.com + 19 Alpha Road + Chelmsford, Massachusetts 01824 + + Jeremy De Clercq + Alcatel + Fr. Wellesplein 1, 2018 Antwerpen EMail: jeremy.de_clercq@alcatel.be + Belgium + + Mark Duffy + Sonus Networks + 250 Apollo Drive Phone: 1 978-614-8748 + Chelmsford, MA 01824 EMail: mduffy@sonusnet.com + + Paul Hitchen + BT + BT Adastral Park + Martlesham Heath Phone: 44-1473-606-344 + Ipswich IP53RE EMail: paul.hitchen@bt.com + UK + + Paul Knight + Nortel + 600 Technology Park Drive Phone: 978-288-6414 + Billerica, MA 01821 EMail: paul.knight@nortel.com + + + + + + + +Fang Informational [Page 41] + +RFC 4111 PPVPN Security Framework July 2005 + + +12. Acknowledgement + + The author and contributors would also like to acknowledge the + helpful comments and suggestions from Paul Hoffman, Eric Gray, Ron + Bonica, Chris Chase, Jerry Ash, and Stewart Bryant. + +13. Normative References + + [RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, + G., and E. Lear, "Address Allocation for Private + Internets", BCP 5, RFC 1918, February 1996. + + [RFC2246] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", + RFC 2246, January 1999. + + [RFC2401] Kent, S. and R. Atkinson, "Security Architecture for the + Internet Protocol", RFC 2401, November 1998. + + [RFC2402] Kent, S. and R. Atkinson, "IP Authentication Header", + RFC 2402, November 1998. + + [RFC2406] Kent, S. and R. Atkinson, "IP Encapsulating Security + Payload (ESP)", RFC 2406, November 1998. + + [RFC2407] Piper, D., "The Internet IP Security Domain of + Interpretation for ISAKMP", RFC 2407, November 1998. + + [RFC2661] Townsley, W., Valencia, A., Rubens, A., Pall, G., Zorn, + G., and B. Palter, "Layer Two Tunneling Protocol + "L2TP"", RFC 2661, August 1999. + + [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, + "Remote Authentication Dial In User Service (RADIUS)", + RFC 2865, June 2000. + + [RFC3588] Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J. + Arkko, "Diameter Base Protocol", RFC 3588, September + 2003. + + [RFC3602] Frankel, S., Glenn, R., and S. Kelly, "The AES-CBC + Cipher Algorithm and Its Use with IPsec", RFC 3602, + September 2003. + + + + + + + + + +Fang Informational [Page 42] + +RFC 4111 PPVPN Security Framework July 2005 + + + [STD62] Harrington, D., Presuhn, R., and B. Wijnen, "An + Architecture for Describing Simple Network Management + Protocol (SNMP) Management Frameworks", STD 62, RFC + 3411, December 2002. + + Case, J., Harrington, D., Presuhn, R., and B. Wijnen, + "Message Processing and Dispatching for the Simple + Network Management Protocol (SNMP)", STD 62, RFC 3412, + December 2002. + + Levi, D., Meyer, P., and B. Stewart, "Simple Network + Management Protocol (SNMP) Applications", STD 62, RFC + 3413, December 2002. + + Blumenthal, U. and B. Wijnen, "User-based Security Model + (USM) for version 3 of the Simple Network Management + Protocol (SNMPv3)", STD 62, RFC 3414, December 2002. + + Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based + Access Control Model (VACM) for the Simple Network + Management Protocol (SNMP)", STD 62, RFC 3415, December + 2002. + + Presuhn, R., "Version 2 of the Protocol Operations for + the Simple Network Management Protocol (SNMP)", STD 62, + RFC 3416, December 2002. + + Presuhn, R., "Transport Mappings for the Simple Network + Management Protocol (SNMP)", STD 62, RFC 3417, December + 2002. + + Presuhn, R., "Management Information Base (MIB) for the + Simple Network Management Protocol (SNMP)", STD 62, RFC + 3418, December 2002. + + [STD8] Postel, J. and J. Reynolds, "Telnet Protocol + Specification", STD 8, RFC 854, May 1983. + +14. Informative References + + [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: + Keyed-Hashing for Message Authentication", RFC 2104, + February 1997. + + [RFC2411] Thayer, R., Doraswamy, N., and R. Glenn, "IP Security + Document Roadmap", RFC 2411, November 1998. + + + + + +Fang Informational [Page 43] + +RFC 4111 PPVPN Security Framework July 2005 + + + [RFC3174] Eastlake 3rd, D. and P. Jones, "US Secure Hash Algorithm + 1 (SHA1)", RFC 3174, September 2001. + + [RFC3631] Bellovin, S., Schiller, J., and C. Kaufman, "Security + Mechanisms for the Internet", RFC 3631, December 2003. + + [RFC3889] Barbir, A., Murphy, S., and Y. Yang, "Generic Threats to + Routing Protocols", RFC 3889, October 2004. + + [RFC4026] Andersson, L. and T. Madsen, "Provider Provisioned + Virtual Private Network (VPN) Terminology", RFC 4026, + March 2005. + + [RFC4031] Carugi, M. and D. McDysan, Eds., "Service Requirements + for Layer 3 Provider Provisioned Virtual Private + Networks (PPVPNs)", RFC 4031, April 2005. + + [RFC4110] Callon, R. and M. Suzuki, "A Framework for Layer 3 + Provider Provisioned Virtual Private Networks", RFC + 4110, July 2005. + + +Author's Address + + Luyuan Fang + AT&T Labs. + 200 Laurel Avenue, Room C2-3B35 + Middletown, NJ 07748 + + Phone: 732-420-1921 + EMail: luyuanfang@att.com + + + + + + + + + + + + + + + + + + + + +Fang Informational [Page 44] + +RFC 4111 PPVPN Security Framework July 2005 + + +Full Copyright Statement + + Copyright (C) The Internet Society (2005). + + This document is subject to the rights, licenses and restrictions + contained in BCP 78, and except as set forth therein, the authors + retain all their rights. + + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS + OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET + ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, + INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE + INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED + WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Intellectual Property + + The IETF takes no position regarding the validity or scope of any + Intellectual Property Rights or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; nor does it represent that it has + made any independent effort to identify any such rights. Information + on the procedures with respect to rights in RFC documents can be + found in BCP 78 and BCP 79. + + Copies of IPR disclosures made to the IETF Secretariat and any + assurances of licenses to be made available, or the result of an + attempt made to obtain a general license or permission for the use of + such proprietary rights by implementers or users of this + specification can be obtained from the IETF on-line IPR repository at + http://www.ietf.org/ipr. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights that may cover technology that may be required to implement + this standard. Please address the information to the IETF at ietf- + ipr@ietf.org. + +Acknowledgement + + Funding for the RFC Editor function is currently provided by the + Internet Society. + + + + + + + +Fang Informational [Page 45] + -- cgit v1.2.3