From 4bfd864f10b68b71482b35c818559068ef8d5797 Mon Sep 17 00:00:00 2001 From: Thomas Voss Date: Wed, 27 Nov 2024 20:54:24 +0100 Subject: doc: Add RFC documents --- doc/rfc/rfc4381.txt | 1235 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 1235 insertions(+) create mode 100644 doc/rfc/rfc4381.txt (limited to 'doc/rfc/rfc4381.txt') diff --git a/doc/rfc/rfc4381.txt b/doc/rfc/rfc4381.txt new file mode 100644 index 0000000..be318ee --- /dev/null +++ b/doc/rfc/rfc4381.txt @@ -0,0 +1,1235 @@ + + + + + + +Network Working Group M. Behringer +Request for Comments: 4381 Cisco Systems Inc +Category: Informational February 2006 + + + Analysis of the Security of BGP/MPLS IP + Virtual Private Networks (VPNs) + +Status of This Memo + + This memo provides information for the Internet community. It does + not specify an Internet standard of any kind. Distribution of this + memo is unlimited. + +Copyright Notice + + Copyright (C) The Internet Society (2006). + +IESG Note + + The content of this RFC was at one time considered by the IETF, and + therefore it may resemble a current IETF work in progress or a + published IETF work. This RFC is not a candidate for any level of + Internet Standard. The IETF disclaims any knowledge of the fitness + of this RFC for any purpose, and in particular notes that the + decision to publish is not based on IETF review for such things as + security, congestion control or inappropriate interaction with + deployed protocols. The RFC Editor has chosen to publish this + document at its discretion. Readers of this RFC should exercise + caution in evaluating its value for implementation and deployment. + See RFC 3932 for more information. + +Abstract + + This document analyses the security of the BGP/MPLS IP virtual + private network (VPN) architecture that is described in RFC 4364, for + the benefit of service providers and VPN users. + + The analysis shows that BGP/MPLS IP VPN networks can be as secure as + traditional layer-2 VPN services using Asynchronous Transfer Mode + (ATM) or Frame Relay. + + + + + + + + + + +Behringer Informational [Page 1] + +RFC 4381 Security of BGP/MPLS IP VPNs February 2006 + + +Table of Contents + + 1. Scope and Introduction ..........................................3 + 2. Security Requirements of VPN Networks ...........................4 + 2.1. Address Space, Routing, and Traffic Separation .............4 + 2.2. Hiding the Core Infrastructure .............................5 + 2.3. Resistance to Attacks ......................................5 + 2.4. Impossibility of Label Spoofing ............................6 + 3. Analysis of BGP/MPLS IP VPN Security ............................6 + 3.1. Address Space, Routing, and Traffic Separation .............6 + 3.2. Hiding of the BGP/MPLS IP VPN Core Infrastructure ..........7 + 3.3. Resistance to Attacks ......................................9 + 3.4. Label Spoofing ............................................11 + 3.5. Comparison with ATM/FR VPNs ...............................12 + 4. Security of Advanced BGP/MPLS IP VPN Architectures .............12 + 4.1. Carriers' Carrier .........................................13 + 4.2. Inter-Provider Backbones ..................................14 + 5. What BGP/MPLS IP VPNs Do Not Provide ...........................16 + 5.1. Protection against Misconfigurations of the Core + and Attacks 'within' the Core .............................16 + 5.2. Data Encryption, Integrity, and Origin Authentication .....17 + 5.3. Customer Network Security .................................17 + 6. Layer 2 Security Considerations ................................18 + 7. Summary and Conclusions ........................................19 + 8. Security Considerations ........................................20 + 9. Acknowledgements ...............................................20 + 10. Normative References ..........................................20 + 11. Informative References ........................................20 + + + + + + + + + + + + + + + + + + + + + + + +Behringer Informational [Page 2] + +RFC 4381 Security of BGP/MPLS IP VPNs February 2006 + + +1. Scope and Introduction + + As Multiprotocol Label Switching (MPLS) is becoming a more widespread + technology for providing IP virtual private network (VPN) services, + the security of the BGP/MPLS IP VPN architecture is of increasing + concern to service providers and VPN customers. This document gives + an overview of the security of the BGP/MPLS IP VPN architecture that + is described in RFC 4364 [1], and compares it with the security of + traditional layer-2 services such as ATM or Frame Relay. + + The term "MPLS core" is defined for this document as the set of + Provider Edge (PE) and provider (P) routers that provide a BGP/MPLS + IP VPN service, typically under the control of a single service + provider (SP). This document assumes that the MPLS core network is + trusted and secure. Thus, it does not address basic security + concerns such as securing the network elements against unauthorised + access, misconfigurations of the core, or attacks internal to the + core. A customer that does not wish to trust the service provider + network must use additional security mechanisms such as IPsec over + the MPLS infrastructure. + + This document analyses only the security features of BGP/MPLS IP + VPNs, not the security of routing protocols in general. IPsec + technology is also not covered, except to highlight the combination + of MPLS VPNs with IPsec. + + The overall security of a system has three aspects: the architecture, + the implementation, and the operation of the system. Security issues + can exist in any of these aspects. This document analyses only the + architectural security of BGP/MPLS IP VPNs, not implementation or + operational security issues. + + This document is targeted at technical staff of service providers and + enterprises. Knowledge of the basic BGP/MPLS IP VPN architecture as + described in RFC 4364 [1] is required to understand this document. + For specific Layer 3 VPN terminology and reference models refer to + [11]. + + Section 2 of this document specifies the typical VPN requirements a + VPN user might have, and section 3 analyses how RFC 4364 [1] + addresses these requirements. Section 4 discusses specific security + issues of multi-AS (Autonomous System) MPLS architectures, and + section 5 lists security features that are not covered by this + architecture and therefore need to be addressed separately. Section + 6 highlights potential security issues on layer 2 that might impact + the overall security of a BGP/MPLS IP VPN service. The findings of + this document are summarized in section 7. + + + + +Behringer Informational [Page 3] + +RFC 4381 Security of BGP/MPLS IP VPNs February 2006 + + +2. Security Requirements of VPN Networks + + Both service providers offering any type of VPN services and + customers using them have specific demands for security. Mostly, + they compare MPLS-based solutions with traditional layer 2-based VPN + solutions such as Frame Relay and ATM, since these are widely + deployed and accepted. This section outlines the typical security + requirements for VPN networks. The following section discusses if + and how BGP/MPLS IP VPNs address these requirements, for both the + MPLS core and the connected VPNs. + +2.1. Address Space, Routing, and Traffic Separation + + Non-intersecting layer 3 VPNs of the same VPN service are assumed to + have independent address spaces. For example, two non-intersecting + VPNs may each use the same 10/8 network addresses without conflict. + In addition, traffic from one VPN must never enter another VPN. This + implies separation of routing protocol information, so that routing + tables must also be separate per VPN. Specifically: + + o Any VPN must be able to use the same address space as any other + VPN. + o Any VPN must be able to use the same address space as the MPLS + core. + o Traffic, including routing traffic, from one VPN must never flow + to another VPN. + o Routing information, as well as distribution and processing of + that information, for one VPN instance must be independent from + any other VPN instance. + o Routing information, as well as distribution and processing of + that information, for one VPN instance must be independent from + the core. + + From a security point of view, the basic requirement is to prevent + packets destined to a host a.b.c.d within a given VPN reaching a host + with the same address in another VPN or in the core, and to prevent + routing packets to another VPN even if it does not contain that + destination address. + + Confidentiality, as defined in the L3VPN Security Framework [11], is + a requirement that goes beyond simple isolation of VPNs and provides + protection against eavesdropping on any transmission medium. + Encryption is the mechanism used to provide confidentiality. This + document considers confidentiality an optional VPN requirement, since + many existing VPN deployments do not encrypt transit traffic. + + + + + + +Behringer Informational [Page 4] + +RFC 4381 Security of BGP/MPLS IP VPNs February 2006 + + +2.2. Hiding the Core Infrastructure + + The internal structure of the core network (MPLS PE and P elements) + should not be externally visible. Whilst breaking this requirement + is not a security problem in itself, many service providers believe + it is advantageous if the internal addresses and network structure + are hidden from the outside world. An argument is that denial-of- + service (DoS) attacks against a core router are much easier to carry + out if an attacker knows the router addresses. Addresses can always + be guessed, but attacks are more difficult if addresses are not + known. The core should be as invisible to the outside world as a + comparable layer 2 infrastructure (e.g., Frame Relay, ATM). Core + network elements should also not be accessible from within a VPN. + + Security should never rely entirely on obscurity, i.e., the hiding of + information. Services should be equally secure if the implementation + is known. However, there is a strong market perception that hiding + of details is advantageous. This point addresses that market + perception. + +2.3. Resistance to Attacks + + There are two basic types of attacks: DoS attacks, where resources + become unavailable to authorised users, and intrusions, where + resources become available to unauthorised users. BGP/MPLS IP VPN + networks must provide at least the same level of protection against + both forms of attack as current layer 2 networks. + + For intrusions, there are two fundamental ways to protect the + network: first, to harden protocols that could be abused (e.g., + Telnet into a router), and second, to make the network as + inaccessible as possible. This is achieved by a combination of + packet filtering / firewalling and address hiding, as discussed + above. + + DoS attacks are easier to execute, since a single known IP address + might be enough information to attack a machine. This can be done + using normal "permitted" traffic, but using higher than normal packet + rates, so that other users cannot access the targeted machine. The + only way to be invulnerable to this kind of attack is to make sure + that machines are not reachable, again by packet filtering and + optionally by address hiding. + + This document concentrates on protecting the core network against + attacks from the "outside", i.e., the Internet and connected VPNs. + Protection against attacks from the "inside", i.e., an attacker who + has logical or physical access to the core network, is not discussed + here. + + + +Behringer Informational [Page 5] + +RFC 4381 Security of BGP/MPLS IP VPNs February 2006 + + +2.4. Impossibility of Label Spoofing + + Assuming the address and traffic separation discussed above, an + attacker might try to access other VPNs by inserting packets with a + label that he does not "own". This could be done from the outside, + i.e., another Customer Edge (CE) router or from the Internet, or from + within the MPLS core. The latter case (from within the core) will + not be discussed, since we assume that the core network is provided + securely. Should protection against an insecure core be required, it + is necessary to use security protocols such as IPsec across the MPLS + infrastructure, at least from CE to CE, since the PEs belong to the + core. + + Depending on the way that CE routers are connected to PE routers, it + might be possible to intrude into a VPN that is connected to the same + PE, using layer 2 attack mechanisms such as 802.1Q-label spoofing or + ATM VPI/VCI spoofing. Layer 2 security issues will be discussed in + section 6. + + It is required that VPNs cannot abuse the MPLS label mechanisms or + protocols to gain unauthorised access to other VPNs or the core. + +3. Analysis of BGP/MPLS IP VPN Security + + In this section, the BGP/MPLS IP VPN architecture is analysed with + respect to the security requirements listed above. + +3.1. Address Space, Routing, and Traffic Separation + + BGP/MPLS allows distinct IP VPNs to use the same address space, which + can also be private address space (RFC 1918 [2]). This is achieved + by adding a 64-bit Route Distinguisher (RD) to each IPv4 route, + making VPN-unique addresses also unique in the MPLS core. This + "extended" address is also called a "VPN-IPv4 address". Thus, + customers of a BGP/MPLS IP VPN service do not need to change their + current addressing plan. + + Each PE router maintains a separate Virtual Routing and Forwarding + instance (VRF) for each connected VPN. A VRF includes the addresses + of that VPN as well as the addresses of the PE routers with which the + CE routers are peering. All addresses of a VRF, including these PE + addresses, belong logically to the VPN and are accessible from the + VPN. The fact that PE addresses are accessible to the VPN is not an + issue if static routing is used between the PE and CE routers, since + packet filters can be deployed to block access to all addresses of + the VRF on the PE router. If dynamic routing protocols are used, the + CE routers need to have the address of the peer PE router in the core + configured. In an environment where the service provider manages the + + + +Behringer Informational [Page 6] + +RFC 4381 Security of BGP/MPLS IP VPNs February 2006 + + + CE routers as CPE, this can be invisible to the customer. The + address space on the CE-PE link (including the peering PE address) is + considered part of the VPN address space. Since address space can + overlap between VPNs, the CE-PE link addresses can overlap between + VPNs. For practical management considerations, SPs typically address + CE-PE links from a global pool, maintaining uniqueness across the + core. + + Routing separation between VPNs can also be achieved. Each VRF is + populated with routes from one VPN through statically configured + routes or through routing protocols that run between the PE and CE + router. Since each VPN is associated with a separate VRF there is no + interference between VPNs on the PE router. + + Across the core to the other PE routers separation is maintained with + unique VPN identifiers in multiprotocol BGP, the Route Distinguishers + (RDs). VPN routes including the RD are exclusively exchanged between + PE routers by Multi-Protocol BGP (MP-BGP, RFC 2858 [8]) across the + core. These BGP routing updates are not re-distributed into the + core, but only to the other PE routers, where the information is kept + again in VPN-specific VRFs. Thus, routing across a BGP/MPLS network + is separate per VPN. + + On the data plane, traffic separation is achieved by the ingress PE + pre-pending a VPN-specific label to the packets. The packets with + the VPN labels are sent through the core to the egress PE, where the + VPN label is used to select the egress VRF. + + Given the addressing, routing, and traffic separation across an BGP/ + MPLS IP VPN core network, it can be assumed that this architecture + offers in this respect the same security as a layer-2 VPN. It is not + possible to intrude from a VPN or the core into another VPN unless + this has been explicitly configured. + + If and when confidentiality is required, it can be achieved in BGP/ + MPLS IP VPNs by overlaying encryption services over the network. + However, encryption is not a standard service on BGP/MPLS IP VPNs. + See also section 5.2. + +3.2. Hiding of the BGP/MPLS IP VPN Core Infrastructure + + Service providers and end-customers do not normally want their + network topology revealed to the outside. This makes attacks more + difficult to execute: If an attacker doesn't know the address of a + victim, he can only guess the IP addresses to attack. Since most DoS + attacks don't provide direct feedback to the attacker it would be + difficult to attack the network. It has to be mentioned specifically + + + + +Behringer Informational [Page 7] + +RFC 4381 Security of BGP/MPLS IP VPNs February 2006 + + + that information hiding as such does not provide security. However, + in the market this is a perceived requirement. + + With a known IP address, a potential attacker can launch a DoS attack + more easily against that device. Therefore, the ideal is to not + reveal any information about the internal network to the outside + world. This applies to the customer network and the core. A number + of additional security measures also have to be taken: most of all, + extensive packet filtering. + + For security reasons, it is recommended for any core network to + filter packets from the "outside" (Internet or connected VPNs) + destined to the core infrastructure. This makes it very hard to + attack the core, although some functionality such as pinging core + routers will be lost. Traceroute across the core will still work, + since it addresses a destination outside the core. + + MPLS does not reveal unnecessary information to the outside, not even + to customer VPNs. The addressing of the core can be done with + private addresses (RFC 1918 [2]) or public addresses. Since the + interface to the VPNs as well as the Internet is BGP, there is no + need to reveal any internal information. The only information + required in the case of a routing protocol between PE and CE is the + address of the PE router. If no dynamic routing is required, static + routing on unnumbered interfaces can be configured between the PE and + CE. With this measure, the BGP/MPLS IP VPN core can be kept + completely hidden. + + Customer VPNs must advertise their routes to the BGP/MPLS IP VPN core + (dynamically or statically), to ensure reachability across their VPN. + In some cases, VPN users prefer that the service provider have no + visibility of the addressing plan of the VPN. The following has to + be noted: First, the information known to the core is not about + specific hosts, but networks (routes); this offers a degree of + abstraction. Second, in a VPN-only BGP/MPLS IP VPN network (no + Internet access) this is equal to existing layer-2 models, where the + customer has to trust the service provider. Also, in a Frame Relay + or ATM network, routing and addressing information about the VPNs can + be seen on the core network. + + In a VPN service with shared Internet access, the service provider + will typically announce the routes of customers who wish to use the + Internet to his upstream or peer providers. This can be done + directly if the VPN customer uses public address space, or via + Network Address Translation (NAT) to obscure the addressing + information of the customers' networks. In either case, the customer + does not reveal more information than would be revealed by a general + Internet service. Core information will not be revealed, except for + + + +Behringer Informational [Page 8] + +RFC 4381 Security of BGP/MPLS IP VPNs February 2006 + + + the peering address(es) of the PE router(s) that hold(s) the peering + with the Internet. These addresses must be secured as in a + traditional IP backbone. + + In summary, in a pure MPLS-VPN service, where no Internet access is + provided, information hiding is as good as on a comparable FR or ATM + network. No addressing information is revealed to third parties or + the Internet. If a customer chooses to access the Internet via the + BGP/MPLS IP VPN core, he will have to reveal the same information as + required for a normal Internet service. NAT can be used for further + obscurity. Being reachable from the Internet automatically exposes a + customer network to additional security threats. Appropriate + security mechanisms have to be deployed such as firewalls and + intrusion detection systems. This is true for any Internet access, + over MPLS or direct. + + A BGP/MPLS IP VPN network with no interconnections to the Internet + has security equal to that of FR or ATM VPN networks. With an + Internet access from the MPLS cloud, the service provider has to + reveal at least one IP address (of the peering PE router) to the next + provider, and thus to the outside world. + +3.3. Resistance to Attacks + + Section 3.1 shows that it is impossible to directly intrude into + other VPNs. Another possibility is to attack the MPLS core and try + to attack other VPNs from there. As shown above, it is impossible to + address a P router directly. The only addresses reachable from a VPN + or the Internet are the peering addresses of the PE routers. Thus, + there are two basic ways that the BGP/MPLS IP VPN core can be + attacked: + + 1. By attacking the PE routers directly. + 2. By attacking the signaling mechanisms of MPLS (mostly routing). + + To attack an element of a BGP/MPLS IP VPN network, it is first + necessary to know the address of the element. As discussed in + section 3.2, the addressing structure of the BGP/MPLS IP VPN core is + hidden from the outside world. Thus, an attacker cannot know the IP + address of any router in the core to attack. The attacker could + guess addresses and send packets to these addresses. However, due to + the address separation of MPLS each incoming packet will be treated + as belonging to the address space of the customer. Thus, it is + impossible to reach an internal router, even by guessing IP + addresses. There is only one exception to this rule, which is the + peer interface of the PE router. This address of the PE is the only + attack point from the outside (a VPN or Internet). + + + + +Behringer Informational [Page 9] + +RFC 4381 Security of BGP/MPLS IP VPNs February 2006 + + + The routing between a VPN and the BGP/MPLS IP VPN core can be + configured two ways: + + 1. Static: In this case, the PE routers are configured with static + routes to the networks behind each CE, and the CEs are configured + to statically point to the PE router for any network in other + parts of the VPN (mostly a default route). There are two sub- + cases: The static route can point to the IP address of the PE + router or to an interface of the CE router (e.g., serial0). + 2. Dynamic: A routing protocol (e.g., Routing Information Protocol + (RIP), OSPF, BGP) is used to exchange routing information between + the CE and PE at each peering point. + + In the case of a static route that points to an interface, the CE + router doesn't need to know any IP addresses of the core network or + even of the PE router. This has the disadvantage of needing a more + extensive (static) configuration, but is the most secure option. In + this case, it is also possible to configure packet filters on the PE + interface to deny any packet to the PE interface. This protects the + router and the whole core from attack. + + In all other cases, each CE router needs to know at least the router + ID (RID, i.e., peer IP address) of the PE router in the core, and + thus has a potential destination for an attack. One could imagine + various attacks on various services running on a router. In + practice, access to the PE router over the CE-PE interface can be + limited to the required routing protocol by using access control + lists (ACLs). This limits the point of attack to one routing + protocol, for example, BGP. A potential attack could be to send an + extensive number of routes, or to flood the PE router with routing + updates. Both could lead to a DoS, however, not to unauthorised + access. + + To reduce this risk, it is necessary to configure the routing + protocol on the PE router to operate as securely as possible. This + can be done in various ways: + + o By accepting only routing protocol packets, and only from the CE + router. The inbound ACL on each CE interface of the PE router + should allow only routing protocol packets from the CE to the PE. + o By configuring MD5 authentication for routing protocols. This is + available for BGP (RFC 2385 [6]), OSPF (RFC 2154 [4]), and RIP2 + (RFC 2082 [3]), for example. This avoids packets being spoofed + from other parts of the customer network than the CE router. It + requires the service provider and customer to agree on a shared + secret between all CE and PE routers. It is necessary to do this + for all VPN customers. It is not sufficient to do this only for + the customer with the highest security requirements. + + + +Behringer Informational [Page 10] + +RFC 4381 Security of BGP/MPLS IP VPNs February 2006 + + + o By configuring parameters of the routing protocol to further + secure this communication. For example, the rate of routing + updates should be restricted where possible (in BGP through + damping); a maximum number of routes accepted per VRF and per + routing neighbor should be configured where possible; and the + Generalized TTL Security Mechanism (GTSM; RFC 3682 [10]) should be + used for all supported protocols. + + In summary, it is not possible to intrude from one VPN into other + VPNs, or the core. However, it is theoretically possible to attack + the routing protocol port to execute a DoS attack against the PE + router. This in turn might have a negative impact on other VPNs on + this PE router. For this reason, PE routers must be extremely well + secured, especially on their interfaces to CE routers. ACLs must be + configured to limit access only to the port(s) of the routing + protocol, and only from the CE router. Further routing protocols' + security mechanisms such as MD5 authentication, maximum prefix + limits, and Time to Live (TTL) security mechanisms should be used on + all PE-CE peerings. With all these security measures, the only + possible attack is a DoS attack against the routing protocol itself. + BGP has a number of countermeasures such as prefix filtering and + damping built into the protocol, to assist with stability. It is + also easy to track the source of such a potential DoS attack. + Without dynamic routing between CEs and PEs, the security is + equivalent to the security of ATM or Frame Relay networks. + +3.4. Label Spoofing + + Similar to IP spoofing attacks, where an attacker fakes the source IP + address of a packet, it is also theoretically possible to spoof the + label of an MPLS packet. In the first section, the assumption was + made that the core network is trusted. If this assumption cannot be + made, IPsec must be run over the MPLS cloud. Thus in this section + the emphasis is on whether it is possible to insert packets with + spoofed labels into the MPLS network from the outside, i.e., from a + VPN (CE router) or from the Internet. + + The interface between a CE router and its peering PE router is an IP + interface, i.e., without labels. The CE router is unaware of the + MPLS core, and thinks it is sending IP packets to another router. + The "intelligence" is done in the PE device, where, based on the + configuration, the label is chosen and pre-pended to the packet. + This is the case for all PE routers, towards CE routers as well as + the upstream service provider. All interfaces into the MPLS cloud + only require IP packets, without labels. + + + + + + +Behringer Informational [Page 11] + +RFC 4381 Security of BGP/MPLS IP VPNs February 2006 + + + For security reasons, a PE router should never accept a packet with a + label from a CE router. RFC 3031 [9] specifies: "Therefore, when a + labeled packet is received with an invalid incoming label, it MUST be + discarded, UNLESS it is determined by some means (not within the + scope of the current document) that forwarding it unlabeled cannot + cause any harm." Since accepting labels on the CE interface would + potentially allow passing packets to other VPNs it is not permitted + by the RFC. + + Thus, it is impossible for an outside attacker to send labeled + packets into the BGP/MPLS IP VPN core. + + There remains the possibility to spoof the IP address of a packet + being sent to the MPLS core. Since there is strict address + separation within the PE router, and each VPN has its own VRF, this + can only harm the VPN the spoofed packet originated from; that is, a + VPN customer can attack only himself. MPLS doesn't add any security + risk here. + + The Inter-AS and Carrier's Carrier cases are special cases, since on + the interfaces between providers typically packets with labels are + exchanged. See section 4 for an analysis of these architectures. + +3.5. Comparison with ATM/FR VPNs + + ATM and FR VPN services enjoy a very high reputation in terms of + security. Although ATM and FR VPNs can be provided in a secure + manner, it has been reported that these technologies also can have + security vulnerabilities [14]. In ATM/FR as in any other networking + technology, the security depends on the configuration of the network + being secure, and errors can also lead to security problems. + +4. Security of Advanced BGP/MPLS IP VPN Architectures + + The BGP/MPLS IP VPN architecture described in RFC 2547 [7] defines + the PE-CE interface as the only external interface seen from the + service provider network. In this case, the PE treats the CE as + untrusted and only accepts IP packets from the CE. The IP address + range is treated as belonging to the VPN of the CE, so the PE + maintains full control over VPN separation. + + RFC 4364 [1] has subsequently defined a more complex architecture, + with more open interfaces. These interfaces allow the exchange of + label information and labeled packets to and from devices outside the + control of the service provider. This section discusses the security + implications of this advanced architecture. + + + + + +Behringer Informational [Page 12] + +RFC 4381 Security of BGP/MPLS IP VPNs February 2006 + + +4.1. Carriers' Carrier + + In the Carriers' Carrier (CsC) architecture, the CE is linked to a + VRF on the PE. The CE may send labeled packets to the PE. The label + has been previously assigned by the PE to the CE, and represents the + label switched path (LSP) from this CE to the remote CE via the + carrier's network. + + RFC 4364 [1] specifies for this case: "When the PE receives a labeled + packet from a CE, it must verify that the top label is one that was + distributed to that CE." This ensures that the CE can only use + labels that the PE correctly associates with the corresponding VPN. + Packets with incorrect labels will be discarded, and thus label + spoofing is impossible. + + The use of label maps on the PE leaves the control of the label + information entirely with the PE, so that this has no impact on the + security of the solution. + + The packet underneath the top label will -- as in standard RFC 2547 + [7] networks -- remain local to the customer carrier's VPN and not be + inspected in the carriers' carrier core. Potential spoofing of + subsequent labels or IP addresses remains local to the carrier's VPN; + it has no implication on the carriers' carrier core nor on other VPNs + in that core. This is specifically stated in section 6 of RFC 4364 + [1]. + + Note that if the PE and CE are interconnected using a shared layer 2 + infrastructure such as a switch, attacks are possible on layer 2, + which might enable a third party on the shared layer 2 network to + intrude into a VPN on that PE router. RFC 4364 [1] specifies + therefore that either all devices on a shared layer 2 network have to + be part of the same VPN, or the layer 2 network must be split + logically to avoid this issue. This will be discussed in more detail + in section 6. + + In the CsC architecture, the customer carrier needs to trust the + carriers' carrier for correct configuration and operation. The + customer of the carrier thus implicitly needs to trust both his + carrier and the carriers' carrier. + + In summary, a correctly configured carriers' carrier network provides + the same level of security as comparable layer 2 networks or + traditional RFC 2547 [7] networks. + + + + + + + +Behringer Informational [Page 13] + +RFC 4381 Security of BGP/MPLS IP VPNs February 2006 + + +4.2. Inter-Provider Backbones + + RFC 4364 [1] specifies three sub-cases for the inter-provider + backbone (Inter-AS) case. + + a) VRF-to-VRF connections at the autonomous system border routers + (ASBRs). + + In this case, each PE sees and treats the other PE as a CE; each will + not accept labeled packets, and there is no signaling between the PEs + other than inside the VRFs on both sides. Thus, the separation of + the VPNs on both sides and the security of those are the same as on a + single AS RFC 2547 [7] network. This has already been shown to have + the same security properties as traditional layer 2 VPNs. + + This solution has potential scalability issues in that the ASBRs need + to maintain a VRF per VPN, and all of the VRFs need to hold all + routes of the specific VPNs. Thus, an ASBR can run into memory + problems affecting all VPNs if one single VRF contains too many + routes. Thus, the service providers needs to ensure that the ASBRs + are properly dimensioned and apply appropriate security measures such + as limiting the number of prefixes per VRF. + + The two service providers connecting their VPNs in this way must + trust each other. Since the VPNs are separated on different + (sub-)interfaces, all signaling between ASBRs remains within a given + VPN. This means that dynamic cross-VPN security breaches are + impossible. It is conceivable that a service provider connects a + specific VPN to the wrong interface, thus interconnecting two VPNs + that should not be connected. This must be controlled operationally. + + b) EBGP redistribution of labeled VPN-IPv4 routes from AS to + neighboring AS. + + In this case, ASBRs on both sides hold full routing information for + all shared VPNs on both sides. This is not held in separate VRFs, + but in the BGP database. (This is typically limited to the Inter-AS + VPNs through filtering.) The separation inside the PE is maintained + through the use of VPN-IPv4 addresses. The control plane between the + ASBRs uses Multi-Protocol BGP (MP-BGP, RFC 2858 [8]). It exchanges + VPN routes as VPN-IPv4 addresses, the ASBR addresses as BGP next-hop + IPv4 addresses, and labels to be used in the data plane. + + The data plane is separated through the use of a single label, + representing a VRF or a subset thereof. RFC 4364 [1] states that an + ASBR should only accept packets with a label that it has assigned to + this router. This prevents the insertion of packets with unknown + labels, but it is possible for a service provider to use any label + + + +Behringer Informational [Page 14] + +RFC 4381 Security of BGP/MPLS IP VPNs February 2006 + + + that the ASBR of the other provider has passed on. This allows one + provider to insert packets into any VPN of the other provider for + which it has a label. + + This solution also needs to consider the security on layer 2 at the + interconnection. The RFC states that this type of interconnection + should only be implemented on private interconnection points. See + section 6 for more details. + + RFC 4364 [1] states that a trust relationship between the two + connecting ASes must exist for this model to work securely. + Effectively, all ASes interconnected in this way form a single zone + of trust. The VPN customer needs to trust all the service providers + involved in the provisioning of his VPN on this architecture. + + c) PEs exchange labeled VPN-IPv4 routes, ASBRs only exchange + loopbacks of PEs with labels. + + In this solution, there are effectively two control connections + between ASes. The route reflectors (RRs) exchange the VPN-IPv4 + routes via multihop eBGP. The ASBRs only exchange the labeled + addresses of those PE routers that hold VPN routes that are shared + between those ASes. This maintains scalability for the ASBRs, since + they do not need to know the VPN-IPv4 routes. + + In this solution, the top label specifies an LSP to an egress PE + router, and the second label specifies a VPN connected to this egress + PE. The security of the ASBR connection has the same constraints as + in solution b): An ASBR should only accept packets with top labels + that it has assigned to the other router, thus verifying that the + packet is addressed to a valid PE router. Any label, which was + assigned to the other ASBR, will be accepted. It is impossible for + an ASBR to distinguish between different egress PEs or between + different VPNs on those PEs. A malicious service provider of one AS + could introduce packets into any VPN on a PE of the other AS; it only + needs a valid LSP on its ASBR and PEs to the corresponding PE on the + other AS. The VPN label can be statistically guessed from the + theoretical label space, which allows unidirectional traffic into a + VPN. + + This means that such an ASBR-ASBR connection can only be made with a + trusted party over a private interface, as described in b). + + In addition, this solution exchanges labeled VPN-IPv4 addresses + between route reflectors (RRs) via MP-eBGP. The control plane itself + can be protected via routing authentication (RFC 2385 [6]), which + ensures that the routing information has been originated by the + expected RR and has not been modified in transit. The received VPN + + + +Behringer Informational [Page 15] + +RFC 4381 Security of BGP/MPLS IP VPNs February 2006 + + + information cannot be verified, as in the previous case. Thus, a + service provider can introduce bogus routes for any shared VPN. The + ASes need to trust each other to configure their respective networks + correctly. All ASes involved in this design form one trusted zone. + The customer needs to trust all service providers involved. + + The difference between case b) and case c) is that in b) the ASBRs + act as iBGP next-hops for their AS; thus, each SP needs to know of + the other SP's core only the addresses of the ASBRs. In case c), the + SPs exchange the loopback addresses of their PE routers; thus, each + SP reveals information to the other about its PE routers, and these + routers must be accessible from the other AS. As stated above, + accessibility does not necessarily mean insecurity, and networks + should never rely on "security through obscurity". This should not + be an issue if the PE routers are appropriately secured. However, + there is an increasing perception that network devices should + generally not be accessible. + + In addition, there are scalability considerations for case c). A + number of BGP peerings have to be made for the overall network + including all ASes linked this way. SPs on both sides need to work + together in defining a scalable architecture, probably with route + reflectors. + + In summary, all of these Inter-AS solutions logically merge several + provider networks. For all cases of Inter-AS configuration, all ASes + form a single zone of trust and service providers need to trust each + other. For the VPN customer, the security of the overall solution is + equal to the security of traditional RFC 2547 [7] networks, but the + customer needs to trust all service providers involved in the + provisioning of this Inter-AS solution. + +5. What BGP/MPLS IP VPNs Do Not Provide + +5.1. Protection against Misconfigurations of the Core and Attacks + 'within' the Core + + The security mechanisms discussed here assume correct configuration + of the network elements of the core network (PE and P routers). + Deliberate or inadvertent misconfiguration may result in severe + security leaks. + + Note that this paragraph specifically refers to the core network, + i.e., the PE and P elements. Misconfigurations of any of the + customer side elements such as the CE router are covered by the + security mechanisms above. This means that a potential attacker must + have access to either PE or P routers to gain advantage from + misconfigurations. If an attacker has access to core elements, or is + + + +Behringer Informational [Page 16] + +RFC 4381 Security of BGP/MPLS IP VPNs February 2006 + + + able to insert into the core additional equipment, he will be able to + attack both the core network and the connected VPNs. Thus, the + following is important: + + o To avoid the risk of misconfigurations, it is important that the + equipment is easy to configure and that SP staff have the + appropriate training and experience when configuring the network. + Proper tools are required to configure the core network. + o To minimise the risk of "internal" attacks, the core network must + be properly secured. This includes network element security, + management security, physical security of the service provider + infrastructure, access control to service provider installations, + and other standard SP security mechanisms. + + BGP/MPLS IP VPNs can only provide a secure service if the core + network is provided in a secure fashion. This document assumes this + to be the case. + + There are various approaches to control the security of a core if the + VPN customer cannot or does not want to trust the service provider. + IPsec from customer-controlled devices is one of them. The document + "CE-to-CE Member Verification for Layer 3 VPNs" [13] proposes a + CE-based authentication scheme using tokens, aimed at detecting + misconfigurations in the MPLS core. The document "MPLS VPN + Import/Export Verification" [12] proposes a similar scheme based on + using the MD5 routing authentication. Both schemes aim to detect and + prevent misconfigurations in the core. + +5.2. Data Encryption, Integrity, and Origin Authentication + + BGP/MPLS IP VPNs themselves do not provide encryption, integrity, or + authentication service. If these are required, IPsec should be used + over the MPLS infrastructure. The same applies to ATM and Frame + Relay: IPsec can provide these missing services. + +5.3. Customer Network Security + + BGP/MPLS IP VPNs can be secured so that they are comparable with + other VPN services. However, the security of the core network is + only one factor for the overall security of a customer's network. + Threats in today's networks do not come only from an "outside" + connection, but also from the "inside" and from other entry points + (modems, for example). To reach a good security level for a customer + network in a BGP/MPLS infrastructure, MPLS security is necessary but + not sufficient. The same applies to other VPN technologies like ATM + or Frame Relay. See also RFC 2196 [5] for more information on how to + secure a network. + + + + +Behringer Informational [Page 17] + +RFC 4381 Security of BGP/MPLS IP VPNs February 2006 + + +6. Layer 2 Security Considerations + + In most cases of Inter-AS or Carrier's Carrier solutions, a network + will be interconnected to other networks via a point-to-point private + connection. This connection cannot be interfered with by third + parties. It is important to understand that the use of any + shared-medium layer 2 technology for such interconnections, such as + Ethernet switches, may carry additional security risks. + + There are two types of risks with layer 2 infrastructure: + + a) Attacks against layer 2 protocols or mechanisms + + Risks in a layer 2 environment include many different forms of + Address Resolution Protocol (ARP) attacks, VLAN trunking attacks, or + Content Addressable Memory (CAM) overflow attacks. For example, ARP + spoofing allows an attacker to redirect traffic between two routers + through his device, gaining access to all packets between those two + routers. + + These attacks can be prevented by appropriate security measures, but + often these security concerns are overlooked. It is of the utmost + importance that if a shared medium (such as a switch) is used in the + above scenarios, that all available layer 2 security mechanisms are + used to prevent layer 2 based attacks. + + b) Traffic insertion attacks + + Where many routers share a common layer 2 network (for example, at an + Internet exchange point), it is possible for a third party to + introduce packets into a network. This has been abused in the past + on traditional exchange points when some service providers have + defaulted to another provider on this exchange point. In effect, + they are sending all their traffic into the other SP's network even + though the control plane (routing) might not allow that. + + For this reason, routers on exchange points (or other shared layer 2 + connections) should only accept non-labeled IP packets into the + global routing table. Any labeled packet must be discarded. This + maintains the security of connected networks. + + Some of the above designs require the exchange of labeled packets. + This would make it possible for a third party to introduce labeled + packets, which if correctly crafted might be associated with certain + VPNs on an BGP/MPLS IP VPN network, effectively introducing false + packets into a VPN. + + + + + +Behringer Informational [Page 18] + +RFC 4381 Security of BGP/MPLS IP VPNs February 2006 + + + The current recommendation is therefore to discard labeled packets on + generic shared-medium layer 2 networks such as Internet exchange + points (IXPs). Where labeled packets need to be exchanged, it is + strongly recommended to use private connections. + +7. Summary and Conclusions + + BGP/MPLS IP VPNs provide full address and traffic separation as in + traditional layer-2 VPN services. It hides addressing structures of + the core and other VPNs, and it is not possible to intrude into other + VPNs abusing the BGP/MPLS mechanisms. It is also impossible to + intrude into the MPLS core if this is properly secured. However, + there is a significant difference between BGP/MPLS-based IP VPNs and, + for example, FR- or ATM-based VPNs: The control structure of the core + is layer 3 in the case of MPLS. This caused significant skepticism + in the industry towards MPLS, since this might open the architecture + to DoS attacks from other VPNs or the Internet (if connected). + + As shown in this document, it is possible to secure a BGP/MPLS IP VPN + infrastructure to the same level of security as a comparable ATM or + FR service. It is also possible to offer Internet connectivity to + MPLS VPNs in a secure manner, and to interconnect different VPNs via + firewalls. Although ATM and FR services have a strong reputation + with regard to security, it has been shown that also in these + networks security problems can exist [14]. + + As far as attacks from within the MPLS core are concerned, all VPN + classes (BGP/MPLS, FR, ATM) have the same problem: If an attacker can + install a sniffer, he can read information in all VPNs, and if the + attacker has access to the core devices, he can execute a large + number of attacks, from packet spoofing to introducing new peer + routers. There are a number of precautionary measures outlined above + that a service provider can use to tighten security of the core, but + the security of the BGP/MPLS IP VPN architecture depends on the + security of the service provider. If the service provider is not + trusted, the only way to fully secure a VPN against attacks from the + "inside" of the VPN service is to run IPsec on top, from the CE + devices or beyond. + + This document discussed many aspects of BGP/MPLS IP VPN security. It + has to be noted that the overall security of this architecture + depends on all components and is determined by the security of the + weakest part of the solution. For example, a perfectly secured + static BGP/MPLS IP VPN network with secured Internet access and + secure management is still open to many attacks if there is a weak + remote access solution in place. + + + + + +Behringer Informational [Page 19] + +RFC 4381 Security of BGP/MPLS IP VPNs February 2006 + + +8. Security Considerations + + The entire document is discussing security considerations of the RFC + 4364 [1] architecture. + +9. Acknowledgements + + The author would like to thank everybody who has provided input to + this document. Specific thanks go to Yakov Rekhter, for his + continued strong support, and Eric Rosen, Loa Andersson, Alexander + Renner, Jim Guichard, Monique Morrow, Eric Vyncke, and Steve Simlo, + for their extended feedback and support. + +10. Normative References + + [1] Rosen, E. and Y. Rekhter, "BGP/MPLS IP Virtual Private Networks + (VPNs)", RFC 4364, February 2006. + +11. Informative References + + [2] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and E. + Lear, "Address Allocation for Private Internets", BCP 5, + RFC 1918, February 1996. + + [3] Baker, F., Atkinson, R., and G. Malkin, "RIP-2 MD5 + Authentication", RFC 2082, January 1997. + + [4] Murphy, S., Badger, M., and B. Wellington, "OSPF with Digital + Signatures", RFC 2154, June 1997. + + [5] Fraser, B., "Site Security Handbook", RFC 2196, September 1997. + + [6] Heffernan, A., "Protection of BGP Sessions via the TCP MD5 + Signature Option", RFC 2385, August 1998. + + [7] Rosen, E. and Y. Rekhter, "BGP/MPLS VPNs", RFC 2547, + March 1999. + + [8] Bates, T., Rekhter, Y., Chandra, R., and D. Katz, + "Multiprotocol Extensions for BGP-4", RFC 2858, June 2000. + + [9] Rosen, E., Viswanathan, A., and R. Callon, "Multiprotocol Label + Switching Architecture", RFC 3031, January 2001. + + [10] Gill, V., Heasley, J., and D. Meyer, "The Generalized TTL + Security Mechanism (GTSM)", RFC 3682, February 2004. + + + + + +Behringer Informational [Page 20] + +RFC 4381 Security of BGP/MPLS IP VPNs February 2006 + + + [11] Fang, L., "Security Framework for Provider-Provisioned Virtual + Private Networks (PPVPNs)", RFC 4111, July 2005. + + [12] Behringer, M., Guichard, J., and P. Marques, "MPLS VPN + Import/Export Verification", Work in Progress, June 2004. + + [13] Bonica, R. and Y. Rekhter, "CE-to-CE Member Verification for + Layer 3 VPNs", Work in Progress, September 2003. + + [14] DataComm, "Data Communications Report, Vol 15, No 4: Frame + Relay and ATM: Are they really secure?", February 2000. + +Author's Address + + Michael H. Behringer + Cisco Systems Inc + Village d'Entreprises Green Side + 400, Avenue Roumanille, Batiment T 3 + Biot - Sophia Antipolis 06410 + France + + EMail: mbehring@cisco.com + URI: http://www.cisco.com + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Behringer Informational [Page 21] + +RFC 4381 Security of BGP/MPLS IP VPNs February 2006 + + +Full Copyright Statement + + Copyright (C) The Internet Society (2006). + + This document is subject to the rights, licenses and restrictions + contained in BCP 78 and at www.rfc-editor.org/copyright.html, and + except as set forth therein, the authors retain all their rights. + + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS + OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET + ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, + INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE + INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED + WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Intellectual Property + + The IETF takes no position regarding the validity or scope of any + Intellectual Property Rights or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; nor does it represent that it has + made any independent effort to identify any such rights. Information + on the procedures with respect to rights in RFC documents can be + found in BCP 78 and BCP 79. + + Copies of IPR disclosures made to the IETF Secretariat and any + assurances of licenses to be made available, or the result of an + attempt made to obtain a general license or permission for the use of + such proprietary rights by implementers or users of this + specification can be obtained from the IETF on-line IPR repository at + http://www.ietf.org/ipr. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights that may cover technology that may be required to implement + this standard. Please address the information to the IETF at + ietf-ipr@ietf.org. + +Acknowledgement + + Funding for the RFC Editor function is provided by the IETF + Administrative Support Activity (IASA). + + + + + + + +Behringer Informational [Page 22] + -- cgit v1.2.3