1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134
2135
2136
2137
2138
2139
2140
2141
2142
2143
2144
2145
2146
2147
2148
2149
2150
2151
2152
2153
2154
2155
2156
2157
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175
2176
2177
2178
2179
2180
2181
2182
2183
2184
2185
2186
2187
2188
2189
2190
2191
2192
2193
2194
2195
2196
2197
2198
2199
2200
2201
2202
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
2214
2215
2216
2217
2218
2219
2220
2221
2222
2223
2224
2225
2226
2227
2228
2229
2230
2231
2232
2233
2234
2235
2236
2237
2238
2239
2240
2241
2242
2243
2244
2245
2246
2247
2248
2249
2250
2251
2252
2253
2254
2255
2256
2257
2258
2259
2260
2261
2262
2263
2264
2265
2266
2267
2268
2269
2270
2271
2272
2273
2274
2275
2276
2277
2278
2279
2280
2281
2282
2283
2284
2285
2286
2287
2288
2289
2290
2291
2292
2293
2294
2295
2296
2297
2298
2299
2300
2301
2302
2303
2304
2305
2306
2307
2308
2309
2310
2311
2312
2313
2314
2315
2316
2317
2318
2319
2320
2321
2322
2323
2324
2325
2326
2327
2328
2329
2330
2331
2332
2333
2334
2335
2336
2337
2338
2339
2340
2341
2342
2343
2344
2345
2346
2347
2348
2349
2350
2351
2352
2353
2354
2355
2356
2357
2358
2359
2360
2361
2362
2363
2364
2365
2366
2367
2368
2369
2370
2371
2372
2373
2374
2375
2376
2377
2378
2379
2380
2381
2382
2383
2384
2385
2386
2387
2388
2389
2390
2391
2392
2393
2394
2395
2396
2397
2398
2399
2400
2401
2402
2403
2404
2405
2406
2407
2408
2409
2410
2411
2412
2413
2414
2415
2416
2417
2418
2419
2420
2421
2422
2423
2424
2425
2426
2427
2428
2429
2430
2431
2432
2433
2434
2435
2436
2437
2438
2439
2440
2441
2442
2443
2444
2445
2446
2447
2448
2449
2450
2451
2452
2453
2454
2455
2456
2457
2458
2459
2460
2461
2462
2463
2464
2465
2466
2467
2468
2469
2470
2471
2472
2473
2474
2475
2476
2477
2478
2479
2480
2481
2482
2483
2484
2485
2486
2487
2488
2489
2490
2491
2492
2493
2494
2495
2496
2497
2498
2499
2500
2501
2502
2503
2504
2505
2506
2507
2508
2509
2510
2511
2512
2513
2514
2515
2516
2517
2518
2519
2520
2521
2522
2523
|
Network Working Group L. Fang, Ed.
Request for Comments: 4111 AT&T Labs.
Category: Informational July 2005
Security Framework for
Provider-Provisioned Virtual Private Networks (PPVPNs)
Status of This Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2005).
Abstract
This document addresses security aspects pertaining to Provider-
Provisioned Virtual Private Networks (PPVPNs). First, it describes
the security threats in the context of PPVPNs and defensive
techniques to combat those threats. It considers security issues
deriving both from malicious behavior of anyone and from negligent or
incorrect behavior of the providers. It also describes how these
security attacks should be detected and reported. It then discusses
possible user requirements for security of a PPVPN service. These
user requirements translate into corresponding provider requirements.
In addition, the provider may have additional requirements to make
its network infrastructure secure to a level that can meet the PPVPN
customer's expectations. Finally, this document defines a template
that may be used to describe and analyze the security characteristics
of a specific PPVPN technology.
Table of Contents
1. Introduction ................................................. 2
2. Terminology .................................................. 4
3. Security Reference Model ..................................... 4
4. Security Threats ............................................. 6
4.1. Attacks on the Data Plane .............................. 7
4.2. Attacks on the Control Plane ........................... 9
5. Defensive Techniques for PPVPN Service Providers ............. 11
5.1. Cryptographic Techniques ............................... 12
5.2. Authentication ......................................... 20
5.3. Access Control Techniques .............................. 22
5.4. Use of Isolated Infrastructure ......................... 27
Fang Informational [Page 1]
^L
RFC 4111 PPVPN Security Framework July 2005
5.5. Use of Aggregated Infrastructure ....................... 27
5.6. Service Provider Quality Control Processes ............. 28
5.7. Deployment of Testable PPVPN Service ................... 28
6. Monitoring, Detection, and Reporting of Security Attacks ..... 28
7. User Security Requirements ................................... 29
7.1. Isolation .............................................. 30
7.2. Protection ............................................. 30
7.3. Confidentiality ........................................ 31
7.4. CE Authentication ...................................... 31
7.5. Integrity .............................................. 31
7.6. Anti-replay ............................................ 32
8. Provider Security Requirements ............................... 32
8.1. Protection within the Core Network ..................... 32
8.2. Protection on the User Access Link ..................... 34
8.3. General Requirements for PPVPN Providers ............... 36
9. Security Evaluation of PPVPN Technologies .................... 37
9.1. Evaluating the Template ................................ 37
9.2. Template ............................................... 37
10. Security Considerations ...................................... 40
11. Contributors ................................................. 41
12. Acknowledgement .............................................. 42
13. Normative References ......................................... 42
14. Informative References ....................................... 43
1. Introduction
Security is an integral aspect of Provider-Provisioned Virtual
Private Network (PPVPN) services. The motivation and rationale for
both Provider-Provisioned Layer-2 VPN and Provider-Provisioned
Layer-3 VPN services are provided by [RFC4110] and [RFC4031]. These
documents acknowledge that security is an important and integral
aspect of PPVPN services, for both VPN customers and VPN service
providers. Both will benefit from a PPVPN Security Framework
document that lists the customer and provider security requirements
related to PPVPN services, and that can be used to assess how much a
particular technology protects against security threats and fulfills
the security requirements.
First, we describe the security threats that are relevant in the
context of PPVPNs, and the defensive techniques that can be used to
combat those threats. We consider security issues deriving both from
malicious or incorrect behavior of users and other parties and from
negligent or incorrect behavior of the providers. An important part
of security defense is the detection and report of a security attack,
Fang Informational [Page 2]
^L
RFC 4111 PPVPN Security Framework July 2005
which is also addressed in this document. Special considerations
engendered by IP mobility within PPVPNs are not in the scope of this
document.
Then, we discuss the possible user and provider security requirements
for a PPVPN service. Users expectations must be met for the security
characteristics of a VPN service. These user requirements translate
into corresponding requirements for the providers offering the
service. Furthermore, providers have security requirements to
protect their network infrastructure, securing it to the level
required to provide the PPVPN services in addition to other services.
Finally, we define a template that may be used to describe the
security characteristics of a specific PPVPN technology in a manner
consistent with the security framework described in this document.
It is not within the scope of this document to analyze the security
properties of specific technologies. Instead, our intention is to
provide a common tool, in the form of a checklist, that may be used
in other documents dedicated to an in-depth security analysis of
individual PPVPN technologies to describe their security
characteristics in a comprehensive and coherent way, thereby
providing a common ground for comparison between different
technologies.
It is important to clarify that this document is limited to
describing users' and providers' security requirements that pertain
to PPVPN services. It is not the intention to formulate precise
"requirements" on each specific technology by defining the mechanisms
and techniques that must be implemented to satisfy such users' and
providers' requirements.
This document is organized as follows. Section 2 defines the
terminology used in the document. Section 3 defines the security
reference model for security in PPVPN networks. Section 4 describes
the security threats that are specific of PPVPNs. Section 5 reviews
defense techniques that may be used against those threats. Section 6
describes how attacks may be detected and reported. Section 7
discusses the user security requirements that apply to PPVPN
services. Section 8 describes additional security requirements on
the provider to guarantee the security of the network infrastructure
providing PPVPN services. In Section 9, we provide a template that
may be used to describe the security characteristics of specific
PPVPN technologies. Finally, Section 10 discusses security
considerations.
Fang Informational [Page 3]
^L
RFC 4111 PPVPN Security Framework July 2005
2. Terminology
This document uses PPVPN-specific terminology. Definitions and
details specific to PPVPN terminology can be found in [RFC4026] and
[RFC4110]. The most important definitions are repeated in this
section; for other definitions, the reader is referred to
[RFC4026] and [RFC4110].
CE: Customer Edge device, a router or a switch in the customer
network interfacing with the service provider's network.
P: Provider Router. The Provider Router is a router in the
service provider's core network that does not have interfaces
directly toward the customer. A P router is used to
interconnect the PE routers. A P router does not have to
maintain VPN state and is thus VPN unaware.
PE: Provider Edge device, the equipment in the service provider's
network that interfaces with the equipment in the customer's
network.
PPVPN: Provider-Provisioned Virtual Private Network, a VPN that is
configured and managed by the service provider (and thus not by
the customer itself).
SP: Service Provider.
VPN: Virtual Private Network, which restricts communication
between a set of sites using an IP backbone shared by traffic
that is not going to or coming from those sites.
3. Security Reference Model
This section defines a reference model for security in PPVPN
networks.
A PPVPN core network is the central network infrastructure (P and PE
routers) over which PPVPN services are delivered. A PPVPN core
network consists of one or more SP networks. All network elements in
the core are under the operational control of one or more PPVPN
service providers. Even if the PPVPN core is provided by several
service providers, it appears to the PPVPN users as a single zone of
trust. However, several service providers providing a common PPVPN
core still have to secure themselves against the other providers.
PPVPN services can also be delivered over the Internet, in which case
the Internet forms a logical part of the PPVPN core.
Fang Informational [Page 4]
^L
RFC 4111 PPVPN Security Framework July 2005
A PPVPN user is a company, institution or residential client of the
PPVPN service provider.
A PPVPN service is a private network service made available by a
service provider to a PPVPN user. The service is implemented using
virtual constructs built on a shared PPVPN core network. A PPVPN
service interconnects sites of a PPVPN user.
Extranets are VPNs in which multiple sites are controlled by
different (legal) entities. Extranets are another example of PPVPN
deployment scenarios wherein restricted and controlled communication
is allowed between trusted zones, often via well-defined transit
points.
This document defines each PPVPN as a trusted zone and the PPVPN core
as another trusted zone. A primary concern is security aspects that
relate to breaches of security from the "outside" of a trusted zone
to the "inside" of this zone. Figure 1 depicts the concept of
trusted zones within the PPVPN framework.
+------------+ +------------+
| PPVPN +-----------------------------+ PPVPN |
| user PPVPN user |
| site +---------------------XXX-----+ site |
+------------+ +------------------XXX--+ +------------+
| PPVPN core | | |
+------------------| |--+
| |
| +------\
+--------/ Internet
Figure 1: The PPVPN trusted zone model
In principle, the trusted zones should be separate. However, PPVPN
core networks often offer Internet access, in which case a transit
point (marked "XXX" in the figure) is defined.
The key requirement of a "virtual private" network (VPN) is that the
security of the trusted zone of the VPN is not compromised by sharing
the core infrastructure with other VPNs.
Security against threats that originate within the same trusted zone
as their targets (for example, attacks from a user in a PPVPN to
other users within the same PPVPN, or attacks entirely within the
core network) is outside the scope of this document.
Also outside the scope are all aspects of network security that are
independent of whether a network is a PPVPN network or a private
Fang Informational [Page 5]
^L
RFC 4111 PPVPN Security Framework July 2005
network. For example, attacks from the Internet to a web server
inside a given PPVPN will not be considered here, unless the
provisioning of the PPVPN network could make a difference to the
security of this server.
4. Security Threats
This section discusses the various network security threats that may
endanger PPVPNs. The discussion is limited to threats that are
unique to PPVPNs, or that affect PPVPNs in unique ways. A successful
attack on a particular PPVPN or on a service provider's PPVPN
infrastructure may cause one or more of the following ill effects:
- observation, modification, or deletion of PPVPN user data,
- replay of PPVPN user data,
- injection of non-authentic data into a PPVPN,
- traffic pattern analysis on PPVPN traffic,
- disruption of PPVPN connectivity, or
- degradation of PPVPN service quality.
It is useful to consider that threats to a PPVPN, whether malicious
or accidental, may come from different categories of sources. For
example they may come from:
- users of other PPVPNs provided by the same PPVPN service provider,
- the PPVPN service provider or persons working for it,
- other persons who obtain physical access to a service provider
site,
- other persons who use social engineering methods to influence
behavior of service provider personnel,
- users of the PPVPN itself, i.e., intra-VPN threats (such threats
are beyond the scope of this document), or
- others, i.e., attackers from the Internet at large.
In the case of PPVPNs, some parties may be in more advantageous
positions that enable them to launch types of attacks not available
to others. For example, users of different PPVPNs provided by the
Fang Informational [Page 6]
^L
RFC 4111 PPVPN Security Framework July 2005
same service provider may be able to launch attacks that those who
are completely outside the network cannot.
Given that security is generally a compromise between expense and
risk, it is also useful to consider the likelihood of different
attacks. There is at least a perceived difference in the likelihood
of most types of attacks being successfully mounted in different
environments, such as
- in a PPVPN contained within one service provider's network, or
- in a PPVPN transiting the public Internet.
Most types of attacks become easier to mount, and hence more likely,
as the shared infrastructure that provides VPN service expands from a
single service provider to multiple cooperating providers, and then
to the global Internet. Attacks that may not be sufficiently likely
to warrant concern in a closely controlled environment often merit
defensive measures in broader, more open environments.
The following sections discuss specific types of exploits that
threaten PPVPNs.
4.1. Attacks on the Data Plane
This category encompasses attacks on the PPVPN user's data, as viewed
by the service provider. Note that from the PPVPN user's point of
view, some of this might be control plane traffic, e.g., routing
protocols running from PPVPN user site to PPVPN user site via an L2
PPVPN.
4.1.1. Unauthorized Observation of Data Traffic
This refers to "sniffing" VPN packets and examining their contents.
This can result in exposure of confidential information. It can also
be a first step in other attacks (described below) in which the
recorded data is modified and re-inserted, or re-inserted unchanged.
4.1.2. Modification of Data Traffic
This refers to modifying the contents of packets as they traverse the
VPN.
4.1.3. Insertion of Non-authentic Data Traffic: Spoofing and Replay
This refers to the insertion into the VPN (or "spoofing") of packets
that do not belong there, with the objective of having them accepted
as legitimate by the recipient. Also included in this category is
Fang Informational [Page 7]
^L
RFC 4111 PPVPN Security Framework July 2005
the insertion of copies of once-legitimate packets that have been
recorded and replayed.
4.1.4. Unauthorized Deletion of Data Traffic
This refers to causing packets to be discarded as they traverse the
VPN. This is a specific type of Denial-of-Service attack.
4.1.5. Unauthorized Traffic Pattern Analysis
This refers to "sniffing" VPN packets and examining aspects or meta-
aspects of them that may be visible even when the packets themselves
are encrypted. An attacker might gain useful information based on
the amount and timing of traffic, packet sizes, source and
destination addresses, etc. For most PPVPN users, this type of
attack is generally considered significantly less of a concern than
are the other types discussed in this section.
4.1.6. Denial-of-Service Attacks on the VPN
Denial-of-Service (DoS) attacks are those in which an attacker
attempts to disrupt or prevent the use of a service by its legitimate
users. Taking network devices out of service, modifying their
configuration, or overwhelming them with requests for service are
several of the possible avenues for DoS attack.
Overwhelming the network with requests for service, otherwise known
as a "resource exhaustion" DoS attack, may target any resource in the
network, e.g., link bandwidth, packet forwarding capacity, session
capacity for various protocols, and CPU power.
DoS attacks of the resource exhaustion type can be mounted against
the data plane of a particular PPVPN by attempting to insert (spoof)
an overwhelming quantity of non-authentic data into the VPN from
outside of that VPN. Potential results might be to exhaust the
bandwidth available to that VPN or to overwhelm the cryptographic
authentication mechanisms of the VPN.
Data plane resource exhaustion attacks can also be mounted by
overwhelming the service provider's general (VPN-independent)
infrastructure with traffic. These attacks on the general
infrastructure are not usually a PPVPN-specific issue, unless the
attack is mounted by another PPVPN user from a privileged position.
For example, a PPVPN user might be able to monopolize network data
plane resources and thus to disrupt other PPVPNs.)
Fang Informational [Page 8]
^L
RFC 4111 PPVPN Security Framework July 2005
4.2. Attacks on the Control Plane
This category encompasses attacks on the control structures operated
by the PPVPN service provider.
4.2.1. Denial-of-Service Attacks on Network Infrastructure
Control plane DoS attacks can be mounted specifically against the
mechanisms that the service provider uses to provide PPVPNs (e.g.,
IPsec, MPLS) or against the general infrastructure of the service
provider (e.g., P routers or shared aspects of PE routers.) Attacks
against the general infrastructure are within the scope of this
document only if the attack happens in relation to the VPN service;
otherwise, they are not a PPVPN-specific issue.
Of special concern for PPVPNs is denial of service to one PPVPN user
caused by the activities of another. This can occur, for example, if
one PPVPN user's activities are allowed to consume excessive network
resources of any sort that are also needed to serve other PPVPN
users.
The attacks described in the following sections may each have denial
of service as one of their effects. Other DoS attacks are also
possible.
4.2.2. Attacks on Service Provider Equipment via Management
Interfaces
This includes unauthorized access to service provider infrastructure
equipment, in order, for example, to reconfigure the equipment or to
extract information (statistics, topology, etc.) about one or more
PPVPNs.
This can be accomplished through malicious entrance of the systems,
or as an inadvertent consequence of inadequate inter-VPN isolation in
a PPVPN user self-management interface. (The former is not
necessarily a PPVPN-specific issue.)
4.2.3. Social Engineering Attacks on Service Provider
Infrastructure
Attacks in which the service provider network is reconfigured or
damaged, or in which confidential information is improperly
disclosed, may be mounted through manipulation of service provider
personnel. These types of attacks are PPVPN-specific if they affect
PPVPN-serving mechanisms. It may be observed that the organizational
split (customer, service provider) that is inherent in PPVPNs may
make it easier to mount such attacks against provider-provisioned
Fang Informational [Page 9]
^L
RFC 4111 PPVPN Security Framework July 2005
VPNs than against VPNs that are self-provisioned by the customer at
the IP layer.
4.2.4. Cross-Connection of Traffic between PPVPNs
This refers to events where expected isolation between separate
PPVPNs is breached. This includes cases such as:
- a site being connected into the "wrong" VPN,
- two or more VPNs being improperly merged,
- a point-to-point VPN connecting the wrong two points, or
- any packet or frame being improperly delivered outside the VPN it
is sent in.
Misconnection or cross-connection of VPNs may be caused by service
provider or equipment vendor error, or by the malicious action of an
attacker. The breach may be physical (e.g., PE-CE links
misconnected) or logical (improper device configuration).
Anecdotal evidence suggests that the cross-connection threat is one
of the largest security concerns of PPVPN users (or would-be users).
4.2.5. Attacks against PPVPN Routing Protocols
This encompasses attacks against routing protocols that are run by
the service provider and that directly support the PPVPN service. In
layer 3 VPNs this, typically relates to membership discovery or to
the distribution of per-VPN routes. In layer 2 VPNs, this typically
relates to membership and endpoint discovery. Attacks against the
use of routing protocols for the distribution of backbone (non-VPN)
routes are beyond the scope of this document. Specific attacks
against popular routing protocols have been widely studied and are
described in [RFC3889].
4.2.6. Attacks on Route Separation
"Route separation" refers here to keeping the per-VPN topology and
reachability information for each PPVPN separate from, and
unavailable to, any other PPVPN (except as specifically intended by
the service provider). This concept is only a distinct security
concern for layer-3 VPN types for which the service provider is
involved with the routing within the VPN (i.e., VR, BGP-MPLS, routed
version of IPsec). A breach in the route separation can reveal
topology and addressing information about a PPVPN. It can also cause
Fang Informational [Page 10]
^L
RFC 4111 PPVPN Security Framework July 2005
black hole routing or unauthorized data plane cross-connection
between PPVPNs.
4.2.7. Attacks on Address Space Separation
In layer-3 VPNs, the IP address spaces of different VPNs have to be
kept separate. In layer-2 VPNs, the MAC address and VLAN spaces of
different VPNs have to be kept separate. A control plane breach in
this addressing separation may result in unauthorized data plane
cross-connection between VPNs.
4.2.8. Other Attacks on PPVPN Control Traffic
Besides routing and management protocols (covered separately in the
previous sections), a number of other control protocols may be
directly involved in delivering the PPVPN service (e.g., for
membership discovery and tunnel establishment in various PPVPN
approaches). These include but may not be limited to:
- MPLS signaling (LDP, RSVP-TE),
- IPsec signaling (IKE) ,
- L2TP,
- BGP-based membership discovery, and
- Database-based membership discovery (e.g., RADIUS-based).
Attacks might subvert or disrupt the activities of these protocols,
for example, via impersonation or DoS attacks.
5. Defensive Techniques for PPVPN Service Providers
The defensive techniques discussed in this document are intended to
describe methods by which some security threats can be addressed.
They are not intended as requirements for all PPVPN implementations.
The PPVPN provider should determine the applicability of these
techniques to the provider's specific service offerings, and the
PPVPN user may wish to assess the value of these techniques in regard
to the user's VPN requirements.
The techniques discussed here include encryption, authentication,
filtering, firewalls, access control, isolation, aggregation, and
other techniques.
Nothing is ever 100% secure. Defense therefore protects against
those attacks that are most likely to occur or that could have the
most dire consequences. Absolute protection against these attacks is
seldom achievable; more often it is sufficient to make the cost of a
successful attack greater than what the adversary would be willing to
expend.
Fang Informational [Page 11]
^L
RFC 4111 PPVPN Security Framework July 2005
Successful defense against an attack does not necessarily mean that
the attack must be prevented from happening or from reaching its
target. In many cases, the network can instead be designed to
withstand the attack. For example, the introduction of non-authentic
packets could be defended against by preventing their introduction in
the first place, or by making it possible to identify and eliminate
them before delivery to the PPVPN user's system. The latter is
frequently a much easier task.
5.1. Cryptographic Techniques
PPVPN defenses against a wide variety of attacks can be enhanced by
the proper application of cryptographic techniques. These are the
same cryptographic techniques that are applicable to general network
communications. In general, these techniques can provide
confidentiality (encryption) of communication between devices,
authentication of the identities of the devices, and detection of a
change of the protected data during transit.
Privacy is a key part (the middle name!) of any Virtual Private
Network. In a PPVPN, privacy can be provided by two mechanisms:
traffic separation and encryption. This section focuses on
encryption; traffic separation is addressed separately.
Several aspects of authentication are addressed in some detail in a
separate "Authentication" section.
Encryption adds complexity, and thus it may not be a standard
offering within every PPVPN service. There are a few reasons for
this. Encryption adds an additional computational burden to the
devices performing encryption and decryption. This may reduce the
number of user VPN connections that can be handled on a device or
otherwise reduce the capacity of the device, potentially driving up
the provider's costs. Typically, configuring encryption services on
devices adds to the complexity of the device configuration and adds
incremental labor cost. Encrypting packets typically increases
packet lengths, thereby increasing the network traffic load and the
likelihood of packet fragmentation, with its increased overhead.
(Packet length increase can often be mitigated to some extent by data
compression techniques, but with additional computational burden.)
Finally, some PPVPN providers may employ enough other defensive
techniques, such as physical isolation or filtering/firewall
techniques, that they may not perceive additional benefit from
encryption techniques.
The trust model among the PPVPN user, the PPVPN provider, and other
parts of the network is a key element in determining the
applicability of encryption for any specific PPVPN implementation.
Fang Informational [Page 12]
^L
RFC 4111 PPVPN Security Framework July 2005
In particular, it determines where encryption should be applied, as
follows.
- If the data path between the user's site and the provider's PE
is not trusted, then encryption may be used on the PE-CE link.
- If some part of the backbone network is not trusted,
particularly in implementations where traffic may travel across
the Internet or multiple provider networks, then the PE-PE
traffic may be encrypted.
- If the PPVPN user does not trust any zone outside of its
premises, it may require end-to-end or CE-CE encryption
service. This service fits within the scope of this PPVPN
security framework when the CE is provisioned by the PPVPN
provider.
- If the PPVPN user requires remote access to a PPVPN from a
system that is not at a PPVPN customer location (for example,
access by a traveler), there may be a requirement for
encrypting the traffic between that system and an access point
on the PPVPN or at a customer site. If the PPVPN provider
provides the access point, then the customer must cooperate
with the provider to handle the access control services for the
remote users. These access control services are usually
implemented by using encryption, as well.
Although CE-CE encryption provides confidentiality against third-
party interception, if the PPVPN provider has complete management
control over the CE (encryption) devices, then it may be possible for
the provider to gain access to the user's VPN traffic or internal
network. Encryption devices can potentially be configured to use
null encryption, to bypass encryption processing altogether, or to
provide some means of sniffing or diverting unencrypted traffic.
Thus, a PPVPN implementation using CE-CE encryption has to consider
the trust relationship between the PPVPN user and provider. PPVPN
users and providers may wish to negotiate a service level agreement
(SLA) for CE-CE encryption that will provide an acceptable
demarcation of responsibilities for management of encryption on the
CE devices.
The demarcation may also be affected by the capabilities of the CE
devices. For example, the CE might support some partitioning of
management or a configuration lock-down ability, or it might allow
both parties to verify the configuration. In general, if the managed
CE-CE model is used, the PPVPN user has to have a fairly high level
of trust that the PPVPN provider will properly provision and manage
the CE devices.
Fang Informational [Page 13]
^L
RFC 4111 PPVPN Security Framework July 2005
5.1.1. IPsec in PPVPNs
IPsec [RFC2401] [RFC2402] [RFC2406] [RFC2407] [RFC2411] is the
security protocol of choice for encryption at the IP layer (Layer 3),
as discussed in [RFC3631]. IPsec provides robust security for IP
traffic between pairs of devices. Non-IP traffic must be converted
to IP packets, or it cannot be transported over IPsec. Encapsulation
is a common conversion method.
In the PPVPN model, IPsec can be employed to protect IP traffic
between PEs, between a PE and a CE, or from CE to CE. CE-to-CE IPsec
may be employed in either a provider-provisioned or a user-
provisioned model. The user-provisioned CE-CE IPsec model is outside
the scope of this document and outside the scope of the PPVPN Working
Group. Likewise, data encryption that is performed within the user's
site is outside the scope of this document, as it is simply handled
as user data by the PPVPN. IPsec can also be used to protect IP
traffic between a remote user and the PPVPN.
IPsec does not itself specify an encryption algorithm. It can use a
variety of encryption algorithms with various key lengths, such as
AES encryption. There are trade-offs between key length,
computational burden, and the level of security of the encryption. A
full discussion of these trade-offs is beyond the scope of this
document. In order to assess the level of security offered by a
particular IPsec-based PPVPN service, some PPVPN users may wish to
know the specific encryption algorithm and effective key length used
by the PPVPN provider. However, in practice, any currently
recommended IPsec encryption offers enough security to substantially
reduce the likelihood of being directly targeted by an attacker.
Other, weaker, links in the chain of security are likely to be
attacked first. PPVPN users may wish to use a Service Level
Agreement (SLA) specifying the service provider's responsibility for
ensuring data confidentiality rather than to analyze the specific
encryption techniques used in the PPVPN service.
For many of the PPVPN provider's network control messages and some
PPVPN user requirements, cryptographic authentication of messages
without encryption of the contents of the message may provide
acceptable security. With IPsec, authentication of messages is
provided by the Authentication Header (AH) or by the Encapsulating
Security Protocol (ESP) with authentication only. Where control
messages require authentication but do not use IPsec, other
cryptographic authentication methods are available. Message
authentication methods currently considered to be secure are based on
hashed message authentication codes (HMAC) [RFC2104] implemented with
a secure hash algorithm such as Secure Hash Algorithm 1 (SHA-1)
[RFC3174].
Fang Informational [Page 14]
^L
RFC 4111 PPVPN Security Framework July 2005
One recommended mechanism for providing a combination
confidentiality, data origin authentication, and connectionless
integrity is the use of AES in Cipher Block Chaining (CBC) Mode, with
an explicit Initialization Vector (IV) [RFC3602], as the IPsec ESP.
PPVPNs that provide differentiated services based on traffic type may
encounter some conflicts with IPsec encryption of traffic. As
encryption hides the content of the packets, it may not be possible
to differentiate the encrypted traffic in the same manner as
unencrypted traffic. Although DiffServ markings are copied to the
IPsec header and can provide some differentiation, not all traffic
types can be accommodated by this mechanism.
5.1.2. Encryption for Device Configuration and Management
For configuration and management of PPVPN devices, encryption and
authentication of the management connection at a level comparable to
that provided by IPsec is desirable.
Several methods of transporting PPVPN device management traffic offer
security and confidentiality.
- Secure Shell (SSH) offers protection for TELNET [STD8] or
terminal-like connections to allow device configuration.
- SNMP v3 [STD62] provides encrypted and authenticated protection
for SNMP-managed devices.
- Transport Layer Security (TLS) [RFC2246] and the closely-related
Secure Sockets Layer (SSL) are widely used for securing HTTP-based
communication, and thus can provide support for most XML- and
SOAP-based device management approaches.
- As of 2004, extensive work is proceeding in several organizations
(OASIS, W3C, WS-I, and others) on securing device management
traffic within a "Web Services" framework. This work uses a wide
variety of security models and supports multiple security token
formats, multiple trust domains, multiple signature formats, and
multiple encryption technologies.
- IPsec provides the services with security and confidentiality at
the network layer. With regard to device management, its current
use is primarily focused on in-band management of user-managed
IPsec gateway devices.
Fang Informational [Page 15]
^L
RFC 4111 PPVPN Security Framework July 2005
5.1.3. Cryptographic Techniques in Layer-2 PPVPNs
Layer-2 PPVPNs will generally not be able to use IPsec to provide
encryption throughout the entire network. They may be able to use
IPsec for PE-PE traffic where it is encapsulated in IP packets, but
IPsec will generally not be applicable for CE-PE traffic in Layer-2
PPVPNs.
Encryption techniques for Layer-2 links are widely available but are
not within the scope of this document or IETF documents in general.
Layer-2 encryption could be applied to the links from CE to PE, or it
could be applied from CE to CE, as long as the encrypted Layer-2
packets can be handled properly by the intervening PE devices. In
addition, the upper-layer traffic transported by the Layer-2 VPN can
be encrypted by the user. In this case, confidentiality will be
maintained; however, this is transparent to the PPVPN provider and is
outside the scope of this document.
5.1.4. End-to-End vs. Hop-by-Hop Encryption Tradeoffs in PPVPNs
In PPVPNs, encryption could potentially be applied to the VPN traffic
at several different places. This section discusses some of the
tradeoffs in implementing encryption in several different connection
topologies among different devices within a PPVPN.
Encryption typically involves a pair of devices that encrypt the
traffic passing between them. The devices may be directly connected
(over a single "hop"), or there may be intervening devices that
transport the encrypted traffic between the pair of devices. The
extreme cases involve hop-by-hop encryption between every adjacent
pair of devices along a given path or "end-to-end" encryption only
between the end devices along a given path. To keep this discussion
within the scope of PPVPNs, we consider the "end to end" case to be
CE to CE rather than fully end to end.
Figure 2 depicts a simplified PPVPN topology, showing the Customer
Edge (CE) devices, the Provider Edge (PE) devices, and a variable
number (three are shown) of Provider core (P) devices that might be
present along the path between two sites in a single VPN, operated by
a single service provider (SP).
Site_1---CE---PE---P---P---P---PE---CE---Site_2
Figure 2: Simplified PPVPN topology
Fang Informational [Page 16]
^L
RFC 4111 PPVPN Security Framework July 2005
Within this simplified topology and assuming that P devices are not
to be involved with encryption, there are four basic feasible
configurations for implementing encryption on connections among the
devices:
1) Site-to-site (CE-to-CE): Encryption can be configured between
the two CE devices, so that traffic will be encrypted
throughout the SP's network.
2) Provider edge-to-edge (PE-to-PE): Encryption can be configured
between the two PE devices. Unencrypted traffic is received at
one PE from the customer's CE; then it is encrypted for
transmission through the SP's network to the other PE, where it
is decrypted and sent to the other CE.
3) Access link (CE-to-PE): Encryption can be configured between
the CE and PE, on each side (or on only one side).
4) Configurations 2) and 3) can be combined, with encryption
running from CE to PE, then from PE to PE, and then from PE to
CE.
Among the four feasible configurations, key tradeoffs in considering
encryption include the following:
- Vulnerability to link eavesdropping: Assuming that an attacker can
observe the data in transit on the links, would it be protected by
encryption?
- Vulnerability to device compromise: Assuming an attacker can get
access to a device (or freely alter its configuration), would the
data be protected?
- Complexity of device configuration and management: Given Nce, the
number of sites per VPN customer, and Npe, the number of PEs
participating in a given VPN, how many device configurations have
to be created or maintained and how do those configurations scale?
- Processing load on devices: How many encryption or decryption
operations must be done, given P packets? This influences
considerations of device capacity and perhaps end-to-end delay.
- Ability of SP to provide enhanced services (QoS, firewall,
intrusion detection, etc.): Can the SP inspect the data in order
to provide these services?
These tradeoffs are discussed below for each configuration.
Fang Informational [Page 17]
^L
RFC 4111 PPVPN Security Framework July 2005
1) Site-to-site (CE-to-CE) Configurations
o Link eavesdropping: Protected on all links.
o Device compromise: Vulnerable to CE compromise.
o Complexity: Single administration, responsible for one device
per site (Nce devices), but overall configuration per VPN
scales as Nce**2.
o Processing load: on each of two CEs, each packet is either
encrypted or decrypted (2P).
o Enhanced services: Severely limited; typically only DiffServ
markings are visible to SP, allowing some QoS services.
2) Provider edge-to-edge (PE-to-PE) Configurations
o Link eavesdropping: Vulnerable on CE-PE links; protected on
SP's network links.
o Device compromise: Vulnerable to CE or PE compromise.
o Complexity: Single administration; Npe devices to configure.
(Multiple sites may share a PE device, so Npe is typically much
less than Nce.) Scalability of the overall configuration
depends on the PPVPN type: If the encryption is separate per
VPN context, it scales as Npe**2 per customer VPN. If the
encryption is per PE, it scales as Npe**2 for all customer VPNs
combined.
o Processing load: On each of two PEs, each packet is either
encrypted or decrypted (2P).
o Enhanced services: Full; SP can apply any enhancements based on
detailed view of traffic.
3) Access link (CE-to-PE) Configuration
o Link eavesdropping: Protected on CE-PE link; vulnerable on SP's
network links.
o Device compromise: Vulnerable to CE or PE compromise.
o Complexity: Two administrations (customer and SP) with device
configuration on each side (Nce + Npe devices to configure),
but as there is no mesh, the overall configuration scales as
Nce.
Fang Informational [Page 18]
^L
RFC 4111 PPVPN Security Framework July 2005
o Processing load: On each of two CEs, each packet is either
encrypted or decrypted. On each of two PEs, each packet is
either encrypted or decrypted (4P).
o Enhanced services: Full; SP can apply any enhancements based on
detailed view of traffic.
4) Combined Access link and PE-to-PE (essentially hop-by-hop).
o Link eavesdropping: Protected on all links.
o Device compromise: Vulnerable to CE or PE compromise.
o Complexity: Two administrations (customer and SP), with device
configuration on each side (Nce + Npe devices to configure).
Scalability of the overall configuration depends on the PPVPN
type. If the encryption is separate per VPN context, it scales
as Npe**2 per customer VPN. If the encryption is per-PE, it
scales as Npe**2 for all customer VPNs combined.
o Processing load: On each of two CEs, each packet is either
encrypted or decrypted. On each of two PEs, each packet is
both encrypted and decrypted (6P).
o Enhanced services: Full; SP can apply any enhancements based on
detailed view of traffic.
Given the tradeoffs discussed above, a few conclusions can be
reached.
- Configurations 2 and 3, which are subsets of 4, may be appropriate
alternatives to 4 under certain threat models. The remainder of
these conclusions compare 1 (CE-to-CE) with 4 (combined access
links and PE-to-PE).
- If protection from link eavesdropping is most important, then
configurations 1 and 4 are equivalent.
- If protection from device compromise is most important and the
threat is to the CE devices, both cases are equivalent; if the
threat is to the PE devices, configuration 1 is best.
- If reducing complexity is most important and the size of the
network is very small, configuration 1 is the best. Otherwise,
the comparison between options 1 and 4 is relatively complex ,
based on a number of issues such as, how close the CE to CE
communication is to a full mesh, and what tools are used for key
management. Option 1 requires configuring keys for each CE-CE
Fang Informational [Page 19]
^L
RFC 4111 PPVPN Security Framework July 2005
pair that is communicating directly. Option 4 requires
configuring keys on both CE and PE devices but may offer benefit
from the fact that the number of PEs is generally much smaller
than the number of CEs.
Also, under some PPVPN approaches, the scaling of 4 is further
improved by sharing the same PE-PE mesh across all VPN contexts.
The scaling characteristics of 4 may be increased or decreased in
any given situation if the CE devices are simpler to configure
than the PE devices, or vice versa. Furthermore, with option 4,
the impact of operational error may be significantly increased.
- If the overall processing load is a key factor, then 1 is best.
- If the availability of enhanced services support from the SP is
most important, then 4 is best.
As a quick overall conclusion, CE-to-CE encryption provides greater
protection against device compromise, but it comes at the cost of
enhanced services and with additional operational complexity due to
the Order(n**2) scaling of the mesh.
This analysis of site-to-site vs. hop-by-hop encryption tradeoffs
does not explicitly include cases where multiple providers cooperate
to provide a PPVPN service, public Internet VPN connectivity, or
remote access VPN service, but many of the tradeoffs will be similar.
5.2. Authentication
In order to prevent security issues from some denial-of-service
attacks or from malicious misconfiguration, it is critical that
devices in the PPVPN should only accept connections or control
messages from valid sources. Authentication refers to methods for
ensuring that message sources are properly identified by the PPVPN
devices with which they communicate. This section focuses on
identifying the scenarios in which sender authentication is required,
and it recommends authentication mechanisms for these scenarios.
Cryptographic techniques (authentication and encryption) do not
protect against some types of denial-of-service attacks,
specifically, resource exhaustion attacks based on CPU or bandwidth
exhaustion. In fact, the processing required to decrypt or check
authentication may in some cases increase the effect of these
resource exhaustion attacks. Cryptographic techniques may, however,
be useful against resource exhaustion attacks based on exhaustion of
state information (e.g., TCP SYN attacks).
Fang Informational [Page 20]
^L
RFC 4111 PPVPN Security Framework July 2005
5.2.1. VPN Member Authentication
This category includes techniques for the CEs to verify that they are
connected to the expected VPN. It includes techniques for CE-PE
authentication, to verify that each specific CE and PE is actually
communicating with its expected peer.
5.2.2. Management System Authentication
Management system authentication includes the authentication of a PE
to a centrally-managed directory server when directory-based "auto-
discovery" is used. It also includes authentication of a CE to its
PPVPN configuration server when a configuration server system is
used.
5.2.3. Peer-to-Peer Authentication
Peer-to-peer authentication includes peer authentication for network
control protocols (e.g., LDP, BGP), and other peer authentication
(i.e., authentication of one IPsec security gateway by another).
5.2.4. Authenticating Remote Access VPN Members
This section describes methods for authentication of remote access
users connecting to a VPN.
Effective authentication of individual connections is a key
requirement for enabling remote access to a PPVPN from an arbitrary
Internet address (for instance, by a traveler).
There are several widely used standards-based protocols to support
remote access authentication. These include RADIUS [RFC2865] and
DIAMETER [RFC3588]. Digital certificate systems also provide
authentication. In addition, there has been extensive development
and deployment of mechanisms for securely transporting individual
remote access connections within tunneling protocols, including L2TP
[RFC2661] and IPsec.
Remote access involves connection to a gateway device, which provides
access to the PPVPN. The gateway device may be managed by the user
at a user site, or by the PPVPN provider at any of several possible
locations in the network. The user-managed case is of limited
interest within the PPVPN security framework, and it is not
considered at this time.
When a PPVPN provider manages authentication at the remote access
gateway, this implies that authentication databases, which are
usually extremely confidential user-managed systems, will have to be
Fang Informational [Page 21]
^L
RFC 4111 PPVPN Security Framework July 2005
referenced in a secure manner by the PPVPN provider. This can be
accomplished through proxy authentication services, which accept an
encrypted authentication credential from the remote access user, pass
it to the PPVPN user's authentication system, and receive a yes/no
response as to whether the user has been authenticated. Thus, the
PPVPN provider does not have access to the actual authentication
database, but it can use it on behalf of the PPVPN user to provide
remote access authentication.
Specific cryptographic techniques for handling authentication are
described in the following sections.
5.2.5. Cryptographic Techniques for Authenticating Identity
Cryptographic techniques offer several mechanisms for authenticating
the identity of devices or individuals. These include the use of
shared secret keys, one-time keys generated by accessory devices or
software, user-ID and password pairs, and a range of public-private
key systems. Another approach is to use a hierarchical Certificate
Authority system to provide digital certificates.
This section describes or provides references to the specific
cryptographic approaches for authenticating identity. These
approaches provide secure mechanisms for most of the authentication
scenarios required in operating a PPVPN.
5.3. Access Control Techniques
Access control techniques include packet-by-packet or packet flow -
by - packet flow access control by means of filters and firewalls, as
well as by means of admitting a "session" for a
control/signaling/management protocol that is being used to implement
PPVPNs. Enforcement of access control by isolated infrastructure
addresses is discussed elsewhere in this document.
We distinguish between filtering and firewalls primarily by the
direction of traffic flow. We define filtering as being applicable
to unidirectional traffic, whereas a firewall can analyze and control
both sides of a conversation.
There are two significant corollaries of this definition:
- Routing or traffic flow symmetry: A firewall typically requires
routing symmetry, which is usually enforced by locating a firewall
where the network topology assures that both sides of a
conversation will pass through the firewall. A filter can then
operate upon traffic flowing in one direction without considering
traffic in the reverse direction.
Fang Informational [Page 22]
^L
RFC 4111 PPVPN Security Framework July 2005
- Statefulness: Because it receives both sides of a conversation, a
firewall may be able to obtain a significant amount of information
concerning that conversation and to use this information to
control access. A filter can maintain some limited state
information on a unidirectional flow of packets, but it cannot
determine the state of the bi-directional conversation as
precisely as a firewall can.
5.3.1. Filtering
It is relatively common for routers to filter data packets. That is,
routers can look for particular values in certain fields of the IP or
higher level (e.g., TCP or UDP) headers. Packets that match the
criteria associated with a particular filter may be either discarded
or given special treatment.
In discussing filters, it is useful to separate the filter
characteristics that may be used to determine whether a packet
matches a filter from the packet actions that are applied to packets
that match a particular filter.
o Filter Characteristics
Filter characteristics are used to determine whether a particular
packet or set of packets matches a particular filter.
In many cases, filter characteristics may be stateless. A
stateless filter determines whether a particular packet matches a
filter based solely on the filter definition, on normal forwarding
information (such as the next hop for a packet), and on the
characteristics of that individual packet. Typically, stateless
filters may consider the incoming and outgoing logical or physical
interface, information in the IP header, and information in higher
layer headers such as the TCP or UDP header. Information in the
IP header to be considered may, for example, include source and
destination IP address, Protocol field, Fragment Offset, and TOS
field. Filters may also consider fields in the TCP or UDP header
such as the Port fields and the SYN field in the TCP header.
Stateful filtering maintains packet-specific state information to
aid in determining whether a filter has been met. For example, a
device might apply stateless filters to the first fragment of a
fragmented IP packet. If the filter matches, then the data unit
ID may be remembered, and other fragments of the same packet may
then be considered to match the same filter. Stateful filtering
is more commonly done in firewalls, although firewall technology
may be added to routers.
Fang Informational [Page 23]
^L
RFC 4111 PPVPN Security Framework July 2005
o Actions Based on Filter Results
If a packet, or a series of packets, match a specific filter, then
there are a variety of actions that may be taken based on that
filter match. Examples of such actions include:
- Discard
In many cases, filters may be set to catch certain undesirable
packets. Examples may include packets with forged or invalid
source addresses, packets that are part of a DoS or DDoS
attack, or packets that are trying to access forbidden
resources (such as network management packets from an
unauthorized source). Where such filters are activated, it is
common to silently discard the packet or set of packets
matching the filter. The discarded packets may also be counted
and/or logged, of course.
- Set CoS
A filter may be used to set the Class of Service associated
with the packet.
- Count Packets and/or Bytes
- Rate Limit
In some cases, the set of packets that match a particular
filter may be limited to a specified bandwidth. Packets and/or
bytes would be counted and forwarded normally up to the
specified limit. Excess packets may be discarded or marked
(for example, by setting a "discard eligible" bit in the IP ToS
field or the MPLS EXP field).
- Forward and Copy
It is useful in some cases not only to forward some set of
packets normally, but also to send a copy to a specified other
address or interface. For example, this may be used to
implement a lawful intercept capability, or to feed selected
packets to an Intrusion Detection System.
o Other Issues Related to Packet Filters
There may be a very wide variation in the performance impact of
filtering. This may occur both due to differences between
implementations, and due to differences between types or numbers
Fang Informational [Page 24]
^L
RFC 4111 PPVPN Security Framework July 2005
of filters deployed. For filtering to be useful, the performance
of the equipment has to be acceptable in the presence of filters.
The precise definition of "acceptable" may vary from service
provider to service provider and may depend on the intended use of
the filters. For example, for some uses a filter may be turned on
all the time in order to set CoS, to prevent an attack, or to
mitigate the effect of a possible future attack. In this case it
is likely that the service provider will want the filter to have
minimal or no impact on performance. In other cases, a filter may
be turned on only in response to a major attack (such as a major
DDoS attack). In this case a greater performance impact may be
acceptable to some service providers.
A key consideration with the use of packet filters is that they
can provide few options for filtering packets carrying encrypted
data. Because the data itself is not accessible, only packet
header information or other unencrypted fields can be used for
filtering.
5.3.2. Firewalls
Firewalls provide a mechanism for control over traffic passing
between different trusted zones in the PPVPN model, or between a
trusted zone and an untrusted zone. Firewalls typically provide much
more functionality than filters, as they may be able to apply
detailed analysis and logical functions to flows and not just to
individual packets. They may offer a variety of complex services,
such as threshold-driven denial-of-service attack protection, virus
scanning, or acting as a TCP connection proxy. As with other access
control techniques, the value of firewalls depends on a clear
understanding of the topologies of the PPVPN core network, the user
networks, and the threat model. Their effectiveness depends on a
topology with a clearly defined inside (secure) and outside (not
secure).
Within the PPVPN framework, traffic typically is not allowed to pass
between the various user VPNs. This inter-VPN isolation is usually
not performed by a firewall, but it is a part of the basic VPN
mechanism. An exception to the total isolation of VPNs is the case
of "extranets", which allow specific external access to a user's VPN,
potentially from another VPN. Firewalls can be used to provide the
services required for secure extranet implementation.
Fang Informational [Page 25]
^L
RFC 4111 PPVPN Security Framework July 2005
In a PPVPN, firewalls can be applied between the public Internet and
user VPNs, in cases where Internet access services are offered by the
provider to the VPN user sites. In addition, firewalls may be
applied between VPN user sites and any shared network-based services
offered by the PPVPN provider.
Firewalls may be applied to help protect PPVPN core network functions
from attacks originating from the Internet or from PPVPN user sites,
but typically other defensive techniques will be used for this
purpose.
Where firewalls are employed as a service to protect user VPN sites
from the Internet, different VPN users, and even different sites of a
single VPN user, may have varying firewall requirements. The overall
PPVPN logical and physical topology, along with the capabilities of
the devices implementing the firewall services, will have a
significant effect on the feasibility and manageability of such
varied firewall service offerings.
Another consideration with the use of firewalls is that they can
provide few options for handling packets carrying encrypted data. As
the data itself is not accessible, only packet header information,
other unencrypted fields, or analysis of the flow of encrypted
packets can be used for making decisions on accepting or rejecting
encrypted traffic.
5.3.3. Access Control to Management Interfaces
Most of the security issues related to management interfaces can be
addressed through the use of authentication techniques described in
the section on authentication. However, additional security may be
provided by controlling access to management interfaces in other
ways.
Management interfaces, especially console ports on PPVPN devices, may
be configured so that they are only accessible out of band, through a
system that is physically or logically separated from the rest of the
PPVPN infrastructure.
Where management interfaces are accessible in-band within the PPVPN
domain, filtering or firewalling techniques can be used to restrict
unauthorized in-band traffic from having access to management
interfaces. Depending on device capabilities, these filtering or
firewalling techniques can be configured either on other devices
through which the traffic might pass, or on the individual PPVPN
devices themselves.
Fang Informational [Page 26]
^L
RFC 4111 PPVPN Security Framework July 2005
5.4. Use of Isolated Infrastructure
One way to protect the infrastructure used for support of VPNs is to
separate the VPN support resources from the resources used for other
purposes (such as support of Internet services). In some cases, this
may require the use of physically separate equipment for VPN
services, or even a physically separate network.
For example, PE-based L3 VPNs may be run on a separate backbone not
connected to the Internet, or they may use separate edge routers from
those used to support Internet service. Private IP addresses (local
to the provider and non-routable over the Internet) are sometimes
used to provide additional separation.
It is common for CE-based L3VPNs to make use of CE devices that are
dedicated to one specific VPN. In many or most cases, CE-based VPNs
may make use of normal Internet services to interconnect CE devices.
5.5. Use of Aggregated Infrastructure
In general it is not feasible to use a completely separate set of
resources for support of each VPN. One of the main reasons for VPN
services is to allow sharing of resources between multiple users,
including multiple VPNs. Thus, even if VPN services make use of a
separate network from Internet services, there will still be multiple
VPN users sharing the same network resources. In some cases, VPN
services will share the use of network resources with Internet
services or other services.
It is therefore important for VPN services to provide protection
between resource use by different VPNs. Thus, a well-behaved VPN
user should be protected from possible misbehavior by other VPNs.
This requires that limits be placed on the amount of resources that
can be used by any one VPN. For example, both control traffic and
user data traffic may be rate limited. In some cases or in some
parts of the network where a sufficiently large number of queues are
available, each VPN (and, optionally, each VPN and CoS within the
VPN) may make use of a separate queue. Control-plane resources such
as link bandwidth and CPU and memory resources may be reserved on a
per-VPN basis.
The techniques that are used to provision resource protection between
multiple VPNs served by the same infrastructure can also be used to
protect VPN services from Internet services.
The use of aggregated infrastructure allows the service provider to
benefit from stochastic multiplexing of multiple bursty flows and may
Fang Informational [Page 27]
^L
RFC 4111 PPVPN Security Framework July 2005
also, in some cases, thwart traffic pattern analysis by combining the
data from multiple VPNs.
5.6. Service Provider Quality Control Processes
Deployment of provider-provisioned VPN services requires a relatively
large amount of configuration by the service provider. For example,
the service provider has to configure which VPN each site belongs to,
as well as QoS and SLA guarantees. This large amount of required
configuration leads to the possibility of misconfiguration.
It is important for the service provider to have operational
processes in place to reduce the potential impact of
misconfiguration. CE-to-CE authentication may also be used to detect
misconfiguration when it occurs.
5.7. Deployment of Testable PPVPN Service
This refers to solutions that can readily be tested for correct
configuration. For example, for a point-point VPN, checking that the
intended connectivity is working largely ensures that there is not
connectivity to some unintended site.
6. Monitoring, Detection, and Reporting of Security Attacks
A PPVPN service may be subject to attacks from a variety of security
threats. Many threats are described in another part of this
document. Many of the defensive techniques described in this
document and elsewhere provide significant levels of protection from
a variety of threats. However, in addition to silently employing
defensive techniques to protect against attacks, PPVPN services can
add value for both providers and customers by implementing security-
monitoring systems that detect and report on any security attacks
that occur, regardless of whether the attacks are effective.
Attackers often begin by probing and analyzing defenses, so systems
that can detect and properly report these early stages of attacks can
provide significant benefits.
Information concerning attack incidents, especially if available
quickly, can be useful in defending against further attacks. It can
be used to help identify attackers and their specific targets at an
early stage. This knowledge about attackers and targets can be used
to further strengthen defenses against specific attacks or attackers,
or to improve the defensive services for specific targets on an as-
needed basis. Information collected on attacks may also be useful in
identifying and developing defenses against novel attack types.
Fang Informational [Page 28]
^L
RFC 4111 PPVPN Security Framework July 2005
Monitoring systems used to detect security attacks in PPVPNs will
typically operate by collecting information from Provider Edge (PE),
Customer Edge (CE), and/or Provider backbone (P) devices. Security
monitoring systems should have the ability to actively retrieve
information from devices (e.g., SNMP get) or to passively receive
reports from devices (e.g., SNMP notifications). The specific
information exchanged will depend on the capabilities of the devices
and on the type of VPN technology. Particular care should be given
to securing the communications channel between the monitoring systems
and the PPVPN devices.
The CE, PE, and P devices should employ efficient methods to acquire
and communicate the information needed by the security monitoring
systems. It is important that the communication method between PPVPN
devices and security monitoring systems be designed so that it will
not disrupt network operations. As an example, multiple attack
events may be reported through a single message, rather than allow
each attack event to trigger a separate message, which might result
in a flood of messages, essentially becoming a denial-of-service
attack against the monitoring system or the network.
The mechanisms for reporting security attacks should be flexible
enough to meet the needs of VPN service providers, VPN customers, and
regulatory agencies. The specific reports will depend on the
capabilities of the devices, the security monitoring system, the type
of VPN, and the service level agreements between the provider and
customer.
7. User Security Requirements
This section defines a list of security-related requirements that the
users of PPVPN services may have for their PPVPN service. Typically,
these translate into requirements for the provider in offering the
service.
The following sections detail various requirements that ensure the
security of a given trusted zone. Since in real life there are
various levels of security, a PPVPN may fulfill any or all of these
security requirements. This document does not state that a PPVPN
must fulfill all of these requirements to be secure. As mentioned in
the Introduction, it is not within the scope of this document to
define the specific requirements that each VPN technology must
fulfill in order to be secure.
Fang Informational [Page 29]
^L
RFC 4111 PPVPN Security Framework July 2005
7.1. Isolation
A virtual private network usually defines "private" as isolation from
other PPVPNs and the Internet. More specifically, isolation has
several components, which are discussed in the following sections.
7.1.1. Address Separation
A given PPVPN can use the full Internet address range, including
private address ranges [RFC1918], without interfering with other
PPVPNs that use PPVPN services from the same service provider(s).
When Internet access is provided (e.g., by the same service provider
that is offering PPVPN service), NAT functionality may be needed.
In layer-2 VPNs, the same requirement exists for the layer 2
addressing schemes, such as MAC addresses.
7.1.2. Routing Separation
A PPVPN core must maintain routing separation between the trusted
zones. This means that routing information must not leak from any
trusted zone to any other, unless the zones are specifically
engineered this way (e.g., for Internet access.)
In layer-2 VPNs, the switching information must be kept separate
between the trusted zones, so that switching information of one PPVPN
does not influence other PPVPNs or the PPVPN core.
7.1.3. Traffic Separation
Traffic from a given trusted zone must never leave this zone, and
traffic from another zone must never enter this zone. Exceptions are
made where zones are is specifically engineered that way (e.g., for
extranet purposes or Internet access.)
7.2. Protection
The common perception is that a completely separated "private"
network has defined entry points and is only subject to attack or
intrusion over those entry points. By sharing a common core, a PPVPN
appears to lose some of these clear interfaces to networks outside
the trusted zone. Thus, one of the key security requirements of
PPVPN services is that they offer the same level of protection as
private networks.
Fang Informational [Page 30]
^L
RFC 4111 PPVPN Security Framework July 2005
7.2.1. Protection against Intrusion
An intrusion is defined here as the penetration of a trusted zone
from outside. This could be from the Internet, another PPVPN, or the
core network itself.
The fact that a network is "virtual" must not expose it to additional
threats over private networks. Specifically, it must not add new
interfaces to other parts outside the trusted zone. Intrusions from
known interfaces such as Internet gateways are outside the scope of
this document.
7.2.2. Protection against Denial-of-Service Attacks
A denial-of-service (DoS) attack aims at making services or devices
unavailable to legitimate users. In the framework of this document,
only those DoS attacks are considered that are a consequence of
providing network service through a VPN. DoS attacks over the
standard interfaces into a trusted zone are not considered here.
The requirement is that a PPVPN is not more vulnerable against DoS
attacks than it would be if the same network were private.
7.2.3. Protection against Spoofing
It must not be possible to violate the integrity of a PPVPN by
changing the sender identification (source address, source label,
etc) of traffic in transit. For example, if two CEs are connected to
the same PE, it must not be possible for one CE to send crafted
packets that make the PE believe those packets are coming from the
other CE, thus inserting them into the wrong PPVPN.
7.3. Confidentiality
This requirement means that data must be cryptographically secured in
transit over the PPVPN core network to avoid eavesdropping.
7.4. CE Authentication
Where CE authentication is provided, it is not possible for an
outsider to install a CE and pretend to belong to a specific PPVPN to
which this CE does not belong in reality.
7.5. Integrity
Data in transit must be secured in such a manner that it cannot be
altered or that any alteration may be detected at the receiver.
Fang Informational [Page 31]
^L
RFC 4111 PPVPN Security Framework July 2005
7.6. Anti-replay
Anti-replay means that data in transit cannot be recorded and
replayed later. To protect against anti-replay attacks, the data
must be cryptographically secured.
Note: Even private networks do not necessarily meet the requirements
of confidentiality, integrity, and anti-reply. Thus, when private
and "virtually private" PPVPN services are compared, these
requirements are only applicable if the comparable private service
also included these services. However, the fact that VPNs operate
over a shared infrastructure may make some of these requirements more
important in a VPN environment than in a private network environment.
8. Provider Security Requirements
In this section, we discuss additional security requirements that the
provider may have in order to secure its network infrastructure as it
provides PPVPN services.
The PPVPN service provider requirements defined here are the
requirements for the PPVPN core in the reference model. The core
network can be implemented with different types of network
technologies, and each core network may use different technologies to
provide the PPVPN services to users with different levels of offered
security. Therefore, a PPVPN service provider may fulfill any number
of the security requirements listed in this section. This document
does not state that a PPVPN must fulfill all of these requirements to
be secure.
These requirements are focused on 1) how to protect the PPVPN core
from various attacks outside the core, including PPVPN users and
non-PPVPN alike, both accidentally and maliciously, and 2) how to
protect the PPVPN user VPNs and sites themselves. Note that a PPVPN
core is not more vulnerable against attacks than a core that does not
provide PPVPNs. However, providing PPVPN services over such a core
may lead to additional security requirements, if only because most
users are expecting higher security standards in a core delivering
PPVPN services.
8.1. Protection within the Core Network
8.1.1. Control Plane Protection
- Protocol Authentication within the Core:
PPVPN technologies and infrastructure must support mechanisms for
authentication of the control plane. For an IP core, IGP and BGP
Fang Informational [Page 32]
^L
RFC 4111 PPVPN Security Framework July 2005
sessions may be authenticated by using TCP MD5 or IPsec. If an
MPLS core is used, LDP sessions may be authenticated by using TCP
MD5. In addition, IGP and BGP authentication should also be
considered. For a core providing layer-2 services, PE to PE
authentication may also be used via IPsec.
With the cost of authentication coming down rapidly, the
application of control plane authentication may not increase the
cost of implementation for providers significantly, and it will
improve the security of the core. If the core is dedicated to VPN
services and there are no interconnects to third parties, then it
may reduce the requirement for authentication of the core control
plane.
- Elements protection
Here we discuss means to hide the provider's infrastructure nodes.
A PPVPN provider may make the infrastructure routers (P and PE
routers) unreachable by outside users and unauthorized internal
users. For example, separate address space may be used for the
infrastructure loopbacks.
Normal TTL propagation may be altered to make the backbone look
like one hop from the outside, but caution should be taken for
loop prevention. This prevents the backbone addresses from being
exposed through trace route; however, it must also be assessed
against operational requirements for end-to-end fault tracing.
An Internet backbone core may be re-engineered to make Internet
routing an edge function, for example, by using MPLS label
switching for all traffic within the core and possibly by making
the Internet a VPN within the PPVPN core itself. This helps
detach Internet access from PPVPN services.
PE devices may implement separate control plane, data plane, and
management plane functionality in terms of hardware and software,
to improve security. This may help limit the problems when one
particular area is attacked, and it may allow each plane to
implement additional security measurement separately.
PEs are often more vulnerable to attack than P routers, since, by
their very nature, PEs cannot be made unreachable to outside
users. Access to core trunk resources can be controlled on a
per-user basis by the application of inbound rate-
limiting/shaping. This can be further enhanced on a per-Class of
Service basis (see section 8.2.3).
Fang Informational [Page 33]
^L
RFC 4111 PPVPN Security Framework July 2005
In the PE, using separate routing processes for Internet and PPVPN
service may help improve the PPVPN security and better protect VPN
customers. Furthermore, if the resources, such as CPU and memory,
may be further separated based on applications, or even on
individual VPNs, it may help provide improved security and
reliability to individual VPN customers.
Many of these were not particular issues when an IP core was
designed to support Internet services only. Providing PPVPN
services introduces new security requirements for VPN services.
Similar consideration apply to L2 VPN services.
8.1.2. Data Plane Protection
PPVPN using IPsec technologies provides VPN users with encryption of
secure user data.
In today's MPLS, ATM, and Frame Relay networks, encryption is not
provided as a basic feature. Mechanisms can be used to secure the
MPLS data plane and to secure the data carried over the MPLS core.
Additionally, if the core is dedicated to VPN services and there are
no external interconnects to third party networks, then there is no
obvious need for encryption of the user data plane.
Inter-working IPsec/L3 PPVPN technologies or IPsec/L2 PPVPN
technologies may be used to provide PPVPN users with end-to-end PPVPN
services.
8.2. Protection on the User Access Link
Peer/Neighbor protocol authentication may be used to enhance
security. For example, BGP MD5 authentication may be used to enhance
security on PE-CE links using eBGP. In the case of an inter-provider
connection, authentication/encryption mechanisms between ASes, such
as IPsec, may be used.
WAN link address space separation for VPN and non-VPN users may be
implemented to improve security in order to protect VPN customers if
multiple services are provided on the same PE platform.
Firewall/Filtering: Access control mechanisms can be used to filter
out any packets destined for the service provider's infrastructure
prefix or to eliminate routes identified as illegitimate.
Fang Informational [Page 34]
^L
RFC 4111 PPVPN Security Framework July 2005
Rate limiting may be applied to the user interface/logical interfaces
against DDoS bandwidth attack. This is very helpful when the PE
device is supporting both VPN services and Internet services,
especially when it supports VPN and Internet services on the same
physical interfaces through different logical interfaces.
8.2.1. Link Authentication
Authentication mechanisms can be employed to validate site access to
the PPVPN network via fixed or logical (e.g., L2TP, IPsec)
connections. When the user wishes to hold the 'secret' associated to
acceptance of the access and site into the VPN, then PPVPN based
solutions require the flexibility for either direct authentication by
the PE itself or interaction with a customer PPVPN authentication
server. Mechanisms are required in the latter case to ensure that
the interaction between the PE and the customer authentication server
is controlled, for example, by limiting it simply to an exchange in
relation to the authentication phase and with other attributes (e.g.,
optional filtering of RADIUS).
8.2.2. Access Routing
Mechanisms may be used to provide control at a routing protocol level
(e.g., RIP, OSPF, BGP) between the CE and PE. Per-neighbor and per-
VPN routing policies may be established to enhance security and
reduce the impact of a malicious or non-malicious attack on the PE,
in particular, the following mechanisms should be considered:
- Limiting the number of prefixes that may be advertised into the PE
on a per-access basis . Appropriate action may be taken should a
limit be exceeded; for example, the PE might shut down the peer
session to the CE.
- Applying route dampening at the PE on received routing updates.
- Definition of a per-VPN prefix limit, after which additional
prefixes will not be added to the VPN routing table.
In the case of inter-provider connection, access protection, link
authentication, and routing policies as described above may be
applied. Both inbound and outbound firewall/filtering mechanism may
be applied between ASes. Proper security procedures must be
implemented in inter-provider VPN interconnection to protect the
providers' network infrastructure and their customer VPNs. This may
be custom designed for each inter-Provider VPN peering connection,
and both providers must agree on it.
Fang Informational [Page 35]
^L
RFC 4111 PPVPN Security Framework July 2005
8.2.3. Access QoS
PPVPN providers offering QoS-enabled services require mechanisms to
ensure that individual accesses are validated against their
subscribed QOS profile and are granted access to core resources that
match their service profile. Mechanisms such as per-Class of Service
rate limiting/traffic shaping on ingress to the PPVPN core are one
option in providing this level of control. Such mechanisms may
require the per-Class of Service profile to be enforced by marking,
remarking, or discarding traffic that is outside of the profile.
8.2.4. Customer VPN Monitoring Tools
End users requiring visibility of VPN-specific statistics on the core
(e.g., routing table, interface status, QoS statistics) impose
requirements for mechanisms at the PE both to validate the incoming
user and to limit the views available to that particular user's VPN.
Mechanisms should also be considered to ensure that such access
cannot be used to create a DoS attack (either malicious or
accidental) on the PE itself. This could be accomplished either
through separation of these resources within the PE itself or via the
capability to rate-limit such traffic on a per-VPN basis.
8.3. General Requirements for PPVPN Providers
The PPVPN providers must support the users' security requirements as
listed in Section 7. Depending on the technologies used, these
requirements may include the following.
- User control plane separation: Routing isolation.
- User address space separation: Supporting overlapping addresses
from different VPNs.
- User data plane separation: One VPN traffic cannot be intercepted
by other VPNs or any other users.
- Protection against intrusion, DoS attacks and spoofing.
- Access Authentication.
- Techniques highlighted through this document identify
methodologies for the protection of PPVPN resources and
infrastructure.
Hardware or software bugs in equipment that lead to security breaches
are outside the scope of this document.
Fang Informational [Page 36]
^L
RFC 4111 PPVPN Security Framework July 2005
9. Security Evaluation of PPVPN Technologies
This section presents a brief template that may be used to evaluate
and summarize how a given PPVPN approach (solution) measures up
against the PPVPN Security Framework. An evaluation using this
template should appear in the applicability statement for each PPVPN
approach.
9.1. Evaluating the Template
The first part of the template is in the form of a list of security
assertions. For each assertion the approach is assessed and one or
more of the following ratings is assigned:
- The requirement is not applicable to the VPN approach because ...
(fill in reason).
- The base VPN approach completely addresses the requirement by ...
(fill in technique).
- The base VPN approach partially addresses the requirement by ...
(fill in technique and extent to which it addresses the
requirement).
- An optional extension to the VPN approach completely addresses the
requirement by ... (fill in technique).
- An optional extension to the VPN approach partially addresses the
requirement by ... (fill in technique and extent to which it
addresses the requirement).
- The requirement is addressed in a way that is beyond the scope of
the VPN approach. (Explain.) (One example of this would be a VPN
approach in which some aspect, such as membership discovery, is
done via configuration. The protection afforded to the
configuration would be beyond the scope of the VPN approach.).
- The VPN approach does not meet the requirement.
9.2. Template
The following assertions solicit responses of the types listed in the
previous section.
1. The approach provides complete IP address space separation for
each L3 VPN.
Fang Informational [Page 37]
^L
RFC 4111 PPVPN Security Framework July 2005
2. The approach provides complete L2 address space separation for
each L2 VPN.
3. The approach provides complete VLAN ID space separation for each
L2 VPN.
4. The approach provides complete IP route separation for each L3
VPN.
5. The approach provides complete L2 forwarding separation for each
L2 VPN.
6. The approach provides a means to prevent improper cross-
connection of sites in separate VPNs.
7. The approach provides a means to detect improper cross-connection
of sites in separate VPNs.
8. The approach protects against the introduction of unauthorized
packets into each VPN
a. in the CE-PE link,
b. in a single- or multi-provider PPVPN backbone, or
c. in the Internet used as PPVPN backbone.
9. The approach provides confidentiality (secrecy) protection for
PPVPN user data
a. in the CE-PE link,
b. in a single- or multi-provider PPVPN backbone, or
c. in the Internet used as PPVPN backbone.
10. The approach provides sender authentication for PPVPN user data.
a. in the CE-PE link,
b. in a single- or multi-provider PPVPN backbone, or
c. in the Internet used as PPVPN backbone.
11. The approach provides integrity protection for PPVPN user data
a. in the CE-PE link,
b. in a single- or multi- provider PPVPN backbone, or
c. in the Internet used as PPVPN backbone.
12. The approach provides protection against replay attacks for PPVPN
user data
a. in the CE-PE link,
b. in a single- or multi-provider PPVPN backbone, or
c. in the Internet used as PPVPN backbone.
Fang Informational [Page 38]
^L
RFC 4111 PPVPN Security Framework July 2005
13. The approach provides protection against unauthorized traffic
pattern analysis for PPVPN user data
a. in the CE-PE link,
b. in a single- or multi-provider PPVPN backbone, or
c. in the Internet used as PPVPN backbone.
14. The control protocol(s) used for each of the following functions
provides message integrity and peer authentication
a. VPN membership discovery.
b. Tunnel establishment.
c. VPN topology and reachability advertisement:
i. PE-PE.
ii. PE-CE.
d. VPN provisioning and management.
e. VPN monitoring, attack detection, and reporting.
f. Other VPN-specific control protocols, if any (list).
The following questions solicit free-form answers.
15. Describe the protection, if any, the approach provides against
PPVPN-specific DoS attacks (i.e., inter-trusted-zone DoS
attacks):
a. Protection of the service provider infrastructure against
Data Plane or Control Plane DoS attacks originated in a
private (PPVPN user) network and aimed at PPVPN mechanisms.
b. Protection of the service provider infrastructure against
Data Plane or Control Plane DoS attacks originated in the
Internet and aimed at PPVPN mechanisms.
c. Protection of PPVPN users against Data Plane or Control
Plane DoS attacks originated from the Internet or from other
PPVPN users and aimed at PPVPN mechanisms.
16. Describe the protection, if any, the approach provides against
unstable or malicious operation of a PPVPN user network
a. Protection against high levels of, or malicious design of,
routing traffic from PPVPN user networks to the service
provider network.
b. Protection against high levels of, or malicious design of,
network management traffic from PPVPN user networks to the
service provider network.
Fang Informational [Page 39]
^L
RFC 4111 PPVPN Security Framework July 2005
c. Protection against worms and probes originated in the PPVPN
user networks, sent toward the service provider network.
17. Is the approach subject to any approach-specific vulnerabilities
not specifically addressed by this template? If so, describe the
defense or mitigation, if any, that the approach provides for
each.
10. Security Considerations
Security considerations constitute the sole subject of this memo and
hence are discussed throughout. Here we recap what has been
presented and explain at a very high level the role of each type of
consideration in an overall secure PPVPN system. The document
describes a number of potential security threats. Some of these
threats have already been observed occurring in running networks;
others are largely theoretical at this time.
DoS attacks and intrusion attacks from the Internet against service
provider infrastructure have been seen. DoS "attacks" (typically not
malicious) have also been seen in which CE equipment overwhelms PE
equipment with high quantities or rates of packet traffic or routing
information. Operational/provisioning errors are cited by service
providers as one of their prime concerns.
The document describes a variety of defensive techniques that may be
used to counter the suspected threats. All of the techniques
presented involve mature and widely implemented technologies that are
practical to implement.
The document describes the importance of detecting, monitoring, and
reporting both successful and unsuccessful attacks. These activities
are essential for "understanding one's enemy", mobilizing new
defenses, and obtaining metrics about how secure the PPVPN service
is. As such, they are vital components of any complete PPVPN
security system.
The document evaluates PPVPN security requirements from a customer
perspective and from a service provider perspective. These sections
re-evaluate the identified threats from the perspectives of the
various stakeholders and are meant to assist equipment vendors and
service providers, who must ultimately decide what threats to protect
against in any given equipment or service offering.
Finally, the document includes a template for use by authors of PPVPN
technical solutions for evaluating how those solutions measure up
against the security considerations presented in this memo.
Fang Informational [Page 40]
^L
RFC 4111 PPVPN Security Framework July 2005
11. Contributors
The following people made major contributions to writing this
document: Michael Behringer, Ross Callon, Fabio Chiussi, Jeremy De
Clerque, Paul Hitchen, and Paul Knignt.
Michael Behringer
Cisco
Village d'Entreprises Green Side, Phone: +33.49723-2652
400, Avenue Roumanille, Bat. T 3 EMail: mbehring@cisco.com
06410 Biot, Sophia Antipolis
France
Ross Callon
Juniper Networks
10 Technology Park Drive Phone: 978-692-6724
Westford, MA 01886 EMail: rcallon@juniper.net
Fabio Chiussi Phone: 1 978 367-8965
Airvana EMail: fabio@airvananet.com
19 Alpha Road
Chelmsford, Massachusetts 01824
Jeremy De Clercq
Alcatel
Fr. Wellesplein 1, 2018 Antwerpen EMail: jeremy.de_clercq@alcatel.be
Belgium
Mark Duffy
Sonus Networks
250 Apollo Drive Phone: 1 978-614-8748
Chelmsford, MA 01824 EMail: mduffy@sonusnet.com
Paul Hitchen
BT
BT Adastral Park
Martlesham Heath Phone: 44-1473-606-344
Ipswich IP53RE EMail: paul.hitchen@bt.com
UK
Paul Knight
Nortel
600 Technology Park Drive Phone: 978-288-6414
Billerica, MA 01821 EMail: paul.knight@nortel.com
Fang Informational [Page 41]
^L
RFC 4111 PPVPN Security Framework July 2005
12. Acknowledgement
The author and contributors would also like to acknowledge the
helpful comments and suggestions from Paul Hoffman, Eric Gray, Ron
Bonica, Chris Chase, Jerry Ash, and Stewart Bryant.
13. Normative References
[RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot,
G., and E. Lear, "Address Allocation for Private
Internets", BCP 5, RFC 1918, February 1996.
[RFC2246] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0",
RFC 2246, January 1999.
[RFC2401] Kent, S. and R. Atkinson, "Security Architecture for the
Internet Protocol", RFC 2401, November 1998.
[RFC2402] Kent, S. and R. Atkinson, "IP Authentication Header",
RFC 2402, November 1998.
[RFC2406] Kent, S. and R. Atkinson, "IP Encapsulating Security
Payload (ESP)", RFC 2406, November 1998.
[RFC2407] Piper, D., "The Internet IP Security Domain of
Interpretation for ISAKMP", RFC 2407, November 1998.
[RFC2661] Townsley, W., Valencia, A., Rubens, A., Pall, G., Zorn,
G., and B. Palter, "Layer Two Tunneling Protocol
"L2TP"", RFC 2661, August 1999.
[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
"Remote Authentication Dial In User Service (RADIUS)",
RFC 2865, June 2000.
[RFC3588] Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J.
Arkko, "Diameter Base Protocol", RFC 3588, September
2003.
[RFC3602] Frankel, S., Glenn, R., and S. Kelly, "The AES-CBC
Cipher Algorithm and Its Use with IPsec", RFC 3602,
September 2003.
Fang Informational [Page 42]
^L
RFC 4111 PPVPN Security Framework July 2005
[STD62] Harrington, D., Presuhn, R., and B. Wijnen, "An
Architecture for Describing Simple Network Management
Protocol (SNMP) Management Frameworks", STD 62, RFC
3411, December 2002.
Case, J., Harrington, D., Presuhn, R., and B. Wijnen,
"Message Processing and Dispatching for the Simple
Network Management Protocol (SNMP)", STD 62, RFC 3412,
December 2002.
Levi, D., Meyer, P., and B. Stewart, "Simple Network
Management Protocol (SNMP) Applications", STD 62, RFC
3413, December 2002.
Blumenthal, U. and B. Wijnen, "User-based Security Model
(USM) for version 3 of the Simple Network Management
Protocol (SNMPv3)", STD 62, RFC 3414, December 2002.
Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
Access Control Model (VACM) for the Simple Network
Management Protocol (SNMP)", STD 62, RFC 3415, December
2002.
Presuhn, R., "Version 2 of the Protocol Operations for
the Simple Network Management Protocol (SNMP)", STD 62,
RFC 3416, December 2002.
Presuhn, R., "Transport Mappings for the Simple Network
Management Protocol (SNMP)", STD 62, RFC 3417, December
2002.
Presuhn, R., "Management Information Base (MIB) for the
Simple Network Management Protocol (SNMP)", STD 62, RFC
3418, December 2002.
[STD8] Postel, J. and J. Reynolds, "Telnet Protocol
Specification", STD 8, RFC 854, May 1983.
14. Informative References
[RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC:
Keyed-Hashing for Message Authentication", RFC 2104,
February 1997.
[RFC2411] Thayer, R., Doraswamy, N., and R. Glenn, "IP Security
Document Roadmap", RFC 2411, November 1998.
Fang Informational [Page 43]
^L
RFC 4111 PPVPN Security Framework July 2005
[RFC3174] Eastlake 3rd, D. and P. Jones, "US Secure Hash Algorithm
1 (SHA1)", RFC 3174, September 2001.
[RFC3631] Bellovin, S., Schiller, J., and C. Kaufman, "Security
Mechanisms for the Internet", RFC 3631, December 2003.
[RFC3889] Barbir, A., Murphy, S., and Y. Yang, "Generic Threats to
Routing Protocols", RFC 3889, October 2004.
[RFC4026] Andersson, L. and T. Madsen, "Provider Provisioned
Virtual Private Network (VPN) Terminology", RFC 4026,
March 2005.
[RFC4031] Carugi, M. and D. McDysan, Eds., "Service Requirements
for Layer 3 Provider Provisioned Virtual Private
Networks (PPVPNs)", RFC 4031, April 2005.
[RFC4110] Callon, R. and M. Suzuki, "A Framework for Layer 3
Provider Provisioned Virtual Private Networks", RFC
4110, July 2005.
Author's Address
Luyuan Fang
AT&T Labs.
200 Laurel Avenue, Room C2-3B35
Middletown, NJ 07748
Phone: 732-420-1921
EMail: luyuanfang@att.com
Fang Informational [Page 44]
^L
RFC 4111 PPVPN Security Framework July 2005
Full Copyright Statement
Copyright (C) The Internet Society (2005).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at ietf-
ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Fang Informational [Page 45]
^L
|