04_mpls_security_mcwg_v02
MPLS Security
5th Annual MCWG Forum, October 16-20, 2006
Tuesday, October 17, 2006
Harmen van der Linde, Product Manager MPLS, Cisco - NSSTG, [email protected]
2005 Cisco Systems, Inc. All rights reserved.
Contributions by: Michael Behringer, Monique Morrow
Topics
Multi-Protocol Label Switching (MPLS)
MPLS Security: Overview; Framework; Risks and Deployment; Feature Set
Conclusions
Multi-Protocol Label Switching
Technology Overview
Network Architecture
MPLS Security
Packet Network Evolution
Technology evolution:
1995 - 1996: IP over ATM challenge; IP + ATM integration; cell switching routers; IP/Tag Switching; IETF efforts
1996 - 2002: MPLS innovation and deployment; Traffic Engineering; MPLS VPNs; Fast Reroute; Any Transport over MPLS (AToM)
2002 and beyond: widespread MPLS deployments; Multi-Service Edge; MPLS High Availability with SSO/NSF/FRR; MPLS + IPSec; MPLS VPN and multicast
Service evolution:
1995 - 1996: traditional ATM/FR; Internet access; remote access VPNs
1996 - 2002: MPLS VPN services with full mesh and hub & spoke connectivity; QoS offerings with 2 to 5 classes
2002 and beyond: network convergence; many services on a converged MPLS core network; triple-play service convergence
Multi-Protocol Label Switching (MPLS)
Established network infrastructure technology: service provider networks and large enterprise networks
Two functional layers in the MPLS architecture: control plane and forwarding plane
MPLS control plane: distributes labels and establishes label switched paths; multiple control protocols (LDP, BGP, and RSVP-TE)
MPLS forwarding plane: used for forwarding of MPLS labeled data packets
MPLS applications: Layer-3 VPNs, Layer-2 VPNs, Traffic Engineering (TE)
MPLS Network Architecture
1. At ingress edge (PE): label imposition: classify and label packets
2. In the core (P): label swapping or switching: forward using labels (not IP addresses); the label indicates service class and destination
3. At egress edge (PE): label disposition: remove labels and forward packets
Diagram legend: Provider Edge (PE) = edge label switch router (router or ATM switch/router); Label Switch Router (LSR) or P (provider) router = router or ATM switch + label switch controller; Customer A and Customer B sites attach to the PE routers
MPLS Security
MPLS areas: Core MPLS (MPLS forwarding (data plane), MPLS signaling (control plane)); Layer-3 VPNs; Layer-2 VPNs; Traffic Engineering; MPLS High Availability; MPLS Management; MPLS Security
MPLS Security Overview
Overview and Scope
Cisco IP NGN
Market Drivers and Positioning
MPLS Security
Protection mechanisms for MPLS-specific network resources: protection of MPLS forwarding and signaling
MPLS security protection areas: MPLS node access and resiliency; integrity and privacy of MPLS VPN service traffic
Focus areas in the MPLS network infrastructure: MPLS core (label between PE pairs); MPLS service edge (PE-CE link); MPLS network interconnect (Inter-AS/SP)
Incremental value-add and integral part of a scalable and robust MPLS technology solution
Scope
Focus on security capabilities for MPLS-specific network resources: protection of MPLS forwarding and signaling
Incremental security functionality on top of existing MPLS functions; use of existing device and IP-level security capabilities (CLI passwords, TACACS, ACLs, firewalls, etc.) is assumed for a basic level of security
Leverage existing security capabilities of lower layer protocols where possible: instead of replicating functionality, focus on integration of MPLS with existing security capabilities; for example, LDP use of TCP MD5 authentication capabilities
Cisco IP NGN Secure Network Layer (architecture diagram)
Application layer: gaming; data center; presence-based telephony; web services; mobile apps; IP contact center
Service exchange (open framework): self, identity, policy, billing
Service layer and operational layer
Network layer (intelligent networking): customer element; access/aggregation; intelligent edge; multiservice core; transport; mobility
MPLS Security spans the MPLS service, the MPLS network and the MPLS core, edge and inter-connect, enabling triple play on the move (data, voice, video, mobility)
MPLS Security Evolution
1996 - 2002: initial MPLS deployments. Challenges: service provider MPLS technology adoption; code features and stability. Security focus: MPLS as a secure technology replacement for legacy Layer-2 technologies (FR/ATM).
2002 - 2005: large and widespread MPLS deployments. Challenges: MPLS scale and enhanced features; enterprise MPLS technology adoption; manageability and operations. Security focus: Inter-AS MPLS network connects; new RFP compliance requirements; enterprise network security.
2005 and beyond: next-generation MPLS deployments. Challenges: complexity of new enhanced services (extranets, multicast); MPLS network convergence; MPLS network inter-connects. Security focus: increasing service configuration complexity; new security requirements for support of converged triple play services.
MPLS Security Drivers
MPLS customers: service provider segment (Tier-1 global, Tier-2 national); enterprise segment (financials, education/research, other); government segment (government agencies and institutions)
MPLS security drivers and examples, as listed on the slide: regulations driving new network security requirements; US Homeland Security; regulatory compliance; extranet security; user traffic segmentation; regulatory compliance; extranet security; MPLS technology value-add; extranet partner connectivity; Sarbanes-Oxley Act; financial application access; secure campus connectivity; network convergence; network convergence and network interconnect; triple play and public/private services convergence; Inter-AS/SP network inter-connect
Concerns and Goals
Service provider market segment. Concerns: unauthorized customer VPN access; public Internet traffic access to/impact on private MPLS VPNs. Goals: customer VPN traffic separation; public Internet and private VPN traffic separation.
Enterprise market segment. Concerns: unauthorized access to internal user VPNs; public Internet traffic access to/impact on private LAN traffic. Goals: user group VPN traffic separation; WAN and extranet VPN traffic separation and privacy.
Federal market segment. Concerns: unauthorized access to internal user VPNs; WAN/public Internet traffic access to/impact on private LAN traffic. Goals: user group VPN traffic separation; WAN and VPN traffic separation and privacy.
MPLS Security Framework
Service Provider View
Enterprise View
Threat Model
Threat Model
Security threat: malicious user behavior
  Denial of Service (DoS) attacks: MPLS network resources become unavailable to authorized users
  Intrusion attacks: MPLS network resources become available to unauthorized users
Security threat: unintended human error and misconfiguration
  MPLS device misconfiguration: MPLS network resources become available to unauthorized users
MPLS Security Framework (diagram)
Trusted zone: the MPLS network, bounded by an external network interface on each side towards an external network
Control plane: MPLS core signaling (LDP, RSVP, and BGP); MPLS edge signaling (BGP, LDP, RIP, OSPF)
Forwarding plane: MPLS packet forwarding in the core; IP or MPLS packet forwarding at the external network interface
MPLS Security: Service Provider View (diagram)
Trusted zone: the MPLS network, with an external service interface towards the customer network and an external network connect interface towards a peer SP network
MPLS edge security: security for the VPN service interface; focus on control plane access and resources on the PE router
MPLS core security: security for end-to-end (PE-PE) MPLS traffic integrity; focus on MPLS packet forwarding
MPLS Inter-AS security: security for the network interconnect interface; focus on data/control plane access on the ASBR
MPLS Security: Enterprise View (diagram)
Trusted zone: the enterprise MPLS network, with an extranet service interface towards the extranet customer network and an external WAN interface towards the SP MPLS network
Extranet edge security: security of the extranet VPN interface; focus on data/control plane access across the interface with the partner
MPLS core security: security for end-to-end (PE-PE) MPLS traffic integrity; focus on MPLS traffic segmentation
WAN edge security: security of the WAN interface with the SP; focus on data/control plane access across the PE-CE link with the SP
Security Threats (topology: CE - PE - P - ASBR - ASBR - P - PE - CE)
MPLS service edge (PE router). Malicious user behavior: control plane DoS attacks; unauthorized control plane access (e.g., SNMP, CDP). Unintended human error and misconfiguration: unintended VPN route leakage due to VRF misconfiguration; PE router access due to incorrect/missing access configuration.
MPLS core (P routers). Malicious user behavior: control plane DoS attacks (e.g., LDP). Unintended human error and misconfiguration: unintended P router access due to incorrect ACL configuration.
MPLS Inter-AS edge (ASBR). Malicious user behavior: unauthorized VPN/IGP access via label spoofing; control plane DoS attack. Unintended human error and misconfiguration: unintended VPN route leakage due to incorrect VPN route distribution; ASBR router access due to incorrect/missing access configuration.
MPLS Security Risks and Deployment
Security Risk
MPLS Deployment Scenarios
Network Complexity versus Capital Costs
MPLS Security and Risks
MPLS security is associated with MPLS deployment and risk: the risk of an MPLS design or configuration error
MPLS deployment components: network design, implementation, and operation
Basic risk components: security vulnerability event; probability of the event; impact of the event
MPLS security is focused on mitigating potential security vulnerability events: minimizing the probability and associated impacts of potential events
MPLS Deployment Framework
Network design: identify/analyze potential security vulnerabilities in the MPLS network infrastructure; identify MPLS security capabilities that need to be implemented; design and specify device command parameters
Network implementation: set up and configuration of security policies and commands in the MPLS network
Network operation: monitor and analyze network anomalies, which could indicate a security attack
MPLS Deployment Risk
The MPLS network deployment complexity level determines perceived security risks: more complexity requires more detailed design, and associated network implementation and operation; more complexity increases the possibility of design and configuration errors
Influencing factors of MPLS deployment complexity: network architecture (e.g., physical vs. logical separation); networking services run on top of the MPLS network
Types of networking services: public IP services (Internet); private (VPN) connectivity services
Public and Private Connectivity Services
Public IP connectivity services. Service characteristics: access to the Internet; connectivity to anybody anywhere on the Internet; best effort traffic. Business focus: ubiquitous IP connectivity; general public access to web sites, email, etc. Examples: at&t Managed Internet Service (MIS); Sprint Nextel Internet Access; Verizon Business Dedicated Internet Access.
Private IP VPN connectivity services. Service characteristics: connectivity to a selective set of end-nodes connected to the same VPN; QoS support. Business focus: secure and reliable connectivity; Service Level Agreements (SLAs). Examples: at&t IPeFR, eVPN; Masergy Private IP; Sprint Nextel MPLS VPN; Verizon Business Private IP.
MPLS Deployment Scenarios
Shared MPLS core & edge (public/private PE). MPLS core network: single MPLS core for both public IP and private VPN traffic; optional BGP/Internet free core. MPLS edge network: PE routers terminate both public IP and private VPN connections.
Shared MPLS core & separate edge (public PE, private PE). MPLS core network: single MPLS core for both public IP and private VPN traffic; optional BGP/Internet free core. MPLS edge network: dedicated PE routers used for termination of public IP and private VPN connections.
Separate MPLS core & edge (public PE, private PE). MPLS core network: separate MPLS cores for public IP and private VPN traffic; optional BGP/Internet free core. MPLS edge network: dedicated PE routers used for termination of public IP and private VPN connections.
Current MPLS Deployments
Internal survey of key SP customers on deployment of public and private MPLS services, across three scenarios: separate MPLS core & edge; shared MPLS core & separate edge; shared MPLS core & edge
Chart values as extracted: 31%, 38%, 31%
No common MPLS deployment preference; balanced distribution of the various MPLS deployment scenarios
Source: Internal 2006 MPLS Security Survey by Michael Behringer.
Future MPLS Deployment Plans
Future MPLS deployment plans indicate increasing network consolidation: increasing number of shared MPLS core deployments
Scenarios: separate MPLS core & edge; shared MPLS core & separate edge; shared MPLS core & edge
Chart values as extracted: 19%, 31%, 50%
Common MPLS core for public and private services; migration of both public and private services onto a single MPLS edge
Source: Internal 2006 MPLS Security Survey by Michael Behringer.
Network Complexity versus Capital Costs (diagram)
Axes: network complexity (risk) versus capital costs; logical separation at one end, physical separation at the other
Scenarios plotted: shared MPLS core & edge (public/private PE); shared MPLS core & separate edge (public PE, private PE); separate MPLS core & edge (public PE, private PE)
Simplifications for implementing MPLS security mechanisms reduce MPLS deployment risks: MPLS security mechanisms enable secure logical separation of MPLS traffic forwarding and signaling
Goal: lower cost MPLS deployments with reduced complexity and increased resiliency
MPLS Security Features
Core Network Security
Service Edge Security
Network Inter-Connect Security
Feature Portfolio
MPLS core. Security focus: MPLS VPN traffic separation; network topology hiding; MPLS control plane protection. Feature areas: MPLS traffic forwarding; MPLS packet TTL hiding; control plane session authentication.
MPLS service edge. Security focus: VPN address space separation and route control; PE-CE link control plane access. Feature areas: control plane policing; VPN route control; BGP session prefix filtering and control; control plane session authentication.
MPLS network inter-connect. Security focus: MPLS VPN traffic separation; ASBR link control plane protection. Feature areas: control plane policing; VPN route control; control plane session authentication.
MPLS Security: Core Network
Requirement: VPN traffic separation. Available feature capabilities: MPLS labeled packet forwarding using different FECs, LSPs, and label imposition/disposition. Comment: native MPLS capability.
Requirement: MPLS control plane protection (access control). Available feature capabilities: selective enablement of BGP/LDP on core interfaces; selective IGP route assignment/distribution. Comment: ACL route filtering in the edge network assumed.
Requirement: MPLS control plane authentication. Available feature capabilities: MD5 authentication of LDP sessions; MD5 authentication of iBGP sessions. Comment: -
MPLS core network security (diagram): BGP route reflector, PE routers and P routers in the MPLS core network; LDP session and iBGP session shown
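The LDP and iBGP session authentication listed above, like the LDP example under Scope, rests on the TCP MD5 signature option of RFC 2385. The following Python model is added here for illustration; it is not part of the slide deck and not vendor code. It computes and verifies the RFC 2385 digest over a constructed segment: the LSR addresses, ports, shared key and payload bytes are constructed for the example, and the 20-byte option layout (18-byte option padded with two NOPs) is an assumption about how the real segment is laid out.

```python
"""RFC 2385 TCP MD5 signature, as used for LDP and BGP session authentication.
Added example, not vendor code.  The digest is MD5 over the TCP pseudo-header,
the fixed TCP header (options excluded, checksum zeroed), the payload and the
shared key, in that order."""
import hashlib
import hmac
import ipaddress
import struct

TCP_PROTO = 6
MD5_OPTION_LEN = 20  # assumption: 18-byte MD5 option padded with two NOP bytes
LDP_PORT = 646       # LDP session transport port


def tcp_fixed_header(sport, dport, seq, ack, flags, window):
    """20-byte fixed TCP header with the checksum forced to zero, as RFC 2385
    requires for the digest.  The data offset still counts the MD5 option."""
    data_offset_words = (20 + MD5_OPTION_LEN) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset_words << 4, flags, window, 0, 0)


def tcp_md5_digest(src_ip, dst_ip, fixed_header, payload, key):
    """MD5(pseudo-header || fixed header || payload || key)."""
    seg_len = len(fixed_header) + MD5_OPTION_LEN + len(payload)
    pseudo = struct.pack("!4s4sBBH",
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed,
                         0, TCP_PROTO, seg_len)
    return hashlib.md5(pseudo + fixed_header + payload + key).digest()


def verify_segment(src_ip, dst_ip, fixed_header, payload, key, received):
    """Receiver side: recompute the digest and compare in constant time."""
    expected = tcp_md5_digest(src_ip, dst_ip, fixed_header, payload, key)
    return hmac.compare_digest(expected, received)


# Constructed LDP session between two LSRs; the payload stands in for an LDP PDU.
LSR_A, LSR_B = "10.0.0.1", "10.0.0.2"
SESSION_KEY = b"ldp-session-secret"  # constructed


def demo():
    """Sign one segment, then check four receiver outcomes."""
    hdr = tcp_fixed_header(LDP_PORT, 49152, 1000, 2000, 0x18, 65535)
    pdu = b"constructed LDP PDU bytes"
    sig = tcp_md5_digest(LSR_A, LSR_B, hdr, pdu, SESSION_KEY)
    return {
        "digest_len": len(sig),
        "valid": verify_segment(LSR_A, LSR_B, hdr, pdu, SESSION_KEY, sig),
        "tampered_payload": verify_segment(LSR_A, LSR_B, hdr, pdu + b"x", SESSION_KEY, sig),
        "spoofed_source": verify_segment("192.0.2.9", LSR_B, hdr, pdu, SESSION_KEY, sig),
        "wrong_key": verify_segment(LSR_A, LSR_B, hdr, pdu, b"guess", sig),
    }


if __name__ == "__main__":
    print(demo())
```

Because the source address is inside the pseudo-header and the key is appended to the hashed data, a segment with a different source, an altered payload, or a digest computed without the key fails verification and is discarded before it reaches the LDP or BGP process; that is the control plane protection the requirement row above asks for. The comparison uses hmac.compare_digest so that the check itself does not leak timing information about the expected digest.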
Infrastructure Access-Lists (ACLs)
Topology: four PE-CE links in VPN address space 1.1.1.0/24: 1.1.1.0/30 (PE .1, CE .2); 1.1.1.4/30 (PE .1, CE .2); 1.1.1.8/30 (CE .1, PE .2); 1.1.1.12/30 (CE .1, PE .2)
Example:
  deny ip any 1.1.1.0 0.0.0.255
  permit ip any any
This is VPN address space, not core!
Caution: this also blocks packets to the CEs. Alternatives: list all PE interfaces in the ACL, or use a secondary interface on the CE.
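To make the caution on this slide concrete, here is a small Python model of IOS wildcard-mask ACL evaluation, added here for illustration; it is not Cisco code and not part of the original deck. It runs the slide's two-line ACL and the "list all PE interfaces" alternative against the PE and CE addresses read from the slide's diagram; the packet destinations are constructed for the example, and only destination matching is modelled.

```python
"""Model of IOS wildcard-mask ACL evaluation (added example, not vendor code).
Destination-address matching only, first match wins, implicit deny at the end."""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # 'any': every bit is don't-care


def host(addr):
    """'host a.b.c.d': every bit must match."""
    return (addr, "0.0.0.0")


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care_bits = 0xFFFFFFFF ^ _to_int(wildcard)
    return (_to_int(addr) & care_bits) == (_to_int(base) & care_bits)


def evaluate(acl, dst):
    """Return 'permit' or 'deny' for a packet to dst (implicit deny at the end)."""
    for action, (base, wildcard) in acl:
        if wildcard_match(dst, base, wildcard):
            return action
    return "deny"


def blocked(acl, addrs):
    """Addresses in addrs that the ACL would drop."""
    return [a for a in addrs if evaluate(acl, a) == "deny"]


# Addresses from the slide's diagram: four /30 PE-CE links inside 1.1.1.0/24.
PE_ADDRS = ["1.1.1.1", "1.1.1.5", "1.1.1.10", "1.1.1.14"]
CE_ADDRS = ["1.1.1.2", "1.1.1.6", "1.1.1.9", "1.1.1.13"]

# The slide's ACL: deny ip any 1.1.1.0 0.0.0.255 / permit ip any any
SLIDE_ACL = [("deny", ("1.1.1.0", "0.0.0.255")), ("permit", ANY)]

# The slide's first alternative: list every PE interface address explicitly.
PER_PE_ACL = [("deny", host(pe)) for pe in PE_ADDRS] + [("permit", ANY)]


if __name__ == "__main__":
    print("slide ACL blocks PEs:", blocked(SLIDE_ACL, PE_ADDRS))
    print("slide ACL blocks CEs:", blocked(SLIDE_ACL, CE_ADDRS))    # the caution
    print("per-PE ACL blocks CEs:", blocked(PER_PE_ACL, CE_ADDRS))  # []
```

The wildcard 0.0.0.255 makes the whole /24 a match, so every CE address in the link subnets is dropped along with the PE addresses. The per-PE list protects the PE interfaces while leaving the CEs reachable, at the cost of one entry per PE-CE link that has to be kept in step as links are added.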
Best Practices: MPLS Core Security
Dedicated management access to P and PE routers: out-of-band or in-band
Use AAA for device access; log device configuration changes; limit access to the logging facility
Use command authorization where possible; keep logs in a secure place, since a malicious employee might change logs too
Use access-control lists on PE routers to block any potential external traffic
Option to use MD5 authentication for LDP; may be required as part of security conformance policies
MPLS Security: Service Edge
Requirement: PE-CE link control plane protection (access control). Available feature capabilities: selective control plane prefix filtering; Control Plane Policing (CoPP). Comment: ACL protocol port filtering on the PE router assumed.
Requirement: VPN route access control and address space separation. Available feature capabilities: VPN address space separation via VRFs; BGP max-prefix limit (per eBGP session); VRF max route (per VRF). Comments: VRF ~ customer RIB; filtering control of BGP RIB and VPN route updates.
Requirement: PE-CE link control plane authentication. Available feature capabilities: MD5 authentication of eBGP sessions. Comment: -
MPLS service edge security (diagram): BGP route reflector, PE routers and P routers in the MPLS core network; PE router in the MPLS edge network; CE router in the customer edge network; LDP session, iBGP session, and eBGP session shown
Controlling VPN Route Maximum
Potential security vulnerability: injection of too many routes into the VPN table (VRF); potential memory overflow; potential (control plane) DoS attack
Protection mechanism: specify the maximum number of VPN routes for the VPN routing table (VRF); in the example, a maximum of 500 VPN prefixes, with a warning message sent when the 80% (400) threshold is reached
  ip vrf vpn01
   maximum routes 500 80
Controlling BGP Prefix Maximum
Potential security vulnerability: injection of too many BGP prefix updates; potential memory overflow; potential (control plane) DoS attack
Protection mechanism: specify the maximum number of BGP prefixes for a specific BGP neighbor session; in the example, accept a maximum of 500 BGP prefixes from the remote BGP neighbor, reset the BGP session if more are received, restart the BGP session after 2 minutes, and send a warning message when the 80% (400) threshold is reached
  router bgp 10
   neighbor 140.0.250.2 maximum-prefix 500 80 restart 2
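The two limits on the preceding slides, maximum routes 500 80 under the VRF and neighbor 140.0.250.2 maximum-prefix 500 80 restart 2 under BGP, share one shape: a hard maximum, a warning at a percentage of it, and, for the BGP neighbor, a session reset with a restart timer. The following Python model is added here for illustration and is not IOS or Cisco code. It walks both mechanisms with constructed prefixes and assumes that routes above the VRF limit are rejected rather than installed, and that prefixes above the neighbor limit tear the session down until the restart timer expires; the event strings are constructed, not IOS syslog text.

```python
"""Model of the VRF route limit and BGP neighbor maximum-prefix behaviour
configured on the slides.  Added example, not IOS code; assumptions noted inline."""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class VrfRouteLimit:
    """ip vrf <name> / maximum routes <maximum> <warn_percent>"""
    name: str
    maximum: int
    warn_percent: int
    routes: Set[str] = field(default_factory=set)
    events: List[str] = field(default_factory=list)

    @property
    def warn_threshold(self) -> int:
        return self.maximum * self.warn_percent // 100

    def install(self, prefix: str) -> bool:
        """Install a route; above the limit it is rejected (assumed behaviour)."""
        if prefix in self.routes:
            return True
        if len(self.routes) >= self.maximum:
            self.events.append(f"{self.name}: limit {self.maximum} reached, {prefix} rejected")
            return False
        self.routes.add(prefix)
        if len(self.routes) == self.warn_threshold:
            self.events.append(f"{self.name}: warning, {self.warn_percent}% of {self.maximum} routes")
        return True


@dataclass
class BgpPrefixLimit:
    """router bgp / neighbor <neighbor> maximum-prefix <maximum> <warn_percent> restart <minutes>"""
    neighbor: str
    maximum: int
    warn_percent: int
    restart_minutes: int
    prefixes: Set[str] = field(default_factory=set)
    session_up: bool = True
    restart_at: Optional[int] = None   # simulated clock, seconds
    events: List[str] = field(default_factory=list)

    def receive(self, prefix: str, now: int) -> bool:
        """Process one prefix from the neighbor at simulated time `now`."""
        if not self.session_up:
            return False
        self.prefixes.add(prefix)
        count = len(self.prefixes)
        if count == self.maximum * self.warn_percent // 100:
            self.events.append(f"{self.neighbor}: warning, {count} of {self.maximum} prefixes")
        if count > self.maximum:
            # Assumed behaviour: exceeding the limit resets the session and arms the timer.
            self.session_up = False
            self.restart_at = now + self.restart_minutes * 60
            self.prefixes.clear()
            self.events.append(f"{self.neighbor}: maximum-prefix exceeded, session reset")
            return False
        return True

    def tick(self, now: int) -> bool:
        """Advance the clock; bring the session back once the restart timer expires."""
        if not self.session_up and self.restart_at is not None and now >= self.restart_at:
            self.session_up = True
            self.restart_at = None
            self.events.append(f"{self.neighbor}: session restarted")
        return self.session_up


def constructed_prefixes(n: int):
    """n distinct constructed /24 prefixes."""
    return [f"10.{i // 256}.{i % 256}.0/24" for i in range(n)]


def run_vrf(n_routes: int = 600):
    """Push n_routes into a vpn01 VRF limited to 500 routes, warning at 80%."""
    vrf = VrfRouteLimit("vpn01", 500, 80)
    accepted = sum(vrf.install(p) for p in constructed_prefixes(n_routes))
    return accepted, vrf


def run_bgp(n_prefixes: int = 501):
    """Feed n_prefixes from a neighbor limited to 500, warning at 80%, restart 2."""
    peer = BgpPrefixLimit("140.0.250.2", 500, 80, 2)
    for p in constructed_prefixes(n_prefixes):
        peer.receive(p, now=0)
    return peer


if __name__ == "__main__":
    accepted, vrf = run_vrf()
    print(accepted, "routes installed;", vrf.events[:2])
    peer = run_bgp()
    print("session up:", peer.session_up, "restart at", peer.restart_at, "s")
```

The warning at 400 is the operational signal worth alerting on: it fires before anything is dropped or reset, which is when a misconfigured or misbehaving CE can still be investigated without a service impact. The VRF limit bounds memory per customer table; the neighbor limit bounds what one eBGP session can push at the PE control plane, and the restart timer keeps a flapping peer from re-injecting the same burst immediately.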
MPLS VPN Configuration
Reduce potential MPLS VPN configuration errors via automation of service configuration and validation on PE routers
MPLS Network Monitoring
Best Practices: MPLS Edge Security
Access-list configuration on PE routers: block external traffic destined to MPLS core or edge nodes
Control plane traffic filtering on PE routers: Control Plane Policing (CoPP)
Disable selected control plane protocols on VRF-enabled interfaces, e.g., disable SNMP and CDP access for CE routers
Configure the maximum allowable VRF routes; configure the maximum number of BGP prefix updates per eBGP peer
In case dynamic routing is configured across the PE-CE link, option to use MD5-based BGP session authentication; may be required as part of security conformance policies
MPLS Security: Network Inter-Connect
Requirement: PE-CE link control plane protection (access control). Available feature capabilities: VPNv4 route filtering; Control Plane Policing (CoPP). Comment: ACL protocol port filtering on the PE router assumed.
Requirement: VPN route access control and address space separation. Available feature capabilities: VPN address space separation via VRFs; BGP max-prefix limit (per eBGP session); VRF max route (per VRF). Comments: VRF ~ VPN-specific RIB; filtering control of BGP RIB and VPN route updates.
Requirement: ASBR link control plane authentication. Available feature capabilities: MD5 authentication of eBGP sessions. Comment: -
MPLS network connect security (diagram): BGP route reflector, PE router and P routers in the MPLS core network; ASBR router in the MPLS edge network; ASBR router in the external MPLS network; LDP session, iBGP session, and eBGP session shown
Wrap-up
IETF References
Conclusions
IETF References
IETF L3VPN Working Group: working on Layer 3 VPN architectures, such as MPLS IP VPNs, IP VPNs using virtual routers, and IPsec VPNs. http://www.ietf.org/html.charters/l3vpn-charter.html
IETF L2VPN Working Group: working on Layer 2 VPN architectures, such as VPLS and VPWS. http://www.ietf.org/html.charters/l2vpn-charter.html
RFC 4381: Analysis of MPLS VPN Security
RFC 2196: Site Security Handbook
RFC 2385: Protection of BGP Sessions via the TCP MD5 Signature Option
RFC 3013: Recommended Internet Service Provider Security Services and Procedures
Conclusions
MPLS security covers protection mechanisms for MPLS forwarding and signaling
MPLS security requires a holistic approach including network design, implementation, and operation
The level of MPLS network deployment complexity determines perceived network security risks
Growing importance of MPLS security as a result of network and service convergence