The MPLS-OPS Archive

RE: security
> -----Original Message-----
> From: Giaccio, Gustavo [mailto:giacciog@metrored.com.ar]
> Sent: Mon 20 November 2000 19:55
> To: list mpls
> Subject: security
>
> Hi friends !!!!!!!
>
> I need information about MPLS security because I have make a comparison
> between MPLS and ATM security.
> My question is the security issues on the MPLS BACKBONE when I make a trace
> between two CE's I found a lot of hops that are in my private Backbone
> Network.
>
> Traceroute example:
>
> CE1-------------------------PE1-------------P---------------P------------PE2---------------CE2
>
> 200.49.85.5-----------10.4.4.4------10.4.4.2------10.4.4.7------10.4.4.8--------200.49.85.38
>
> This address that I write are an example....
>
> My problem is that the customer can see my address planning.
> What is the security solution for this problem.

First of all, I believe it's possible to make the core LSRs invisible to
traceroute with some vendors' equipment, through changing their TTL
handling - check their documentation.

Also, although the PE and P LSR addresses appear in the results of your
traceroute, the real issue is whether you have a route to them - if you
deploy MPLS VPNs as in RFC 2547, the core LSRs are completely invisible to
the CE, i.e. CE routes are exchanged with other CEs, and there are never
any routes to core LSRs. The VPNs are created by setting up VPN-specific
routing tables on the PEs, preventing a site in VPN A from seeing any
routes that would give access to VPN B.

> I think that if the solution to this problem is similar to an "IP CLOUD"
> therefore, I think that the MPLS that's not provide the same level of
> security than ATM.

For your security comparison, you should really be looking at MPLS VPNs and
how they compare to ATM. MPLS alone is simply a way of separating routing
from forwarding, enabling some performance improvements; the important part
is how it supports traffic engineering and VPNs.

Richard
--
rdonkin@orchestream.com                 http://www.orchestream.com
Tel: +44 (0)20 7348 1507 (direct)       Orchestream Ltd.
     +44 (0)20 7348 1500 (switchboard)  Avon House, Kensington Village,
Fax: +44 (0)20 7348 1501                Avonmore Road
>>>> IP Service Activation >>>>         London W14 8TS, UK

-------
The MPLS-OPS Mailing List
Subscribe/Unsubscribe: http://www.mplsrc.com/mplsops.shtml
Archive: http://www.mplsrc.com/mpls-ops_archive.shtml
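
The TTL handling the reply refers to, as an added example that is not part of the original message: a simplified Python model of a traceroute from CE1 over the path in the post, where the ingress PE either copies the IP TTL into the label (core hops answer) or sets the label TTL to 255 (the whole LSP counts as one hop). The role assignments, the value 255 and the function names are assumptions of this sketch, not any vendor's implementation.

```python
# Constructed model of the path from the post; the addresses are the
# poster's own example values, the roles are assumed from the diagram.
PATH = [
    ("PE1", "10.4.4.4", "ingress"),
    ("P", "10.4.4.2", "core"),
    ("P", "10.4.4.7", "core"),
    ("PE2", "10.4.4.8", "egress"),
    ("CE2", "200.49.85.38", "dest"),
]


def probe(ip_ttl, propagate_ttl):
    """Return the address that answers a probe CE1 sends with this IP TTL."""
    label_ttl = None
    for _name, addr, role in PATH:
        if role == "dest":
            return addr                      # destination answers the probe
        if role == "ingress":
            ip_ttl -= 1                      # ordinary IP hop before the push
            if ip_ttl <= 0:
                return addr
            # Copy the IP TTL into the label, or hide it behind a fixed 255.
            label_ttl = ip_ttl if propagate_ttl else 255
        elif role == "core":
            label_ttl -= 1                   # core LSRs only see the label TTL
            if label_ttl <= 0:
                return addr                  # TTL expired inside the core
        elif role == "egress":
            label_ttl -= 1
            # On pop: take the label TTL back, or charge one hop for the LSP.
            ip_ttl = label_ttl if propagate_ttl else ip_ttl - 1
            if ip_ttl <= 0:
                return addr
    return None


def traceroute(propagate_ttl, max_ttl=30):
    """List the addresses that answer probes with TTL 1, 2, 3, ..."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        addr = probe(ttl, propagate_ttl)
        hops.append(addr)
        if addr == PATH[-1][1]:
            break
    return hops


if __name__ == "__main__":
    print("TTL copied into label:", traceroute(True))
    print("label TTL fixed at 255:", traceroute(False))
```

Suppressing the hops changes only what traceroute reports; as the reply notes, whether the CE has a route to the core addresses is a separate matter.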