The MPLS-OPS Archive

RE: security of MPLS VPN
> >When someone sends a fallacious IP address package to the PE,
> >as PE just assigns the RD and label by the IP address
> >information, one can enter the VPN easily.

No, that is not true, as each interface is associated with a routing table which only contains routes relevant for that VPN. So in order to spoof, an intruder would need to enter the PE on the same interface as the connection to the CE of that VPN.

The only way to spoof an MPLS/VPN network is whenever a bogus packet enters the core via an internal interface AND this packet has the correct labels assigned (outer label to reach the correct egress PE and inner label to go into that VPN). As those labels are not visible outside the PEs, this is not very likely.

However, like on any transport network, someone inside the provider can do some harm, but that is true for ISDN, Frame Relay, ATM, ... as well.

I have seen third party security evaluations which confirm that the security of an MPLS/VPN network is comparable to the security given in a Frame Relay network.

With best regards,
Alexander

-------
The MPLS-OPS Mailing List
Subscribe/Unsubscribe: http://www.mplsrc.com/mplsops.shtml
Archive: http://www.mplsrc.com/mpls-ops_archive.shtml
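The lookup behaviour described in the reply above, as an added Python sketch (not part of the original message and not any vendor's code): the VRF is selected by the ingress interface, never by the source address, and an inner VPN label is only honoured on a core-facing interface. Interface names, prefixes, label values and the rule that labelled packets from a CE are dropped are assumptions of this toy model.

```python
# Added example: toy model of PE ingress handling. All names/values are constructed.
from ipaddress import ip_address, ip_network

# Each CE-facing interface is bound to exactly one VRF (per-VPN routing table).
IFACE_VRF = {"ce-red": "RED", "ce-blue": "BLUE"}
CORE_IFACES = {"core0"}

# Per-VRF routes: prefix -> (egress PE, inner VPN label). Prefixes may overlap
# between VPNs because each table is consulted in isolation.
VRF_ROUTES = {
    "RED":  {ip_network("10.1.0.0/16"): ("PE2", 101)},
    "BLUE": {ip_network("10.1.0.0/16"): ("PE3", 202)},
}

# Inner labels this PE handed out for its local VRFs; only PEs learn these.
LOCAL_VPN_LABELS = {301: "RED", 302: "BLUE"}


def pe_ingress(iface, src, dst, vpn_label=None):
    """Return (action, detail) for a packet arriving on interface `iface`."""
    if iface in IFACE_VRF:
        if vpn_label is not None:
            # Model assumption: a CE link carries plain IP, so labels are refused.
            return ("drop", "labelled packet on CE-facing interface")
        vrf = IFACE_VRF[iface]  # chosen by interface; `src` is never consulted
        for prefix, (egress_pe, label) in VRF_ROUTES[vrf].items():
            if ip_address(dst) in prefix:
                return ("forward", (vrf, egress_pe, label))
        return ("drop", f"no route in VRF {vrf}")
    if iface in CORE_IFACES:
        if vpn_label in LOCAL_VPN_LABELS:
            # The case the reply calls out: inside the core, a correct inner
            # label is what places a packet into a VPN.
            return ("deliver", LOCAL_VPN_LABELS[vpn_label])
        return ("drop", "no matching VPN label")
    return ("drop", "unknown interface")


if __name__ == "__main__":
    # A BLUE-attached sender forging an address from a RED site stays in BLUE.
    print(pe_ingress("ce-blue", "192.168.1.10", "10.1.9.9"))
    print(pe_ingress("ce-blue", "192.168.1.10", "10.1.9.9", vpn_label=301))
    print(pe_ingress("core0", "192.168.1.10", "10.1.9.9", vpn_label=301))
```
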