The MPLS-OPS Archive

Re: security of MPLS VPN
Alexander,

> >When someone sends a fallacious IP address package to the PE,
> >as PE just assigns the RD and label by the IP address
> >information, one can enter the VPN easily.
>
> No, that is not true, as each interface is associated with a routing table
> which only contains routes relevant for that VPN.
>
> So in order to spoof, an intruder would need to enter the PE on the same
> interface as the connection to the CE of that VPN.
>
> The only way to spoof an MPLS/VPN network is whenever a bogus packet enters
> the core via an internal interface AND this packet has the correct labels
> assigned (outer label to reach the correct egress PE and inner label to go
> into that VPN).
> As those labels are not visible outside the PEs, this is not very likely.
>
> However, like on any transport network, someone inside the provider can do
> some harm, but that is true for ISDN, Frame Relay, ATM, ... as well.
>
> I have seen third party security evaluations which confirm that the
> security of an MPLS/VPN network is comparable to the security given in a
> Frame Relay network.

Just to add, folks interested in the security aspect of BGP/MPLS VPNs may also look at the Internet Draft draft-behringer-mpls-security-00.txt.

Yakov.

> with best regards
>
> Alexander
>
> -------
> The MPLS-OPS Mailing List
> Subscribe/Unsubscribe: http://www.mplsrc.com/mplsops.shtml
> Archive: http://www.mplsrc.com/mpls-ops_archive.shtml