The MPLS-OPS Archive


Re: Fwd: MPLS VPN

  • From: "NOC Ops" <theguber@hotmail.com>
  • Date: Mon, 30 Dec 2002 01:03:26 +0000
  • Resent-Date: Sun, 29 Dec 2002 21:35:52 -0500
  • To: qx49@attbi.com, mpls-ops@mplsrc.com
  • X-OriginalArrivalTime: 30 Dec 2002 01:03:26.0796 (UTC) FILETIME=[425EB8C0:01C2AF9F]
  • X-Originating-IP: [203.106.49.124]

Wulf,

I do not want to get into a religious argument here but I tend to disagree 
with you on your comparison with ATM and Frame... Neither of these types of 
switches has Telnet, SNMP, etc. ports exposed to client-side access that 
have to be secured... unlike most router-based MPLS PEs, which do. I have on 
several occasions demonstrated to operators the ability to Telnet into 
their networks from client-side connections due to poor security framework 
and procedures.




>From: Wulf Losee <qx49@attbi.com>
>To: MPLS-ops Mailing List <mpls-ops@mplsrc.com>
>Subject: Re: [MPLS-OPS]: Fwd: MPLS VPN
>Date: Sun, 29 Dec 2002 10:21:02 -0800
>
>Aleezah:
>I would like to amplify on what Roger said. Since the LSP is solely within 
>the Service Provider's network, an MPLS VPN is considered "secure". And 
>certainly it is no less secure than a Frame Relay PVC or an ATM PVC. It is 
>considered extremely unlikely that other corporations or entities are 
>snooping the traffic that runs across FR or ATM PVCs. Corporations put a 
>huge amount of traffic over Frame Relay and ATM, and very few worry about 
>the security of their traffic -- because the SP is considered to be a 
>secure broker. However, for those corporations who are extra paranoid, 
>there is no reason that they can't run IPsec VPNs between their sites. The 
>MPLS VPN is transparent to them, but the SP's MPLS VPNs would carry the 
>corporation's IPsec VPNs.
>
>MPLS VPNs are implemented by Service Providers for the purpose of TE, etc. 
>While they tend to leave IPsec VPNs for their corporate customers to 
>implement...
>
>--Wulf
>
>
>At 10:32 AM 12/29/02 -0500, Roger Clark Williams wrote:
>>Aleezah, security is relative. To take a simple example, are you more 
>>secure with a 56-bit key or a 128-bit key? It all depends on the 
>>capability of those who 1) have access to the traffic, and 2) the ability 
>>they can muster to crack the encryption. It is relative.
>>
>>With an MPLS VPN the data within the original IP packet is still in 
>>clear-text format, there is no encryption. Granted, the LSP you mention 
>>may be secure, but who has access to that path? Can all those people be 
>>trusted completely? It is all relative.
>>
>>There is no such thing as absolute security, there is only relatively 
>>better and relatively worse security. For better security over an MPLS 
>>VPN, I would use IPsec. Others will certainly argue for something better, 
>>longer keys, whatever. Perhaps steganographically embedding encrypted data 
>>in a file that is then encrypted within a packet that itself is 
>>encrypted...... Again, it is all relative. What is the value of your 
>>traffic?
>>
>>I would bring to your attention the very reasonable and informative 
>>writings of Bruce Schneier, founder of Counterpane, and his newsletter 
>>called Crypto-gram. Available to all at 
>>http://www.counterpane.com/crypto-gram.html or send a blank message to 
>>crypto-gram-subscribe@chaparraltree.com
>>
>>Roger Williams
>>
>>
>>>X-Originating-IP: [203.135.5.55]
>>>From: "aleezah khan" <aleezahkhan2k@hotmail.com>
>>>To: rogerw@nordlink.com
>>>Subject: MPLS VPN
>>>Date: Sun, 29 Dec 2002 14:55:22 +0000
>>>X-OriginalArrivalTime: 29 Dec 2002 14:55:22.0298 (UTC) 
>>>FILETIME=[4FEA21A0:01C2AF4A]
>>>
>>>
>>>Hi,
>>>Merry Christmas to you!!
>>>I need some help. I hope you can guide me...
>>>In MPLS VPN with the use of VPN identifier (RD) and secure LSP, is data 
>>>security still an issue?
>>>Do you think encrypting the data is the only way to secure our data 
>>>running in BGP MPLS VPN?
>>>If not, then what are your recommendations?
>>>
>>
>>-------
>>The MPLS-OPS Mailing List
>>Subscribe/Unsubscribe:  http://www.mplsrc.com/mplsops.shtml
>>Archive: http://www.mplsrc.com/mpls-ops_archive.shtml
>