The MPLS-OPS Archive


Re: Fwd: MPLS VPN

  • From: Wulf Losee <qx49@attbi.com>
  • Date: Sun, 29 Dec 2002 23:47:15 -0800
  • Resent-Date: Mon, 30 Dec 2002 04:14:37 -0500
  • To: "NOC Ops" <theguber@hotmail.com>, mpls-ops@mplsrc.com
  • X-Sender: qx49@attbi.com@mail.attbi.com

Gube:
Point well taken! You're quite right, PE security for MPLS VPNs (or plain 
old IP services) is definitely dependent on disabling the possibility of 
attacks from the customer side. Likewise, you are quite right, it would be 
impossible to mount an attack using TCP/IP applications on a "dumb" FR 
port. But my point was: once the data crosses the PE-threshold, it doesn't 
matter if it's riding in a PVC or LSP, the innate security/vulnerability of 
PVCs and LSPs are the same.

So, from a customer's perspective the security of FR and ATM vs. MPLS VPNs 
is equal. Now you might well respond: "if a Service Provider can have its 
MPLS PE routers subverted from the customer side, then Frame Relay or ATM 
services must be more secure!". But if the SP offers *any* IP services 
whatsoever to the outside world (and just about all of them do), then those 
services could be used as the jumping-off point to subverting the "secure" 
FR or ATM infrastructure. Security is only as good as the weakest link.

Moreover, I think you might just be a little too blasé about the security 
of Service Provider networks to internally mounted attacks (e.g. 
disgruntled employees, etc.). As a customer, I don't think I'd want to 
depend on the SP for *all* my security. As a security-conscious IT 
professional, if I were purchasing PVCs or LSPs from the SP, I'd still want 
to use IPsec to encrypt my traffic. Given the scenario where an intruder 
subverts the SP's network, the intruder would have great difficulty making 
use of my traffic. At worst my traffic wouldn't get through. For those 
customers with more demanding availability requirements, well, having a 
secondary SP would be a requirement.

Whew!
--Wulf

At 01:03 AM 12/30/02 +0000, NOC Ops wrote:
>Wulf,
>
>I do not want to get into a religious argument here but I tend to disagree 
>with you on your comparison with ATM and Frame... Neither of these types of 
>switches have Telnet, SNMP etc. ports exposed to client side access that 
>have to be secured... unlike most router based MPLS PEs which do. I have 
>on several occasions demonstrated to operators the ability to Telnet into 
>their networks from Client side connections due to poor security framework 
>and procedures.
>
>
>>From: Wulf Losee <qx49@attbi.com>
>>To: MPLS-ops Mailing List <mpls-ops@mplsrc.com>
>>Subject: Re: [MPLS-OPS]: Fwd: MPLS VPN
>>Date: Sun, 29 Dec 2002 10:21:02 -0800
>>
>>Aleezah:
>>I would like to amplify on what Roger said. Since the LSP is solely 
>>within the Service Provider's network, the MPLS VPN is considered 
>>"secure". And certainly it is no less secure than a Frame Relay PVC or an 
>>ATM PVC. It is considered extremely unlikely that other corporations or 
>>entities are snooping the traffic that runs across FR or ATM PVCs. 
>>Corporations put a huge amount of traffic over Frame Relay and ATM, and 
>>very few worry about the security of their traffic -- because the SP is 
>>considered to be a secure broker. However, for those corporations who 
>>are extra paranoid, there is no reason that they can't run IPsec VPNs 
>>between their sites. The MPLS VPN is transparent to them, but the SP's 
>>MPLS VPNs would carry the corporation's IPsec VPNs.
>>
>>MPLS VPNs are implemented by Service Providers for the purpose of TE, 
>>etc. While they tend to leave IPsec VPNs for their corporate customers to 
>>implement...
>>
>>--Wulf
>>
>>
>>At 10:32 AM 12/29/02 -0500, Roger Clark Williams wrote:
>>>Aleezah, security is relative. To take a simple example, are you more 
>>>secure with a 56-bit key or a 128-bit key? It all depends on the 
>>>capability of those who 1) have access to the traffic, and 2) the 
>>>ability they can muster to crack the encryption. It is relative.
>>>
>>>With a MPLS VPN the data within the original IP packet is still in 
>>>clear-text format, there is no encryption. Granted, the LSP you mention 
>>>may be secure, but who has access to that path? Can all those people be 
>>>trusted completely? It is all relative.
>>>
>>>There is no such thing as absolute security, there is only relatively 
>>>better and relatively worse security. For better security over an MPLS 
>>>VPN, I would use IPsec. Others will certainly argue for something 
>>>better, longer keys, whatever. Perhaps steganographically embedding 
>>>encrypted data in a file that is then encrypted within a packet that 
>>>itself is encrypted... Again, it is all relative. What is the value 
>>>of your traffic?
>>>
>>>I would bring to your attention the very reasonable and informative 
>>>writings of Bruce Schneier, founder of Counterpane, and his newsletter 
>>>called Crypto-gram. Available to all at 
>>>http://www.counterpane.com/crypto-gram.html or send a blank message to 
>>>crypto-gram-subscribe@chaparraltree.com
>>>
>>>Roger Williams
>>>
>>>
>>>>X-Originating-IP: [203.135.5.55]
>>>>From: "aleezah khan" <aleezahkhan2k@hotmail.com>
>>>>To: rogerw@nordlink.com
>>>>Subject: MPLS VPN
>>>>Date: Sun, 29 Dec 2002 14:55:22 +0000
>>>>X-OriginalArrivalTime: 29 Dec 2002 14:55:22.0298 (UTC) 
>>>>FILETIME=[4FEA21A0:01C2AF4A]
>>>>
>>>>
>>>>Hi,
>>>>merry Christmas to u!!
>>>>i need some help. i hope u can guide me...
>>>>In MPLS VPN with the use of VPN identifier (RD) and secure LSP, is 
>>>>data security still an issue?
>>>>DO you think encrypting the data is the only way to secure our data 
>>>>running in BGP MPLS VPN?
>>>>If not then what are your recommendations
>>>
>>
>>
>
>


-------
The MPLS-OPS Mailing List
Subscribe/Unsubscribe:  http://www.mplsrc.com/mplsops.shtml
Archive: http://www.mplsrc.com/mpls-ops_archive.shtml
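The exposure NOC Ops describes (PE management ports reachable from the customer side) is a configuration problem on the PE, not a property of LSPs. The fragment below is an added illustration, not from any poster in this thread; it assumes Cisco IOS syntax, with addresses, interface names, VRF name and community string as placeholders, and assumes SSH has already been enabled on the box.

```cisco
! Added example (not from the thread): limiting PE management-plane
! exposure towards a customer-facing interface. All values are placeholders.
!
! Only the SP NOC management range may reach the PE's management services.
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny   any log
!
! vty lines: NOC-only source filter, SSH instead of Telnet, idle timeout.
line vty 0 4
 access-class 10 in
 transport input ssh
 exec-timeout 5 0
!
! SNMP: read-only, and bound to the same NOC-only source filter.
snmp-server community EXAMPLE-RO RO 10
!
! Inbound filter for the CE-facing interface: drop management protocols
! aimed at the PE's own interface address, forward customer traffic normally.
ip access-list extended CE-INBOUND
 deny   tcp any host 198.51.100.1 eq telnet
 deny   tcp any host 198.51.100.1 eq 22
 deny   udp any host 198.51.100.1 eq snmp
 permit ip any any
!
interface Serial0/0.101 point-to-point
 description Customer CUST-A (VRF CUST-A)
 ip vrf forwarding CUST-A
 ip address 198.51.100.1 255.255.255.252
 ip access-group CE-INBOUND in
```

The interface ACL only covers this one attachment circuit; the vty access-class and SNMP ACL are what close the door regardless of which PE address a customer-side host targets, so both layers are needed.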