The MPLS-OPS Archive: Fwd: Re: Fwd: MPLS VPN
Got it, Guber, and it is a good point. I had stayed too theoretical, you got to the nuts and bolts. Thank you.

Roger Williams

>X-Originating-IP: [203.106.49.226]
>From: "NOC Ops" <theguber@hotmail.com>
>To: rogerw@nordlink.com
>Subject: Re: [MPLS-OPS]: Fwd: MPLS VPN
>Date: Mon, 30 Dec 2002 04:01:21 +0000
>X-OriginalArrivalTime: 30 Dec 2002 04:01:21.0779 (UTC) FILETIME=[1D27DC30:01C2AFB8]
>
>Yes...however....
>
>If you can gain access to a PE then it is rather an easy task to debug an IP or MPLS packet...and that is my point.
>
>To gain access to an ATM or Frame switch you need to be "inside" the network itself...IE: an employee of the Telco or have physical access to the Central Office gear. Customers inherently "trust" Telcos so this has not necessarily been an issue. Can be done on virtually any transmission medium, even leased lines.
>
>Even if you could gain access to an ATM switch there are not exactly many freeware applications out there to debug ATM traffic..it takes a certain skill set...
>
>So yes I understand Wulf's point, (IE: That Telcos are to be "trusted") but I would always advise any enterprise to run encryption when being offered MPLS/VPNs since the PEs are vulnerable and it does not take a PhD to debug the traffic.
>
>>From: Roger Clark Williams <rogerw@nordlink.com>
>>To: "NOC Ops" <theguber@hotmail.com>
>>Subject: Re: [MPLS-OPS]: Fwd: MPLS VPN
>>Date: Sun, 29 Dec 2002 21:39:03 -0500
>>
>>Guber, I agree with a point you are raising, that one can often telnet to unprotected routers, and often more easily and with more destructive capacity than might be available with switches. Your point is totally valid, but I think Wulf's point was slightly different. He was saying that the traffic itself, whether by FR or ATM, is unprotected in the sense that it is not encrypted or in some way made invisible or unavailable to someone who has access to the traffic. In the best of all possible worlds no outsiders could get in anywhere and all SP employees would be completely, unassailably honest. In this case, unencrypted traffic would be fine - and private, the "P" in VPN. But these are not the best of all possible worlds and both your and his point is that the traffic is potentially accessible by one method or another. Therefore, if one wants security one has to define that, and then to be aware both of the level available with the technology being used as well as the demand or need for security. You have opened yet another reason to be careful in one's awareness of his/her own network's security as a customer, and of the SP's network security.
>>
>>Roger Williams
>>
>>At 01:03 AM 12/30/2002, you wrote:
>>>Wulf,
>>>
>>>I do not want to get into a religious argument here but I tend to disagree with you on your comparison with ATM and Frame...Neither of these types of switches have Telnet, SNMP etc. ports exposed to client side access that have to be secured....unlike most router based MPLS PEs which do. I have on several occasions demonstrated to operators the ability to Telnet into their networks from Client side connections due to poor security framework and procedures.
>>>
>>>>From: Wulf Losee <qx49@attbi.com>
>>>>To: MPLS-ops Mailing List <mpls-ops@mplsrc.com>
>>>>Subject: Re: [MPLS-OPS]: Fwd: MPLS VPN
>>>>Date: Sun, 29 Dec 2002 10:21:02 -0800
>>>>
>>>>Aleezah:
>>>>I would like to amplify on what Roger said. Since the LSP is solely within the Service Provider's network, MPLS VPN is considered "secure". And certainly it is no less secure than a Frame Relay PVC or an ATM PVC. It is considered extremely unlikely that other corporations or entities are snooping the traffic that runs across FR or ATM PVCs. Corporations put a huge amount of traffic over Frame Relay and ATM, and very few worry about the security of their traffic -- because the SP is considered to be a secure broker. However, for those corporations who are extra paranoid, there is no reason that they can't run IPsec VPNs between their sites. The MPLS VPN is transparent to them, but the SP's MPLS VPNs would carry the corporation's IPsec VPNs.
>>>>
>>>>MPLS VPNs are implemented by Service Providers for the purpose of TE, etc. While they tend to leave IPsec VPNs for their corporate customers to implement...
>>>>
>>>>--Wulf
>>>>
>>>>At 10:32 AM 12/29/02 -0500, Roger Clark Williams wrote:
>>>>>Aleezah, security is relative. To take a simple example, are you more secure with a 56-bit key or a 128-bit key? It all depends on the capability of those who 1) have access to the traffic, and 2) the ability they can muster to crack the encryption. It is relative.
>>>>>
>>>>>With an MPLS VPN the data within the original IP packet is still in clear-text format, there is no encryption. Granted, the LSP you mention may be secure, but who has access to that path? Can all those people be trusted completely? It is all relative.
>>>>>
>>>>>There is no such thing as absolute security, there is only relatively better and relatively worse security. For better security over an MPLS VPN, I would use IPsec. Others will certainly argue for something better, longer keys, whatever. Perhaps steganographically embedding encrypted data in a file that is then encrypted within a packet that itself is encrypted...... Again, it is all relative. What is the value of your traffic?
>>>>>
>>>>>I would bring to your attention the very reasonable and informative writings of Bruce Schneier, founder of Counterpane, and his newsletter called Crypto-gram. Available to all at http://www.counterpane.com/crypto-gram.html or send a blank message to crypto-gram-subscribe@chaparraltree.com
>>>>>
>>>>>Roger Williams
>>>>>
>>>>>>X-Originating-IP: [203.135.5.55]
>>>>>>From: "aleezah khan" <aleezahkhan2k@hotmail.com>
>>>>>>To: rogerw@nordlink.com
>>>>>>Subject: MPLS VPN
>>>>>>Date: Sun, 29 Dec 2002 14:55:22 +0000
>>>>>>X-OriginalArrivalTime: 29 Dec 2002 14:55:22.0298 (UTC) FILETIME=[4FEA21A0:01C2AF4A]
>>>>>>
>>>>>>Hi,
>>>>>>merry Christmas to u!!
>>>>>>I need some help. I hope u can guide me...
>>>>>>In MPLS VPN with the use of VPN identifier (RD) and secure LSP, is data security still an issue?
>>>>>>Do you think encrypting the data is the only way to secure our data running in BGP MPLS VPN?
>>>>>>If not then what are your recommendations

-------
The MPLS-OPS Mailing List
Subscribe/Unsubscribe: http://www.mplsrc.com/mplsops.shtml
Archive: http://www.mplsrc.com/mpls-ops_archive.shtml
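The point the whole thread keeps returning to is that the original IP packet inside an MPLS VPN rides in clear text behind the label stack, so only the customer's own IPsec makes it opaque to whoever can reach the LSP. The following added example (not code from the list or any of the posters) pops an RFC 3032 label stack, parses the inner IPv4 header and shows what is readable in each case; every label, address, SPI and payload in it is constructed.

```python
import struct
# Added example, not from the thread: pop an RFC 3032 MPLS label stack, read the
# inner IPv4 header and report whether the customer's data is readable in the
# clear or carried inside IPsec ESP. All packets, addresses, labels and the SPI
# below are constructed for illustration, not captured traffic.
ESP, UDP = 50, 17  # IP protocol numbers

def mpls_entry(label, bos, tc=0, ttl=64):
    """One 32-bit label stack entry: Label(20) | TC(3) | S(1) | TTL(8)."""
    return struct.pack("!I", (label << 12) | (tc << 9) | (bos << 8) | ttl)

def ipv4(proto, src, dst, payload):
    """Minimal IPv4 header in front of payload (checksum left 0, unused here)."""
    addr = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       64, proto, 0, addr(src), addr(dst)) + payload

def pop_labels(frame):
    """Walk label entries until the bottom-of-stack bit; return (labels, inner)."""
    labels, off = [], 0
    while True:
        (entry,) = struct.unpack_from("!I", frame, off)
        labels.append(entry >> 12)
        off += 4
        if (entry >> 8) & 1:
            return labels, frame[off:]

def inspect(frame):
    """What anyone with access to the LSP (e.g. on a PE) can see of this packet."""
    labels, inner = pop_labels(frame)
    ihl, proto = (inner[0] & 0x0F) * 4, inner[9]
    src = ".".join(map(str, inner[12:16]))
    dst = ".".join(map(str, inner[16:20]))
    payload = inner[ihl:]
    if proto == ESP:  # IPsec: only SPI/sequence are visible, data is ciphertext
        spi, _seq = struct.unpack_from("!II", payload)
        return {"labels": labels, "src": src, "dst": dst, "esp_spi": spi, "clear": None}
    if proto == UDP:  # skip the 8-byte UDP header, application data follows
        payload = payload[8:]
    return {"labels": labels, "src": src, "dst": dst, "esp_spi": None, "clear": payload}

def is_protected(frame):
    """Audit check for a CE-side capture: is this flow carried inside ESP?"""
    return inspect(frame)["esp_spi"] is not None

SECRET = b"Q4 payroll totals"  # constructed customer data
STACK = mpls_entry(16001, 0) + mpls_entry(24, 1)  # transport label + VPN label
PLAIN = STACK + ipv4(UDP, "10.1.1.5", "10.2.2.9", struct.pack("!HHHH", 5000, 5001, 8 + len(SECRET), 0) + SECRET)
FAKE_CT = bytes(range(32))  # placeholder for ESP ciphertext, not real cipher output
IPSEC = STACK + ipv4(ESP, "10.1.1.5", "10.2.2.9", struct.pack("!II", 0xABCD0001, 7) + FAKE_CT)
```

Run `inspect(PLAIN)` and `inspect(IPSEC)` side by side: the labels and the inner addresses are visible in both, but the payload is only recoverable from the first.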