The MPLS-OPS Archive
Re: Fwd: Re: Fwd: MPLS VPN

That argument is correct, but just based on the fact that the customer traffic is IP and the service the SP is giving is an IP service. Because of that, both have visibility at the same level. How secure the access to the PE is depends on the SP. It may be bulletproof or it may not. But the same way an ATM switch could have some management PVCs opened and it could be possible to do things at the ATM level, and then maybe at the IP level. Almost everything is possible. Again, as it has been said, it depends on how important the info being transported is and how big the interest (and $$) of someone else to have access to it is. IMHO, MPLS VPNs are as secure as a Frame Relay or ATM service. If someone is concerned about the fact that the PE is exposed to the CPE at the IP level, then use an L2 MPLS VPN, in which the CPE cannot do anything; there is no IP interface anywhere inside the VPN in the SP network.

Rgds and Happy New Year.
Javier.

----- Original Message -----
From: Roger Clark Williams <rogerw@nordlink.com>
Date: Monday, December 30, 2002 2:02 pm
Subject: Fwd: Re: [MPLS-OPS]: Fwd: MPLS VPN

> Got it, Guber, and it is a good point. I had stayed too theoretical, you
> got to the nuts and bolts. Thank you.
>
> Roger Williams
>
> >X-Originating-IP: [203.106.49.226]
> >From: "NOC Ops" <theguber@hotmail.com>
> >To: rogerw@nordlink.com
> >Subject: Re: [MPLS-OPS]: Fwd: MPLS VPN
> >Date: Mon, 30 Dec 2002 04:01:21 +0000
> >X-OriginalArrivalTime: 30 Dec 2002 04:01:21.0779 (UTC)
> >FILETIME=[1D27DC30:01C2AFB8]
> >
> >Yes...however....
> >
> >If you can gain access to a PE then it is rather an easy task to debug an
> >IP or MPLS packet...and that is my point.
> >
> >To gain access to an ATM or Frame switch you need to be "inside" the
> >network itself...IE: an employee of the Telco or have physical access to
> >the Central Office gear. Customers inherently "trust" Telcos so this has
> >not necessarily been an issue. Can be done on virtually any transmission
> >medium, even leased lines.
> >
> >Even if you could gain access to an ATM switch there are not exactly many
> >freeware applications out there to debug ATM traffic..it takes a certain
> >skill set...
> >
> >So yes I understand Wulf's point, (IE: That Telcos are to be "trusted")
> >but I would always advise any enterprise to run encryption when being
> >offered MPLS/VPN's since the PE's are vulnerable and it does not take a
> >Phd to debug the traffic.
> >
> >>From: Roger Clark Williams <rogerw@nordlink.com>
> >>To: "NOC Ops" <theguber@hotmail.com>
> >>Subject: Re: [MPLS-OPS]: Fwd: MPLS VPN
> >>Date: Sun, 29 Dec 2002 21:39:03 -0500
> >>
> >>Guber, I agree with a point you are raising, that one can often telnet to
> >>unprotected routers, and often more easily and with more destructive
> >>capacity than might be available with switches. Your point is totally
> >>valid, but I think Wulf's point was slightly different. He was saying
> >>that the traffic itself, whether by FR or ATM, is unprotected in the
> >>sense that it is not encrypted or in some way made invisible or
> >>unavailable to someone who has access to the traffic. In the best of all
> >>possible worlds no outsiders could get in anywhere and all SP employees
> >>would be completely, unassailably honest. In this case, unencrypted
> >>traffic would be fine - and private, the "P" in VPN. But these are not
> >>the best of all possible worlds and both your and his point is that the
> >>traffic is potentially accessible by one method or another. Therefore, if
> >>one wants security one has to define that, and then to be aware both of
> >>the level available with the technology being used as well as the demand
> >>or need for security. You have opened yet another reason to be careful in
> >>one's awareness of his/her own network's security as a customer, and of
> >>the SP's network security.
> >>
> >>Roger Williams
> >>
> >>At 01:03 AM 12/30/2002, you wrote:
> >>>Wulf,
> >>>
> >>>I do not want to get into a religious argument here but I tend to
> >>>disagree with you on your comparison with ATM and Frame...Neither of
> >>>these types of switches has Telnet, SNMP etc, ports exposed to client
> >>>side access that have to be secured....unlike most router based MPLS
> >>>PE's which do. I have on several occasions demonstrated to operators
> >>>the ability to Telnet into their networks from Client side connections
> >>>due to poor security framework and procedures.
> >>>
> >>>>From: Wulf Losee <qx49@attbi.com>
> >>>>To: MPLS-ops Mailing List <mpls-ops@mplsrc.com>
> >>>>Subject: Re: [MPLS-OPS]: Fwd: MPLS VPN
> >>>>Date: Sun, 29 Dec 2002 10:21:02 -0800
> >>>>
> >>>>Aleezah:
> >>>>I would like to amplify on what Roger said. Since the LSP is solely
> >>>>within the Service Provider's network, an MPLS VPN is considered
> >>>>"secure". And certainly it is no less secure than a Frame Relay PVC or
> >>>>an ATM PVC. It is considered extremely unlikely that other corporations
> >>>>or entities are snooping the traffic that runs across FR or ATM PVCs.
> >>>>Corporations put a huge amount of traffic over Frame Relay and ATM, and
> >>>>very few worry about the security of their traffic -- because the SP is
> >>>>considered to be a secure broker. However, for those corporations who
> >>>>are extra paranoid, there is no reason that they can't run IPsec VPNs
> >>>>between their sites. The MPLS VPN is transparent to them, but the SP's
> >>>>MPLS VPNs would carry the corporation's IPsec VPNs.
> >>>>
> >>>>MPLS VPNs are implemented by Service Providers for the purpose of TE,
> >>>>etc. While they tend to leave IPsec VPNs for their corporate customers
> >>>>to implement...
> >>>>
> >>>>--Wulf
> >>>>
> >>>>At 10:32 AM 12/29/02 -0500, Roger Clark Williams wrote:
> >>>>>Aleezah, security is relative. To take a simple example, are you more
> >>>>>secure with a 56-bit key or a 128-bit key? It all depends on the
> >>>>>capability of those who 1) have access to the traffic, and 2) the
> >>>>>ability they can muster to crack the encryption. It is relative.
> >>>>>
> >>>>>With a MPLS VPN the data within the original IP packet is still in
> >>>>>clear-text format, there is no encryption. Granted, the LSP you
> >>>>>mention may be secure, but who has access to that path? Can all those
> >>>>>people be trusted completely? It is all relative.
> >>>>>
> >>>>>There is no such thing as absolute security, there is only relatively
> >>>>>better and relatively worse security. For better security over an MPLS
> >>>>>VPN, I would use IPsec. Others will certainly argue for something
> >>>>>better, longer keys, whatever. Perhaps steganographically embedding
> >>>>>encrypted data in a file that is then encrypted within a packet that
> >>>>>itself is encrypted...... Again, it is all relative. What is the value
> >>>>>of your traffic?
> >>>>>
> >>>>>I would bring to your attention the very reasonable and informative
> >>>>>writings of Bruce Schneier, founder of Counterpane, and his newsletter
> >>>>>called Crypto-gram. Available to all at
> >>>>>http://www.counterpane.com/crypto-gram.html or send a blank message to
> >>>>>crypto-gram-subscribe@chaparraltree.com
> >>>>>
> >>>>>Roger Williams
> >>>>>
> >>>>>>X-Originating-IP: [203.135.5.55]
> >>>>>>From: "aleezah khan" <aleezahkhan2k@hotmail.com>
> >>>>>>To: rogerw@nordlink.com
> >>>>>>Subject: MPLS VPN
> >>>>>>Date: Sun, 29 Dec 2002 14:55:22 +0000
> >>>>>>X-OriginalArrivalTime: 29 Dec 2002 14:55:22.0298 (UTC)
> >>>>>>FILETIME=[4FEA21A0:01C2AF4A]
> >>>>>>
> >>>>>>Hi,
> >>>>>>merry Christmas to u!!
> >>>>>>i need some help. i hope u can guide me...
> >>>>>>In MPLS VPN with the use of VPN identifier (RD) and secure LSP, is
> >>>>>>data security still an issue?
> >>>>>>DO you think encrypting the data is the only way to secure our data
> >>>>>>running in BGP MPLS VPN?
> >>>>>>If not then what are your recommendations

-------
The MPLS-OPS Mailing List
Subscribe/Unsubscribe: http://www.mplsrc.com/mplsops.shtml
Archive: http://www.mplsrc.com/mpls-ops_archive.shtml
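The point that runs through the whole thread (the RD, the VRF and the LSP separate customers' routing, but the IP packet inside the label stack is carried exactly as the customer sent it, so only IPsec hides the payload from anyone positioned at a PE) can be made concrete with a small parser. The Python below is an added example, not code from the list or from any of the posters. It pops an RFC 3032 label stack, decodes the inner IPv4 header, and reports whether an observer at the PE could read the application bytes or would see only an ESP SPI and sequence number. The two frames, the label values 101 and 24001, the addresses and the MAC addresses are all constructed sample data; a customer could run the same classifier over a real capture at the CE-PE handoff to confirm that everything leaving the site toward the provider is ESP-protected.

```python
import struct

# Constants from the relevant RFCs (RFC 3032 shim header, RFC 4303 ESP).
ETHERTYPE_MPLS_UNICAST = 0x8847
IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_ESP = 50


def parse_mpls_stack(data):
    """Pop RFC 3032 shim headers until the bottom-of-stack bit; return (labels, payload)."""
    labels, offset = [], 0
    while True:
        if len(data) < offset + 4:
            raise ValueError("truncated MPLS label stack")
        (word,) = struct.unpack("!I", data[offset:offset + 4])
        labels.append({"label": word >> 12, "exp": (word >> 9) & 0x7,
                       "s": (word >> 8) & 0x1, "ttl": word & 0xFF})
        offset += 4
        if labels[-1]["s"]:
            return labels, data[offset:]


def parse_ipv4(data):
    """Minimal IPv4 header parse: protocol, addresses and the L4 payload."""
    if len(data) < 20 or data[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (data[0] & 0x0F) * 4
    total_len = struct.unpack("!H", data[2:4])[0]
    return {"proto": data[9],
            "src": ".".join(str(b) for b in data[12:16]),
            "dst": ".".join(str(b) for b in data[16:20]),
            "payload": data[ihl:total_len]}


def classify_frame(frame):
    """Say how much of one MPLS-labelled frame an observer at the PE could read."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_MPLS_UNICAST:
        return {"verdict": "not-mpls"}
    labels, inner = parse_mpls_stack(frame[14:])
    result = {"labels": [l["label"] for l in labels]}
    if not inner or inner[0] >> 4 != 4:
        # e.g. an L2 VPN pseudowire carrying an Ethernet frame: not decoded here.
        result["verdict"] = "non-ipv4-payload"
        return result
    ip = parse_ipv4(inner)
    result.update(src=ip["src"], dst=ip["dst"], proto=ip["proto"])
    if ip["proto"] == IPPROTO_ESP:
        # Only the ESP SPI and sequence number are visible; the rest is ciphertext.
        spi, seq = struct.unpack("!II", ip["payload"][:8])
        result.update(verdict="esp-protected", spi=spi, seq=seq)
    else:
        # TCP/UDP (or anything else): the application bytes are right there.
        if ip["proto"] == IPPROTO_TCP:
            l4_len = (ip["payload"][12] >> 4) * 4
        elif ip["proto"] == IPPROTO_UDP:
            l4_len = 8
        else:
            l4_len = 0
        result.update(verdict="cleartext", app_bytes=ip["payload"][l4_len:])
    return result


def audit(frames):
    """Count how many frames an observer at the PE could read in the clear."""
    verdicts = [classify_frame(f)["verdict"] for f in frames]
    clear, esp = verdicts.count("cleartext"), verdicts.count("esp-protected")
    return {"cleartext": clear, "esp-protected": esp, "other": len(verdicts) - clear - esp}


# --- Constructed sample frames (not captured traffic) -----------------------

def build_ipv4(proto, src, dst, payload):
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    # Header checksum left at zero: the classifier above never validates it.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src_b, dst_b)
    return hdr + payload


def build_mpls_frame(labels, packet):
    """Ethernet + MPLS label stack (transport label outermost) + packet."""
    eth = bytes.fromhex("00000c000001") + bytes.fromhex("00000c000002") + struct.pack("!H", ETHERTYPE_MPLS_UNICAST)
    shims = b""
    for i, label in enumerate(labels):
        bottom = 1 if i == len(labels) - 1 else 0
        shims += struct.pack("!I", (label << 12) | (0 << 9) | (bottom << 8) | 64)
    return eth + shims + packet


# Transport label 101, VPN label 24001 (both constructed values).
TCP_HDR = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x18, 65535, 0, 0)
CLEARTEXT_FRAME = build_mpls_frame([101, 24001], build_ipv4(IPPROTO_TCP, "10.1.1.10", "10.2.2.20", TCP_HDR + b"GET / HTTP/1.1\r\n"))
ESP_FRAME = build_mpls_frame([101, 24001], build_ipv4(IPPROTO_ESP, "192.0.2.1", "198.51.100.1", struct.pack("!II", 0x1234, 1) + bytes(range(32))))

if __name__ == "__main__":
    for f in (CLEARTEXT_FRAME, ESP_FRAME):
        print(classify_frame(f))
    print(audit([CLEARTEXT_FRAME, ESP_FRAME]))
```

Run as-is it classifies the first frame as cleartext and returns its HTTP request line verbatim, while for the second it can report only the SPI and sequence number. Javier's L2 MPLS VPN case lands in the "non-ipv4-payload" branch: the CE has no IP adjacency with the PE, but the payload of the pseudowire is still whatever the customer put on the wire, so the same IPsec recommendation applies there.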