The MPLS-OPS Archive

RE: Fwd: Re: Fwd: MPLS VPN

The PE need not be exposed to the CPE at the IP level - if it is exposed then the correct security procedures have not been enabled at the router. A simple access-list at the interface level can block unwanted access but still provide routing protocol support.

Jim

> >-----Original Message-----
> >From: fraanro [mailto:fraanro@arrakis.es]
> >Sent: Tuesday, December 31, 2002 12:44 PM
> >To: Roger Clark Williams
> >Cc: MPLS-ops Mailing List
> >Subject: Re: Fwd: Re: [MPLS-OPS]: Fwd: MPLS VPN
> >
> >That argument is correct, but just based on the fact that the customer
> >traffic is IP and the service the SP is giving is an IP service.
> >Because of that, both have visibility at the same level. How secured is
> >the access to the PE depends on the SP. It may be bullet proof or it
> >may not. But the same way an ATM switch could have some management PVCs
> >opened and it could be possible to do things at the ATM level, and then
> >maybe at the IP level. Almost everything is possible. Again, as it has
> >been said, it depends on how important is the info being transported
> >and how big is the interest (and $$) of someone else to have access to
> >it.
> >IMHO, MPLS VPNs are as secure as a Frame Relay or ATM service. If
> >someone is concerned about the fact that the PE is exposed to the CPE
> >at the IP level, then, use a L2 MPLS VPN, in which the CPE cannot do
> >anything, there is no IP interface anywhere inside the VPN in the SP
> >network.
> >
> >Rgds and Happy New Year.
> >Javier.
> >
> >----- Original Message -----
> >From: Roger Clark Williams <rogerw@nordlink.com>
> >Date: Monday, December 30, 2002 2:02 pm
> >Subject: Fwd: Re: [MPLS-OPS]: Fwd: MPLS VPN
> >
> >> Got it, Guber, and it is a good point. I had stayed too theoretical, you
> >> got to the nuts and bolts. Thank you.
> >>
> >> Roger Williams
> >>
> >>
> >> >X-Originating-IP: [203.106.49.226]
> >> >From: "NOC Ops" <theguber@hotmail.com>
> >> >To: rogerw@nordlink.com
> >> >Subject: Re: [MPLS-OPS]: Fwd: MPLS VPN
> >> >Date: Mon, 30 Dec 2002 04:01:21 +0000
> >> >X-OriginalArrivalTime: 30 Dec 2002 04:01:21.0779 (UTC)
> >> >FILETIME=[1D27DC30:01C2AFB8]
> >> >
> >> >Yes...however....
> >> >
> >> >If you can gain access to a PE then it is rather an easy task to debug an
> >> >IP or MPLS packet...and that is my point.
> >> >
> >> >To gain access to an ATM or Frame switch you need to be "inside" the
> >> >network itself...IE: an employee of the Telco or have physical access to
> >> >the Central Office gear. Customers inherently "trust" Telco's so this has
> >> >not necessarily been an issue. Can be done on virtually any transmission
> >> >medium, even leased lines.
> >> >
> >> >Even if you could gain access to an ATM switch there are not exactly many
> >> >freeware applications out there to debug ATM traffic..it takes a certain
> >> >skill set...
> >> >
> >> >So yes I understand Wulf's point, (IE: That Telcos are to be "trusted")
> >> >but I would always advise any enterprise to run encryption when being
> >> >offered MPLS/VPN's since the PE's are vulnerable and it does not take a
> >> >Phd to debug the traffic.
> >> >
> >> >
> >> >>From: Roger Clark Williams <rogerw@nordlink.com>
> >> >>To: "NOC Ops" <theguber@hotmail.com>
> >> >>Subject: Re: [MPLS-OPS]: Fwd: MPLS VPN
> >> >>Date: Sun, 29 Dec 2002 21:39:03 -0500
> >> >>
> >> >>Guber, I agree with a point you are raising, that one can often telnet to
> >> >>unprotected routers, and often more easily and with more destructive
> >> >>capacity than might be available with switches. Your point is totally
> >> >>valid, but I think Wulf's point was slightly different. He was saying
> >> >>that the traffic itself, whether by FR or ATM, is unprotected in the
> >> >>sense that it is not encrypted or in some way made invisible or
> >> >>unavailable to someone who has access to the traffic. In the best of all
> >> >>possible worlds no outsiders could get in anywhere and all SP employees
> >> >>would be completely, unassailably honest. In this case, unencrypted
> >> >>traffic would be fine - and private, the "P" in VPN. But these are not
> >> >>the best of all possible worlds and both your and his point is that the
> >> >>traffic is potentially accessible by one method or another. Therefore, if
> >> >>one wants security one has to define that, and then to be aware both of
> >> >>the level available with the technology being used as well as the demand
> >> >>or need for security. You have opened yet another reason to be careful in
> >> >>one's awareness of his/her own network's security as a customer, and of
> >> >>the SP's network security.
> >> >>
> >> >>Roger Williams
> >> >>
> >> >>At 01:03 AM 12/30/2002, you wrote:
> >> >>>Wulf,
> >> >>>
> >> >>>I do not want to get into a religious argument here but I tend to
> >> >>>disagree with you on your comparison with ATM and Frame...Neither of
> >> >>>these type of switches have Telnet, SNMP etc, ports exposed to client
> >> >>>side access that have to be secured....unlike most router based MPLS
> >> >>>PE's which do. I have on several occasions demonstrated to operators
> >> >>>the ability to Telnet into their networks from Client side connections
> >> >>>due to poor security framework and procedures.
> >> >>>
> >> >>>
> >> >>>>From: Wulf Losee <qx49@attbi.com>
> >> >>>>To: MPLS-ops Mailing List <mpls-ops@mplsrc.com>
> >> >>>>Subject: Re: [MPLS-OPS]: Fwd: MPLS VPN
> >> >>>>Date: Sun, 29 Dec 2002 10:21:02 -0800
> >> >>>>
> >> >>>>Aleezah:
> >> >>>>I would like to amplify on what Roger said. Since the LSP is solely
> >> >>>>within the Service Provider's network, and MPLS VPN is considered
> >> >>>>"secure". And certainly it is no less secure than a Frame Relay PVC or
> >> >>>>an ATM PVC. It is considered extremely unlikely that other corporations
> >> >>>>or entities are snooping the traffic that run across FR or ATM PVCs.
> >> >>>>Corporations put a huge amount of traffic over Frame Relay and ATM, and
> >> >>>>very few worry about the security of their traffic -- because the SP is
> >> >>>>considered to be a secure broker. However, for those corporations who
> >> >>>>are extra paranoid, there is no reason that they can't run IPsec VPNs
> >> >>>>between their sites. The MPLS VPN is transparent to them, but the SP's
> >> >>>>MPLS VPNs would carry the corporation's IPsec VPNs.
> >> >>>>
> >> >>>>MPLS VPNs are implemented by Service Providers for the purpose of TE,
> >> >>>>etc. While they tend to leave IPsec VPNs for their corporate customers
> >> >>>>to implement...
> >> >>>>
> >> >>>>--Wulf
> >> >>>>
> >> >>>>
> >> >>>>At 10:32 AM 12/29/02 -0500, Roger Clark Williams wrote:
> >> >>>>>Aleezah, security is relative. To take a simple example, are you more
> >> >>>>>secure with a 56-bit key or a 128-bit key? It all depends on the
> >> >>>>>capability of those who 1) have access to the traffic, and 2) the
> >> >>>>>ability they can muster to crack the encryption. It is relative.
> >> >>>>>
> >> >>>>>With a MPLS VPN the data within the original IP packet is still in
> >> >>>>>clear-text format, there is no encryption. Granted, the LSP you
> >> >>>>>mention may be secure, but who has access to that path? Can all those
> >> >>>>>people be trusted completely? It is all relative.
> >> >>>>>
> >> >>>>>There is no such thing as absolute security, there is only relatively
> >> >>>>>better and relatively worse security. For better security over an MPLS
> >> >>>>>VPN, I would use IPsec. Others will certainly argue for something
> >> >>>>>better, longer keys, whatever. Perhaps steganographically embedding
> >> >>>>>encrypted data in a file that is then encrypted within a packet that
> >> >>>>>itself is encrypted...... Again, it is all relative. What is the value
> >> >>>>>of your traffic?
> >> >>>>>
> >> >>>>>I would bring to your attention the very reasonable and informative
> >> >>>>>writings of Bruce Schneier, founder of Counterpane, and his newsletter
> >> >>>>>called Crypto-gram. Available to all at
> >> >>>>>http://www.counterpane.com/crypto-gram.html or send a blank message to
> >> >>>>>crypto-gram-subscribe@chaparraltree.com
> >> >>>>>
> >> >>>>>Roger Williams
> >> >>>>>
> >> >>>>>
> >> >>>>>>X-Originating-IP: [203.135.5.55]
> >> >>>>>>From: "aleezah khan" <aleezahkhan2k@hotmail.com>
> >> >>>>>>To: rogerw@nordlink.com
> >> >>>>>>Subject: MPLS VPN
> >> >>>>>>Date: Sun, 29 Dec 2002 14:55:22 +0000
> >> >>>>>>X-OriginalArrivalTime: 29 Dec 2002 14:55:22.0298 (UTC)
> >> >>>>>>FILETIME=[4FEA21A0:01C2AF4A]
> >> >>>>>>
> >> >>>>>>
> >> >>>>>>Hi,
> >> >>>>>>merry Christmas to u!!
> >> >>>>>>i need some help .i hope u can guide me...
> >> >>>>>>In MPLS VPN with the use of VPN identifier (RD) and secure LSP ,is
> >> >>>>>>data security still an issue?
> >> >>>>>>DO you think encrypting the data is the only way to secure our data
> >> >>>>>>running in BGP MPLS VPN?
> >> >>>>>>If not then what are your recommendations
> >> >>>>>>

-------
The MPLS-OPS Mailing List
Subscribe/Unsubscribe: http://www.mplsrc.com/mplsops.shtml
Archive: http://www.mplsrc.com/mpls-ops_archive.shtml
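Jim's reply above says an interface-level access-list can block unwanted access to the PE from the CE side while still letting the PE-CE routing protocol run. The following is an added example of what that looks like in Cisco IOS syntax; it is not from the thread or from any vendor document. The addresses, the VRF name CUST-A, the interface name, the PE loopback, and the choice of eBGP as the PE-CE routing protocol are all assumptions made for the example.

```cisco
! Added example, not from the thread. Assumed PE-CE link: PE 192.0.2.1/30,
! CE 192.0.2.2/30, PE-CE routing via eBGP, PE loopback 198.51.100.1 (assumed).
!
! Weak setting: the CE-facing interface carries no ACL, so the CE, and any
! host routing through it, can reach telnet/SNMP/etc. on the PE itself.
!
! Hardened setting: permit only the routing session from the directly
! connected CE, deny every other packet addressed to the PE, and let the
! customer's transit traffic continue into the VRF.
ip access-list extended PE-CE-IN
 remark --- routing protocol support: eBGP between the CE and this PE ---
 permit tcp host 192.0.2.2 host 192.0.2.1 eq bgp
 permit tcp host 192.0.2.2 eq bgp host 192.0.2.1
 remark --- optional: let the CE ping its PE interface for troubleshooting ---
 permit icmp host 192.0.2.2 host 192.0.2.1 echo
 remark --- everything else aimed at the PE is dropped and logged ---
 deny   ip any host 192.0.2.1 log
 deny   ip any host 198.51.100.1 log
 remark --- customer transit traffic is unaffected ---
 permit ip any any
!
interface GigabitEthernet0/1
 description CE-facing link, VRF CUST-A (assumed interface and VRF name)
 ip vrf forwarding CUST-A
 ip address 192.0.2.1 255.255.255.252
 ip access-group PE-CE-IN in
```

The two `permit tcp` lines cover both directions in which the BGP TCP session can be opened (CE-initiated to port 179 on the PE, or PE-initiated with the CE answering from port 179); for OSPF or static PE-CE routing the permit lines change accordingly. `show ip access-lists PE-CE-IN` shows the per-entry hit counters, so a non-zero count on the `deny` lines is a quick check that something on the customer side is probing the PE. This filter only limits what the CE-facing interface accepts for the PE itself; it does nothing about the separate concern raised later in the thread, that customer data crosses the SP core in cleartext, which is what the CE-to-CE IPsec recommendation addresses.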