The MPLS-OPS Archive

Fwd: RE: Fwd: Re: Fwd: MPLS VPN

Jim, you are completely right. I think the discussion has gotten away a bit
from Aleezah's original question of the relative security of MPLS VPNs. You
point out that everything goes bad if basic network security gets lax. A VPN,
unless encrypted, provides very little privacy if the doors to the network are
left wide open. That should be elementary - but it is not always done or done
correctly. By example, I think it may be the ICND course, the basic Cisco
course, that points out the difference between telnetting through a device vs.
telnetting to a device.

Roger Williams

> From: "Jim Guichard" <jguichar@cisco.com>
> To: "fraanro" <fraanro@arrakis.es>,
>     "Roger Clark Williams" <rogerw@nordlink.com>
> Cc: "MPLS-ops Mailing List" <mpls-ops@mplsrc.com>
> Subject: RE: Fwd: Re: [MPLS-OPS]: Fwd: MPLS VPN
> Date: Tue, 31 Dec 2002 15:05:43 -0500
>
> the PE need not be exposed to the CPE at the IP level - if it is exposed
> then the correct security procedures have not been enabled at the router. A
> simple access-list at the interface level can block unwanted access but
> still provide routing protocol support.
>
> Jim
>
>> -----Original Message-----
>> From: fraanro [mailto:fraanro@arrakis.es]
>> Sent: Tuesday, December 31, 2002 12:44 PM
>> To: Roger Clark Williams
>> Cc: MPLS-ops Mailing List
>> Subject: Re: Fwd: Re: [MPLS-OPS]: Fwd: MPLS VPN
>>
>> That argument is correct, but just based on the fact that the customer
>> traffic is IP and the service the SP is giving is an IP service.
>> Because of that, both have visibility at the same level. How secure the
>> access to the PE is depends on the SP. It may be bullet proof or it
>> may not. But the same way an ATM switch could have some management PVCs
>> opened and it could be possible to do things at the ATM level, and then
>> maybe at the IP level. Almost everything is possible.
>> Again, as it has been said, it depends on how important the info being
>> transported is and how big the interest (and $$) of someone else to have
>> access to it is.
>> IMHO, MPLS VPNs are as secure as a Frame Relay or ATM service. If
>> someone is concerned about the fact that the PE is exposed to the CPE
>> at the IP level, then use a L2 MPLS VPN, in which the CPE cannot do
>> anything; there is no IP interface anywhere inside the VPN in the SP
>> network.
>>
>> Rgds and Happy New Year.
>> Javier.
>>
>> ----- Original Message -----
>> From: Roger Clark Williams <rogerw@nordlink.com>
>> Date: Monday, December 30, 2002 2:02 pm
>> Subject: Fwd: Re: [MPLS-OPS]: Fwd: MPLS VPN
>>
>>> Got it, Guber, and it is a good point. I had stayed too theoretical, you
>>> got to the nuts and bolts. Thank you.
>>>
>>> Roger Williams
>>>
>>>> X-Originating-IP: [203.106.49.226]
>>>> From: "NOC Ops" <theguber@hotmail.com>
>>>> To: rogerw@nordlink.com
>>>> Subject: Re: [MPLS-OPS]: Fwd: MPLS VPN
>>>> Date: Mon, 30 Dec 2002 04:01:21 +0000
>>>>
>>>> Yes...however....
>>>>
>>>> If you can gain access to a PE then it is rather an easy task to debug an
>>>> IP or MPLS packet...and that is my point.
>>>>
>>>> To gain access to an ATM or Frame switch you need to be "inside" the
>>>> network itself...IE: an employee of the Telco or have physical access to
>>>> the Central Office gear. Customers inherently "trust" Telcos so this has
>>>> not necessarily been an issue. Can be done on virtually any transmission
>>>> medium, even leased lines.
>>>>
>>>> Even if you could gain access to an ATM switch there are not exactly many
>>>> freeware applications out there to debug ATM traffic..it takes a certain
>>>> skill set...
>>>>
>>>> So yes I understand Wulf's point, (IE: That Telcos are to be "trusted")
>>>> but I would always advise any enterprise to run encryption when being
>>>> offered MPLS/VPNs since the PEs are vulnerable and it does not take a
>>>> PhD to debug the traffic.
>>>>
>>>>> From: Roger Clark Williams <rogerw@nordlink.com>
>>>>> To: "NOC Ops" <theguber@hotmail.com>
>>>>> Subject: Re: [MPLS-OPS]: Fwd: MPLS VPN
>>>>> Date: Sun, 29 Dec 2002 21:39:03 -0500
>>>>>
>>>>> Guber, I agree with a point you are raising, that one can often telnet to
>>>>> unprotected routers, and often more easily and with more destructive
>>>>> capacity than might be available with switches. Your point is totally
>>>>> valid, but I think Wulf's point was slightly different. He was saying
>>>>> that the traffic itself, whether by FR or ATM, is unprotected in the
>>>>> sense that it is not encrypted or in some way made invisible or
>>>>> unavailable to someone who has access to the traffic. In the best of all
>>>>> possible worlds no outsiders could get in anywhere and all SP employees
>>>>> would be completely, unassailably honest. In this case, unencrypted
>>>>> traffic would be fine - and private, the "P" in VPN. But these are not
>>>>> the best of all possible worlds and both your and his point is that the
>>>>> traffic is potentially accessible by one method or another. Therefore, if
>>>>> one wants security one has to define that, and then to be aware both of
>>>>> the level available with the technology being used as well as the demand
>>>>> or need for security.
>>>>> You have opened yet another reason to be careful in one's awareness of
>>>>> his/her own network's security as a customer, and of the SP's network
>>>>> security.
>>>>>
>>>>> Roger Williams
>>>>>
>>>>> At 01:03 AM 12/30/2002, you wrote:
>>>>>> Wulf,
>>>>>>
>>>>>> I do not want to get into a religious argument here but I tend to
>>>>>> disagree with you on your comparison with ATM and Frame...Neither of
>>>>>> these types of switches have Telnet, SNMP etc. ports exposed to client
>>>>>> side access that have to be secured....unlike most router based MPLS
>>>>>> PEs which do. I have on several occasions demonstrated to operators
>>>>>> the ability to Telnet into their networks from client side connections
>>>>>> due to poor security framework and procedures.
>>>>>>
>>>>>>> From: Wulf Losee <qx49@attbi.com>
>>>>>>> To: MPLS-ops Mailing List <mpls-ops@mplsrc.com>
>>>>>>> Subject: Re: [MPLS-OPS]: Fwd: MPLS VPN
>>>>>>> Date: Sun, 29 Dec 2002 10:21:02 -0800
>>>>>>>
>>>>>>> Aleezah:
>>>>>>> I would like to amplify on what Roger said. Since the LSP is solely
>>>>>>> within the Service Provider's network, an MPLS VPN is considered
>>>>>>> "secure". And certainly it is no less secure than a Frame Relay PVC or
>>>>>>> an ATM PVC. It is considered extremely unlikely that other corporations
>>>>>>> or entities are snooping the traffic that runs across FR or ATM PVCs.
>>>>>>> Corporations put a huge amount of traffic over Frame Relay and ATM, and
>>>>>>> very few worry about the security of their traffic -- because the SP is
>>>>>>> considered to be a secure broker. However, for those corporations who
>>>>>>> are extra paranoid, there is no reason that they can't run IPsec VPNs
>>>>>>> between their sites.
>>>>>>> The MPLS VPN is transparent to them, but the SP's MPLS VPNs would carry
>>>>>>> the corporation's IPsec VPNs.
>>>>>>>
>>>>>>> MPLS VPNs are implemented by Service Providers for the purpose of TE,
>>>>>>> etc., while they tend to leave IPsec VPNs for their corporate customers
>>>>>>> to implement...
>>>>>>>
>>>>>>> --Wulf
>>>>>>>
>>>>>>> At 10:32 AM 12/29/02 -0500, Roger Clark Williams wrote:
>>>>>>>> Aleezah, security is relative. To take a simple example, are you more
>>>>>>>> secure with a 56-bit key or a 128-bit key? It all depends on the
>>>>>>>> capability of those who 1) have access to the traffic, and 2) the
>>>>>>>> ability they can muster to crack the encryption. It is relative.
>>>>>>>>
>>>>>>>> With a MPLS VPN the data within the original IP packet is still in
>>>>>>>> clear-text format, there is no encryption. Granted, the LSP you
>>>>>>>> mention may be secure, but who has access to that path? Can all those
>>>>>>>> people be trusted completely? It is all relative.
>>>>>>>>
>>>>>>>> There is no such thing as absolute security, there is only relatively
>>>>>>>> better and relatively worse security. For better security over an MPLS
>>>>>>>> VPN, I would use IPsec. Others will certainly argue for something
>>>>>>>> better, longer keys, whatever. Perhaps steganographically embedding
>>>>>>>> encrypted data in a file that is then encrypted within a packet that
>>>>>>>> itself is encrypted...... Again, it is all relative. What is the value
>>>>>>>> of your traffic?
>>>>>>>>
>>>>>>>> I would bring to your attention the very reasonable and informative
>>>>>>>> writings of Bruce Schneier, founder of Counterpane, and his newsletter
>>>>>>>> called Crypto-gram.
>>>>>>>> Available to all at http://www.counterpane.com/crypto-gram.html or
>>>>>>>> send a blank message to crypto-gram-subscribe@chaparraltree.com
>>>>>>>>
>>>>>>>> Roger Williams
>>>>>>>>
>>>>>>>>> X-Originating-IP: [203.135.5.55]
>>>>>>>>> From: "aleezah khan" <aleezahkhan2k@hotmail.com>
>>>>>>>>> To: rogerw@nordlink.com
>>>>>>>>> Subject: MPLS VPN
>>>>>>>>> Date: Sun, 29 Dec 2002 14:55:22 +0000
>>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>> merry Christmas to u!!
>>>>>>>>> I need some help. I hope u can guide me...
>>>>>>>>> In MPLS VPN with the use of VPN identifier (RD) and secure LSP, is
>>>>>>>>> data security still an issue?
>>>>>>>>> Do you think encrypting the data is the only way to secure our data
>>>>>>>>> running in BGP MPLS VPN?
>>>>>>>>> If not then what are your recommendations

-------
The MPLS-OPS Mailing List
Subscribe/Unsubscribe: http://www.mplsrc.com/mplsops.shtml
Archive: http://www.mplsrc.com/mpls-ops_archive.shtml
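Jim's remark that an access-list at the interface level can block unwanted access to the PE while still carrying the routing protocol, and Guber's point that router-based PEs expose Telnet and SNMP towards the customer side, can be made concrete in Cisco IOS. The configuration below is an added example written for this archive page; it is not configuration posted by anyone in the thread. The interface, VRF and ACL names and every address (192.0.2.0/30 for the PE-CE link, 198.51.100.10 as the SP management station) are constructed, and the PE-CE routing protocol is assumed to be eBGP.

```cisco
! Added example, not from the MPLS-OPS thread. All names and addresses are
! constructed: CE peer 192.0.2.2/30, PE link address 192.0.2.1/30,
! SP management station 198.51.100.10, customer VRF CUST-A.
!
! --- Weak: PE-CE interface with no inbound filter. Any host in the VRF can
! --- reach Telnet, SSH and SNMP on the PE's own link address.
! interface GigabitEthernet0/1
!  ip vrf forwarding CUST-A
!  ip address 192.0.2.1 255.255.255.252
!
! --- Hardened: let the routing protocol (eBGP) and ping reach the PE, drop
! --- everything else addressed to the PE itself, still forward transit.
ip access-list extended PE-CE-IN
 remark eBGP session in either direction between the CE peer and the PE
 permit tcp host 192.0.2.2 host 192.0.2.1 eq bgp
 permit tcp host 192.0.2.2 eq bgp host 192.0.2.1
 remark Ping to the next hop is still useful for the customer's troubleshooting
 permit icmp host 192.0.2.2 host 192.0.2.1 echo
 remark Nothing else may be addressed to the PE's own address. Repeat this
 remark deny for every PE address that lives inside this VRF.
 deny   ip any host 192.0.2.1
 remark Customer traffic towards other sites is transit through the VRF
 permit ip any any
!
interface GigabitEthernet0/1
 description PE-CE link, customer CUST-A
 ip vrf forwarding CUST-A
 ip address 192.0.2.1 255.255.255.252
 ip access-group PE-CE-IN in
!
! --- Management plane, independent of the interface filter: VTY and SNMP
! --- only from the SP management station, never from a customer address.
ip access-list standard MGMT-ONLY
 permit host 198.51.100.10
 deny   any log
!
line vty 0 4
 access-class MGMT-ONLY in
 transport input ssh
!
! Community string is a placeholder; RO and the ACL restrict who may poll.
snmp-server community REPLACE-ME RO MGMT-ONLY
```

The two layers are deliberate: the interface ACL stops a customer-side host from reaching the PE's address at all, and the `access-class` on the VTY lines plus the ACL on the SNMP community still hold if the interface filter is mis-applied or a PE address is missed. If the PE-CE protocol is OSPF or RIP rather than BGP, the two `permit tcp ... bgp` lines become a `permit ospf` or `permit udp ... eq rip` line to the link address; static routing needs no permit at all. The `log` keyword on the management ACL gives the operator a record of exactly the customer-side Telnet attempts Guber describes.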
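Wulf's and Roger's recommendation, that a customer who does not want to rely on the SP as a "secure broker" can run IPsec between its own sites while the MPLS VPN simply carries the encrypted packets, is shown below as a CE-side site-to-site tunnel in Cisco IOS. This is an added example for this archive page, not configuration from any poster. Site A's CE WAN address 192.0.2.2, site B's CE WAN address 192.0.2.6, the LAN prefixes 10.1.0.0/16 and 10.2.0.0/16, and all names are constructed; it assumes an IOS release that supports AES-256, SHA-256 and DH group 14, and a pre-shared key distributed out of band.

```cisco
! Added example, not from the MPLS-OPS thread. Site A CE configuration;
! site B mirrors it with the addresses swapped. Addresses are constructed:
! site A WAN 192.0.2.2, site B WAN 192.0.2.6, LANs 10.1.0.0/16 and 10.2.0.0/16.
!
! IKE phase 1: how the two CEs authenticate each other and agree on keys.
! The pre-shared key is a placeholder; use a long random value per peer pair.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 192.0.2.6
!
! IKE phase 2: ESP with AES-256 and SHA-256, tunnel mode so the original
! IP header (source and destination LAN hosts) is also encrypted.
crypto ipsec transform-set AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Only inter-site LAN traffic is encrypted. Anything not matched here
! (for example Internet-bound traffic) crosses the MPLS VPN in the clear.
ip access-list extended SITE-A-TO-SITE-B
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map CE-ENCRYPT 10 ipsec-isakmp
 set peer 192.0.2.6
 set transform-set AES256-SHA256
 set pfs group14
 match address SITE-A-TO-SITE-B
!
interface GigabitEthernet0/0
 description Link to SP PE (MPLS VPN attachment circuit)
 ip address 192.0.2.2 255.255.255.252
 crypto map CE-ENCRYPT
```

With this in place, someone who obtains the PE access the thread worries about sees only ESP between 192.0.2.2 and 192.0.2.6: the peer addresses, packet sizes and timing remain visible, but not the customer payload or the inner LAN addresses. The SP's VRF must still forward IP protocol 50 and UDP 500 between the CE WAN addresses, which a `permit ip any any` transit rule on the PE-CE interface does. Per-site pre-shared keys keep a compromised CE at one site from impersonating a tunnel elsewhere; a certificate-based deployment scales better once the number of sites grows.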