1. Home
  2. Networking
  3. Mpls VPN security

LAN Security Issues

In this section we discuss LAN security issues as they pertain to core security. We also illustrate LAN factors for peering constructs.

In the case of a LAN-based Layer 2 interconnect, the PE router will need to maintain ARP entries for all of the end system addresses that are reachable beyond that interface.

The number of entries may be considerable depending on the size of the connected site, and it can considerably impact router CPU and memory. It is generally viewed that an excess of 20,000 ARP entries can lead to issues on the connected router and, as such, it may be desirable to segment such a large campus.

As well, because there is no Layer 3 "CE" router in this scenario, there are no reasonable mechanisms available to ensure that the only accesses into the VPN from this interface are those authorized to do so. That is, given some large number of hosts on this Layer 2 domain, it is difficult, if not impossible, to create access controls that can ensure that only the appropriate traffic sources exist?the Layer 2 domain must be a "trusted" network space. This must be an operational consideration of the entity controlling the Layer 2 network?be it the customer or the SP. Intrusion into the network at this point will give access to much if not all of the entire VPN (depending on VLAN arrangements).

Also, because this is a Layer 2 environment, there are no Layer 3 opportunities for controlling denial of service (DoS) issues beyond the PE edge. If an assault or intrusion reaches the Layer 2 space, it must be dealt with at that level. For example, a broadcast-oriented attack would have an immediate impact on all nodes within the same Layer 2 domain.

The SP must also determine the degree of interaction it wants to perform with respect to L2 operations?spanning tree termination, Cisco Discovery Protocol (CDP) functions, quality of service (QoS), trusted ports, and so on.

LAN Factors for Peering Constructs

A third party in the same VLAN (such as Internet Exchange Point, or IXP) can insert spoofed packets into VPNs, thus introducing a risk scenario for a service provider.

Note that within a VLAN, attacks are easy (these will be further discussed in Chapter 7) via ARP spoofing (hacking tool hunt, arpspoof); CAM overflow (hacking tool macof); DoS against Spanning Tree, and DoS storms (for which a hacking tool exists). An example of a solution includes, for 1 and 2, port security.

Few service providers do this normally, so this attack is not difficult; and to disable Spanning Tree on the router port, hard code Root Bridge is a factor here.

For labeled packets on a VLAN, the data plane attributes are that any label combination can be sent, by any station in the VLAN, and for Carriers Carrier, the top label (LSP) is checked by the PE.

NOTE

For both CsC and Inter-AS deployments, implement only on private peerings due to vulnerabilities highlighted above. For Inter-AS and CsC (when labeled packets are exchanged), do not use a shared VLAN.

Best recommendation: Dedicated connection

Second best recommendation: Dedicated VLAN




    		Part I: MPLS VPN and Security Fundamentals
    		Part II: Advanced MPLS VPN Security Issues
    		Chapter 3. MPLS Security Analysis
    		Chapter 4. Secure MPLS VPN Designs
    		Chapter 5. Security Recommendations
    		General Router Security
    		CE-Specific Router Security and Topology Design Considerations
    		PE-Specific Router Security
    		PE Data Plane Security
    		PE-CE Connectivity Security Issues
    		P-Specific Router Security
    		Securing the Core
    		Routing Security
    		CE-PE Routing Security Best Practices
    		Internet Access
    		Sharing End-to-End Resources
    		LAN Security Issues
    		IPsec: CE to CE
    		MPLS over IP Operational Considerations: L2TPv3
    		Securing Core and Routing Check List
    		Summary
    		Part III: Practical Guidelines to MPLS VPN Security
    		Part IV: Case Studies and Appendixes