PE-CE Connectivity Security Issues

Various QoS mechanisms can be used to protect the PE and CE router interfaces from undue traffic volumes. A higher than expected traffic flow may be caused by a deliberate DoS assault, or it may simply be the result of a misconfigured device somewhere within the network. However, because these mechanisms are inserted directly into the forwarding path, they do have an impact on packet forwarding rates, especially on software-based platforms. As such, these features should be applied with care, with due consideration given to the environment in which they are to be applied. The concept of a traffic anomaly (that is, understanding the customer and SP traffic patterns and detecting deltas in those patterns) is important in enabling the service provider to determine whether a spike in traffic is due to a DoS or DDoS attack.
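The traffic-anomaly idea above (learn the normal pattern on a PE-CE link, then flag deltas from it) can be made concrete with a small baseline-and-delta check. The following is an added example, not code from the original text or from any vendor; the interface counters are constructed sample data, and the window size, sigma multiplier and ratio floor are illustrative assumptions that an operator would tune to their own traffic profile.

```python
"""Baseline-and-delta traffic anomaly check for a PE-CE link.

Added example (not part of the original text): given per-interval
ingress rates for a customer-facing PE interface, build a baseline
from the trailing window and flag intervals whose rate exceeds that
baseline by a configurable margin.  All thresholds below are assumed
values chosen for illustration.
"""
from statistics import mean, pstdev
from typing import List, Tuple

# Constructed sample: ingress bits/s on a PE's CE-facing interface,
# one reading per 5-minute polling interval.  Nominal rate ~10 Mb/s.
SAMPLE_BPS: List[int] = [
    9_800_000, 10_200_000, 10_100_000, 9_900_000, 10_300_000, 10_000_000,
    10_400_000, 9_700_000, 10_100_000,
    48_000_000,  # sudden ~5x spike: DoS, or a misconfigured device
    51_000_000,
    10_200_000, 9_900_000,
]


def baseline(history: List[int]) -> Tuple[float, float]:
    """Mean and population standard deviation of the trailing window."""
    return mean(history), pstdev(history)


def detect_anomalies(samples: List[int], window: int = 6,
                     k: float = 3.0, min_ratio: float = 1.5
                     ) -> List[Tuple[int, int, float]]:
    """Return (index, rate, baseline_mean) for each anomalous interval.

    An interval is anomalous when its rate exceeds BOTH
      baseline_mean + k * baseline_std   (statistical delta), and
      baseline_mean * min_ratio          (absolute floor, so a very flat
                                          baseline with std ~0 does not
                                          trip on harmless jitter).
    Anomalous readings are not fed back into the baseline, so a
    sustained flood does not quietly become the new "normal".
    """
    history: List[int] = []
    flagged: List[Tuple[int, int, float]] = []
    for i, rate in enumerate(samples):
        if len(history) >= window:
            mu, sigma = baseline(history[-window:])
            if rate > mu + k * sigma and rate > mu * min_ratio:
                flagged.append((i, rate, mu))
                continue  # keep the spike out of the baseline
        history.append(rate)
    return flagged


if __name__ == "__main__":
    for idx, rate, mu in detect_anomalies(SAMPLE_BPS):
        print(f"interval {idx}: {rate / 1e6:.1f} Mb/s "
              f"vs baseline {mu / 1e6:.1f} Mb/s  <-- anomaly")
```

The check only reports a delta; it cannot by itself say whether the spike is an attack or a misconfigured CE, which is why the text pairs anomaly detection with the forwarding-path QoS protection rather than replacing one with the other. Excluding flagged intervals from the baseline matters in practice: a flood that lasts longer than the window would otherwise be absorbed into the average and stop being visible.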

Similarly, the customer may wish to provide some degree of access to the CE router in order to enhance the SP's ability to troubleshoot a network problem. In the case of a managed CE, the same set of questions would be applicable. Generally speaking, one should not permit access to a given router beyond the minimum set required for good network operations and maintenance. Because the PE is generally a device supporting multiple customers' connections, and because there is no per-VRF segmentation of resource views, access to router statistics should be limited to SP personnel only. From the opposite perspective, the customer should likewise refrain from providing the SP with interactive access to systems under the customer's direct control.