1. Home
  2. Networking
  3. Mpls VPN security

Generic Layer 2 Security Considerations

Ethernet over MPLS (EoMPLS) is being increasingly deployed in environments where the service provider (SP) does not wish to participate in the management of the customer's Layer 3 routing mechanisms and wishes only to provide a Layer 2 solution similar to traditional Frame Relay and ATM service offerings. Alternatively, some customers may not wish to offload their Layer 3 operations to a service provider, preferring to maintain control over that aspect of their networks themselves. In either of these scenarios, the Layer 2 VPN can meet the applicable network requirements.

In order to protect customer networks, the SP's access network and backbone, and to ensure that service-level expectations can be met, the security considerations of the network must be addressed.

Security in MPLS networks can be viewed from a Layer 2 and Layer 3 perspective. SPs need to concern themselves with securing the network from both layers in order to assure service integrity. In addition, customers need to ensure the security of their own networks, be they L2 implementations or L3-oriented designs. In this section, we introduce generic Layer 2 security issues with a focus on Ethernet, which links Layer 2 with emerging architectures such as Virtual Private LAN Service (VPLS) and Virtual Private Wire Service (VPWS), which will be discussed in the next sections of this chapter.

NOTE

The main security issue behind Layer 2 security is that on a shared Layer 2 medium, for example an Ethernet switch, there is often no control over which side the packets are coming from?whether it be from the customer or other Internet service providers, for example?and consequently, this lack of control permits insertion of traffic from a third party allowing for spoofing of Layer 3 information such as IP addresses. While the control protocols such as routing can be secured via Message Digest-5 (MD-5) mechanisms, the data plane usually is not. So, for example, there may be two CEs connected to a single PE over a shared Ethernet medium, and the security risk is to have all Layer 3 security subverted.

Therefore, it is recommended not to implement this example and to be very cognizant of these issues associated with a shared Ethernet switch example.




    		Part I: MPLS VPN and Security Fundamentals
    		Part II: Advanced MPLS VPN Security Issues
    		Part III: Practical Guidelines to MPLS VPN Security
    		Chapter 6. How IPsec Complements MPLS
    		Chapter 7. Security of MPLS Layer 2 VPNs
    		Generic Layer 2 Security Considerations
    		C2 Ethernet Topologies
    		C3 VPLS Overview
    		C4 VPWS Overview
    		C5 VPLS and VPWS Service Summary and Metro Ethernet Architecture Overview
    		C6 VPLS and VPWS Security Overview
    		Customer Edge
    		Summary
    		Chapter 8. Secure Operation and Maintenance of an MPLS Core
    		Part IV: Case Studies and Appendixes