Chapter 4. Secure MPLS VPN Designs

In this chapter, you learn about the following:

  • How to design an MPLS core for Internet access

  • How to provision secure extranet access and firewalling

  • How to design a DoS-resistant core

  • How to secure Inter-AS and CsC solutions

The previous chapters analyzed MPLS VPN security from an abstract point of view based on the architectural standards. However, the requirements of VPN users often go beyond simple architectures:

  • The MPLS core should support Internet access.

  • Several independent VPN users need to access a common extranet.

  • A VPN user's network spans several countries and involves several service providers.

  • An Internet service provider (ISP) wants to resell MPLS VPN services.

All of these more complex designs have a number of security implications, and sometimes a small design change affects security significantly. This chapter discusses their security properties and gives guidance on how to build advanced MPLS VPN designs securely.