In this section, we discuss PE-specific security considerations. The key point is that the PE is a trusted device and, as such, must be installed in a secure location. A PE must never be located in an insecure location such as a customer premise. If, for example, MPLS is required on a CE, Carrier's Carrier (CsC) should be implemented. The PE has trusted interfaces toward the core and untrusted interfaces toward the CE. These interfaces need to be secured, for example, by blocking all traffic from the outside to the PEs and the rest of the core, with the exception of routing. We discuss the interface security details in the section "Infrastructure Access Lists (iACLs)" later in this chapter.
The service provider's concerns can be generalized to the following issues:
Protection of the backbone infrastructure in terms of availability, accessibility, load, manageability, and so on
Ensuring that committed service level agreements (SLAs) are maintained
Ensuring that billing support functions are uncompromised
Maintaining segregation between different customer domains
Verifying that customers are receiving the services that they are entitled to?no more and no less
The provider edge (PE) is within the SP domain and could have multiple customer relationships; for example, multiple customer VPNs may be provisioned on a single PE. From a security point of view, assuring complete privacy between various customers is of utmost importance for the service provider.
Hardening the control and data plane for a PE is required as a security best practice guideline. To manage forwarding information between the PE and CE, some sort of Layer 3 routing must be performed. There are, in essence, two options: static routing and dynamic routing. The pros and cons of each are well understood in Layer 3 routing environments and apply equally to an MPLS VPN network. However, because an MPLS VPN PE-CE connection involves a relationship between separate corporate entities, due consideration must be given to the security and stability implications of such interconnections.
For example, the concerns of interconnecting two entities may include:
The PE or CE may be subject to floods of routes from its neighbor.
Instabilities in the routing protocol processes may adversely affect CPU utilization.
Invalid routes injected into either network space may cause traffic flows resulting in suboptimal or insecure paths.
These issues are no different than those faced by most service providers today, although generally, SPs do not utilize IGPs in their interconnection points, relying solely on BGP for this purpose. MPLS VPN customers may desire the use of mechanisms other than BGP, and as a result consideration needs to be given to the requirements this may impose.