13. Security

13.1. Data Plane

By security in the "data plane", we mean protection against the following possibilities:

- Packets from within a VPN travel to a site outside the VPN, other than in a manner consistent with the policies of the VPN.
- Packets from outside a VPN enter one of the VPN's sites, other than in a manner consistent with the policies of the VPN.

Under the following conditions:

1. a backbone router does not accept labeled packets over a particular data link, unless it is known that that data link attaches only to trusted systems, or unless it is known that such packets will leave the backbone before the IP header or any labels lower in the stack will be inspected, and
2. labeled VPN-IPv4 routes are not accepted from untrusted or unreliable routing peers,
3. no successful attacks have been mounted on the control plane,

the data plane security provided by this architecture is virtually identical to that provided to VPNs by Frame Relay or ATM backbones. If the devices under the control of the SP are properly configured, data will not enter or leave a VPN unless authorized to do so.

The data plane security provided by this architecture is the same as that provided to VPNs by Frame Relay or ATM backbones. If the devices under the SP's control are configured correctly, data will not enter or leave a VPN unless authorized to do so.

Condition 1 above can be stated more precisely. One should discard a labeled packet received from a particular neighbor unless one of the following two conditions holds:

- the packet's top label has a label value which the receiving system has distributed to that neighbor, or
- the packet's top label has a label value which the receiving system has distributed to a system beyond that neighbor (i.e., when it is known that the path from the system to which the label was distributed to the receiving system may be via that neighbor).

Condition 2 above is of most interest in the case of inter-provider VPNs (see section 10). For inter-provider VPNs constructed according to scheme b) of section 10, condition 2 is easily checked.
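As an added illustration (not part of the RFC text or of the original post), the following Python model applies the two acceptance tests that make Condition 1 precise to labeled packets arriving from each neighbor: accept only if the top label was distributed to that neighbor, or to a system whose path to us may run through that neighbor. The router names, label values and the per-system "may arrive via" table are constructed sample data, not taken from any real network.

```python
"""Per-neighbor acceptance check for labeled packets, modelled on
RFC 2547bis section 13.1, Condition 1. All bindings below are
constructed sample data."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class LabelFilter:
    # labels this router has distributed, keyed by the peer each was sent to
    distributed: dict[str, set[int]] = field(default_factory=dict)
    # for each remote system, the directly attached neighbors through which
    # that system's traffic toward this router may arrive (from topology)
    reachable_via: dict[str, set[str]] = field(default_factory=dict)

    def accept(self, neighbor: str, top_label: int) -> bool:
        """True only if one of the two section 13.1 conditions holds."""
        # (a) the label was distributed directly to this neighbor
        if top_label in self.distributed.get(neighbor, set()):
            return True
        # (b) the label was distributed to a system beyond this neighbor,
        #     and that system's path to us may be via this neighbor
        for system, labels in self.distributed.items():
            if top_label in labels and neighbor in self.reachable_via.get(system, set()):
                return True
        return False


def build_sample_filter() -> LabelFilter:
    # constructed sample: this PE advertised label 100 to P1 and label 200
    # to PE2; PE2's traffic toward this PE transits P1. "CE-A" is a customer
    # link to which no label was ever distributed.
    return LabelFilter(
        distributed={"P1": {100}, "PE2": {200}},
        reachable_via={"PE2": {"P1"}},
    )


def filter_packets(flt: LabelFilter, packets):
    """Return (neighbor, label, 'accept'|'discard') for each (neighbor, label)."""
    return [(n, lbl, "accept" if flt.accept(n, lbl) else "discard") for n, lbl in packets]


if __name__ == "__main__":
    sample = [("P1", 100), ("P1", 200), ("P1", 999), ("CE-A", 100), ("PE2", 200)]
    for row in filter_packets(build_sample_filter(), sample):
        print(*row)
```

Note that a label value which is valid elsewhere in the backbone (100 from "CE-A") is still discarded, because the check is per neighbor rather than a global lookup of known labels.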
(The issue of security when scheme c) of section 10 is used is for further study.)

It is worth noting that the use of MPLS makes it much simpler to provide data plane security than might be possible if one attempted to use some form of IP tunneling in place of the MPLS outer label. It is a simple matter to have one's border routers refuse to accept a labeled packet unless the first of the above conditions applies to it. It is rather more difficult to configure a router to refuse to accept an IP packet if that packet is an IP tunnelled packet whose destination address is that of a PE router; certainly this is not impossible to do, but it has both management and performance implications.

Note that if the PE routers support any "MPLS in IP" or "MPLS in GRE" or similar encapsulations, security is compromised unless either any such packets are filtered at the borders, or else some acceptable means of authentication (e.g., IPsec authentication) is carried in the packet itself.

In the case where a number of CE routers attach to a PE router via a LAN interface, to ensure proper security, one of the following conditions must hold:

1. All the CE routers on the LAN belong to the same VPN, or
2. A trusted and secured LAN switch divides the LAN into multiple VLANs, with each VLAN containing only systems of a single VPN; in this case the switch will attach the appropriate VLAN tag to any packet before forwarding it to the PE router.

Cryptographic privacy is not provided by this architecture, nor by Frame Relay or ATM VPNs. These architectures are all compatible with the use of cryptography on a CE-CE basis, if that is desired.

No cryptographic protection is provided, but CE-CE encryption can be used.

The use of cryptography on a PE-PE basis is for further study.

13.2. Control Plane

The data plane security of the previous section depends on the security of the control plane. To ensure security, neither BGP nor LDP connections should be made with untrusted peers.
The TCP/IP MD5 authentication option should be used with both these protocols. The routing protocol within the SP's network should also be secured in a similar manner.

The security of the data plane depends on the security of the control plane. To guarantee this, BGP and LDP connections must be established only between trusted peers. BGP and LDP should use TCP/IP MD5 authentication, and the routing protocol within the SP network should take similar security measures.

13.3. Security of P and PE devices

If the physical security of these devices is compromised, data plane security may also be compromised. The usual steps should be taken to ensure that IP traffic from the public Internet cannot be used to modify the configuration of these devices, or to mount Denial of Service attacks on them.

14. Quality of Service

Although not the focus of this paper, Quality of Service is a key component of any VPN service. In MPLS/BGP VPNs, existing L3 QoS capabilities can be applied to labeled packets through the use of the "experimental" bits in the shim header [MPLS-ENCAPS], or, where ATM is used as the backbone, through the use of ATM QoS capabilities. The traffic engineering work discussed in [MPLS-RSVP] is also directly applicable to MPLS/BGP VPNs. Traffic engineering could even be used to establish label switched paths with particular QoS characteristics between particular pairs of sites, if that is desirable. Where an MPLS/BGP VPN spans multiple SPs, the architecture described in [PASTE] may be useful. An SP may apply either intserv or diffserv capabilities to a particular VPN, as appropriate.

15. Scalability

We have discussed scalability issues throughout this paper. In this section, we briefly summarize the main characteristics of our model with respect to scalability.

The Service Provider backbone network consists of (a) PE routers, (b) BGP Route Reflectors, (c) P routers (which are neither PE routers nor Route Reflectors), and, in the case of multi-provider VPNs, (d) ASBRs.

P routers do not maintain any VPN routes. In order to properly forward VPN traffic, the P routers need only maintain routes to the PE routers and the ASBRs.
The use of two levels of labeling is what makes it possible to keep the VPN routes out of the P routers.

A PE router maintains VPN routes, but only for those VPNs to which it is directly attached.

Route reflectors can be partitioned among VPNs so that each partition carries routes for only a subset of the VPNs supported by the Service Provider. Thus no single route reflector is required to maintain routes for all VPNs.

For inter-provider VPNs, if the ASBRs maintain and distribute VPN-IPv4 routes, then the ASBRs can be partitioned among VPNs in a similar manner, with the result that no single ASBR is required to maintain routes for all the inter-provider VPNs. If multi-hop EBGP is used, then the ASBRs need not maintain and distribute VPN-IPv4 routes at all.

As a result, no single component within the Service Provider network has to maintain all the routes for all the VPNs. So the total capacity of the network to support increasing numbers of VPNs is not limited by the capacity of any individual component.

16. Intellect