Network Security with MPLS
We have heard of man-in-the-middle attacks, session hijacking, etc.
We hide our private IP scheme using NAT (in various forms) to route/switch packets across the internet.
With MPLS, we bypass the conventional routing process and can even overcome the limitations of NAT (like in IPsec, OSPF, multicast, etc.). The reason being, we have solutions like L3 VPN or, more conventionally, IP VPN.
However, I'm concerned about the security of MPLS ... it can easily come through a misconfigured PE or LSR;
-- What if incorrect route targets and route distinguishers are specified?
-- What happens if my ISP gets merged or gets acquired by a different company ...
-- What if the MPLS backbone is already compromised before BGP peering is established?
-- My understanding is routes get installed depending on pre-specified route targets, which are service IP address based. These can be spoofed, as we have known, and potential issues need not be exaggerated.
Does anyone have a packet-level analysis of MPLS?
This is a critical issue as enterprises and ISPs are moving towards MPLS, IP VPN based solutions, not just over WAN but also in large campus networks or metro networks ... with OEM providers making and engineering their portfolios towards high-speed switching processors and related technologies.
Finally, what about malformed packets from your trusted LAN? Your MPLS will not protect against that. Hence you continue to have the overhead of dedicated hardware and network points for processing headers at higher levels of the OSI layer.
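Added example, not part of the original post: a defensive audit for the misconfigured route-target concern raised above. It applies the standard BGP/MPLS IP VPN rule that a VRF installs a route when one of the route's RTs is in that VRF's import list. The PE names, VRF names, customers and RT values are constructed samples, and `audit` is a hypothetical helper.

```python
from collections import defaultdict

# Constructed inventory: (pe, vrf, customer, import RTs, export RTs)
VRFS = [
    ("pe1", "ACME-A", "acme", {"65000:100"}, {"65000:100"}),
    ("pe2", "ACME-B", "acme", {"65000:100"}, {"65000:100"}),
    ("pe1", "GLOBEX-A", "globex", {"65000:200"}, {"65000:200"}),
    # Misconfiguration: pe3 also imports acme's RT into a globex VRF.
    ("pe3", "GLOBEX-B", "globex", {"65000:200", "65000:100"}, {"65000:200"}),
    # Misconfiguration: import and export RTs do not match (300 vs 330).
    ("pe2", "INITECH-A", "initech", {"65000:300"}, {"65000:330"}),
]

def audit(vrfs, allowed=frozenset()):
    """Return RT policy findings. `allowed` holds sorted customer pairs
    (e.g. ("acme", "globex")) that have an approved shared/extranet VPN."""
    exporters = defaultdict(set)  # RT -> {(pe, vrf, customer)} exporting it
    for pe, vrf, cust, _imp, exp in vrfs:
        for rt in exp:
            exporters[rt].add((pe, vrf, cust))

    findings = []
    for pe, vrf, cust, imp, exp in vrfs:
        for rt in sorted(imp):
            sources = exporters.get(rt, set())
            if not sources:
                # Nothing carries this RT, so the VRF learns no routes via it.
                findings.append(("import-never-exported", pe, vrf, rt, None))
            for s_pe, s_vrf, s_cust in sorted(sources):
                pair = tuple(sorted((cust, s_cust)))
                if s_cust != cust and pair not in allowed:
                    # Another customer's routes would be installed here.
                    findings.append(
                        ("cross-customer-import", pe, vrf, rt, f"{s_pe}/{s_vrf}"))
        for rt in sorted(exp):
            if not any(rt in i for _p, _v, _c, i, _e in vrfs):
                # Routes are tagged with an RT that no VRF imports.
                findings.append(("export-never-imported", pe, vrf, rt, None))
    return findings

if __name__ == "__main__":
    for finding in audit(VRFS):
        print(finding)
```

Running the same check against the RT lists extracted from each PE's real configuration before a change is pushed catches both the leak case and the silently isolated site.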