MPLS over L2TPv3 for support of RFC 2547-based BGP/MPLS IP VPNs


1 MPLS over L2TPv3 for support of RFC 2547-based BGP/MPLS IP VPNs

2 MPLS over L2TPv3 w/BGP L3VPNs
Encapsulation stack, outer to inner, as drawn on the slide:

  Outer IP header (Tunnel IP)
    Version | IHL | TOS | Total length
    Identification | Flags | Fragment offset
    TTL | Protocol == 0x73 (L2TPv3) | Header checksum
    Source IP address
    Destination IP address (IP address of edge router)
  L2TPv3 header
    Session ID (32 bits)
    Cookie (64 bits)
  MPLS VPN Label
    Label | Exp | S | TTL
  Inner IP header (VPN IP)
    Version | IHL | TOS | Total length
    Identification | Flags | Fragment offset
    TTL | Protocol | Header checksum
    Source IP address
    Destination IP address

3 MPLS over L2TPv3 w/BGP L3VPNs
L2TPv3 has its own native operation for L2VPNs, defined in draft-ietf-l2tpext-l2tp-base-11.txt
For BGP-based L3VPNs, the same L2TPv3 encapsulation may be leveraged for operation over IP networks
A single p2mp L2TPv3 session at each PE is used, i.e., one Session ID/Cookie pair per PE
Tunnels could be manually configured; however, mechanisms such as those defined below allow dynamic tunnel establishment based on the capabilities of the PE (these apply to IP, GRE and IPsec as well): draft-nalawade-kapoor-tunnel-safi-01.txt, or draft-raggarwa-ppvpn-tunnel-encap-sig-01.txt

4 VPN Label Spoofing Attacks (MPLS vs. IP Core)
[Figure: spoofed MPLS over GRE or IP packets entering the MPLS core at a PE from the CE/VPN side]
draft-ietf-l3vpn-gre-ip txt, draft-ietf-l3vpn-ipsec txt
If MPLS over GRE or IP is enabled on any PE router, a potential packet insertion vulnerability is created, requiring management of L3 ACL lists at all boundary routers.
Managing L3 filter lists at all boundary routers can be management-intensive, and their use at all border routers can affect the performance seen by all traffic entering the SP's network.
IPsec may be used to authenticate packets arriving at the PE, but it may also be difficult to manage and deploy.

5 Blind Label Spoofing Attacks with MPLS over L2TPv3
Hacker Profile:
Wishes to insert rogue packets into a customer VPN by sending spoofed packets to a PE
Can insert spoofed packets past boundary ACLs and reach a VPN PE
Cannot intercept, analyze and correlate core (PE to PE) traffic for use in a coordinated attack
The L2TPv3 Cookie provides ample protection from this type of hacker by introducing 64 bits of unstructured data, unknown to the hacker, that must always match upon receipt at the PE.
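As an added example (not code from the presentation), the following Python models the encapsulation from slide 2 and the receive-side check slide 5 relies on: a PE holding one Session ID/Cookie pair parses the L2TPv3 header and MPLS shim, and only a packet whose 64-bit cookie matches reaches VPN label lookup. Field widths are the slide's; the session ID, cookie and inner IP bytes are constructed sample values, and the drop counters are an assumed detection hook.

```python
"""PE-side acceptance check for MPLS over L2TPv3 (example code, not from the slides)."""
import hmac
import os
import struct

L2TPV3_IP_PROTO = 0x73  # outer IP Protocol value carried for L2TPv3, as on slide 2
S_BOTTOM_OF_STACK = 1   # a single VPN label, so the S bit is set

# Constructed sample: a minimal 20-byte IPv4 header as the customer's inner packet.
INNER_IP = b"\x45\x00\x00\x14" + b"\x00" * 16


def build_payload(session_id, cookie, vpn_label, inner_ip, exp=0, ttl=64):
    """What follows the outer IP header: Session ID (32 bits), Cookie (64 bits),
    one MPLS shim (Label 20 | Exp 3 | S 1 | TTL 8), then the inner IP packet."""
    shim = (vpn_label << 12) | (exp << 9) | (S_BOTTOM_OF_STACK << 8) | ttl
    return struct.pack("!IQI", session_id, cookie, shim) + inner_ip


def parse_payload(payload):
    """Split the payload back into its fields; raises ValueError on truncated input."""
    if len(payload) < 16:
        raise ValueError("payload shorter than L2TPv3 header + MPLS shim")
    session_id, cookie, shim = struct.unpack("!IQI", payload[:16])
    return {"session_id": session_id, "cookie": cookie, "label": shim >> 12,
            "exp": (shim >> 9) & 0x7, "s": (shim >> 8) & 0x1, "ttl": shim & 0xFF,
            "inner_ip": payload[16:]}


class PeReceiver:
    """One p2mp session per PE: a single Session ID / Cookie pair is expected on receipt."""

    def __init__(self, session_id, cookie=None):
        self.session_id = session_id
        # 64 random bits, derived from nothing on the wire, so a blind sender cannot guess them.
        self.cookie = cookie if cookie is not None else int.from_bytes(os.urandom(8), "big")
        self.drops = {"unknown_session": 0, "bad_cookie": 0, "malformed": 0}  # assumed counters

    def receive(self, payload):
        """Return ("accept", fields) or ("drop", reason); label lookup only after the cookie matches."""
        try:
            fields = parse_payload(payload)
        except ValueError:
            self.drops["malformed"] += 1
            return ("drop", "malformed")
        if fields["session_id"] != self.session_id:
            self.drops["unknown_session"] += 1
            return ("drop", "unknown_session")
        # Constant-time comparison so a mismatch does not leak which cookie bytes were right.
        if not hmac.compare_digest(fields["cookie"].to_bytes(8, "big"), self.cookie.to_bytes(8, "big")):
            self.drops["bad_cookie"] += 1
            return ("drop", "bad_cookie")
        return ("accept", fields)
```

A rising `bad_cookie` count on a PE is the signal a defender would alert on: packets that passed any boundary ACL but carry a cookie the sender did not know.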

6 Next Steps for this WG?
draft-ietf-l3vpn-ipsec txt and draft-ietf-l3vpn-gre-ip txt describe RFC2547-based L3VPNs over IP networks using different types of tunnels.
MPLS over L2TPv3 for support of RFC2547-based L3VPNs is another tunnel option that falls squarely within the same scope as the above methods, with its own implementation and security tradeoffs.
Creation of draft-ietf-l3vpn-l2tpv txt in similar form to the above drafts and in line with the L3VPN Charter (e.g., protocol specifications defined elsewhere, with the functional requirements here)

7 End

