MPLS over L2TPv3 for support of RFC 2547-based BGP/MPLS IP VPNs - PowerPoint PPT Presentation

Slides: 8
Provided by: MarkTowns
Learn more at: https://www.ietf.org
Transcript and Presenter's Notes

1
MPLS over L2TPv3 for support of RFC 2547-based
BGP/MPLS IP VPNs
2
MPLS over L2TPv3 w/BGP L3VPNs
Packet layout, outer header first (Tunnel IP, then L2TPv3, then the MPLS VPN label, then the customer's VPN IP packet):

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version|  IHL  |      TOS      |         Total length          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|        Identification         |Flags|    Fragment offset      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+  Tunnel IP
|      TTL      |Protocol (0x73)|        Header checksum        |  (Protocol 0x73
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+   = L2TPv3)
|                       Source IP address                       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|      Destination IP address (IP address of edge router)       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                     Session ID (32 bits)                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |  L2TPv3
+                       Cookie (64 bits)                        +
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                 Label                 | Exp |S|      TTL      |  MPLS VPN Label
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version|  IHL  |      TOS      |         Total length          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|        Identification         |Flags|    Fragment offset      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|      TTL      |   Protocol    |        Header checksum        |  VPN IP
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       Source IP address                       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Destination IP address                     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
3
MPLS over L2TPv3 w/BGP L3VPNs
  • L2TPv3 has its own native operation for L2VPNs
    defined in draft-ietf-l2tpext-l2tp-base-11.txt
  • For BGP-based L3VPNs, the same L2TPv3
    encapsulation may be leveraged for operation over
    IP networks
  • A single p2mp L2TPv3 session at each PE is used,
    i.e., one Session ID/Cookie pair per PE
  • Tunnels could be manually configured; however,
    mechanisms such as those defined in the drafts
    below allow for dynamic tunnel establishment
    based on the capabilities of the PE (these apply
    to IP, GRE and IPsec as well):
  • draft-nalawade-kapoor-tunnel-safi-01.txt, or
  • draft-raggarwa-ppvpn-tunnel-encap-sig-01.txt

4
VPN Label Spoofing Attacks (MPLS vs. IP Core)
draft-ietf-l3vpn-gre-ip-2547-00.txt
draft-ietf-l3vpn-ipsec-2547-03.txt
  • If MPLS over GRE or IP is enabled on any PE
    router, a potential packet insertion
    vulnerability is created, requiring management of
    L3 ACLs at all boundary routers.
  • Managing L3 filter lists at all boundary routers
    can be management-intensive, and their use at
    all border routers can affect the performance
    seen by all traffic entering the SP's network.
  • IPsec may be used to authenticate packets
    arriving at the PE, but it may also be difficult
    to manage and deploy.

5
Blind Label Spoofing Attacks with MPLS over L2TPv3
  • Hacker Profile
  • Wishes to insert rogue packets into a customer
    VPN by sending spoofed packets to a PE
  • Can insert spoofed packets past boundary ACLs and
    reach a VPN PE
  • Cannot intercept, analyze and correlate core (PE
    to PE) traffic for use in a coordinated attack
  • The L2TPv3 Cookie provides ample protection from
    this type of hacker by introducing 64 bits of
    unstructured data, unknown to the hacker, that
    must always match upon receipt at the PE.
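As an added illustration (not part of the presentation), the Python below builds the encapsulation shown on slide 2 (Tunnel IP with Protocol 0x73, L2TPv3 Session ID and 64-bit Cookie, MPLS VPN label, inner VPN IP packet) and performs the PE-side receive check that slide 5 relies on: a packet is only decapsulated when its Session ID is known and its Cookie matches. The session table, addresses and label value are constructed examples.

```python
import hmac
import socket
import struct

L2TPV3_PROTO = 0x73  # IP protocol number in the outer (tunnel) IP header

# Constructed session table for one PE: Session ID -> 64-bit Cookie.
# Assumed values; a real PE learns them from configuration or tunnel signalling.
SESSIONS = {0x00000010: bytes.fromhex("0123456789abcdef")}


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left zero; enough for parsing)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def build_packet(session_id, cookie, label, inner_ip):
    """Tunnel IP | L2TPv3 Session ID + Cookie | MPLS label (S=1) | VPN IP."""
    shim = struct.pack("!I", (label << 12) | (0 << 9) | (1 << 8) | 64)
    payload = struct.pack("!I", session_id) + cookie + shim + inner_ip
    return ipv4_header("192.0.2.1", "192.0.2.2", L2TPV3_PROTO, len(payload)) + payload


def pe_receive(packet):
    """PE-side decapsulation: returns (vpn_label, inner_ip), or None if dropped."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != L2TPV3_PROTO:
        return None
    hdr = packet[ihl:ihl + 16]  # Session ID (4) + Cookie (8) + MPLS shim (4)
    if len(hdr) < 16:
        return None
    session_id = struct.unpack("!I", hdr[:4])[0]
    cookie = hdr[4:12]
    expected = SESSIONS.get(session_id)
    # A spoofed packet that got past boundary ACLs still needs the 64-bit
    # Cookie; compare in constant time so the check leaks nothing about it.
    if expected is None or not hmac.compare_digest(cookie, expected):
        return None
    label = struct.unpack("!I", hdr[12:16])[0] >> 12
    return label, packet[ihl + 16:]
```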

6
Next Steps for this WG?
  • draft-ietf-l3vpn-ipsec-2547-03.txt and
    draft-ietf-l3vpn-gre-ip-2547-00.txt describe
    RFC2547-based L3VPNs over IP networks using
    different types of tunnels.
  • MPLS over L2TPv3 for support of RFC2547-based
    L3VPNs is another tunnel option that falls
    squarely within the same scope as the above
    methods, with its own implementation and security
    tradeoffs.
  • Creation of draft-ietf-l3vpn-l2tpv3-2547-00.txt
    in similar form to the above drafts and in line
    with the L3VPN Charter (e.g., protocol
    specifications defined elsewhere, with the
    functional requirements here)

7
End