Title: MPLS over L2TPv3 for support of RFC 2547-based BGP/MPLS IP VPNs
Slide 1: MPLS over L2TPv3 for support of RFC 2547-based BGP/MPLS IP VPNs
Slide 2: MPLS over L2TPv3 w/BGP L3VPNs
[Packet format diagram: MPLS-over-L2TPv3 encapsulation, listed outer to inner]
Tunnel IP header (IPv4): Version, IHL, TOS, Total length; Identification, Flags, Fragment offset; TTL, Protocol 0x73 (L2TPv3), Header checksum; Source IP address; Destination IP address (IP address of edge router)
L2TPv3 header: Session ID (32 bits); Cookie (64 bits)
MPLS VPN Label: Label, Exp, S, TTL
VPN IP header (IPv4): Version, IHL, TOS, Total length; Identification, Flags, Fragment offset; TTL, Protocol, Header checksum; Source IP address; Destination IP address
Slide 3: MPLS over L2TPv3 w/BGP L3VPNs
- L2TPv3 has its own native operation for L2VPNs, defined in draft-ietf-l2tpext-l2tp-base-11.txt
- For BGP-based L3VPNs, the same L2TPv3 encapsulation may be leveraged for operation over IP networks
- A single p2mp L2TPv3 session at each PE is used, e.g., one Session ID/Cookie pair per PE
- Tunnels could be manually configured; however, mechanisms such as those defined below allow for dynamic tunnel establishment based on the capabilities of the PE (these apply to IP, GRE and IPsec as well):
  - draft-nalawade-kapoor-tunnel-safi-01.txt, or
  - draft-raggarwa-ppvpn-tunnel-encap-sig-01.txt
Slide 4: VPN Label Spoofing Attacks (MPLS vs. IP Core)
draft-ietf-l3vpn-gre-ip-2547-00.txt
draft-ietf-l3vpn-ipsec-2547-03.txt
- If MPLS over GRE or IP is enabled on any PE router, a potential packet insertion vulnerability is created, requiring management of L3 ACL lists at all boundary routers.
- Managing L3 filter lists at all boundary routers can be management-intensive, and their use at all border routers can affect the performance seen by all traffic entering the SP's network.
- IPsec may be used to authenticate packets arriving at the PE, but may also be difficult to manage and deploy.
Slide 5: Blind Label Spoofing Attacks with MPLS over L2TPv3
- Hacker Profile
  - Wishes to insert rogue packets into a customer VPN by sending spoofed packets to a PE
  - Can insert spoofed packets past boundary ACLs and reach a VPN PE
  - Cannot intercept, analyze and correlate core (PE to PE) traffic for use in a coordinated attack
- The L2TPv3 Cookie provides ample protection from this type of hacker by introducing 64 bits of unstructured data, unknown to the hacker, that must always match upon receipt at the PE.
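As an added example (not part of the presentation), the encapsulation from slide 2 and the PE-side cookie check from slide 5 in Python: a sender builds Session ID | Cookie | MPLS VPN label | VPN IP packet, and the receiving PE drops any packet whose 64-bit cookie does not match its session table, which is what defeats a blind spoofer who can pass boundary ACLs but cannot observe PE-to-PE traffic. The Session ID, cookie value and label are constructed, and the outer IPv4 header (protocol 0x73) is assumed to have been stripped by the IP layer already.

```python
import hmac
import struct
from typing import Dict, Optional, Tuple

# L2TPv3 over IP is carried as IP protocol 115 (0x73); the outer IPv4 header
# is assumed already stripped, so parsing starts at the L2TPv3 header.
L2TPV3_IP_PROTO = 115

# Constructed PE session table: one Session ID / 64-bit Cookie pair for the
# whole PE, as the deck describes. A real cookie comes from a CSPRNG
# (e.g. secrets.token_bytes(8)); a fixed value is used only for reproducibility.
PE_SESSIONS: Dict[int, bytes] = {0x0000002A: bytes.fromhex("7a3f9c1d5e24b6f0")}


def mpls_label_entry(label: int, exp: int = 0, bos: bool = True, ttl: int = 64) -> bytes:
    """Build one 32-bit MPLS label stack entry: Label(20) | Exp(3) | S(1) | TTL(8)."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label must fit in 20 bits")
    return struct.pack("!I", (label << 12) | ((exp & 0x7) << 9) | (int(bos) << 8) | (ttl & 0xFF))


def encapsulate(session_id: int, cookie: bytes, vpn_label: int, vpn_ip_packet: bytes) -> bytes:
    """Sender side: Session ID | Cookie | MPLS VPN label | VPN IP packet (no outer IP header)."""
    if len(cookie) != 8:
        raise ValueError("L2TPv3 cookie in this deployment is 64 bits")
    return struct.pack("!I", session_id) + cookie + mpls_label_entry(vpn_label) + vpn_ip_packet


def pe_receive(payload: bytes, sessions: Dict[int, bytes]) -> Optional[Tuple[int, bytes]]:
    """PE side: return (vpn_label, vpn_ip_packet), or None when the packet must be dropped."""
    if len(payload) < 4 + 8 + 4:
        return None                                    # too short to carry a label
    session_id = struct.unpack("!I", payload[:4])[0]
    expected_cookie = sessions.get(session_id)
    if expected_cookie is None:
        return None                                    # unknown session: drop
    # Constant-time compare so response timing does not leak which cookie bytes matched.
    if not hmac.compare_digest(payload[4:12], expected_cookie):
        return None                                    # cookie mismatch: drop silently
    entry = struct.unpack("!I", payload[12:16])[0]
    vpn_label = entry >> 12
    bottom_of_stack = (entry >> 8) & 1
    if not bottom_of_stack:
        return None                                    # only a single VPN label is expected
    return vpn_label, payload[16:]
```

A spoofer who knows the PE address and even the Session ID still has to match all 64 cookie bits, so the PE's drop counter on cookie mismatches is a useful detection signal for blind insertion attempts.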
Slide 6: Next Steps for this WG?
- draft-ietf-l3vpn-ipsec-2547-03.txt and draft-ietf-l3vpn-gre-ip-2547-00.txt describe RFC2547-based L3VPNs over IP networks using different types of tunnels.
- MPLS over L2TPv3 for support of RFC2547-based L3VPNs is another tunnel option that falls squarely within the same scope as the above methods, with its own implementation and security tradeoffs.
- Creation of draft-ietf-l3vpn-l2tpv3-2547-00.txt in similar form to the above drafts and in line with the L3VPN Charter (e.g., protocol specifications defined elsewhere, with the functional requirements here)
Slide 7: End