You are on page 1of 25

L3 MPLS/VPN SECURITY CONSIDERATIONS

SUMMARY/PURPOSE OF DOCUMENT:

The intent of this document is to provide a detailed reference guide with respect to
security best practices for organizations who either implement Layer 3 MPLS VPN’s as a
service offering or for consumers of such services. As such, security considerations from
a service provider perspective as well as from a customer perspective are examined. This
document will address current perspectives/practices to protect the network elements,
services carried thereon and the data itself from compromises ensuing from unintentional
errors as well as deliberate attacks.

The document begins with a discussion of the various network scenarios currently being
encountered in the MPLS/VPN environments and the issues, which predominate in them.
Then, these areas are examined in further detail with respect to the technology currently
available. It then addresses these issues by detailing a set of best current practices
including sample configurations.

Since considerable effort has already been expended with respect to best practices for
Internet Service Providers and since the issues in an MPLS/VPN environment frequently
overlap those encountered by ISP’s and their customers, this document will reference
other publicly available information in support of the practices discussed herein
whenever possible.

Detailed Definitions:

1.0 Scenarios

In general, MPLS/VPN implementations may be characterized into 5 sets which


present differing requirements with respect to the CE-PE arrangements, namely:

1.1 Managed VPNs

In the “Managed VPN” environment, the customer edge equipment (CE) is


managed by the service provider (SP). That is, the SP’s control extends all the way
out to a point-of-presence within the customers’ IGP. As such, the SP has full control
of the CE configuration including:

- access to the router itself


- interaction with the rest of the customers’ IGP
- interaction with the SP’s PE routing mechanism
- openness to customer statistics gathering
- management requirements specific to the SP operation
Detailed Definitions:

1.0 Scenarios (cont’d)

1.1 Managed VPNs (cont’d)

This model provides the SP with the greatest degree of control over the potential
impact of the customers’ operations on the SP’s network itself as well as greater
control over issues which may arise affecting other SP customer VPN’s.

In converse, this arrangement implies some degree of trust on the part of the
customer in terms of:

- customer allows another company (the SP) to have access to their IGP
- customer trusts the SP to map it’s network communications solely to
endpoints approved by the customer
- customer assumes that SP will provide majority of fault analysis and
resolution activity (since their own access is somewhat limited)

Additionally, there may be environments where customer demands call for some
degree of sharing of responsibility between the SP and themselves. In these
situations, the span of control with respect to the above parameters may shift in
one direction or the other.

1.2 Unmanaged VPNs

Unmanaged VPN’s are distinguished by the notion that the CE router is owned
controlled by the customer. In this scenario, the demarcation point between the SP
and the customer is usually the dataset at the customer premises (although it is quite
possible that the communication facility provider may not in fact be the layer 3
MPLS/VPN provider). The customer has full control of the configuration of the CE
router and interacts with the SP’s network over some mutually agreed arrangement
between the SP and the customer.

In this situation, the SP may have some exposure of his network operation to the
customer’s configurations of the CE router. As such, the SP needs to take additional
steps to ensure that their network operations are not disturbed by changes in the
customers’ network environment or CE router setups.

However, this operative mode may be more palatable to some customers who desire
to maintain the following:

- complete control of their IGP


- additional fault analysis/troubleshooting information access
- minimized exposure of their network to the SP
Detailed Definitions:

1.0 Scenarios (cont’d)

1.2 Unmanaged VPNs (cont’d)

From the SP’s perspective, the unmanaged VPN environment changes the span of
control significantly. This approach impacts the SP in a number of ways, including:

- need to protect layer 3 interconnect between the CE and PE


- possible need to protect the layer 2 interconnect (if shared)
- requirement for clear definition of SLA- impacting responsibilities due to
changes in span of control and the need to closely interact with customer in the
event of problems
- additional level of security awareness at the PE router since the CE is no longe r
under their explicit control

1.3 CSC Environments

“Carrier-Serving-Carrier” (CSC) networks can be viewed as a special case of


‘unmanaged VPNs’. In these environments, a hierarchy of service provider operators
are utilized to provision end to end connectivity for a customer where the SP who is
directly interfacing with the end customer may not have facilities in place to meet all
of the customers needs completely. As an example, a smaller SP may have been
selected to provide MPLS/VPN services for a given customer. However, while
this SP may have direct facilities in place to meet the customer’s needs at the end
points of the network, they may not be able to provide, say intercontinental or
transoceanic facilities. As such, the SP may contract with a carrier who has such
networking available thru a CSC type of arrangement. Consequently, the top tier SP
will view the second tier SP as an “unmanaged VPN client” while the second tier SP
may have either an unmanaged or managed arrangement with the end customer.

CSC is usually accomplished by the higher level SP mapping the secondary SP’s
traffic through some form of a VPN/LSP path. As such, one essentially has end
customer traffic mapped into a VPN by the first SP, and then again into another
labeled hierarchy by the second SP.

There is also a variation on this approach, usually referred to as an “inter-as” network


where the interconnection between SP’s is purely a label-switching mechanism and
the end point peering is still accomplished between the CE routers.

Several topology discussions are set forth in chapter 14 of the CiscoPress book
“MPLS and VPN Architectures” (see appendix for ISBN).
CSC network environments present an additional set of interconnection concerns in
that the fo llowing connectivity arrangements will be present:

- connections between customer and provider


- connections between provider and their carrier
- routing and label implementation arrangements between the two SP’s

In this situation, there are SLA and security requirements amongst three entities,
rather than the typical two.

1.4 VPN + Internet

In network environments where both private network and Internet access are provided
by one infrastructure, the security considerations applicable to the VPN world take on
the added significance of the Internet component’s impact or potential impact on the
SP backbone and the customer edge connections. Not only are two corporate entities
involved in the network services provisioning, but the Internet and its millions of
connections and users are now closely coupled with the corporate data networks. This
necessitates stringent adherence to SP security best practices -

(see http://www.cisco.com/public/cons/isp/documents/IOSEssentialsPDF.zip)

- to ensure that corporate (once private network) data is not adversely impacted by the
vagaries of the Internet data flows. Careful consideration must be given to various
design options. Considerable discussion on the various approaches to this type of
network service are explored in chapter 12 of the CiscoPress book “MPLS and VPN
Architectures” (see appendix for ISBN).

In general, it is recommended that the VPN service network interconnects and the
Internet access be run over separate links and to separate routers (not the VPN-
supporting routers) rather than attempting to homogenize them over a single facility.
That is, the SP should provision separate PE’s for VPN versus Internet access even if
the backbone P routers are convergent. As well, the interconnections between the
VPN and Internet PE’s should be unique and preferably be terminated on separate CE
routers. This allows for the greatest degree of configuration flexibility (thereby policy
control) and will reduce the concern that Internet- launched DoS attacks will have an
immediate impact on the VPN performance.

As well, firewalling should be viewed as a necessary component of any Internet


access, whether accomplished by any of the following means:

- firewall at central site with centralized Internet access

- firewall at each CE site

- firewalling thru an SP service offering


However, it is understood that there may be considerable monetary incentives to both
the SP and the customer to provide a single access facility for both services. If
necessary, strict consideration should be given to the following set of criteria
when establishing such a shared interconnect:

1. Use a high speed interconnect to minimize cross-service load impacts


- considering the traffic loads that an average number of DDoS bots can
generate, a shared link should be in the gigabit bandwidth range(GiG-E)

2. Customer should implement double- firewall design


- try to minimize the risk of intrusion from Internet hackers

3. EBGP or static routing should be used as a PE/CE protocol since this offers the
greatest degree of control over routing paths

4. Strict filtering should be imposed on both ends of the connection

5. CAR/Policing should be used to control Internet-driven traffic load

6. Vrf- lite may be used on the CE, in order to force incoming traffic flows to the
appropriate DMZ (firewall) or trusted network space.

1.5 PE/CE Layer 2 Interconne ct

The notion of a SP edge router interconnecting with a customer’s network at a Layer


2 level is increasingly popular – in particular in metro environments. In this design,
the customer presents a layer 2 based interconnect, possibly one or more vlans to the
PE layer 3 network. In effect the SP PE router is the routing kick off point for layer 3
service for the customer. The customer has no layer 3 routing occurring within their
own network.

This approach is generally favored by customers who do not wish to operate a Layer
3 network or who feel that they can simply use the SP’s expertise and support staff to
operate the Layer 3 environment on their behalf. This allows the customer to focus
primarily on the pure switching component of networking the ir campuses.

In order to secure this type of connectivity arrangement several different


considerations need to be addressed other than the typical Layer 3 interconnect.

In the case of a LAN-based, Layer 2 interconnect the PE router will need to maintain
arp entries for all of the end system addresses that are reachable beyond that interface.
The number of entries may be considerable depending on the size of the connected
site and can impact router cpu and memory considerably. It is generally viewed that
an excess of 20000 arp entries can lead to issues on the connected router and as such
it may be desirable to segment such a large campus.

As well, since there is no Layer 3 ‘CE’ router in this scenario, there are no reasonable
mechanisms available to ensure that the only accesses into the VPN from this
interface are those authorized to do so. That is, given some large number of hosts on
this Layer 2 domain, it is difficult, if not impossible to create access controls that can
ensure that only the appropriate traffic sources exist – the Layer 2 domain must be a
‘trusted’ network space. This must be an operational consideration of the entity
controlling the Layer 2 network – be it the customer or the SP. Intrusion into the
network at this point will give access to much if not all of the entire VPN (depending
on VLAN arrangements).

As well, since this is a Layer 2 environment, there are no Layer 3 opportunities for
controlling DoS issues beyond the PE edge. If an assault or intrusion reaches the
Layer 2 space it must be dealt with at that level. For example, a broadcast-oriented
attack would have an immediate impact on all nodes within the same Layer 2 domain.

The SP must also determine the degree of interaction that they wish to perform with
respect to L2 operations;

e.g. Spanning tree termination, CDP functions, QOS, trusted ports etc

A more detailed analysis of L2 MPLS/VPN considerations will be undertaken in a


later work.

Detailed Definitions:

2.0 Security Perspectives

From cisco’s Alcazar discussions on security issues:


“Any event that compromises the confidentiality, integrity or availability of
computers, networks or the data and services supported by them”

In any network, security considerations devolve into essentially 2 sets of 2 types of


issues. Compromises are either accidental – through mis-configurations, growth or
unanticipated changes in the network, or deliberate – attacks by some entity bent on
causing havoc. The risk vectors are either external – issues driven by events external
to the network in question, or internal – problems, which are sourced from within the
network itself. Additionally, most security related problems fall into the categories of
denial of service (DOS) or intrusion. DOS events may be intentional or accidental,
while intrusion issues by definition are intentional. It is essential to harden the
network components and the system as a whole to minimize the likelihood of any of
the above scenarios. However, as with all resource-consuming features, a balance
must be struck between maximizing security and offering the performance and
usability that the service is intended to provide. Clearly, a wholly disconnected host
or router has total security – however it’s ability to forward data or provide services is
substantially compromised.

The state of the network from an availability and security viewpoint may also differ
with respect to the perspective of the interested party. That is, the concerns of the
service provider and the customer are an intersecting, but not completely overlapping
set of needs. Indeed, the perspective of the current status of the network may not be
identical for the 2 parties.

2.1 Service Provider Perspective

The service provider’s concerns can be generalized to the following set of issues:

- protection of the backbone infrastructure in terms of availability, accessibility,


load, manageability etc.

- ensuring that committed SLA’s are maintained

- ensuring that billing support functions are uncompromised

- maintaining segregation between different customer domains

- verifying that customers are getting the services that they are entitled to – no
more and no less

2.2 Customer Perspective

The customer has a somewhat differing perspective on the network from the
service provider. The customers concerns include:

- can data/routes pass reliably and unhindered to all appropriate end-


points

- ensuring that data/routes are not leaked to other service provider customers

- ensuring that the service provider is meeting committed SLA’s in terms of


availability and thruput

- can the SP quickly troubleshoot a network problem

- can the customer themselves quickly analyse a problem

- what protections can the customer implement to protect themselves from service
provider errors both initially and as their network grows and as the SP’s
customer base grows

- what mechanisms/policies can the customer use to protect themselves from


deliberate assaults originating from the service provider

Design Considerations:

1.0 Topological and Network Design Considerations

Clearly, the type of physical network selected to interconnect the CE and PE offer
differing levels of resilience to intrusion and redirection. A serial point-to-point facility
is very difficult to subvert and intrusions usually quite noticeable. When a serial
connection of this nature is interrupted, alarms are raised very quickly and the two end
points are difficult to masquerade.

PVC-based networks, such as Frame Relay and ATM, are somewhat less resistant in that
they are generally controlled by software-based virtual circuit switching and can be
readily mis-switched or duplicated. However, even these facilities typically utilize a
serial point-to-point connection between the CE and the telco central office making
intrusion difficult outside of the telco realm.

Ethernet-based facilities are most readily compromised in that it is relatively easy to


insert a promiscuous monitoring device somewhere in the path. Note that the physical
links from the CE to the central office remain directly cabled and consequently intrusion
still generally requires telco access.

Of course, it is possible to insert equipment into these physical plants, but the level of
expertise required to identify the correct facility, access the physical structures and
unobtrusively insert illicit systems is very high and not readily performed by any but a
determined and well- funded attacker.

The more significant issues with shared physical- interface accesses (PVC-based or
VLAN-based) would be managing the offered traffic loads so that one VPN cannot
impact the operational characteristics of other VPN’s being terminated on the same port.
In order to guarantee the performance of the VPN’s per SLA agreements, it is necessary
Design Considerations:

1.0 Topological and Network Design Considerations (cont’d)

to either provision much greater bandwidth on the access port than the expected load or
to manage the bandwidth available using policing and shaping mechanisms. Typically
this is done thru the offering of a limited set of performance options (say 4 or 5 classes)
to the customer when they request the service. Policing controls are then applied to the
interfaces based upon these pre-defined classes of service to meet the expectations of the
customer. In an unmanaged VPN where different entities control the CE and PE, and
consequently neither can be guaranteed to stay within the expected operational
characteristics, these controls would need to be applied to both routers to ensure that
offered loads do not impact the applicable networks.

Further detailed discussions with respect to QOS planning and application may be seen at
the following:

http://www.cisco.com/en/US/about/ac123/ac114/ac173/ac170/about_cisco_packet_techn
ology09186a00801016da.html

http://www.cisco.com/en/US/tech/tk543/tk766/technologies_white_paper09186a00800a3
e2f.shtml

http://www.cisco.com/warp/public/732/Tech/qos/

Control Plane Hardening:

Routing Mechanisms:

In order to manage forwarding information between the PE and CE some sort of L3


routing must be performed. There are, in essence, 2 options – static routing or dynamic
routing. The pros and cons of each are well understood in L3 routing environments and
apply equally to an MPLS/VPN network. However, since an MPLS/VPN PE-CE
connection involves a relationship between separate corporate entities, due consideration
must be given to the security and stability implications of such interconnections. For
example, the concerns of interconnecting two entities may include:

- PE or CE may be subject to floods of routes from its neighbor


- instabilities in the routing protocol processes may adversely affect cpu
utilization
- invalid routes injected into either network space may cause traffic flows
resulting in suboptimal or insecure pathing
Control Plane Hardening:

Routing Mechanisms (cont’d):

These issues are no different than those faced by most ISP’s today although generally
ISP’s do not utilize IGP’s in their interconnection points, relying solely on BGP for this
purpose. MPLS/VPN customers may desire the use of mechanisms other than BGP and
as a result, consideration needs to be given to the requirements that this may impose.

Clearly, static routing provides the most stable and controlled scenario for the PE-CE
interconnect. With static route definitions there are no opportunities for errant routes to
be introduced other than by typing them directly into the configurations. As well, there is
less cpu impact with static routes since there is no dynamic routing process to run (other
than the SP iBGP). In addition, since the CE and PE are both using explicitly configured
routes, the security of the interconnection is improved – monitoring the intervening path
will not provide any information as to what routes are accessible beyond the router.

Alternatively, using a dynamic routing protocol reduces the amount of configuration


effort on both the PE and CE routers. As well, changes within the customer’s network
addressing are readily accommodated and alternate pathing is more easily deployed. If a
dynamic protocol is to be used between the PE and CE routers, then eBGP is the
recommended choice due to its inherent stability, scalability and control features. In any
case, the use of a dynamic protocol mandates the use of an authentication mechanism
between the two routers for security purposes.

Dynamic Routing Authentication:

In order to provide a degree of security in a dynamically routed PE-CE environment, with


respect to the peer relationships across the PE-CE links, MD5 authentication (Message
Digest 5 Hashed Message Authentication Code or HMAC) should be enabled between
the peers. This mechanism utilizes a highly resistant hash algorithm in the handshake
between the peers to provide some assurance that the peer is in fact the intended
neighbor. The use of a pre-shared secret on the PE and CE routers provides support for
the one-way encrypted hash message used to authenticate the peers. As such, co-
ordination is required between the PE and CE management entities if they are separately
controlled.

MD5 should be used as opposed to the other, less resilient hashing mechanis ms available.

This mechanism is available for all of the PE-CE routing protocols currently supported
including;
Control Plane Hardening:

Dynamic Routing Authentication (cont’d):

EBGP PE-CE Routing;

With BGP, authentication is defined on a per neighbor basis. Also, BGP does not
currently support the use of key chains.

router bgp 13
address- family ipv4 vrf Peabody1
neighbor 1.1.1.1 remote-as 14
neighbor 1.1.1.1 update-source loopback 0
neighbor 1.1.1.1 password 5 1Sherman2
# establishes use of MD5 password “1Sherman2” for this neighbor

address- family ipv4 vrf Dudley1


neighbor 2.2.2.2 remote-as 15
neighbor 2.2.2.2 update-source loopback 0
neighbor 2.2.2.2 password 5 77doright2
# establishes use of MD5 password “77doright2” for this neighbor

NOTE: With BGP, ensure that MD5 authentication is enabled at both ends of the
router pair – a router without MD5 auth definitions will still accept routes
from a peer who is sending MD5

EIGRP PE-CE Routing;

EIGRP authentication is defined in an interface-specific manner and can be


instantiated using either cleartext or MD5 passwords. As previously stated, MD5
is the recommended usage. Authentication must be enabled for the autonomous
system (AS) in question.

router eigrp 13
address- family ipv4 vrf Bullwinkle1
autonomous-system 14
network 1.0.0.0
# define the vpn known as “Bullwinkle1” as operating under the
eigrp autonomous system 14
address- family ipv4 vrf Rocky1
autonomous–system 15
network 1.0.0.0
# define the vpn known as “Rocky1” as operating under the
eigrp autonomous system 15

interface Ethernet0/0
ip vrf forwarding Bullwinkle1
ip address 1.1.1.1 255.0.0.0
no ip directed-broadcast
ip authentication mode eigrp 14 md5
# defines authentication mode for eigrp AS 14
# to be MD5
ip authentication key-chain eigrp 14 eigrp14
# sets the key chain name for eigrp AS 14 to the
# string “eigrp14”

interface Ethernet0/1
ip vrf forwarding Rocky1
ip address 1.1.1.1 255.0.0.0
no ip directed-broadcast
ip authentication mode eigrp 15 md5
# defines authentication mode for eigrp AS 15
# to be MD5
ip authentication key-chain eigrp 15 eigrp15
# sets the key chain name for eigrp AS 15 to the
# string “eigrp15”

key chain eigrp14


key 1
key-string 5 1natashafatale3
# creates a ‘chain’ known as “eigrp14” of 1 key, with the
# MD5 password set to “1natashafatale3”
key chain eigrp15
key 1
key-string 5 3Borisbadenov1
# creates a ‘chain’ known as “eigrp15” of 1 key, with the
# MD5 password set to “3Borisbadenov1”

The key chain software feature allows the user to define a set of keys bound into a
chain that can then be applied to an authentication operation. The ability to define
a set of keys, rather than just one, allows for easier key migration on the basis of
some predetermined interval. Note the key number in this command construct is
just an index rather than the ‘key’ variable used in an MD5 context. Additional
information with respect to key management and configuration is available in the
following documentation:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipr_c/
ipcprt2/1cfindep.htm#1001635
Control Plane Hardening:

Dynamic Routing Authentication (cont ’d):

OSPF PE-CE Routing;

OSPF also establishes authentication requirements on a per interface basis.


Additionally, authentication must be enabled for the area within the AS where
authentication will be performed. As with BGP, OSPF does not currently use the
key chain methodology.

router ospf 52 vrf Donald


area 52 authentication message-digest
# enables use of authentication within this ospf area for
# ospf process 52

interface Ethernet0/0
ip vrf forwarding Donald
ip address 10.1.1.2 255.255.255.0
no ip directed-broadcast
ip ospf authentication message-digest
# establishes authentication for the neighbor across this
interface
ip ospf message-digest-key 13 md5 5 1Daisy3
# defines “1Daisy3” as the MD5 password to be used on this link

router ospf 42 vrf Mickey


area 42 authentication message-digest
# enables use of authentication within this ospf area for
# ospf process 42

interface Ethernet0/1
ip vrf forwarding Mickey
ip address 10.1.1.2 255.255.255.0
no ip directed-broadcast
ip ospf authentication message-digest
# establishes authentication for the neighbor across this
interface
ip ospf message-digest-key 13 md5 5 2minn1e7
# defines “2minn1e7 ” as the MD5 password to be used on this link
Control Plane Hardening:

Dynamic Routing Authentication (cont’d):

RIPV2;

interface Ethernet0/0
ip vrf forwarding Daffy1
ip address 1.1.1.1 255.0.0.0
no ip directed-broadcast
ip rip authentication mode md5
#enables MD5 authentication over this rip interface
ip rip authentication key-chain Daffy1
#sets “Daffy1” as the key chain to be used for this
link

key chain Daffy1


key 1
key-string 5 13Sylvester1
# creates a ‘chain’ known as “Daffy1” of 1 key, with the
# MD5 password set to “13Sylvester1”

Control Plane Hardening:

Routing Control:

Within an MPLS/VPN environment, it is conceivable that through deliberate action or


accidental mis-configuration an excessive number of routes may be propagated from one
routing peer to another. This behavior could readily impact the recipient router cpu and if
great enough could lead to memory consumption sufficient to cause the router to disable
CEF (and thereby all MPLS forwarding) or reload. This exposure exists for both the CE
router and the PE router and as such should be controlled on both to the extent possible.

At this time, only BGP supports the concept of a maximum number of permitted prefixes.
Within BGP, the “maximum-prefix” construct allows a user to define a maximum
number of routes to be accepted from this peer. Once this maximum has been reached
the router can be configured to either issue a warning message or to restart the offending
peer, with the interval to restart being configurable. In addition, a threshold may be
defined where warning messages are issued prior to reaching the maximum.
Control Plane Hardening:

Routing Control (cont’d):

The configuration of BGP prefix limits is illustrated below:

router bgp 13
no synchronization
bgp log-neighbor-changes
no auto-summary

address-family ipv4 vrf VPN_20499


neighbor 140.0.250.2 remote-as 500
neighbor 140.0.250.2 activate
neighbor 140.0.250.2 maximum-prefix 45 80 restart 2
#defines a 45 prefix maximum for routes delivered from this
neighbor, with a warning message issued at 80% of 45, and
the BGP session restarted on exceeding 45, with a 2 minute
interval for retry
no auto-summary
no synchronization
exit-address-family

The following reflects the console logging that occurs as the number of routes from a
BGP peer reaches the threshold set for warning messages, and further the peer restart
once the actual maximum has been reached.

6d22h: %BGP-4-MAXPFX: No. of prefix received from 140.0.250.2 (afi 2)


reaches 37, max 45

6d22h: %BGP-3-MAXPFXEXCEED: No. of prefix received from 140.0.250.2


(afi 2): 46 exceed limit 45

6d22h: %BGP-5-ADJCHANGE: neighbor 140.0.250.2 vpn vrf VPN_20499 Down


BGP Notification sent
6d22h: %BGP-3-NOTIFICATION: sent to neighbor 140.0.250.2 3/1 (update
malformed)
0 bytes FFFF FFFF FF

Once the maximum number of routes on the connection have been exceeded, the status of
the BGP peer will indicate that it has been idled due to prefix count limit having been
overrun:

ESR3#sh ip bgp v a s | i 140.0.250.2


140.0.250.2 4 500 149 130 0 0 0 00:01:01 Idle (PfxCt)
Control Plane Hardening:

Routing Peers:

In the PE-CE dynamic routing space, the interconnections may be across multi- access
media or may be mis-connected in such a way that erroneous peers may be introduced. In
order to prevent routes being accepted from non- loved neighbors it is recommended that
MD5 authentication be used between PE’s and CE’s, which utilize dynamic protocols. If
however, this is not acceptable in a given environment there is still a need to control the
peering associations. Within BGP, this is inherently accomplished through the “neighbor”
construct. When EIGRP or RIP are in use, this functionality is not yet available for PE-
CE interfaces. Without MD5, the only protection against unwanted routes would be the
autonomous system numbers – a very weak mechanism from a protection perspective. In
this environment, the “distance” command may be used to control acceptable route
sources.

For example:
router eigrp 666
address-family ipv4 vrf VPN_20399
redistribute bgp 65000 metric 1000 100 100 1 1500
network 140.0.0.0
distance 90 140.0.200.2 0.0.0.0
#defines an administrative distance of 90 (default)
for eigrp routes received from address 140.0.200.2
distance 255 0.0.0.0 255.255.255.255
#sets all other sources of routing to a value of
unknown/untrusted
autonomous-system 1
exit-address-family

#NOTE: EIGRP requires that acceptable sources must


precede the “255” source as shown above

router rip
version 2

address-family ipv4 vrf VPN_20399


version 2
redistribute bgp 65000
network 140.0.0.0
distance 255
#sets all sources of routing info to a value of 255 –
unknown/untrusted
distance 120 140.0.200.2 0.0.0.0
#sets an administrative distance of 120 (default) for
rip routes received from 140.0.200.2
no auto-summary
exit-address-family

More information is available at the following url:


http://www.cisco.com/warp/customer/105/admin_distance.html
Control Plane Hardening:

PE-CE Link Addressing:

The physical facility between the PE and CE remains an exposure with respect to access
to the networks, data flows and attack points. This link should be secured to the extent
feasible while supporting application requirements and maintenance efforts.

The use of un-numbered links is frequently seen as a means to enhance the security of the
PE, and to some extent the CE since there is no exposed L3 address to attack. If such an
approach is desired, consideration must be given to the implications on the routing
protocol being used between the PE and CE. For example, if eBGP is the protocol in use,
peering will need to be linked to loopback addresses (or other) and ‘multi- hop’ must be
enabled for the eBGP session. This control allows eBGP sessions to maintained over a
number of hops by setting the TTL appropriately. Unfortunately, the use of this modifier
allows for remote eBGP connection attempts from any number of hops – not necessarily
just as defined in the sourcing configuration.

One of the most used troubleshooting tools in the IP network space is the ICMP Echo
(ping) test. The use of un-numbered links removes the ability of the network operator to
ping the directly connected interface as a fault analysis methodology. This may be seen
as sufficient cause to support numbered interfaces in itself.

Further protection may also be had by encrypting the traffic flowing over the link using
either payload encryption mechanisms or full link encryptors. If the data being passed
over the network is considered at extreme risk then such protection may be appropriate.

Router Accessibility:

Access requirements to a given PE may include:

- pingability by SP personnel
- pingability by customer personnel
- telnet access by SP personnel
- SNMP read/write access by SP personnel
- SNMP read access by customer personnel
- privileged mode operation by SP personnel

Similarly, the customer may wish to provide some degree of access to the CE router in
order to enhance the SP’s ability to troubleshoot a network problem. In the case of a
managed-CPE, the same set of questions would be applicable. Generally speaking, one
should not permit access to a given router beyond the minimally required set for good
network operations and maintenance. Access to the router should be secured using
Control Plane Hardening:

Router Accessibility (cont’d):

access- lists controlling the connections to the router vty’s and access to the physical
console and auxiliary ports need to be protected. Ideally, all remote access to the routers
should be under the auspices of an AAA server. See below for example AAA access
control using CiscoSecure:

http://www.cisco.com/en/US/products/sw/secursw/ps4911/products_tech_note09186a008
0107cfd.shtml

SNMP access to the router should be limited to read-only for any personnel/systems other
than those under direct control of the owner of the router. All SNMP access and
messaging should be explicitly controlled through configuration. Telnet access to a router
should only be permitted via specific access control lists and mechanisms such as SSH
are preferable (requires DES-supporting image load). Since the PE is generally a device
supporting multiple customers’ connections, and since there is no ‘per-vrf’ segmentation
of resource views, access to router statistics should be limited to SP personnel only. In
general, with respect to PE-CE link operation, the benefits gained by allowing ICMP
echo mechanisms outweigh the risks associated therein.

For details regarding current best practices recommended to ISP’s in the area of router
security (as well as general ISP usage) please refer to the following:

http://www.cisco.com/public/cons/isp/documents/IOSEssentialsPDF.zip

Note that within an MPLS/VPN environment, the configuration constructs for telnet
access have been altered in order to apply them to vrf instances. For example, if applying
an access class to a set of vty’s the parameter “vrf-also” is required. Failure to include
this modifier will cause all telnet attempts from a CE to be refused. As such, application
of a simple access list to the vty ports will prevent access to the router, as recommended
above, and with the “log” keyword included in the explicit deny, inappropriate attempts
will be logged.

Example 1 - Denying CE Telnet access:

Line vty 0 4
login
password moose
access-class dog in
#applies access- list dog to inbound telnet requests

ip access-list standard dog


permit 1.13.13.2
deny any log
#creates a named ACL “dog” which permits access from
host 1.13.13.2 and denys and logs all other attempts
Control Plane Hardening:

Router Accessibility (cont’d):

Example 2 - Pemitting CE Telnet access:


Line vty 0 4
login
password moose
access-class 13 in vrf-also
#applies access- list 13 to inbound telnet requests including those
entering from vrf’d interfaces

Note that the operations of other access service functions such as rsh, rcp, and tftp are not
changed when used within an MPLS/VPN environment. That is, access control remains
as it has been prior to MPLS/VPN’s – and such controls should be applied using the
appropriate ACL’s and authentication mechanisms. Note that these services would not
normally be enabled on a PE or CE router – the security implications are unacceptable
and the management requirements for these functions are minimal.

An abbreviated sample configuration illustrating the above points follows:

hostname top
access-list 13 permit 1.13.13.2
access-list 13 deny any log
#establishes access-list 13, permitting packets from ip address
1.13.13.2 and denying/logging all others
ip rcmd rsh-enable
#enables rsh services
ip rcmd remote-host top 13 bot
#permits rsh commands to this router “top” from a host permitted by access-list
13 with a name of “bot”

tftp-server flash:safe_bot.cfg 13
#enables tftp-server services for flash file “safe_bot.cfg” restricted by
access list 13

ip access-list 14 permit 1.1.1.1


ip access-list 14 permit 1.1.1.13
ip access-list 14 deny any log
#creates an access list “14” permitting access from hosts
1.1.1.1 and 1.1.1.13 and denying and logging other attempts

snmp-server engineID local 000000090200005073266701


snmp-server community cow RO
#establishes the SNMP read-only community string as “cow”

snmp-server community bull RW 14


#establishes “bull” as the read-write snmp community string
and limits access to those hosts as defined by access list 14
Control Plane Hardening:

Router Accessibility (cont’d):

no snmp-server ifindex persist


snmp-server trap-authentication
snmp-server tftp-server-list 14
#limits tftp related snmp operations per access list 14

line con 0
exec-timeout 5 0
#applies 5 minute timeout to inactive sessions
line aux 0
line vty 0 4
access-class 13 in
#limits telnet access to vty ports per access list 13
password cisco
login

In addition, the C12000 supports a receive access-list mechanism that allows the line
cards to filter traffic destined for the router itself based upon a configured access- list.
Since this control is executed in the hardware of the line cards, it can prevent undesired
high traffic loads from disrupting main cpu operations.

More details on this command are available at:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1829/products_feature_guid
e09186a00800a8531.html
DATA PLANE HARDENING:

Unicast RPF:

Unicast Reverse Path Forwarding (uRPF) lookup feature should be enabled on each
interface of the PE routers’ CE-facing interfaces and on the CE routers’ PE- facing
interfaces. RPF attempts to verify that the source of an incoming packet is accessible via
the interface from which it was received (by checking the CEF tables) prior to switching
the packet through.

uRPF is currently available in two general operating modes:

Loose;
In this mode, if the incoming packet’s source address is reachable thru any
interface in the router, the packet is forwarded.

Strict;
In strict mode, the packet must enter via the exact interface that the source
address would be reached prior to forwarding.

Generally speaking the two modes are intended for operation at different points of the
network. Loose mode is primarily applicable in network cores while strict mode is
intended for use at the edges of a given network.

Since PE and CE routers implement the network edge in an MPLS/VPN context, strict
mode would be the appropriate choice.

For more details see:

New syntax:

ip verify unicast reverse-path Reverse path validation of source


address (old command format)

ip verify unicast source Validation of source address

Old syntax:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t
cr/122tsr/fothercr/sftrpf.pdf
DATA PLANE HARDENING:

Unicast RPF (cont’d):

The following illustrates the configuration of uRPF on a PE router:

interface Ethernet0/0
ip vrf forwarding Daffy1
ip address 1.1.1.1 255.0.0.0
no ip directed-broadcast
ip verify unicast source reachable-via rx
# enables strict RPF checking on incoming packets

CAR/QOS:

Various QOS mechanisms can be utilized to protect the PE and CE router interfaces from
undue traffic volumes. A higher than expected traffic flow may be due to a deliberate
DOS assault or may simply be the result of a mis-configured device somewhere within
the network. However, as these mechanisms are inserted directly into the forwarding path
they do have an impact on packet forwarding rates especially on software-based
platforms. As such, these features should be applied with care and due consideration
given to the environment where they are to be applied.

For example, the following configuration sample illustrates an approach to controlling the
icmp traffic, which is permitted to enter the interface in question:

class-map match-any doggit


match protocol icmp
#defines a class map reference of “doggit” which matches
icmp packets

policy-map doggit
class doggit
police cir 80000
exceed-action drop
#creates a policy which polices traffic selected by the
class “doggit” to a level of 80Kbps; traffic beyond this
level is dropped

interface Ethernet1/0
ip vrf forwarding cow
ip address 1.13.13.2 255.0.0.0
ip verify unicast source reachable-via rx
service-policy input doggit
#applies the policy “doggit” to the input packet stream on interface
Ethernet 1/0
DATA PLANE HARDENING:

CAR/QOS (cont’d):

For more details on configuring routers to control traffic lo ads see the following url:

http://www.cisco.com/en/US/tech/tk543/tech_topology_and_network_serv_and_protocol
_suite_home.html

IDS and FIREWALLING:

Considerable documentation is available on Intrusion Detection and Firewalling


mechanisms for IP networks. Over the past years, the need for such mechanisms in any
given IP network have become increasingly apparent. This requirement is not obvia ted by
the use of an MPLS/VPN as a transport network and should be implemented in such a
way as to protect corporate assets.

The architecture and implementation of IDS systems and Firewalls is quite involved and
will not be detailed herein. The following locations provide information on these topics:

http://www.cisco.com/go/safe

http://www.cisco.com/en/US/netsol/ns110/ns170/ns171/ns292/networking_solutions_pac
kage.html

http://www.cisco.com/en/US/netsol/ns110/ns170/ns171/ns118/networking_solutio ns_pac
kage.html

http://www.robertgraham.com/pubs/network- intrusion-detection.html
DATA PLANE HARDENING:

IPSec:

MPLS/VPN’s forward user information over the network in the same format as it is
received from the CE – as with any other data-transparent transport network (ATM,
FrameRelay, HDLC). As such, it is possible, though perhaps requiring considerable effort
and access, to monitor traffic as it passes through the network. This may not be
acceptable for highly sensitive information such as financial data or confidential
materials. If inherent protection of the data from monitoring is desired, it is necessary to
use some sort of encryption technique.

Various data encryption mechanisms have been available for some time including
software-based encryptors, hardware-based encryption and the most typically used within
the IP world – IPSec. Full link encryptors may be used as long as they are inserted in the
lines between the routers such that the original data stream, in particular the header
information, is available for the routers to perform their forwarding decisions. As such,
information is ‘in the clear’ on the cables between the encryptor/decryptor and the
attached router. However, a more typical approach in an IP environment is to use the
IPSec mechanisms, which encrypt the data and still produce an output IP packet that can
be switched by the routers. In addition, IPSec also can provide support for verification of
the end-points of the data flow thus providing a high degree of certainty that the
information is actually being received by the intended party.

Considerable information is publicly available on IPSec and its related standards. Further
details may be readily found including:

http://www.cisco.com/en/US/tech/tk583/tk372/tech_protocol_family_home.html

http://www.ietf.org/html.charters/ipsec-charter.html

http://ietf.org/ids.by.wg/ipsec.html

RFC-2401 Security Architecture for the Internet Protocol


RFC-2406 IP Encapsulating Security Payload (ESP)
RFC-2407 The Internet IP Security Domain of Interpretation for ISAKMP
RFC-2408 Internet Security Association and Key Management Protocol
RFC-2409 The Internet Key Exchange

Cisco Secure Virtual Private Networks ISBN1-58705-033-1


REFERENCES:

RFC2082 – RIP-2 MD5 Authentication


RFC2154 – OSPF with Digital Signatures
RFC2385 – Protection of BGP Sessions via the TCP MD5 Signature Option
RFC3013 – Recommended Internet Service Provider Security Services and Procedures
RFC2196 – Site Security Handbook

Cisco ISP Essentials – ISBN 1-58705-041-2

http://www.cisco.com/public/cons/isp/documents/IOSEssentialsPDF.zip

General Information on Securing Cisco Routers

http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080120f4
8.shtml

Cisco Secure Virtual Private Networks - ISBN 1-58705-033-1