Arab Academy for Banking and Financial Sciences Business Data Communication Dr.Ali Al-Maqousi
Essay Paper Group Section 203
"Multi Protocol Label Switch" MPLS May, 2006 Version 1.1
Prepared by Group Section 203 Team: - Ahmad Al-Musallami - Alaa Darawsheh - Aminah Khaddam - Hannan Mohsen
Business Data Communications
MPLS
Essay Paper – Group Sec 203
Table of Contents

- Table of Contents, 2
- Executive Summary, 3
- Introduction, 3
- Definitions, 4
- MPLS History, 4
- MPLS Functions, 5
- MPLS Benefits, 5
- Original Drivers towards Label Switching, 6
- How MPLS works, 7
- Connecting IPv6 Islands with IPv4 MPLS, 8
- Comparison of MPLS Vs IP and ATM, 9
- MPLS Infrastructure, 11
- Security of the MPLS Infrastructure, 14
- Protocol Applications & Integrations, 17
- Conclusion, 18
- Literature review, 19
- Essay Contacts, 20
- Document History, 20

203-MPLS BDC v1.1.1.doc 2/20 8/21/2006-2:48:48 PM
Business Data Communications
MPLS
Essay Paper – Group Sec 203
Executive Summary

Some of today's networks deliver IP services over an IP-over-ATM infrastructure, or some other common infrastructure, and are facing performance and scalability problems that impact their ability to deliver these services. The successful delivery of services can be measured in terms of network complexity and the resulting operational costs, as well as the performance required to deliver a satisfactory experience to customers. When the well-known limitations of the models in use start to impact the operation of a network, a new solution should be examined to overcome those limitations and a new transfer strategy should be taken into consideration. One of the most successful strategies used is the MPLS infrastructure. MPLS is a versatile solution to the problems facing present-day networks: speed, scalability, quality of service (QoS) management and traffic engineering. It has emerged as an elegant solution to meet the bandwidth management and service requirements of next-generation IP-based backbone networks. It can also run over existing asynchronous transfer mode (ATM) or frame relay networks. (1)
Introduction

The Internet has evolved into a ubiquitous network and inspired the development of a variety of new applications in business and in consumer markets. These new applications have driven the demand for increased and guaranteed bandwidth in the backbone of the network. In addition to the traditional data services currently provided over the Internet, new voice and multimedia services are being developed and deployed. The Internet has emerged as the network of choice for providing these services. However, the demands placed on the network by these new applications and services, in terms of speed and bandwidth, have strained the resources of the existing Internet infrastructure. This transformation of the network toward a packet- and cell-based infrastructure has introduced uncertainty into what has traditionally been a fairly deterministic network. Another challenge relates to the transport of bits and bytes over the backbone to provide differentiated classes of service to users. The exponential growth in the number of users and the volume of traffic adds another dimension to this problem. Class of service (CoS) and quality of service (QoS) issues must be addressed in order to support the requirements of the wide range of network users. MPLS will play an important role in the routing, switching and forwarding of packets through the next-generation network in order to meet the service demands of the network users.
Footnotes: (1) Ref#1
Definitions

In general: MPLS is an Internet Engineering Task Force (IETF)-specified framework that provides for the efficient designation, routing, forwarding and switching of traffic flows through the network. (2)

In computer networking and telecommunications, Multi Protocol Label Switching (MPLS) is a data-carrying mechanism which emulates some properties of a circuit-switched network over a packet-switched network. MPLS operates at an OSI model layer that is generally considered to lie between the traditional definitions of Layer 2 (data link layer) and Layer 3 (network layer), and thus is often referred to as a "Layer 2.5" protocol. It was designed to provide a unified data-carrying service for both circuit-based clients and packet-switching clients which provide a datagram service model. It can be used to carry many different kinds of traffic, including IP packets, as well as native ATM, SONET, and Ethernet frames. (3)

MPLS stands for Multiprotocol Label Switching: multiprotocol because it might be applied with any Layer 3 network protocol, although almost all of the interest is in using MPLS with IP traffic. MPLS is the solution to any problem they might conceivably have. (4)

MPLS combines the speed and performance of packet-switched networks with the intelligence of circuit-switched networks to provide a best-of-breed solution for integrating voice, video and data. Like circuit-switched networks, MPLS establishes the end-to-end connection path before transferring information, and paths may be selected based on application requirements such as the bandwidth required or the maximum latency. Like packet networks, multiple applications and customers can share a single connection, greatly improving link utilization. MPLS implementations can vary widely, from simple "best effort" data delivery to advanced networks which guarantee delivery of information, including re-routing to an alternate path within 50 milliseconds. (5)
MPLS History

Background (6)

A number of different technologies were previously deployed with essentially identical goals, such as frame relay and ATM. MPLS is now replacing these technologies in the marketplace, mostly because it is better aligned with current and future technology and needs. In particular, MPLS dispenses with the cell-switching and signalling-protocol baggage of ATM. MPLS recognizes that small ATM cells are not needed in the core of modern networks, since modern optical networks (as of 2001) are so fast (at 10 Gbit/s and well beyond) that even full-length 1500 byte packets do not incur significant real-time queuing delays (the need to reduce such delays, to support voice traffic, having been the motivation for the cell nature of ATM).
Footnotes: (2) Ref#1, (3) Ref#2, (4) Ref#3, (5) Ref#4, (6) Ref#2
At the same time, it attempts to preserve the traffic engineering and out-of-band control that made frame relay and ATM attractive for deploying large-scale networks. MPLS was originally proposed by a group of engineers from Cisco Systems, Inc.; it was called "Tag Switching" when it was a Cisco proprietary proposal, and was renamed "Label Switching" when it was handed over to the IETF for open standardization. One original motivation was to allow the creation of simple high-speed switches, since it was at one point thought to be impossible to forward IP packets entirely in hardware. However, advances in VLSI have made such devices possible. The systemic advantages of MPLS, such as the ability to support multiple service models, do traffic management, etc., remain.
MPLS Functions:

MPLS performs the following functions:

1. Specifies mechanisms to manage traffic flows of various granularities, such as flows between different hardware or machines, or even flows between different applications.
2. Remains independent of the Layer 2 and Layer 3 protocols.
3. Provides a means to map IP addresses to simple, fixed-length labels used by different packet forwarding and packet switching technologies.
4. Interfaces to existing routing protocols such as Resource Reservation Protocol (RSVP) and Open Shortest Path First (OSPF).
5. Supports the IP, ATM and Frame Relay Layer 2 protocols. (7)
MPLS Benefits:

Comparing MPLS with existing IP core and IP/ATM technologies, MPLS has many advantages and benefits:

- The performance characteristics of Layer 2 networks
- The connectivity and network services of Layer 3 networks
- Improves the price/performance of network layer routing
- Improved scalability
- Improves the possibilities for traffic engineering
- Supports the delivery of services with QoS guarantees
- Avoids the need for coordination of IP and ATM address allocation and routing information

Footnotes: (7) Ref#1
Original Drivers towards Label Switching: (8)

- Designed to make routers faster
  - ATM switches were faster than routers.
  - Fixed-length label lookup is faster than the longest-match lookup used by IP routing.
  - Allows a device to do the same job as a router with the performance of an ATM switch.
- Enabled IP + ATM integration
  - Mapping of IP to ATM had become very complex, hence it was simplified by replacing ATM signalling protocols with IP control protocols.

Footnotes: (8) Ref#6
How MPLS works (9)

MPLS works by prepending packets with an MPLS header containing one or more 'labels'. This is called a label stack.

Each label stack entry contains four fields:

- a 20-bit label value;
- a 3-bit experimental field reserved for future use;
- a 1-bit bottom-of-stack flag: if this is set, it signifies that the current label is the last in the stack;
- an 8-bit TTL (time to live) field.
These MPLS-labeled packets are forwarded (switched is the correct term) after a label lookup/switch instead of a lookup in the IP table. Label lookup and label switching may be faster than the usual RIB lookup because they can take place directly in the switching fabric rather than in the CPU.

The exit points of an MPLS network are called Label Edge Routers (LER). Routers that perform routing based only on label switching are called Label Switch Routers (LSR). Remember that a LER is not usually the one that pops the label; see Penultimate Hop Popping below. Devices that function as ingress and/or egress routers are often called PE (Provider Edge) routers. Devices that function only as transit routers are similarly called P (Provider) routers. The job of a P router is significantly easier than that of a PE router, so they can be less complex and may be more dependable because of this.

When an unlabeled packet enters the ingress router and needs to be passed on to an MPLS tunnel, the router first determines the forwarding equivalence class the packet should be in, and then inserts one (or more) labels in the packet's newly created MPLS header. The packet is then passed on to the next hop router for this tunnel.

When a labeled packet is received by an MPLS router, the topmost label is examined. Based on the contents of the label, a swap, push or pop operation can be performed on the packet's label stack. Routers can have prebuilt lookup tables that tell them which kind of operation to perform based on the topmost label of the incoming packet, so they can process the packet very quickly. In a swap operation the label is swapped with a new label, and the packet is forwarded along the path associated with the new label.
Footnotes: (9) Ref#12
In a push operation a new label is pushed on top of the existing label, effectively "encapsulating" the packet in another layer of MPLS. This allows the hierarchical routing of MPLS packets. Notably, this is used by MPLS VPNs.

In a pop operation the label is removed from the packet, which may reveal an inner label below. This process is called "decapsulation". If the popped label was the last on the label stack, the packet "leaves" the MPLS tunnel. This is usually done by the egress router, but see PHP below.

During these operations, the contents of the packet below the MPLS label stack are not examined. Indeed, transit routers typically need only to examine the topmost label on the stack. The forwarding of the packet is done based on the contents of the labels, which allows "protocol independent packet forwarding" that does not need to look at a protocol-dependent routing table and avoids the expensive IP longest prefix match at each hop.

At the egress router, when the last label has been popped, only the payload remains. This can be an IP packet, or any of a number of other kinds of payload packet. The egress router must therefore have routing information for the packet's payload, since it must forward it without the help of label lookup tables. An MPLS transit router has no such requirement.

In some special cases, the last label can also be popped off at the penultimate hop (the hop before the egress router). This is called Penultimate Hop Popping (PHP). This may be interesting in cases where the egress router has lots of packets leaving MPLS tunnels, and thus spends inordinate amounts of CPU time on this. By using PHP, transit routers connected directly to this egress router effectively offload it, by popping the last label themselves. Since the egress router will do a higher-layer routing table lookup anyway, the amount of higher-layer work needed for a previously popped packet remains the same, and the actual label popping need not be done.
MPLS can make use of existing ATM network infrastructure, as its labeled flows can be mapped to ATM virtual circuit identifiers, and vice-versa.
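The label stack entry layout listed above and the swap, push, pop and PHP operations just described, worked through as an added example (this code is not from the essay nor from any vendor; the topology PE1, P1, P2, PE2, the label values, the FEC prefix 192.0.2.0/24 and the sample packet bytes are constructed):

```python
import ipaddress
import struct
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class LabelEntry:
    """One 32-bit label stack entry: 20-bit label, 3-bit EXP, 1-bit S (bottom of stack), 8-bit TTL."""
    label: int
    exp: int = 0
    bos: bool = False
    ttl: int = 64

    def pack(self) -> bytes:
        if not (0 <= self.label < (1 << 20) and 0 <= self.exp < 8 and 0 <= self.ttl < 256):
            raise ValueError("label stack entry field out of range")
        word = (self.label << 12) | (self.exp << 9) | (int(self.bos) << 8) | self.ttl
        return struct.pack("!I", word)

    @classmethod
    def unpack(cls, word: int) -> "LabelEntry":
        return cls(word >> 12, (word >> 9) & 0x7, bool((word >> 8) & 0x1), word & 0xFF)


def encode_stack(entries: list) -> bytes:
    """Serialise top-of-stack first; only the last entry carries S=1."""
    if not entries:
        raise ValueError("empty label stack")
    last = len(entries) - 1
    return b"".join(replace(e, bos=(i == last)).pack() for i, e in enumerate(entries))


def decode_stack(data: bytes) -> tuple:
    """Read entries until the bottom-of-stack bit; return (stack, payload below it)."""
    stack, off = [], 0
    while True:
        if len(data) - off < 4:
            raise ValueError("truncated label stack: no bottom-of-stack entry")
        (word,) = struct.unpack_from("!I", data, off)
        off += 4
        stack.append(LabelEntry.unpack(word))
        if stack[-1].bos:
            return stack, data[off:]


def ingress_push(fec_table: dict, dst_ip: str, ip_packet: bytes, ttl: int = 64) -> bytes:
    """Ingress PE (LER): pick the FEC by longest prefix match on the destination,
    then push the label(s) bound to that FEC, outermost first, in front of the IP packet."""
    dst = ipaddress.ip_address(dst_ip)
    matches = [net for net in fec_table if dst in net]
    if not matches:
        raise LookupError(f"no FEC for {dst_ip}")
    fec = max(matches, key=lambda n: n.prefixlen)
    return encode_stack([LabelEntry(lbl, ttl=ttl) for lbl in fec_table[fec]]) + ip_packet


def lsr_forward(lfib: dict, packet: bytes) -> tuple:
    """Transit LSR (P router): act on the top label only; the payload is never examined.
    lfib maps incoming label -> (action, outgoing label, next hop)."""
    stack, payload = decode_stack(packet)
    top = stack[0]
    if top.label not in lfib:
        return "drop:unknown-label", b""
    if top.ttl <= 1:
        return "drop:ttl-expired", b""
    top = replace(top, ttl=top.ttl - 1)
    action, out_label, next_hop = lfib[top.label]
    if action == "swap":
        new_stack = [replace(top, label=out_label)] + stack[1:]
    elif action == "push":  # encapsulate in another MPLS level (hierarchical routing / VPNs)
        new_stack = [LabelEntry(out_label, top.exp, False, top.ttl), top] + stack[1:]
    elif action == "pop":   # exposes an inner label or, at PHP/egress, the bare payload
        new_stack = stack[1:]
    else:
        raise ValueError(f"unknown LFIB action {action!r}")
    if not new_stack:
        return next_hop, payload          # last label gone: the packet leaves the tunnel as IP
    return next_hop, encode_stack(new_stack) + payload


def trace_lsp(fec_table: dict, hops: list, dst_ip: str, ip_packet: bytes) -> list:
    """Run one packet from the ingress PE through each (name, lfib) hop in turn.
    Returns [(hop, next hop, top label or None, TTL or None), ...]."""
    packet = ingress_push(fec_table, dst_ip, ip_packet)
    stack, _ = decode_stack(packet)
    trace = [("PE1", hops[0][0], stack[0].label, stack[0].ttl)]
    for name, lfib in hops:
        next_hop, packet = lsr_forward(lfib, packet)
        if next_hop.startswith("drop") or packet == ip_packet:
            trace.append((name, next_hop, None, None))   # dropped, or unlabeled again (PHP)
            break
        stack, _ = decode_stack(packet)
        trace.append((name, next_hop, stack[0].label, stack[0].ttl))
    return trace


# Constructed topology: PE1 (ingress) -> P1 -> P2 (penultimate hop, does PHP) -> PE2 (egress).
FEC_TABLE = {ipaddress.ip_network("192.0.2.0/24"): [100]}      # FEC -> labels to push
HOPS = [
    ("P1", {100: ("swap", 200, "P2")}),
    ("P2", {200: ("pop", None, "PE2")}),   # PHP: P2 pops so PE2 only does an IP lookup
]
SAMPLE_IP = bytes.fromhex("45000028") + b"\x00" * 36   # constructed stand-in for an IPv4 packet

if __name__ == "__main__":
    for hop in trace_lsp(FEC_TABLE, HOPS, "192.0.2.10", SAMPLE_IP):
        print(hop)
```

The trace shows the TTL decremented at every LSR and the packet arriving at PE2 already unlabeled, which is the PHP offload the text describes.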
Connecting IPv6 Islands with IPv4 MPLS (10)

Many service providers are looking for ways to provide new revenue-generating services to their customers. One such service is IPv6. Some enterprise customers are beginning to experiment with this new version of IP, but are reluctant to deploy it broadly. Interconnecting multiple sites that use IPv6 can be challenging. Also, most service providers would prefer to carry this traffic without making major modifications to their core network. A technique available in JUNOS 5.4 allows you to connect IPv6 sites over an IPv4 Multi-protocol Label Switching (MPLS) enabled backbone. Juniper Networks supports the MP-BGP over IPv4 approach detailed in the IETF Internet draft Connecting IPv6 Domains across IPv4 Clouds with BGP. With this technique, IPv6 islands are connected to each other across an IPv4 backbone enabled with MPLS label stacking while Multi-Protocol Border Gateway Protocol (MP-BGP) is used to announce
Footnotes: (10) Ref#7
the IPv6 routes across these MPLS tunnels. This feature can be implemented with label-switched paths (LSPs) using Label Distribution Protocol (LDP) or Resource Reservation Protocol (RSVP). IPv6 packets are carried over an IPv4 MPLS tunnel. To enable this service, you need to deploy Provider Edge (PE) routers that can run IPv4, MPLS, and BGP toward the core and IPv6 toward the edge. Since only the PE routers need to run a dual stack of IPv4 and IPv6, the other provider (P) core routers do not need to be upgraded. As a result, this MPLS tunneling technique allows for interoperability with routers from other vendors. Because of this flexible method of implementation, it is now more attractive for providers to carry IPv6 traffic over their existing core networks and for customers to roll out IPv6 to more sites.
Comparison of MPLS Vs IP and ATM (11)

Comparison of MPLS versus IP

MPLS cannot be compared to IP as a separate entity because it works in conjunction with IP and IP's IGP routing protocols. MPLS gives IP networks simple traffic engineering, the ability to transport Layer 3 (IP) VPNs with overlapping address spaces, and support for Layer 2 pseudowires (with Any Transport over MPLS, AToM; see the Martini draft). Routers with programmable CPUs and without TCAM/CAM or another method for fast lookups may also see a limited increase in performance. MPLS relies on IGP routing protocols to construct its label forwarding table, and the scope of any IGP is usually restricted to a single carrier for stability and policy reasons. As there is still no standard for carrier-to-carrier MPLS, it is not possible to have the same MPLS service (Layer 2 or Layer 3 VPN) covering more than one operator.
Comparison of MPLS versus ATM

MPLS cannot be compared directly to ATM as they are totally different technologies with different goals. MPLS allows a very smooth migration for IP-only services on ATM networks, without the need to support complex signalling and routing protocols like PNNI. As a large proportion of the data transported over ATM networks in the late 1990s was IP, it was cheaper to upgrade some switches to support MPLS instead of PNNI. MPLS packets can be much larger than ATM cells (and, unlike the fixed 53-byte ATM cell, they have variable length). Today's networks usually must be able to transport packets at least 1500 bytes long (because this is the ubiquitous maximum size for Ethernet), but any MPLS payload size (being the size of the encapsulated payload plus the size required for all the labels) that the network interfaces in use will allow can be transported. (Note that this requires the use of "baby jumbo packets" if Ethernet is used as the transport for MPLS.) This compares well with the 48-byte cell of ATM, and reduces encapsulation overheads, particularly in the case of small packets: for example, it allows a minimum-length TCP packet to reside in a single MPLS packet, rather than two cells as in ATM.
Footnotes: (11) Ref#2
The 16 bits of VCI and 8 bits of VPI in the ATM cell are replaced by a single label field of 20 bits, packed into a 32-bit label header. The 32-bit MPLS label field also contains an 8-bit time-to-live field, a "top of stack" bit, and three spare bits for expansion. Although fewer bits are available for the label, labels can be stacked to create arbitrarily complex MPLS label stacks. This makes addressing and trunking in MPLS vastly more flexible than in ATM, as there is no need to impose an arbitrary boundary between VP and VC switching. (12)
Footnotes: (12) Ref#5
MPLS Infrastructure

- MPLS Network Model (13)

[Figure: MPLS network model. IP networks and the Internet attach to Label Edge Routers (LER) at the boundary of the MPLS cloud; Label Switch Routers (LSR) form the core. LSR = Label Switched Router, LER = Label Edge Router.]
- Components of MPLS architecture (14)

MPLS Label

The 32-bit MPLS label is located after the Layer 2 header and before the IP header, which is why it is also called a "shim" header. The MPLS label contains the following fields:

- The label field (20 bits) carries the actual value of the MPLS label.
- The CoS field (3 bits) can affect the queuing and discard algorithms applied to the packet as it is transmitted through the network.
- The Stack (S) field (1 bit) supports a hierarchical label stack.
- The TTL (time-to-live) field (8 bits) provides conventional IP TTL functionality.

LSP - Label Switch Path

An LSP is a specific traffic path through an MPLS network. An LSP is provisioned using Label Distribution Protocols (LDPs) such as RSVP-TE or CR-LDP. Either of these protocols will establish a path through an MPLS network and will reserve the necessary resources to meet pre-defined service requirements for the data path.

LDP - Label Distribution Protocol

A label distribution protocol (LDP) is a specification which lets a label switch router (LSR) distribute labels to its LDP peers.

Footnotes: (13) Ref#8, (14) Ref#9
- CR-LDP and RSVP-TE

CR-LDP and RSVP-TE are both signaling mechanisms used to support traffic engineering across an MPLS backbone. RSVP is a QoS signaling protocol that is an IETF standard and has existed for quite some time. RSVP-TE extends RSVP to support label distribution and explicit routing, while CR-LDP was proposed to extend LDP (designed for hop-by-hop label distribution) to support QoS signaling and explicit routing.
- FEC - Forwarding Equivalency Class

A Forwarding Equivalency Class (FEC) is a set of packets which will be forwarded in the same manner (e.g., over the same path with the same forwarding treatment). Typically, packets belonging to the same FEC will follow the same path in the MPLS domain. Example: a set of unicast packets whose destination addresses match a particular IP address prefix and whose Type of Service bits are the same.
- MPLS Protocol Stack Architecture (15)

- Network layer (IP) routing protocols
- Edge of network layer forwarding
- Core network label-based switching
- Label semantics and granularity
- Signaling protocol for label distribution
- Traffic engineering
- Compatibility with various Layer-2 forwarding paradigms (ATM, frame relay, PPP)

Footnotes: (15) Ref#1
- Hierarchical Routing in MPLS (16)

[Figure: Hierarchical routing across three domains. External routers A, B, C, D, E, F talk BGP; internal routers 1, 2, 3, 4, 5, 6 talk OSPF. Domain #1 contains A and B; Domain #2 contains C and D at its edge with internal routers 1 to 6; Domain #3 contains E and F. Note: Internal routers in domains 1 and 3 not]

Steps:

- When an IP packet traverses Domain #2, it will contain two labels, encoded as a "label stack".
- The higher-level label is used between routers C and D, and is encapsulated inside a lower-level label used within Domain #2.
- Operation at C:
  - C needs to swap the BGP label to put on the label that D expects.
  - C also needs to add an OSPF label that 1 expects.
  - C therefore pushes down the BGP label and adds a lower-level label.

Footnotes: (16) Ref#8
Security of the MPLS Infrastructure

The MPLS infrastructure is secured through the following mechanisms:

Address Space and Routing Separation

[Figure 1: Format of a VPN-IPv4 address: a 64-bit Route Distinguisher followed by the 32-bit IPv4 address.]
MPLS allows distinct VPNs to use the same address space, which can also be private address space [RFC1918]. This is achieved by adding a 64-bit route distinguisher (RD) to each IPv4 route, making VPN-unique addresses also unique in the MPLS core. This “extended” address is also called a “VPN-IPv4 address” and is shown in Figure 1. Thus, customers of an MPLS service do not need to change the current addressing in their networks. Routing separation between the VPNs can also be achieved. Every PE router maintains a separate Virtual Routing and Forwarding instance (VRF) for each connected VPN. Each VRF on the PE router is populated with routes from one VPN, through statically configured routes or through routing protocols that run between the PE and the CE router. Because every VPN results in a separate VRF, there will be no interference between the VPNs on the PE router. Across the MPLS core to the other PE routers, this separation is maintained by adding unique VPN identifiers in multiprotocol BGP (MP-BGP), such as the route distinguisher. VPN routes are exclusively exchanged by MP-BGP across the core, and this BGP information is not redistributed to the core network; it is redistributed only to the other PE routers, where the information is kept again in VPN-specific VRFs. Thus, routing across an MPLS network is separate per VPN.

Hiding of the MPLS Core Structure
The internal structure of the MPLS core network (provider edge (PE) and provider (P) elements) should not be visible to outside networks (Internet or any connected VPN). This makes attacks more difficult. If an attacker does not know the target, he/she can only guess the IP addresses to attack or try to find out about addressing through a form of intelligence. Because most DoS attacks do not provide direct feedback to the attacker, a network attack is difficult. MPLS does not reveal unnecessary information to the outside, not even to customer VPNs. Core addressing can be conducted with private addresses [RFC1918] or public addresses. Because the interface to the VPNs—and potentially the Internet—is BGP, there is no need to reveal any internal information. The only information required in the case of a routing protocol between PE and CE is the address of the PE router. If this is not desired, static routing can be configured between the PE and CE. With this measure, the MPLS core can be kept completely hidden. Customer VPNs will have to advertise their routes as a minimum to the MPLS core, to ensure reachability across the MPLS cloud. Although this could be seen as too “open,” the following must be noted: First, the information known to the MPLS core is not about specific hosts, but networks (routes); this offers some degree of abstraction. Second, in a VPN-only MPLS network (such as one with no shared Internet access), this is equal to existing Layer 2 models in which the customer must trust an SP to some degree. Also, in a FR or ATM network, routing information about the VPNs can be seen on the core network.

Resistance to Attacks
The MPLS core can be attacked in two basic ways:

- By attacking the PE routers directly
- By attacking the signaling mechanisms of MPLS (mostly routing)

To attack an element of an MPLS network, it is first necessary to know its address. As discussed above under Hiding of the MPLS Core Structure, it is possible to hide the addressing structure of the MPLS core from the outside world. Thus, an attacker does not know the IP address of any router in the core that he/she wants to attack. The attacker could now guess addresses and send packets to these addresses. However, because of the address separation of MPLS, each incoming packet will be treated as belonging to the address space of the customer. Thus it is impossible to reach an internal router, even through IP address guessing. This rule has only one exception, which is the peer interface of the PE router. The routing between the VPN and the MPLS core can be configured in two ways:

1. Static—In this case the PE routers are configured with static routes to the networks behind each CE, and the CEs are configured to statically point to the PE router for any network in other parts of the VPN (mostly a default route). There are two subcases: the static route can point to the IP address of the PE router, or to an interface of the CE router (for example, serial0).
2. Dynamic—Here a routing protocol (for example, Routing Information Protocol [RIP], Open Shortest Path First [OSPF], BGP) is used to exchange the routing information between the CE and the PE at each peering point.

In the case of a static route from the CE router to the PE router which points to an interface, the CE router does not need to know any IP address of the core network, not even that of the PE router. This has the disadvantage of a more extensive (static) configuration, but from a security point of view it is preferable to the other cases.

In all other cases, each CE router needs to know at least the router ID (RID; peer IP address) of the PE router in the MPLS core, and thus has a potential destination for an attack. One could imagine various attacks on various services running on a router. In practice, access to the PE router over the CE/PE interface can be limited to the required routing protocol by using ACLs (access control lists). This limits the point of attack to one routing protocol, for example BGP. A potential attack could be to send an extensive number of routes, or to flood the PE router with routing updates. Both could lead to a DoS, however, not to unauthorized access. To restrict this risk, it is necessary to configure the routing protocol on the PE router as securely as possible. This can be done in various ways:

- By ACL, allow the routing protocol only from the CE router, not from anywhere else—Furthermore, no access other than that should be allowed to the PE router in the inbound ACL on each CE interface.
- Where available, configure Message Digest 5 (MD5) authentication for routing protocols—This is available for BGP [RFC2385], OSPF [RFC2154], and RIP2 [RFC2082], for example. It prevents packets from being spoofed from parts of the customer network other than the CE router. Note that this requires that the SP and customer agree on a shared secret between all CE and PE routers. The problem here is that it is necessary to do this for all VPN customers—it is not sufficient to do this for the customer with the highest security requirements.
- Configure, where available, parameters of the routing protocol, in order to further secure this communication—In BGP, for example, it is possible to configure dampening, which limits the number of routing interactions. Also, a maximum number of routes accepted per VRF should be configured where possible.

It should be noted that although in the static case the CE router does not know any IP address of the PE router, it is still attached to the PE router via some method; therefore, it could guess the address of the PE router and try to attack it with this address.

In summary, it is not possible to intrude from one VPN into other VPNs, or the core. However, it is theoretically possible to exploit the routing protocol to execute a DoS attack against the PE router. This in turn might have a negative impact on other VPNs. Therefore, PE routers must be extremely well secured, especially on their interfaces to the CE routers. ACLs must be configured to limit access only to the port(s) of the routing protocol, and only from the CE router. MD5 authentication in routing protocols should be used on all PE/CE peerings. It is easily possible to track the source of such a potential DoS attack.

Impossibility of Label Spoofing
Within the MPLS network, packets are not forwarded based on the IP destination address, but based on labels that are prepended by the PE routers. Similar to IP spoofing attacks, where an attacker replaces the source or destination IP address of a packet, it is also theoretically possible to spoof the label of an MPLS packet. In the first section, the assumption was made that the core network is secured by the SP. (If this assumption cannot be made, IPSec must be run over the MPLS cloud.) Thus in this section the emphasis is on whether it is possible to insert packets with (wrong) labels into the MPLS network from the outside, that is, from a VPN (CE router) or from the Internet.

Principally, the interface between any CE router and its peering PE router is an IP interface (that is, without labels). The CE router is unaware of the MPLS core, and thinks it is sending IP packets to a simple router. The “intelligence” is in the PE device, where, based on the configuration, the label is chosen and prepended to the packet. This is the case for all PE routers, toward CE routers as well as the upstream SP. All interfaces into the MPLS cloud require only IP packets, without labels. For security reasons, a PE router should never accept a packet with a label from a CE router. In Cisco routers, the implementation is such that packets that arrive on a CE interface with a label will be dropped. Thus it is not possible to insert fake labels, because no labels at all are accepted.

There remains the possibility of spoofing the IP address of a packet that is being sent to the MPLS core. However, because there is strict address separation within the PE router, and each VPN has its own VRF, this can harm only the VPN that the spoofed packet originated from; in other words, a VPN customer can only attack himself/herself. MPLS does not add any security risk here.
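The PE-side controls described in this security section (drop any labeled packet arriving from a CE, restrict traffic addressed to the PE to the routing protocol from the CE peer, resolve transit traffic only in the interface's own VRF, cap routes per VRF, and the VPN-IPv4 address of Figure 1), as an added example that is not from the essay nor from any vendor implementation; the VRF names, addresses, interface names, the ASN:number form of the route distinguisher and the route limit of two are constructed assumptions:

```python
import ipaddress
import struct
from dataclasses import dataclass, field

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_MPLS = (0x8847, 0x8848)   # labeled unicast / multicast frames
BGP_PORT = 179


def vpnv4_address(rd_asn: int, rd_number: int, prefix: str) -> bytes:
    """The VPN-IPv4 address of Figure 1: a 64-bit route distinguisher in front of the
    32-bit IPv4 address. The RD is assumed to be in ASN:number form (type field 0)."""
    net = ipaddress.ip_network(prefix)
    return struct.pack("!HHI", 0, rd_asn, rd_number) + net.network_address.packed


@dataclass
class Vrf:
    """One customer's routing table on the PE: a separate VRF per VPN, with its own RD."""
    name: str
    rd_asn: int
    rd_number: int
    max_routes: int
    routes: dict = field(default_factory=dict)   # IPv4Network -> next hop

    def install(self, prefix: str, next_hop: str) -> str:
        """Accept a route learned from the CE only while under the per-VRF route limit."""
        net = ipaddress.ip_network(prefix)
        if net not in self.routes and len(self.routes) >= self.max_routes:
            return "reject:max-routes"    # bounds the route-flooding DoS on the PE
        self.routes[net] = ipaddress.ip_address(next_hop)
        return "installed"

    def lookup(self, dst: str):
        """Longest prefix match inside this VRF only; nothing else is visible."""
        addr = ipaddress.ip_address(dst)
        hits = [n for n in self.routes if addr in n]
        return self.routes[max(hits, key=lambda n: n.prefixlen)] if hits else None

    def export(self) -> set:
        """VPN-IPv4 keys carried in MP-BGP: unique across VRFs even for identical prefixes."""
        return {vpnv4_address(self.rd_asn, self.rd_number, str(n)) for n in self.routes}


@dataclass
class CeFacingInterface:
    name: str
    vrf: Vrf
    pe_address: str   # the only core address a CE ever needs to know
    ce_peer: str      # the only host allowed to speak the routing protocol to the PE


@dataclass
class Frame:
    """Constructed summary of a received frame; no real packet parsing here."""
    ethertype: int
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0


def pe_ingress(iface: CeFacingInterface, frame: Frame) -> str:
    """Policy applied to a packet arriving on a CE-facing PE interface."""
    # 1. No label is ever accepted from a CE, so there is no label to spoof.
    if frame.ethertype in ETHERTYPE_MPLS:
        return "drop:labeled-packet-from-ce"
    if frame.ethertype != ETHERTYPE_IPV4:
        return "drop:not-ip"
    src, dst = ipaddress.ip_address(frame.src), ipaddress.ip_address(frame.dst)
    # 2. Inbound ACL: traffic to the PE itself is only the routing protocol from the CE peer.
    if dst == ipaddress.ip_address(iface.pe_address):
        if src == ipaddress.ip_address(iface.ce_peer) and frame.proto == "tcp" and frame.dport == BGP_PORT:
            return "accept:bgp-from-ce"
        return "drop:acl-to-pe"
    # 3. Transit traffic is resolved only in this interface's VRF, so a spoofed source or a
    #    guessed core address still stays inside the sender's own VPN.
    nh = iface.vrf.lookup(frame.dst)
    return f"forward:vrf={iface.vrf.name}:nh={nh}" if nh else f"drop:no-route-in-{iface.vrf.name}"


def build_demo() -> tuple:
    """Constructed PE with two VPN customers that both use 10.1.0.0/16 internally."""
    vrf_a = Vrf("CUST-A", 64512, 1, max_routes=2)
    vrf_b = Vrf("CUST-B", 64512, 2, max_routes=2)
    vrf_a.install("10.1.0.0/16", "192.0.2.1")       # reached via CE-A
    vrf_b.install("10.1.0.0/16", "198.51.100.1")    # same private range, reached via CE-B
    ifaces = {
        "ge-0/0/1": CeFacingInterface("ge-0/0/1", vrf_a, "192.0.2.254", "192.0.2.1"),
        "ge-0/0/2": CeFacingInterface("ge-0/0/2", vrf_b, "198.51.100.254", "198.51.100.1"),
    }
    return vrf_a, vrf_b, ifaces
```

Running the same destination 10.1.7.7 through both interfaces shows it resolving to a different next hop in each VRF, while the two VRFs export distinct VPN-IPv4 keys for the identical prefix.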
Protocol Applications & Integrations -
- Which other protocols does MPLS support besides IP? (17) By definition, Multiprotocol Label Switching supports multiple protocols. At the Network Layer MPLS supports IPv6, IPv4, IPX and AppleTalk. At the Link Layer MPLS supports Ethernet, Token Ring, FDDI, ATM, Frame Relay, and Point-to-Point links. It can essentially work with any control protocol other than IP and layer on top of any link layer protocol.
- MPLS brings the traffic engineering capabilities of ATM to packet-based networks. (18)
- MPLS was not designed to replace ATM, but the practical reality of the dominance of IP-based protocols coupled with MPLS's inherent flexibility has led many service providers to migrate their ATM networks to one based on MPLS. (19)
- MPLS can co-exist with ATM switches and eliminate complexity by mapping IP addressing and routing information directly into ATM switching tables. (20)
- The following classes may be more appropriate for the initial deployment of MPLS QoS: i. High-priority, low-latency "Premium" class (Gold Service); ii. Guaranteed-delivery "Mission-Critical" class (Silver Service); iii. Low-priority "Best-Effort" class (Bronze Service).
- Cisco 7600 Series routers (21)
(17) Ref#9, (18) Ref#9, (19) Ref#9, (20) Ref#9, (21) Ref#11
Conclusion (22) -
The MPLS solution is spreading all over the world and has great potential to dominate because of its benefits in meeting the endless demands for switching speed and QoS. MPLS has not yet been implemented in Jordan, or at least we were not able to find any organization that has adopted it; the following are some of the reasons for that:
i. Lack of expertise in the technology, which is still considered relatively new, even though it is supported by one of the leading vendors of routing technology worldwide (Cisco Systems, Inc.).
ii. Resistance to change because of familiarity with the existing technology.
iii. Lack of, or limited, actual need for such a solution.
iv. Immaturity of the telecommunications infrastructure needed to create the added value of the solution.
(22) Ref#10
Literature review
Ref#1 – MPLS, The International Engineering Consortium, http://www.iec.org, AMusallami
Ref#2 – http://en.wikipedia.org/wiki/MPLS, Hanan Mohsen
Ref#3 – http://www.netcraftsmen.net/welcher/papers/mplsintro.html, Hanan Mohsen
Ref#4 – http://www.nortel.com/solutions/providers/enabling_tech/mpls/technology.html, Hanan Mohsen
Ref#5 – http://www.mier.com/reports/cisco/MPLS-VPNs.pdf, Hanan Mohsen
Ref#6 – http://www.ripe.net/ripe/meetings/ripe-39/presentations/mpls-arch/sld003.html, Hanan Mohsen
Ref#7 – http://www.juniper.net/techpubs/software/junos/junos56/feature-guide-56/html/fg-ipv6-overmpls.html, Hanan Mohsen
Ref#8 – MPLS Architecture, Aminah & Hanan
Ref#9 – Irwin Lazar, Requirements for Traffic Engineering Over MPLS, http://www.ietf.org/rfc/rfc2702.txt, http://www.mplsrc.com/contact.shtml, Alaa Darawsheh
Ref#10 – Group Section 203
Ref#11 – http://www.cisco.com/go/routing, 2006-05-06, AMusallami
Essay Contacts
Contact              Email                 Telephone
Alaa Darawsheh       [email protected]     +962-788-519272
Aminah Khaddam       [email protected]     +962-796-382005
Hanan Mohsen         [email protected]     +962-795-601424
Ahmad Al-Musallami                         +962-795-023399
Document History -
- Ver 0.0, 2006/03/26, AMusallami: create the document skeleton.
- Ver 0.1, 29/4/2006, H. Mohsen: Executive Summary, Introduction, Definitions, MPLS History, How MPLS works, Connecting IPv6 Islands with IPv4 MPLS, Comparison of MPLS vs IP and ATM.
- Ver 0.5, 30/04/2006, Aminah: provided documents about MPLS Architecture.
- Ver 1.0, 03/05/2006, Alaa Darawsheh: add the Security part.
- Ver 1.1, 06/05/2006, AMusallami: add the Literature review, MPLS Infrastructure, References, Conclusion, Protocol Applications & Integrations, and Table of Contents.
*** *** ***