Multi Protocol Label Switching (MPLS) is becoming a more widespread technology. Medium and large organizations whose offices are spread across several geographical locations are now moving to MPLS from the traditional Frame Relay or ATM (Layer 2 VPN) services.
Today MPLS mainly serves the following purposes:
- Simplifies the network architecture
- Provides VPN services such as MPLS VPN
- Better QoS (Quality of Service)
- Optimizes the network by improving latency and routing
However, as with every new technology, security is a major concern for organizations. Here I will discuss MPLS security from the organization's (the customer's) point of view, on the assumption that the MPLS core network itself is secure. I also assume that I need not discuss common security issues such as security misconfiguration.
The MPLS VPN architecture provides security in the following way:
1. Address Space and Routing Separation
The address spaces of two VPNs are independent. An MPLS network is generally a shared environment in which many organizations and their VPNs coexist, so the network architecture must allow every VPN to use its own address space without conflict. The basic requirement for routing is that each end system within a VPN has a unique address. MPLS therefore ensures:
- VPNs are able to use address space independent of the other VPNs present on the MPLS core, and independent of the addresses used inside the MPLS core itself.
- Routing of traffic in each VPN is independent of the routing in every other VPN.
For security, MPLS must ensure that a packet belonging to one VPN never ends up in another VPN.
MPLS makes every customer route unique by prepending a 64-bit Route Distinguisher (RD) to the 32-bit IPv4 prefix, giving a 96-bit VPN-IPv4 address. Each VPN (more precisely, each VRF, see below) is configured with a different RD, so the routes carried for one VPN are distinct from those of every other VPN and from the addresses of the MPLS core, even when two customers use the same private ranges. Note that the RD only makes routes unique; it is not what keeps them apart in the routers, that is the job of the VRFs described next.
There is still one place where an address conflict can occur: the link between the Provider Edge (PE) router and the Customer Edge (CE) router, when the two exchange routes through a dynamic routing protocol. In that case the PE's interface address on that link is visible to the customer and must be unique within the customer's VPN address space. It is therefore in the customer's best interest to use static routing between PE and CE.
Each PE router holds a Virtual Routing and Forwarding instance (VRF) for every customer connection. The VRF is populated with the routes of that VPN, learned either statically or dynamically through the routing protocol running between the PE and the CE. Because every VPN has its own VRF, the PE router does not leak routes or data from one VPN into another.
This separation continues across the MPLS core. The VPN-IPv4 routes, carrying their VPN identifiers (the RD and the route target extended community that tells a PE which VRF may import the route), are exchanged by Multiprotocol BGP (MP-BGP). These routes are exchanged between PE routers only, and on the receiving PE they are again stored in the VPN-specific VRF. This ensures that routing within each VPN stays separate from routing in every other VPN.
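To make the two preceding paragraphs concrete (the RD prepended to the IPv4 prefix, and the VRF-specific import of routes learned over MP-BGP), here is a small Python model of the mechanism. It is an added example for this post, not code from the original; all ASNs, RDs, route targets, PE loopbacks and prefixes in it are constructed sample data, and the route target (RT) matching it performs is the standard RFC 4364 import rule rather than something the post itself describes in detail.

```python
"""Model of address-space separation in an MPLS Layer 3 VPN (RFC 4364 style).

Added example for this post, not code from the original. It shows:
  * how a Route Distinguisher (RD) is encoded into 8 bytes (types 0, 1 and 2),
  * that prepending the RD to an IPv4 prefix yields a distinct VPN-IPv4 route
    even when two customers both use 10.1.0.0/16,
  * that a receiving PE installs a VPN-IPv4 route only into a VRF whose import
    route target (RT) matches the route's RT, so VPN A's routes never land in
    VPN B's VRF.
All ASNs, RDs, RTs, loopbacks and prefixes below are constructed sample data.
"""
import ipaddress
import struct
from dataclasses import dataclass, field


def encode_rd(rd: str) -> bytes:
    """Encode an RD written as 'ASN:number' or 'A.B.C.D:number' into its 8-byte wire form."""
    admin, _, assigned = rd.rpartition(":")
    if "." in admin:  # type 1: IPv4 administrator (4 bytes) + 2-byte assigned number
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, int(assigned))
    asn = int(admin)
    if asn > 0xFFFF:  # type 2: 4-byte ASN administrator + 2-byte assigned number
        return struct.pack("!HIH", 2, asn, int(assigned))
    return struct.pack("!HHI", 0, asn, int(assigned))  # type 0: 2-byte ASN + 4-byte number


@dataclass(frozen=True)
class VpnRoute:
    """A VPN-IPv4 route as carried in MP-BGP: RD + prefix, next hop, route targets."""
    rd: bytes
    prefix: ipaddress.IPv4Network
    next_hop: str              # loopback of the PE that originated the route
    route_targets: frozenset

    def key(self) -> str:
        # The RD makes the 96-bit VPN-IPv4 prefix unique even when the IPv4 part is not.
        return f"{self.rd.hex()}:{self.prefix}"


@dataclass
class Vrf:
    """One VRF on a PE: its own routing table plus RD and import/export RTs."""
    name: str
    rd: str
    import_rts: frozenset
    export_rts: frozenset
    table: dict = field(default_factory=dict)  # IPv4Network -> next hop

    def add_ce_route(self, prefix: str, ce_next_hop: str) -> None:
        """Route learned from the attached CE (static, or via the PE-CE routing protocol)."""
        self.table[ipaddress.IPv4Network(prefix)] = ce_next_hop

    def export(self, pe_loopback: str) -> list:
        """Turn the VRF's routes into VPN-IPv4 routes for MP-BGP; next hop is this PE."""
        return [VpnRoute(encode_rd(self.rd), p, pe_loopback, self.export_rts) for p in self.table]

    def import_route(self, route: VpnRoute) -> bool:
        """Install the route only if one of its RTs is in this VRF's import list."""
        if not (route.route_targets & self.import_rts):
            return False
        self.table[route.prefix] = route.next_hop
        return True


def build_scenario():
    """Two customers both using 10.1.0.0/16: CE-A on PE1, CE-B on PE3, both seen from PE2."""
    pe1_a = Vrf("CUST_A", "65000:100", frozenset({"65000:100"}), frozenset({"65000:100"}))
    pe3_b = Vrf("CUST_B", "65000:200", frozenset({"65000:200"}), frozenset({"65000:200"}))
    pe1_a.add_ce_route("10.1.0.0/16", "192.0.2.1")   # learned from CE-A
    pe3_b.add_ce_route("10.1.0.0/16", "192.0.2.2")   # learned from CE-B

    # What a route reflector (or PE2 directly) holds: both routes coexist, keyed by RD+prefix.
    bgp_table = {r.key(): r for r in pe1_a.export("10.255.0.1") + pe3_b.export("10.255.0.3")}

    pe2_a = Vrf("CUST_A", "65000:100", frozenset({"65000:100"}), frozenset({"65000:100"}))
    pe2_b = Vrf("CUST_B", "65000:200", frozenset({"65000:200"}), frozenset({"65000:200"}))
    for route in bgp_table.values():
        pe2_a.import_route(route)   # accepted only for the CUST_A route
        pe2_b.import_route(route)   # accepted only for the CUST_B route
    return bgp_table, pe2_a, pe2_b


if __name__ == "__main__":
    bgp, a, b = build_scenario()
    print(len(bgp), "VPN-IPv4 routes in MP-BGP for a single IPv4 prefix")
    print("CUST_A VRF on PE2 ->", a.table)
    print("CUST_B VRF on PE2 ->", b.table)
```

Running it shows two MP-BGP entries for the one prefix 10.1.0.0/16, and PE2 ending up with a single, correct next hop in each customer's VRF. The model also makes the limit of the mechanism visible: if one VRF were configured to import both route targets (as in an extranet), the two 10.1.0.0/16 routes would collide inside that VRF's table, because the RD keeps routes apart in BGP, not inside a VRF.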
Thus MPLS provides security when it comes to VPN conflicts. Hence, as long as the core is secure (as assumed above), we can assume that one cannot intrude into a VPN from another VPN on the same MPLS network.
In the next posts I will discuss MPLS security further under the following headings:
- MPLS core security and unwanted information disclosure
- Other possible attacks