
MPLS-based VPN


DESCRIPTION

MPLS-based VPN. BGP/MPLS VPN technology (RFC 2547). The offered services come close to the properties of private-network services: security at the level of virtual-circuit networks; bandwidth can be guaranteed on the basis of QoS. (PowerPoint presentation)

Text of the MPLS-based VPN presentation

  • MPLS-based VPN

  • BGP/MPLS VPN technology (RFC 2547): a good approximation of the offered services to the properties of private-network services: security at the level of virtual-circuit networks; bandwidth can be guaranteed on the basis of QoS; IP-

  • MPLS VPN security questions: ...? ...? ...? DoS?

  • [Figure: MPLS VPN topology. CE routers of customer A (Site 1, Site 2, Site 3) and customer B (Site 1 B, Site 2 B, Site 3 B, Site 4 B) attach to PE routers (LER) at the edge of the MPLS cloud; P routers (LSR) form the core.]

  • CE (Customer Edge) router: the customer's router at a VPN site. PE (Provider Edge) router: the provider router to which CEs attach; the PE is an edge LSR (LER). P router: a provider core router that knows nothing about VPNs; P = LSR. P routers do not run BGP and carry no VPN routes.

  • , VPN VPN PE/CE VPN

  • In the MPLS core the P routers hold no VPN routes. A PE holds routes only for the VPNs directly attached to it; VPN traffic between PEs crosses the P routers as labelled packets.

  • [Figure: MPLS VPN with five PEs (PE1 to PE5) and P routers in the core. Attached CE sites: site 1 of VPN A, VPN B and VPN C; site 2 of VPN A, VPN B and VPN C; site 3 of VPN A and VPN B; site 4 of VPN A.]

  • . VPN IP- : - - .

  • [Figure: BGP sessions between the PE routers; IGP inside the provider core.]

  • Components of MPLS VPN

    BGP distributes VPN routes between PEs and MPLS forwards the traffic; each PE keeps a VRF (VPN Routing and Forwarding) table per attached VPN site.

  • [Figure: VPN_A sites 10.1.0.0 and 10.3.0.0 and VPN_B site 11.5.0.0 attached through CEs to PEs; iBGP (MP-BGP) sessions run between the PEs; the IGP runs between P and PE routers.]

  • [Figure: a PE with VRF A and VRF B, each facing the CE of customer A or customer B; the IGP runs towards the P routers, BGP towards the other PEs.]

  • Each VPN site connected to a PE has its own VRF on that PE.

  • Routes the PE learns from a CE are placed in that CE's VRF. VRF routes are exchanged between PEs through MP-BGP as VPN routes, while the PE's global routing table is built by the backbone IGP; traffic between VRFs on different PEs is carried across the backbone by MPLS.

  • [Figure: two PEs with an iBGP session across the VPN backbone (IGP, P routers).]

  • Customers use private address space (RFC 1918) inside their VPNs: different VPNs may have overlapping addresses. How does a TCP/IP backbone route them?

  • Requirement: addresses must be unique within a VPN but may be reused in other VPNs.

  • [Figure: three VPNs on one PE, one VRF per VPN. CE routers addressed 10.2.2.2, 10.2.2.3, 10.2.2.4, 10.2.2.2 and 3.3.3.3: the address 10.2.2.2 appears in two different VPNs.]

  • BGP with plain IPv4 routes cannot tell apart identical prefixes from different VRFs. The solution is a new address family: VPN-IPv4.

  • A VPN-IPv4 address is an IPv4 address prefixed with a 64-bit route distinguisher (RD); MPLS VPN routes are carried as VPN-IPv4 addresses in MP-BGP.

    64 bits RD | 32 bits IPv4 address

  • RD format: Type (2 bytes) | Administrator | Assigned number (AN). Type 0: Administrator = AS number (2 bytes), AN = 4 bytes. Type 1: Administrator = IP address (4 bytes), AN = 2 bytes.

  • [Figure: PE1 (IP 123.45.67.89) holds a VRF for site 1 of VPN A (RD 123.45.67.89:1, Export = GREEN, Import = GREEN; IPv4 prefix 10.1.0.0 learned from CE1 over interface Int7, IP 123.45.7.5) and a VRF for site 1 of VPN B (RD 123.45.67.89:2). PE2 (IP 123.43.15.3) holds a VRF for site 2 of VPN A (RD 123.43.15.3:1, Export = GREEN, Import = GREEN) and a VRF for site 2 of VPN B (RD 123.43.15.3:2, Export = RED, Import = RED). PE3 holds a VRF for site 3 of VPN A (RD 123.43.25.3:1, Export = GREEN, Import = GREEN). The PEs exchange routes with MP-BGP; CE1 to CE5 run BGP to their PE.]

  • VPN-IPv4 addresses exist only in MP-BGP between PEs.

    Inside a VRF the routes are ordinary IPv4.

    Per RFC 2547bis the RD does not identify a VPN: routes of one VPN may carry different RDs, and the RD alone says nothing about which VPN a route belongs to.

  • An MP-BGP VPN-IPv4 route carries:

    the BGP next hop (the advertising PE);
    a VPN label assigned by that PE;
    extended community attributes.

  • Extended community attributes: the route-target (RT) identifies the set of VRFs (the VPN) into which PEs import the route. When a route is exported from a VRF the PE attaches the RTs of that VRF's export policy; on import it matches the route's RTs against each VRF's import policy. Unlike the RD, the route-target defines VPN membership.

  • [Figure: the PE-to-PE iBGP session across the VPN backbone, repeated.] What BGP carries for a VPN route:

  • BGP: VPN-IPv4 address = RD (64 bits) + IPv4 address (32 bits)

    the RD is configured per VRF

  • BGP: the Next Hop of a VPN-IPv4 route is itself encoded as a VPN-IPv4 address with RD = 0

  • BGP

    VPN label: the PE that advertises a VPN route assigns the label for it and sets itself as the Next-Hop; the label is distributed together with the route (Downstream Unsolicited) and becomes the inner label of the stack

  • BGP

    Extended Community attributes (64 bits each): Site of Origin (SOO) identifies the site from which the route was learned; Route-target (RT) identifies the VRFs that import the route (the VPN)

  • In the VRF: Net = 10.1.0.0, Next-Hop = CE1. As advertised by the PE in MP-BGP: VPN-IPv4 = 123.45.67.89:1:10.1.0.0, Next-hop = 123.45.7.5, Lvpn = 7, RT = Green
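    Added example, not part of the deck: the wire formats behind the slides above, written in Python. RD types 0 and 1 follow RFC 2547/4364, the labelled NLRI follows RFC 3107 as used for AFI 1 / SAFI 128, and the route-target and site-of-origin extended communities follow RFC 4360. The RD 123.45.67.89:1, the prefix 10.1.0.0 and the label 7 come from the slide's example; the RT 65000:100 and SoO 123.45.67.89:5 are assumed values standing in for "Green" and "Site1".

```python
"""Wire formats of the BGP/MPLS VPN objects on the slides: the 64-bit route distinguisher,
the 96-bit VPN-IPv4 address, the labelled NLRI carried in MP_REACH_NLRI (AFI 1 / SAFI 128,
RFC 3107 encoding) and the route-target / site-of-origin extended communities."""
import ipaddress
import struct


def encode_rd(administrator, assigned):
    """Type 0: 2-byte AS number + 4-byte assigned number; type 1: 4-byte IPv4 + 2-byte assigned number."""
    if isinstance(administrator, int):
        return struct.pack("!HHI", 0, administrator, assigned)
    return struct.pack("!H4sH", 1, ipaddress.IPv4Address(administrator).packed, assigned)


def decode_rd(data):
    rd_type = struct.unpack("!H", data[:2])[0]
    if rd_type == 0:
        asn, num = struct.unpack("!HI", data[2:8])
        return f"{asn}:{num}"
    if rd_type == 1:
        ip, num = struct.unpack("!4sH", data[2:8])
        return f"{ipaddress.IPv4Address(ip)}:{num}"
    raise ValueError(f"unsupported RD type {rd_type}")


def vpnv4_address(rd, prefix):
    """Human form of the 96-bit VPN-IPv4 address: RD:prefix, e.g. 123.45.67.89:1:10.1.0.0/16."""
    return f"{decode_rd(rd)}:{ipaddress.IPv4Network(prefix)}"


def encode_vpnv4_nlri(label, rd, prefix):
    """Labelled NLRI: length in bits | 3-byte label stack entry | 8-byte RD | prefix octets."""
    net = ipaddress.IPv4Network(prefix)
    octets = (net.prefixlen + 7) // 8
    entry = (label << 4) | 1                      # 20-bit label, EXP=0, bottom-of-stack=1
    return bytes([24 + 64 + net.prefixlen]) + entry.to_bytes(3, "big") + rd + net.network_address.packed[:octets]


def decode_vpnv4_nlri(data):
    """Inverse of encode_vpnv4_nlri; returns (label, 'RD', 'prefix/len')."""
    plen = data[0] - 88                           # strip the 24 label bits and 64 RD bits
    label = int.from_bytes(data[1:4], "big") >> 4
    octets = (plen + 7) // 8
    addr = ipaddress.IPv4Address(data[12:12 + octets].ljust(4, b"\x00"))
    return label, decode_rd(data[4:12]), f"{addr}/{plen}"


SUBTYPE = {"rt": 0x02, "soo": 0x03}               # RFC 4360 subtypes: Route Target, Route Origin (SoO)


def encode_ext_community(kind, administrator, assigned):
    """Transitive extended community: type 0x00 (2-byte AS) or 0x01 (IPv4) + subtype + value."""
    if isinstance(administrator, int):
        return struct.pack("!BBHI", 0x00, SUBTYPE[kind], administrator, assigned)
    return struct.pack("!BB4sH", 0x01, SUBTYPE[kind], ipaddress.IPv4Address(administrator).packed, assigned)


def decode_ext_community(data):
    kind = {v: k for k, v in SUBTYPE.items()}[data[1]]
    if data[0] == 0x00:
        asn, num = struct.unpack("!HI", data[2:8])
        return kind, f"{asn}:{num}"
    ip, num = struct.unpack("!4sH", data[2:8])
    return kind, f"{ipaddress.IPv4Address(ip)}:{num}"


if __name__ == "__main__":
    # The slide's example: VRF route 10.1.0.0 via CE1 becomes VPN-IPv4 123.45.67.89:1:10.1.0.0, label 7
    rd = encode_rd("123.45.67.89", 1)
    nlri = encode_vpnv4_nlri(7, rd, "10.1.0.0/16")
    print(vpnv4_address(rd, "10.1.0.0/16"), nlri.hex())
    print(decode_vpnv4_nlri(nlri))
    # The same prefix from customer B under RD :2 is a different NLRI, so BGP keeps both
    print(encode_vpnv4_nlri(9, encode_rd("123.45.67.89", 2), "10.1.0.0/16") != nlri)
    print(decode_ext_community(encode_ext_community("rt", 65000, 100)))   # assumed RT for "Green"
```

    The length byte of the NLRI counts the label and RD bits as well as the prefix bits (24 + 64 + 16 = 104 for a /16), which is why a plain IPv4 BGP speaker cannot parse these routes and why two customers' 10.1.0.0/16 never collide: the 8-byte RD is part of the key BGP compares.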

  • [Figure: the VRF / RD / route-target diagram from above, repeated.]

  • (1) The PE learns IPv4 routes from the CE via EBGP, RIPv2 or static routing. [Figure: PE-1 and PE-2 across the VPN backbone (IGP, P routers); CE-1 at PE-1, CE-2 at PE-2; CE-1 sends a BGP/OSPF/RIPv2 update: Net1, Next-Hop = CE-1.]

  • (2) The PE converts the route to VPN-IPv4: it prepends the RD, attaches the SOO and RT, sets the Next-Hop to itself, stores the route in the VRF and advertises it over MP-iBGP: VPN-IPv4 update: RD:Net1, SOO = Site1, RT = Green, Next-hop = PE-1, Label = (intCE1).

  • (3) The receiving PE (PE-2) converts the MP-BGP route back to IPv4 and installs it in the VRF(s) whose import policy matches the RT; from there it is advertised to CE-2 as an IPv4 update: Net1.

  • On the receiving PE, BGP picks the VRF(s) a route is installed in by its Extended Community (RT). The VPN label and the next hop stay with the route in the VRF, so that when forwarding out of that VRF the PE can build the MPLS label stack.


  • [Figure: one VPN (RT = Blue) with three sites; networks N1, N2, N3 sit behind CE1, CE2, CE3, attached to PE1, PE2, PE3.]

    VPN-IPv4 routes exchanged between the PEs: RD:N1, NH=PE1, Label=IntCE1, RT=Blue; RD:N2, NH=PE2, Label=IntCE2, RT=Blue; RD:N3, NH=PE3, Label=IntCE3, RT=Blue

    VRF site-1 (PE1): N1 NH=CE1; N2 NH=PE2; N3 NH=PE3
    VRF site-2 (PE2): N1 NH=PE1; N2 NH=CE2; N3 NH=PE3
    VRF site-3 (PE3): N1 NH=PE1; N2 NH=PE2; N3 NH=CE3

    Routing table CE1 (EBGP/RIP/Static with PE1): N1 local; N2 via PE1; N3 via PE1
    Routing table CE2: N1 via PE2; N2 local; N3 via PE2
    Routing table CE3 (EBGP/RIP/Static with PE3): N1 via PE3; N2 via PE3; N3 local

  • Forwarding: PE1 receives an IP packet from CE1, looks the destination up in the VRF and finds the BGP route with its VPN label; the route's BGP Next-Hop (PE2) is resolved in the global table, which gives the IGP label for PE2. The packet leaves PE1 with the stack [IGP label (PE2)] [VPN label] [IP packet]; P1 and P2 switch on the IGP label; PE2 removes the VPN label, which selects the VRF and the outgoing interface towards the CE of the destination site.
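    To make steps (1) to (3) and the forwarding step concrete, here is an added Python simulation written for this page (not code from the deck or from any router vendor). Two PEs each hold a VRF for customer A (RT 65000:100, standing in for "Green") and customer B (RT 65000:200); both customers use 10.1.0.0/16. The PE loopbacks, CE addresses, RDs, RTs and the IGP labels in IGP_LABELS are constructed assumptions, and the model allocates one VPN label per (VRF, CE) to mirror the slide's Label=(intCE1).

```python
"""A BGP/MPLS VPN in miniature: PEs export VRF routes as VPN-IPv4 (RD + prefix) with a
VPN label and route-target, import them by RT, and forward with a two-label stack."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VpnRoute:
    rd: str             # route distinguisher: keeps overlapping customer prefixes apart in BGP
    prefix: str
    next_hop: str       # loopback of the exporting PE (BGP next hop)
    vpn_label: int      # inner label the exporting PE wants back on packets for this route
    rts: frozenset      # route-target extended communities

    @property
    def vpnv4(self):
        return f"{self.rd}:{self.prefix}"    # the VPN-IPv4 address BGP keys the route by


@dataclass
class Vrf:
    rd: str
    export_rt: frozenset
    import_rt: frozenset
    ce_routes: dict = field(default_factory=dict)   # prefix -> CE next hop (learned from the CE)
    table: dict = field(default_factory=dict)       # prefix -> (next hop, VPN label or None)


class PE:
    def __init__(self, loopback):
        self.loopback, self.vrfs = loopback, {}
        self.labels, self.label_map = {}, {}    # (vrf, CE) -> label, label -> (vrf, CE)
        self.next_label = 16                    # labels 0-15 are reserved

    def add_vrf(self, name, rd, export_rt, import_rt):
        self.vrfs[name] = Vrf(rd, frozenset(export_rt), frozenset(import_rt))

    def learn_from_ce(self, vrf, prefix, ce):
        """Step 1: a plain IPv4 route from the CE (static/RIPv2/eBGP) goes into that VRF only."""
        self.vrfs[vrf].ce_routes[prefix] = ce
        self.vrfs[vrf].table[prefix] = (ce, None)

    def export(self):
        """Step 2: prepend the RD, attach the export RTs, set next hop to self, bind a label."""
        routes = []
        for name, vrf in self.vrfs.items():
            for prefix, ce in vrf.ce_routes.items():
                key = (name, ce)
                if key not in self.labels:           # one label per (VRF, CE), like Label=(intCE1)
                    self.labels[key], self.label_map[self.next_label] = self.next_label, key
                    self.next_label += 1
                routes.append(VpnRoute(vrf.rd, prefix, self.loopback, self.labels[key], vrf.export_rt))
        return routes

    def import_routes(self, routes):
        """Step 3: a route lands in every local VRF whose import RTs intersect the route's RTs."""
        for r in routes:
            if r.next_hop != self.loopback:
                for vrf in self.vrfs.values():
                    if r.rts & vrf.import_rt:
                        vrf.table[r.prefix] = (r.next_hop, r.vpn_label)

    def forward(self, vrf, dst, igp_labels):
        """Ingress PE: longest match in the VRF; remote destinations get [IGP label, VPN label]."""
        table, addr = self.vrfs[vrf].table, ipaddress.IPv4Address(dst)
        hits = [n for n in (ipaddress.IPv4Network(p) for p in table) if addr in n]
        if not hits:
            return None
        nh, label = table[str(max(hits, key=lambda n: n.prefixlen))]
        return ("ce", nh) if label is None else ("mpls", [igp_labels[nh], label])

    def receive(self, labels):
        """Egress PE after penultimate-hop pop: only the VPN label is left and it selects VRF and CE.
        A label this PE never handed out (spoofed or stale) has no binding, so the packet is dropped."""
        return self.label_map.get(labels[0]) if len(labels) == 1 else None


IGP_LABELS = {"10.0.0.1": 100, "10.0.0.2": 200}   # constructed: LDP label for each PE loopback


def build_scenario():
    """Constructed topology: PE1 and PE2; VPN A (RT 65000:100) and VPN B (RT 65000:200) both use 10.1.0.0/16."""
    pe1, pe2 = PE("10.0.0.1"), PE("10.0.0.2")
    for pe in (pe1, pe2):
        pe.add_vrf("A", "65000:1", {"65000:100"}, {"65000:100"})
        pe.add_vrf("B", "65000:2", {"65000:200"}, {"65000:200"})
    pe1.learn_from_ce("A", "10.1.0.0/16", "192.168.1.2")     # CE1, customer A
    pe1.learn_from_ce("B", "10.1.0.0/16", "192.168.2.2")     # CE2, customer B, same RFC 1918 range
    pe2.learn_from_ce("A", "172.16.0.0/16", "192.168.3.2")   # CE3, customer A
    advertised = pe1.export() + pe2.export()                 # MP-iBGP between the PEs
    pe1.import_routes(advertised)
    pe2.import_routes(advertised)
    return pe1, pe2, advertised


if __name__ == "__main__":
    pe1, pe2, adv = build_scenario()
    print(sorted(r.vpnv4 for r in adv))                # two distinct NLRIs for the same 10.1.0.0/16
    print(pe2.forward("A", "10.1.5.5", IGP_LABELS))    # ('mpls', [100, 16]) -> customer A's CE1
    print(pe2.forward("B", "10.1.5.5", IGP_LABELS))    # ('mpls', [100, 17]) -> customer B's CE2
    print(pe1.receive([17]), pe1.receive([999]))       # ('B', '192.168.2.2') None
```

    The RD is what lets the two 10.1.0.0/16 routes coexist in MP-BGP, the RT is what decides which VRF imports each of them, and the VPN label is what keeps them apart on the wire: PE2 sends the same IP destination with label 16 or 17 depending on the VRF, and PE1 needs nothing but that label to pick the right customer. A labelled packet carrying a label PE1 never allocated has no binding and is dropped, which is why the slides insist the PE must not accept labels on CE-facing interfaces.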

  • Address separation: in an MPLS VPN the customer does not see the addresses of the provider core. Only when a dynamic routing protocol such as BGP runs between CE and PE does the CE learn one PE address, and traceroute from inside the VPN can be prevented from revealing the core hops.

  • [Figure: "Is MPLS VPN secure?" over the reference topology: CE routers of customer A and customer B attach to the same PE (MPLS LER); a CE sees only the PE address and its own VPN.]

  • Routing separation in MPLS VPN: the only provider address visible inside a VPN is the PE's address on the WAN link to the CE, and each VPN's routes stay in its own VRF. From inside a VPN the PE itself is therefore reachable.

  • [Figure: attack surface seen from customer A's CE: its own VPN and the address of the PE (LER) facing it are reachable; customer B's CEs, the other LER and the LSR core are not.]

  • Attacks on an MPLS VPN: from inside a VPN the MPLS core (P routers, LSRs) cannot be addressed at all; the provider element that can be attacked is the PE.

  • Attacking the PE: a DoS attack against the PE consumes resources (CPU, memory) shared by all VPNs on that PE; compromising the PE gives access to other VPNs.

    The PE is protected with the same measures an ISP applies to any of its routers.

  • Protecting the PE: access-lists on the PE deny telnet to the PE from the CE; the number of routes accepted into a VRF is limited; BGP sessions with CEs use prefix limits and route dampening.

  • Attacks on MPLS signalling: can LDP/RSVP be attacked (from the IP side) to inject or spoof labels?

  • Label switching is not enabled on the CE-PE interface: it carries plain IP, so the PE router accepts no labels or LDP from the CE. LDP sessions between PE and P routers are authenticated with MD5.

  • MPLS VPN security (speaker notes)

    We've seen how Frame Relay and ATM handle security; now what about MPLS VPNs? This was the purpose of the Miercom test.

    You've seen diagrams like this throughout the day: a simple MPLS network with multiple customers connected to the same PE. Scalability and functionality have been covered; now we talk about the security of an MPLS VPN. The question arises: are MPLS VPNs as secure as Frame Relay and ATM?

    Every VRF has its own routing table on the PE; the routing tables are separate, and the core's routes are kept separate from the customers'. The interface to a VPN is BGP (from the core's perspective): you either route statically to an interface or run a dynamic routing protocol. With a dynamic routing protocol running, the customer will see an address that is on the PE. Traceroute can be turned off in the core so it doesn't show up as a hop.

    CEs can see all interfaces in their VRF (including WAN connections), if routing is set up properly. There is no cross-VPN visibility and no visibility into anything not specifically placed in the VRF.

    Two ways to get an address to attack on the PE: a numbered WAN link, or a dynamic routing protocol (neighbor or peer ID). If you don't want to expose an address, you must do static routing to an unnumbered interface. You can't stop an attack from inside a VPN from hurting that VPN itself; the same applies to Frame Relay and ATM.

    The diagram shows what can and can't be attacked in an MPLS VPN network:
    - Other VPNs can't be attacked: traffic isolation.
    - The core can't be attacked using the core's address space (address separation).
    - The PE can be attacked with an address in the VRF. With access to the PE, access to other VPNs; kill the PE, and the other VPNs are hurt.
    - Attack the PE router to deny other VPNs resources (the PE shares memory and processor among all VPNs attached to it).
    - Attack the PE router to gain access to other VPNs.
    - Attack MPLS signalling to try to spoof a label.

    The following kinds of attacks: intrusion attacks (unauthorized access); DoS attacks (routing updates).

    MPLS handles intrusion attacks the same way an ISP handles them: deny telnet access from the CE. Another DoS attack would be to flood the PE with routing updates, using up system resources to process them; this could affect other VPNs by consuming processing and memory. Mitigations: VRF route limits cap the total number of routes accepted into a VRF (the remaining routes are dropped); BGP route dampening prevents route flapping on BGP-learned routes; prefix limits cap the number of routes accepted from a BGP peer before the session is brought down.

    The other way to attack an MPLS VPN is to attack the signalling: TDP (Cisco) or the LDP standard. TDP and LDP establish neighbor relationships before they exchange labels, and label switching must be enabled on the interface for the relationship to come up. Is there any way to spoof labels?
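    As an added example that is not part of the deck: an audit script, written for this page in Python, that checks an IOS-style PE configuration for the controls the slides and notes name: a VRF route limit, a per-peer prefix limit, BGP dampening, no label switching and an inbound ACL on CE-facing interfaces, an MD5 password on LDP neighbors, and no TTL propagation so core hops stay out of customer traceroutes. Both embedded configurations are constructed and trimmed to the commands the audit looks at (route-targets, loopbacks and the CE-IN ACL body are omitted); the addresses, AS numbers, the ACL name CE-IN and the LDP password are assumptions.

```python
"""Audit an IOS-style PE config for the MPLS VPN hardening the slides list: VRF route limit,
per-peer prefix limit, dampening, plain-IP filtered CE interfaces, LDP MD5, hidden core hops."""
import re


def parse_blocks(config):
    """Split an indentation-structured config into (top-level command, [child commands]) pairs."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw.startswith(" "):
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks


def audit_pe_config(config):
    """Return one finding per missing or dangerous setting; an empty list means clean."""
    findings, blocks = [], parse_blocks(config)
    top = {hdr for hdr, _ in blocks}
    for hdr, body in blocks:
        if hdr.startswith("ip vrf "):
            if not any(c.startswith("maximum routes ") for c in body):
                findings.append(f"{hdr}: no 'maximum routes' (a route flood from a CE exhausts PE memory)")
        elif hdr.startswith("interface ") and any(c.startswith("ip vrf forwarding ") for c in body):
            if "mpls ip" in body:
                findings.append(f"{hdr}: 'mpls ip' on a CE-facing interface (labels/LDP accepted from the customer)")
            if not any(re.fullmatch(r"ip access-group \S+ in", c) for c in body):
                findings.append(f"{hdr}: no inbound ACL (the CE can telnet/SSH to the PE's VRF address)")
        elif hdr.startswith("router bgp "):
            af, peers, limited, damped = None, {}, {}, set()
            for c in body:
                if c.startswith("address-family ipv4 vrf "):
                    af = c.split()[3]
                    for d in (peers, limited):
                        d.setdefault(af, set())
                elif c == "exit-address-family":
                    af = None
                elif af and c == "bgp dampening":
                    damped.add(af)
                elif af and (m := re.match(r"neighbor (\S+) (remote-as|maximum-prefix)", c)):
                    (peers if m[2] == "remote-as" else limited)[af].add(m[1])
            for af, nbrs in peers.items():
                for n in sorted(nbrs - limited[af]):
                    findings.append(f"vrf {af}: neighbor {n} has no 'maximum-prefix' (session survives a route flood)")
                if af not in damped:
                    findings.append(f"vrf {af}: no 'bgp dampening' (flapping CE routes churn MP-BGP)")
    if any("mpls ip" in body for _, body in blocks) and not any(
            h.startswith("mpls ldp neighbor ") and " password " in h for h in top):
        findings.append("LDP: no MD5 password on LDP neighbors (label signalling can be spoofed)")
    if "no mpls ip propagate-ttl" not in top:
        findings.append("core: TTL propagated into the label stack (P routers show up in customer traceroute)")
    return findings


# Constructed sample configs, not from the deck: PE Gi0/0 faces CE1 (192.168.1.2, AS 65001) in VRF
# GREEN, Gi0/1 faces P1 (LSR-ID 10.0.0.2), 10.0.0.9 is the remote PE; CE-IN is defined elsewhere.
WEAK_CONFIG = """\
ip vrf GREEN
 rd 65000:1
interface GigabitEthernet0/0
 ip vrf forwarding GREEN
 ip address 192.168.1.1 255.255.255.252
 mpls ip
router bgp 65000
 neighbor 10.0.0.9 remote-as 65000
 address-family ipv4 vrf GREEN
  neighbor 192.168.1.2 remote-as 65001
  neighbor 192.168.1.2 activate
 exit-address-family
"""

HARDENED_CONFIG = """\
no mpls ip propagate-ttl
mpls ldp neighbor 10.0.0.2 password S3cret-LDP
ip vrf GREEN
 rd 65000:1
 maximum routes 1000 80
interface GigabitEthernet0/0
 ip vrf forwarding GREEN
 ip address 192.168.1.1 255.255.255.252
 ip access-group CE-IN in
interface GigabitEthernet0/1
 mpls ip
router bgp 65000
 neighbor 10.0.0.9 remote-as 65000
 address-family ipv4 vrf GREEN
  neighbor 192.168.1.2 remote-as 65001
  neighbor 192.168.1.2 activate
  neighbor 192.168.1.2 maximum-prefix 100 80
  bgp dampening
 exit-address-family
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_pe_config(cfg) or ["clean"])
```

    The two limits in the hardened config behave differently, which is the distinction the notes draw: `maximum routes 1000 80` warns at 80 % and stops installing routes into the VRF at 1000, so a misbehaving customer only loses its own routes, while `neighbor ... maximum-prefix 100 80` tears down that CE's BGP session once it exceeds 100 prefixes. The audit flags `mpls ip` on a VRF interface because a CE that can hand the PE labels or an LDP session is exactly the label-spoofing path the last slide asks about.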
