Agenda
❖ Introduction
❖ MPLS Technology Basics
❖ MPLS Concept
❖ MPLS LDP
❖ MPLS Traffic Engineering
❖ MPLS L3VPN
❖ MPLS L2VPN
Agenda
❖ MPLS in ISP
❖ Introduce MPLS Security
❖ Security Threats
❖ Defensive techniques
❖ MPLS Security Best Practice
What is MPLS?
Definition
Timeline figure (1997 to 2015): Cisco ships MPLS; first L3VPNs deployed; first MPLS TE deployments; first L2VPN deployments; first LSM deployments; first MPLS TP deployments; first PBB-EVPN deployments; first Segment Routing deployments (planned); L3VPN, MPLS TE and L2VPN are each later marked as reaching large-scale deployment.
MPLS Technology Basics
Basics of MPLS signaling and forwarding operations
Architecture figure: MPLS Forwarding at the base; IP/MPLS control plane (LDP/RSVP-TE/BGP/OSPF/IS-IS); MPLS OAM; MPLS Traffic Engineering; Transport.
MPLS Reference Architecture
Figure: reference topology PE - P - P - PE.
MPLS Labels
• MPLS core routers swap labels and forward packets based on simple label lookups.
• MPLS edge routers also perform a routing table lookup, and add or remove labels.
Introducing MPLS Labels and Label Stacks
MPLS Labels
MPLS uses a 32-bit label field that contains the following:
• 20-bit label (a number)
• 3-bit experimental field (typically used to carry IP precedence value)
• 1-bit bottom-of-stack indicator (indicates whether this is the last label before the IP header)
• 8-bit TTL (equal to the TTL in the IP header)
MPLS Labels
• The outer label is used for switching the packet in the MPLS network (points to the TE destination).
• Inner labels are used to separate packets at egress points (points to egress router and identifies VPN).
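As an added example (not part of the original slides), the Python below encodes and decodes label stack entries in the 32-bit layout just described and walks a stack until the bottom-of-stack bit; the function names, sample labels and payload bytes are constructed here.

```python
# Added example: MPLS label stack entry codec for the 32-bit layout above
# (20-bit label, 3-bit EXP, 1-bit bottom-of-stack, 8-bit TTL).
# Sample labels and payload bytes are constructed, not taken from the slides.
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class LabelEntry:
    label: int   # 20-bit label value
    exp: int     # 3-bit experimental (traffic class) field
    bos: bool    # bottom-of-stack: last label before the IP header
    ttl: int     # 8-bit time to live


def encode_entry(e: LabelEntry) -> bytes:
    """Pack one entry: label in bits 31..12, EXP 11..9, S bit 8, TTL 7..0."""
    if not (0 <= e.label < 1 << 20 and 0 <= e.exp < 8 and 0 <= e.ttl < 256):
        raise ValueError("label stack field out of range")
    word = (e.label << 12) | (e.exp << 9) | (int(e.bos) << 8) | e.ttl
    return struct.pack("!I", word)


def encode_stack(labels: List[Tuple[int, int, int]]) -> bytes:
    """Encode (label, exp, ttl) tuples outermost first; only the last gets S=1."""
    last = len(labels) - 1
    return b"".join(
        encode_entry(LabelEntry(lbl, exp, i == last, ttl))
        for i, (lbl, exp, ttl) in enumerate(labels)
    )


def decode_stack(data: bytes) -> Tuple[List[LabelEntry], bytes]:
    """Walk entries until the S bit is set; return (entries, remaining payload).
    Raises ValueError if the data ends before a bottom-of-stack entry."""
    entries: List[LabelEntry] = []
    offset = 0
    while True:
        if len(data) - offset < 4:
            raise ValueError("truncated label stack: no bottom-of-stack entry")
        (word,) = struct.unpack_from("!I", data, offset)
        offset += 4
        entry = LabelEntry(label=word >> 12, exp=(word >> 9) & 0x7,
                           bos=bool((word >> 8) & 0x1), ttl=word & 0xFF)
        entries.append(entry)
        if entry.bos:
            return entries, data[offset:]


def stack_roles(entries: List[LabelEntry]) -> Tuple[int, Optional[int]]:
    """Outer label switches the packet through the core; the innermost label
    (when a second one is present) identifies the VPN at the egress PE."""
    outer = entries[0].label
    inner = entries[-1].label if len(entries) > 1 else None
    return outer, inner


def is_well_formed(data: bytes) -> bool:
    """True when a bottom-of-stack entry is found before the data runs out."""
    try:
        decode_stack(data)
        return True
    except ValueError:
        return False
```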
MPLS LDP
Discovering LDP Neighbors
• The label forwarding information base (LFIB) on an LSR does not contain an incoming interface.
• The same label can be used on any interface and is announced to all adjacent LSRs.
• The label is announced to adjacent LSRs only once and can be used on any link.
• Per-platform label space is less secure than per-interface label space.
Negotiating Label Space
LDP relies on the loop detection mechanisms built into the IGPs that are used to determine the path.
If, however, a loop is generated (for example, through misconfiguration with static routes), the TTL field in the label header is used to prevent indefinite looping of packets.
TTL functionality in the label header is equivalent to TTL in the IP header.
TTL is usually copied from the IP header to the label header (TTL propagation).
Normal TTL Operation
TTL and Loop Detection
Steady-State Operation Description
Link Failure Actions
Routing Protocol Convergence
MPLS Convergence
MPLS Convergence After a Link Failure
Figure: MPLS TE building blocks on an IP/MPLS network: link information distribution (OSPF-TE); path calculation (CSPF); path setup (RSVP-TE); forwarding traffic down the tunnel via auto-route (announce / destinations), static route, PBR, PBTS / CBTS, forwarding adjacency or pseudowire tunnel select; TE LSP roles mid-point and tail end.
TE Tunnel Attributes
• Head end
• Unidirectional
• Destination: tail TE RID
• Priority / Preemption (Setup and Hold)
• Attributes / Affinity
• Bandwidth / Loadshare
• Local Protection
• Path Options (Explicit / Dynamic)
Link Information Distribution
• IS-IS or OSPF flood link information
• Additional link characteristics:
  interface address
  neighbor address
  maximum reservable bandwidth
  unreserved bandwidth (at eight priorities)
  TE metric (administrative weight)
  attribute flags
• All TE nodes build a TE topology database (TED)
• Not required if using off-line path computation
Path Calculation
• TE nodes can perform constraint-based routing
• Tunnel head end generally responsible for path calculation
• Constraints and topology database used as
Figure: find the shortest path from R1 to R8 with 80 Mbps on an IP/MPLS topology whose link bandwidths are 150, 50, 200, 100, 100, 100 and 80.
Head end
Traffic enters tunnel at head end
Multiple traffic selection options
• Auto-route (announce / destination)
• Static routes
• Policy Based Routing
• Forward Adjacency
• Pseudowire Tunnel Selection
• Policy / Class Based Tunnel Selection
• PSTS / SPP
• Tunnel path computation independent of routing decision injecting traffic into tunnel
Point-to-Multipoint (P2MP)TE LSP
• Unidirectional
• Explicitly routed
P2MP TE LSP Terminology
• Head end: node where LSP signaling is initiated
• Mid-point: transit node where LSP signaling is processed (not a head-end, not a tail-end)
• Tail-end/Leaf/destination: node where LSP signaling ends
• Branch point: node where packet replication is performed
• Source-to-leaf (S2L) sub-LSP: P2MP TE LSP segment that runs from source to one leaf
Figure: P2MP TE LSP across IP/MPLS with a head end, mid-points, a node that is both mid-point and branch point, and S2L sub-LSPs to each leaf.
P2MP TE LSP Path Computation
Figure: labels signaled by RESV messages at a branch point (L=16 upstream, L=18 on one downstream branch); the resulting entry maps input label 16 to output label 17 on interface 0 and output label 18 on interface 1.
MPLS TE Use Cases
Figure: Bandwidth Optimization use cases, strategic / planned versus tactical / reactive, shown on an IP/MPLS topology with R1, R2, R3, R4 and R8.
MPLS TE Integration with Network Services
A TE LSP provides transport for different network services
Figure: CEs attached to PEs over ATM and Ethernet; the PEs are connected across the IP/MPLS core by a primary TE LSP and a backup TE LSP.
FRR Link Protection Operation
• Pre-signalled backup tunnel
• Backup terminates on Merge Point (MP) where traffic re-joins primary
• Restoration time expected under ~50 ms
Figure: primary TE LSP with labels 16 and 22, backup TE LSP via R3 with label 25, R5 downstream; LFIB update at the point of local repair.
FRR Node Protection Operation
• Requires pre-signalled next-next-hop (NNHOP) backup tunnel
• Point of Local Repair (PLR) swaps next-hop label and pushes backup label
• Backup terminates on Merge Point (MP) where traffic re-joins primary
• Restoration time depends on failure detection time / mechanism
Figure: primary TE LSP R1 - R2 - R4 - R6 - R7 with labels 16, 22, 36; backup TE LSP via R3 and R5 carrying backup label 25 over label 36.
Bidirectional Forwarding Detection
Trigger for FRR
• FRR relies on quick PLR failure detection
• Some failures may not produce loss
Figure: BFD session between R1 and R8 along the primary TE LSP, with a backup TE LSP.
Bandwidth Protection
• Node-protection flag
Figure: primary TE LSP and backup TE LSP.
AutoTunnel: Primary Tunnels
What’s the Problem?
• FRR can protect TE traffic
Figure: R1 with a primary TE LSP and a backup TE LSP across the IP/MPLS core.
AutoTunnel: Primary Tunnels
What’s the Solution?
• Create protected one-hop tunnels on all TE links
• Forward all traffic through a one-hop protected primary TE tunnel
• Tunnel interfaces not shown on router configuration
• Configure desired backup tunnels (manually or automatically)
Figure: R1, R2 and R8 across the IP/MPLS core with primary TE LSPs on each link.
AutoTunnel: Backup Tunnels
What’s the Problem?
• MPLS FRR requires backup tunnels to be preconfigured
• Automation of backup tunnels is desirable
Figure: R1, R2 and R8 across the IP/MPLS core with primary and backup TE LSPs.
AutoTunnel: Backup Tunnels
What’s the Solution?
• Create backup tunnels automatically as needed
• Detect if a primary tunnel requires protection and is not protected
• Verify that a backup tunnel doesn't already exist
• Compute a backup path to NHOP and NNHOP excluding the protected facility
• Optionally, consider shared risk link groups during backup path computation
• Signal backup tunnels
Figure: R1, R2 and R8 across the IP/MPLS core with primary and backup TE LSPs.
Shared Risk Link Group (SRLG)
• Some links may share the same physical resource (e.g. fiber, conduit)
• AutoTunnel Backup can force or prefer exclusion of SRLG to guarantee diversely routed backup tunnels
Figure: Layer-3 topology (R1 to R5) compared with the Layer-3 plus underlying optical topology, showing where a backup TE LSP would share fate with the primary.
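As an added example (not from the slides), the Python below keeps a small constructed TE topology database, runs a constraint-based shortest-path search over it (the 80 Mbps path calculation described earlier), and then computes NHOP and NNHOP backup paths as the AutoTunnel steps above describe: excluding the protected link or node and, optionally, every link sharing an SRLG with the protected link. Router names, bandwidths, metrics, SRLG ids and function names are all assumptions made for the example.

```python
# Added example: CSPF over a constructed TED, plus NHOP/NNHOP backup path
# computation that excludes the protected facility and its SRLG members.
# Router names, bandwidths, metrics and SRLG ids are constructed.
import heapq
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# link: (end_a, end_b, unreserved_bw_mbps, te_metric, srlg_ids)
Link = Tuple[str, str, int, int, Set[int]]
TED: List[Link] = [
    ("R1", "R2", 150, 10, set()),
    ("R1", "R3", 50, 10, set()),    # too small for an 80 Mbps LSP
    ("R2", "R4", 200, 10, {7}),     # primary next-hop link, SRLG 7
    ("R2", "R3", 100, 10, {7}),     # same conduit as R2-R4 (SRLG 7)
    ("R3", "R4", 100, 10, set()),
    ("R2", "R5", 100, 10, set()),
    ("R4", "R8", 100, 10, set()),
    ("R5", "R8", 80, 30, set()),
]


def cspf(ted: List[Link], src: str, dst: str, bw: int,
         excluded_links: Set[FrozenSet[str]] = frozenset(),
         excluded_nodes: Set[str] = frozenset()) -> Optional[List[str]]:
    """Dijkstra on TE metric after pruning links that cannot carry `bw` or
    are excluded; returns the node path, or None when no path satisfies."""
    adj: Dict[str, List[Tuple[str, int]]] = {}
    for a, b, unreserved, metric, _ in ted:
        if unreserved < bw or frozenset((a, b)) in excluded_links:
            continue
        adj.setdefault(a, []).append((b, metric))
        adj.setdefault(b, []).append((a, metric))
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if u == dst:
            break
        if d > dist[u]:
            continue
        for v, metric in adj.get(u, []):
            if v in excluded_nodes or d + metric >= dist.get(v, float("inf")):
                continue
            dist[v], prev[v] = d + metric, u
            heapq.heappush(heap, (d + metric, v))
    if dst not in dist:
        return None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]


def srlg_members(ted: List[Link], link: Tuple[str, str]) -> Set[FrozenSet[str]]:
    """The protected link plus every link sharing one of its SRLG ids."""
    key = frozenset(link)
    groups = next(s for a, b, _, _, s in ted if frozenset((a, b)) == key)
    return {frozenset((a, b)) for a, b, _, _, s in ted
            if frozenset((a, b)) == key or s & groups}


def nhop_backup(ted, plr, nhop, bw, srlg_aware=True):
    """Link protection: PLR to next hop, avoiding the protected link (and its SRLG)."""
    avoid = srlg_members(ted, (plr, nhop)) if srlg_aware else {frozenset((plr, nhop))}
    return cspf(ted, plr, nhop, bw, excluded_links=avoid)


def nnhop_backup(ted, plr, protected_node, nnhop, bw):
    """Node protection: PLR to next-next hop, avoiding the protected node entirely."""
    return cspf(ted, plr, nnhop, bw, excluded_nodes={protected_node})
```

With SRLG awareness off, the R2-R4 backup is routed over R2-R3, which shares the conduit with the link it protects; with it on, the backup takes the longer R5 path.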
P2MP TE LSP Traffic Protection
Lab demo
MPLS in ISP
MPLS design in ISP
Large Network, Multi-Area IGP Design with IP/MPLS Access
MPLS design in ISP
Large Network, Inter-AS Design with IP/MPLS Access
MPLS design in ISP
Small Network, Integrated Core and Aggregation with IP/MPLS Access
MPLS Virtual Private Networks
MPLS Layer-3 Virtual Private Networks
Architecture figure: MPLS Forwarding; IP/MPLS control plane (LDP/RSVP-TE/BGP/OSPF/IS-IS); MPLS OAM.
#CLUS © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
What Is a Virtual Private Network?
• VPN policies: configured on PE routers (manual operation)
• VPN signaling: between PEs; exchange of VPN policies
• VPN traffic forwarding
• PE-CE link: connects customer network to MPLS network; either layer-2 or layer-3
Figure: CE - PE-CE link - PE - BGP Route Reflector - PE - PE-CE link - CE, with VPN policies held on the PEs and VPN signaling between them.
MPLS VPN Models
Figure: MPLS VPN models (business VPN services, network segmentation) layered over IP/MPLS (LDP/RSVP-TE/BGP/OSPF/IS-IS) with MPLS OAM.
#CLUS BRKMPL-1100 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 116
MPLS Layer-3 VPN Overview
• VPN policies
  Separation of customer routing via virtual VPN routing table (VRF)
  In PE router, customer interfaces are connected to VRFs
• VPN signaling
  Between PE routers: customer routes exchanged via BGP (MP-BGP)
• VPN traffic forwarding
  Separation of customer VPN traffic via additional VPN label
  VPN label used by receiving PE to identify VPN routing table
• PE-CE link
  Can be any type of layer-2 connection (e.g., FR, Ethernet)
  CE configured to route IP traffic to/from adjacent PE router
  Variety of routing options: static routes, eBGP, OSPF, IS-IS
Virtual Routing and Forwarding Instance
• Virtual routing and forwarding table on PE router
• Separate instance of routing (RIB) and forwarding table
• Typically, VRF created for each customer VPN
• Separates customer traffic
• VRF associated with one or more customer interfaces
• VRF has its own routing instance for PE-CE configured routing protocols (e.g., eBGP)
Figure: a PE facing the MPLS backbone with VRF Green for VPN 1 and VRF Blue for VPN 2, each attached to its own CE.
Virtual Routing and Forwarding Instance - VRF
• Logical routing context within the same PE device
• Unique to a VPN
• Allows for customer overlapping IP addresses
Deployment use cases
• Business VPN services
• Network segmentation
• Data Center access
VPN Route Distribution
Exchange of VPN Policies Among PE Routers
• Full mesh of BGP sessions among all PE routers, or BGP Route Reflector (common)
• Multi-Protocol BGP extensions (MP-iBGP) to carry VPN policies
• PE-CE routing options: static routes, eBGP, OSPF, IS-IS, EIGRP
Figure: PEs holding Blue and Red VRFs, a BGP Route Reflector between them, and PE-CE links to the CEs.
VPN Control Plane Processing
Make customer routes unique:
• Route Distinguisher (RD): 8-byte field, VRF parameter; unique value to make VPN IP routes unique
• VPNv4 address: RD + VPN IP prefix
Selectively distribute VPN routes:
• Route Target (RT): 8-byte field, VRF parameter; unique value to define the import/export rules for VPNv4 routes
• MP-iBGP: advertises VPNv4 prefixes + labels
Why an RD and VPNv4 Address?
VPNv4 iBGP Relationship
Figure: Customer B Site 1 (10.1.1.0/24, CE1) behind PE1 and Customer B Site 2 (10.2.1.0/24, CE2) behind PE2, with VRF A and VRF B on both PEs and P1 to P4 in OSPF Area 0; the prefixes are carried between the PEs as 222:1:10.1.1.0/24 and 222:1:10.2.1.0/24.
VPNv4 prefixes are the combination of a 64-bit RD and a 32-bit IPv4 prefix. VPNv4 prefixes are 96 bits in length.
Why are Route Targets Important?
VPNv4 iBGP Relationship
Figure: Customer A sites 1 to 4 (10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24, 10.1.4.0/24) attached to VRFs A to D on PE1 and PE2, with P1 to P4 in OSPF Area 0. Route Targets as shown: VRF A exports 222:1 and imports 222:1, 333:1 and 444:1; VRF B exports 111:1 and imports 111:1; VRF C exports 333:1 and imports 111:1; VRF D exports 444:1 and imports 111:1.
1. Route Targets dictate which VRF will receive what routes
Route Targets are a 64-bit value and are carried in BGP as an extended community
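As an added example (not from the slides), the Python below encodes a labelled VPNv4 NLRI the way MP-iBGP carries it (the RFC 4364 / RFC 3107 layout: length in bits, 3-byte label, 8-byte type-0 RD, prefix octets) using the 222:1:10.1.1.0/24 and 1:100:16.1.0.0 values shown on these slides, and then applies Route Target import/export rules to decide which VRF receives which routes. The hub-and-spoke VRF policy and all function names are constructed for the example.

```python
# Added example: VPNv4 NLRI encoding and Route Target import/export filtering.
# RD/RT strings use the type-0 "ASN:number" form (2-byte ASN, 4-byte number).
# The hub-and-spoke VRF table at the bottom is constructed for illustration.
import ipaddress
import struct
from typing import Dict, List, Tuple


def encode_asn_value(value: str) -> bytes:
    """'ASN:number' -> 8 bytes: type 0, 2-byte ASN, 4-byte assigned number.
    The same layout serves an RD and the value part of a type-0 RT."""
    asn, num = (int(x) for x in value.split(":"))
    return struct.pack("!HHI", 0, asn, num)


def encode_vpnv4_nlri(rd: str, prefix: str, label: int) -> bytes:
    """Labelled VPNv4 NLRI: length in bits (24 label + 64 RD + prefix length),
    3-byte label with bottom-of-stack bit set, RD, significant prefix octets."""
    net = ipaddress.IPv4Network(prefix)
    label_field = ((label << 4) | 1).to_bytes(3, "big")
    octets = net.network_address.packed[: (net.prefixlen + 7) // 8]
    return bytes([24 + 64 + net.prefixlen]) + label_field + encode_asn_value(rd) + octets


def decode_vpnv4_nlri(data: bytes) -> Tuple[str, str, int]:
    """Inverse of encode_vpnv4_nlri: returns (rd, prefix, label)."""
    plen = data[0] - 88
    label = int.from_bytes(data[1:4], "big") >> 4
    _, asn, num = struct.unpack("!HHI", data[4:12])
    octets = data[12:12 + (plen + 7) // 8].ljust(4, b"\x00")
    net = ipaddress.IPv4Network((octets, plen))
    return f"{asn}:{num}", str(net), label


# VRF policy: the RTs a VRF attaches on export and accepts on import.
VRF = Dict[str, set]
Route = Dict[str, object]  # keys: "vrf", "prefix", "rts"


def export_routes(vrfs: Dict[str, VRF], local: Dict[str, List[str]]) -> List[Route]:
    """Each VRF's locally learned prefixes are advertised in MP-iBGP tagged
    with that VRF's export RTs (carried as extended communities)."""
    return [{"vrf": name, "prefix": p, "rts": set(vrfs[name]["export"])}
            for name, prefixes in local.items() for p in prefixes]


def import_routes(vrfs: Dict[str, VRF], routes: List[Route]) -> Dict[str, List[str]]:
    """A VRF on a receiving PE installs a VPNv4 route only if at least one RT on
    the route matches its import list; a route never re-enters its origin VRF."""
    received: Dict[str, List[str]] = {name: [] for name in vrfs}
    for r in routes:
        for name, vrf in vrfs.items():
            if name != r["vrf"] and r["rts"] & vrf["import"]:
                received[name].append(r["prefix"])
    return received


# Constructed hub-and-spoke policy: spokes reach the hub but not each other.
HUB_SPOKE: Dict[str, VRF] = {
    "hub":    {"export": {"111:1"}, "import": {"222:1"}},
    "spoke1": {"export": {"222:1"}, "import": {"111:1"}},
    "spoke2": {"export": {"222:1"}, "import": {"111:1"}},
}
LOCAL_PREFIXES = {"hub": ["10.0.0.0/24"], "spoke1": ["10.1.1.0/24"], "spoke2": ["10.2.1.0/24"]}
```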
VPN Control Plane Processing
Interactions Between VRF and BGP VPN Signaling
• CE1 redistributes IPv4 route 16.1.0.0/16 to PE1 via eBGP
• PE1 allocates VPN label for prefix learnt from CE1 to create unique VPNv4 route
• BGP advertisement: VPN-IPv4 Addr = 1:100:16.1.0.0, BGP Next-Hop = PE1, Route Target = 100:1, Label=42
Figure: CE1 - PE1 - P1/P2 - PE2 - CE2, with eBGP on both PE-CE links carrying 16.1.0.0/16.
VPN Forwarding Plane Processing
Forwarding of Layer-3 MPLS VPN Packets
• CE2 forwards IPv4 packet to PE2
• PE2 imposes pre-allocated VPN label (learned via MP-iBGP) to IPv4 packet received from CE2
• PE2 imposes outer IGP label A (learned via IPv4 LDP) and forwards labeled packet to next-hop P-router P2
• P-routers P1 and P2 swap outer IGP label and forward labeled packet to PE1: A->B (P2) and B->C (P1)
• Router PE1 strips VPN label and IGP labels and forwards IPv4 packet to CE1
Figure: CE1 - PE1 - P1 - P2 - PE2 - CE2; the packet carries plain IPv4 on the PE-CE links and, hop by hop across the core, [IPv4 IGP label A | VPNv4 label | IPv4], [IPv4 IGP label B | VPNv4 label | IPv4] and [IPv4 IGP label C | VPNv4 label | IPv4].
Service Provider Deployment Scenario
Deployment Use Case
• Delivery of IP VPN services to business customers (managed VPN service or unmanaged VPN service)
Benefits
• Leverage same network for multiple services and customers (CAPEX)
• Highly scalable
• Service enablement only requires edge node configuration (OPEX)
Figure: network segments CPE, Edge, Core, Core, Edge, CPE with the VPN in the core; MPLS node roles CE (CPE), PE (Edge), P (Core).
Enterprise Deployment Scenario
Deployment Use Case
• MPLS VPNs for L3 Network Segmentation
• Segmentation of enterprise network to provide selective connectivity for specific user groups and organizations
Benefits
• Network segmentation only requires edge node configuration
• Flexible routing; different IP connectivity can be easily configured; e.g., full/partial mesh
Figure: network segments Access, Edge, Core, Core, Edge, Access with the VPN in the core; MPLS node roles CE (Access), PE (Edge), P (Core).
Data Center Deployment Scenario
MPLS VPNs terminating on DC aggregation
Deployment Use Case
• MPLS VPNs at DC edge: segmented WAN Layer-3 at Data Center edge
• Layer-3 segmentation in Data Center
Benefits
Figure: network segments Access / Top of Rack, Distribution, Core, Core, Edge; MPLS node roles CE or PE (Distribution), P or CE (Core), PE (Edge).
MPLS Layer-2 Virtual Private Networks
Topics
• L2VPN technology options
• P2P services (VPWS)
• MP2MP services (VPLS / xEVPN)
• Overview & Technology Basics
Figure: Service (Clients) Management; MPLS OAM; IP/MPLS (LDP/RSVP-TE/BGP/OSPF/IS-IS).
MPLS Layer-2 Virtual Private Networks
Technology Options
• VPWS services: point-to-point, referred to as Pseudowires (PWs)
• VPLS services: multipoint
• EVPN: multipoint with BGP-based MAC learning
• PBB-EVPN: combines scale tools from PBB (aka MAC-in-MAC) with BGP-based MAC learning from EVPN
Figure: MPLS Layer-2 VPNs split into point-to-point Layer-2 VPNs (VPWS) and multipoint-to-multipoint Layer-2 VPNs (VPLS, EVPN, PBB-EVPN).
Virtual Private Wire Services (VPWS)
Overview of Pseudowire (PW) Architecture
• Based on IETF’s Pseudo-Wire (PW) Reference Model
• Enables transport of any Layer-2 traffic over MPLS
• PE-CE link is referred to as Attachment Circuit (AC)
• Provides a p2p service
• Discovery: manual (config)
• Signaling: LDP
• Learning: none
Figure: Emulated Layer-2 Service: Pseudo-Wire 1 between PE1 and PE2 and Pseudo-Wire 2 between PE3 and PE4, each with a Layer-2 Attachment Circuit (AC) to a CE at either end.
VPWS Control Plane Processing
Signaling of a New Pseudo-Wire
(1) New Virtual Circuit (VC) cross-connect connects customer L2 interface (AC) to new PW via VC ID and remote PE ID
(2) New targeted LDP session between PE1 and PE2 is established, in case one does not already exist
(3) Label Mapping Messages
Figure: CE1 - PE1 - PE2 - CE2 with the LDP session (2) and Label Mapping Messages (3) between PE1 and PE2, and a step (4) shown at both PEs.
VPWS Forwarding Plane Processing
Forwarding of Layer-2 Traffic Over PWs
CE2 forwards L2 packet to PE2.
Virtual Private LAN Services
• VPLS network acts like a virtual switch that emulates conventional L2 bridge
• Fully meshed or Hub-Spoke topologies supported
Figure: Attachment Circuits (AC) on either side joined by Pseudo-Wires.
EVPN
Ethernet VPN
• Provides a multipoint ethernet service
BGP advertisement: L2VPN/EVPN Addr = CE1.MAC, BGP Next-Hop = PE1, Route Target = 100:1, Label=42
PBB-EVPN
• Combines Provider Backbone Bridging (MAC-in-MAC) with EVPN
• Scales better than EVPN (CE-CE MAC addresses learned in the data plane)
• Removes the need to advertise Customer MAC addresses in BGP
• Provides multipoint ethernet service
BGP advertisement: L2VPN/EVPN Addr = PE1.B-MAC, BGP Next-Hop = PE1, Route Target = 100:1, Label=42
Figure: CE1 - B-MAC - PE 1 - BGP RR - PE 3 - B-MAC - CE3.
Virtual “Private” Network
• Service isolation
• SOX
• Highly scalable
Data Center Deployment Scenario
Deployment Use Case
• VPLS for Layer-2 Data Center Interconnect (DCI) Services
Figure: Data Center sites interconnected over the MPLS core.
Lab Demo
Why is MPLS Security Important
Figure: Security rests on three legs: Implementation, Architecture / Algorithm, and Operation.
Break One, and All Security is Gone
Correct Security Analysis
• Other users whose services are provided by the same MPLS/GMPLS core
• The MPLS/GMPLS SP or persons working for it
• Other persons who obtain physical access to an MPLS/GMPLS SP’s site
• Other persons who use social engineering methods to influence the behavior of an SP's personnel
• Users of the MPLS/GMPLS network itself, e.g., intra-VPN threats
• Others, e.g., attackers from the Internet at large
• Other SPs in the case of MPLS/GMPLS inter-provider connection
• Those who create, deliver, install, and maintain software for network equipment
Attack on the Control Plane
Figure: threats against the SP’s equipment and MPLS/VPNs: DoS; LSP attack; routing protocol attack; cross connect of traffic between MPLS/VPNs; spoofing, impersonation and replay; unauthorized observation / modification / deletion.
Insertion of Non-Authentic Data Traffic: Spoofing and Replay
• Spoofing: insertion into the VPN of packets that do not belong there
• Replay: copies of once-legitimate packets that have been recorded and replayed
Denial of Service Attacks on the MPLS/VPN
Cryptographic techniques
Authentication
Access Control techniques
Use of Isolated Infrastructure
Use of Aggregated Infrastructure
Service Provider Quality Control Processes
Deployment of Testable MPLS/VPN Service
Defense Philosophy
• Privacy: traffic separation, encryption
• Authentication
• Integrity
Drawback
• Computational burden
• Complexity of the device configuration
• Incremental labor cost
• Packet lengths are typically increased: traffic load, fragmentation
Other Devices
Authentication
Prevent
• Denial-of-Service attacks
• Malicious misconfiguration
Cryptographic techniques
• shared secret keys
• one-time keys generated by accessory devices or software
• user-ID and password pairs
• public-private key systems
• do not protect against some types of denial of service attacks
Authentication
• PE to PE (can’t be employed)
• PE to CE: weaker links (pass the Internet)
• CE-to-CE (only use tunnel mode)
• Service Level Agreement (SLA) rather than analyzing the specific encryption techniques
Encryption for device configuration and management
• Secure Shell (SSH) offers protection for TELNET [STD-8] or terminal-like connections to allow device configuration
• SNMP v3 [STD62] also provides encrypted and authenticated protection for SNMP-managed devices
• Transport Layer Security (TLS) (also known as Secure Sockets Layer or SSL) [RFC-2246]
Security Considerations for MPLS Pseudowires
List of PW-specific threats
• Unauthorized setup of a PW (e.g., to gain access to a customer network)
• Unauthorized teardown of a PW (thus causing denial of service)
• Malicious reroute of a PW
• Unauthorized observation of PW packets
• Traffic analysis of PW connectivity
• Unauthorized insertion of PW packets
• Unauthorized modification of PW packets
• Unauthorized deletion of PW packets
• Replay of PW packets
• Denial of service or significant impact on PW service quality
Access Control techniques
• packet-by-packet
• packet-flow-by-packet-flow
• Filtering
• Firewalls
Separate Access Lines + CEs + PEs
• Separation: +++
• DoS resistance: +++
• Cost: $$$ (Two lines and two PEs: Expensive!)
Separate Access Lines + CEs, one PE
• Separation: +++
• DoS resistance: ++ (DoS might impact VPN on PE)
• Cost: $$$ (Two lines, but only one PE!)
Using a Single Access Line
A backbone router does not accept labeled packets over a particular data link, unless it is known that that data link attaches only to trusted systems, or unless it is known that such packets will leave the backbone before the IP header or any labels lower in the stack will be inspected, and …
Inter-AS should only be provisioned over secure, private peerings
Specifically NOT: Internet Exchange Points (anyone could send labelled packets!! No filtering possible!!)
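As an added example (not from the slides), the Python below models one LSR's ingress handling so both points above can be checked: a labeled packet is accepted only on an interface known to attach to trusted systems, and the per-platform versus per-interface label space choice (from the LDP section) decides whether a label installed for one interface also matches on another. Interface names, trust flags, label values and function names are constructed.

```python
# Added example: ingress checks of a single LSR, showing (1) the trusted-link
# rule for labeled packets and (2) per-platform vs per-interface label space.
# Interface names, trust flags and label values are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Interface:
    name: str
    trusted: bool  # link attaches only to trusted systems (backbone / private peering)


@dataclass
class LSR:
    label_space: str  # "per-platform" or "per-interface"
    interfaces: Dict[str, Interface]
    lfib: Dict[object, Tuple[str, int]] = field(default_factory=dict)
    log: List[Tuple[str, int, str]] = field(default_factory=list)

    def _key(self, in_if: str, in_label: int):
        # per-platform: one label space shared by all interfaces, so the LFIB key
        # is the label alone; per-interface: the key includes the arrival interface.
        return in_label if self.label_space == "per-platform" else (in_if, in_label)

    def install(self, in_if: str, in_label: int, out_if: str, out_label: int) -> None:
        """Bind an incoming label (advertised to the neighbor on in_if) to its swap."""
        self.lfib[self._key(in_if, in_label)] = (out_if, out_label)

    def forward(self, in_if: str, in_label: int) -> Optional[Tuple[str, int]]:
        """Return (out_if, out_label) for a labeled packet, or None if dropped."""
        iface = self.interfaces[in_if]
        if not iface.trusted:
            # The backbone does not accept labeled packets over a link that is not
            # known to attach only to trusted systems (e.g. customer or IXP ports).
            self.log.append((in_if, in_label, "drop: labeled packet on untrusted link"))
            return None
        entry = self.lfib.get(self._key(in_if, in_label))
        if entry is None:
            self.log.append((in_if, in_label, "drop: no LFIB entry"))
            return None
        return entry


def build_lsr(label_space: str) -> LSR:
    """Constructed LSR: two core links (trusted), one customer-facing link (untrusted);
    label 16 was advertised to the neighbor on core0 and swaps to 22 towards core1."""
    lsr = LSR(label_space, {
        "core0": Interface("core0", trusted=True),
        "core1": Interface("core1", trusted=True),
        "cust0": Interface("cust0", trusted=False),
    })
    lsr.install("core0", 16, "core1", 22)
    return lsr
```

With per-platform label space the label installed for core0 is also honoured when it arrives on core1, which is why the slides call it less secure; the trusted-link check is what keeps labeled packets from cust0 out in either mode.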
Control Plane Protection
• Security depends on SP
• Employee can make mistake, or malicious misconfiguration
• Potential security hole: if PE compromised, VPNs might be insecure
• Cannot *prevent* all misconfigs
• Need to operationally control this
Operational Security