MPLS and Next-Generation Networks: Foundations for NGN and Enterprise Virtualization

The following guidelines summarize best practices for MPLS VPN security:

  • Secure the core (PE and P routers) with infrastructure access lists (ACLs) on all interfaces.

  • Use static PE-CE routing where possible, to hide topological information and to prevent route leakage out of trusted domains.

  • If static routing is not feasible, use BGP or an IGP with an authentication mechanism, such as Message Digest 5 (MD5).

  • Where possible, keep CE-PE links separate from one another, and keep Internet access separate from the customer VPN.

  • Implement Label Distribution Protocol (LDP) with authentication (MD5).

  • For each VRF, define a maximum number of routes so that traffic patterns within a VPN can be monitored proactively.

  • Use BGP maximum-prefix limits to bound the number of prefixes accepted over BGP, so that routing traffic can be controlled and monitored; an exceeded limit should result in a notification to the NOC.
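As an added illustration (not from the book), the following Python script audits an IOS-style PE configuration for four of the guidelines above: LDP MD5 authentication, a per-VRF route limit, an inbound infrastructure ACL on every interface, and an MD5 password plus a maximum-prefix on every BGP neighbor. The configuration text, the ACL name INFRA-ACL, the addresses and the passwords are constructed sample values.

```python
import re

# Constructed sample PE configuration (not from the book). It applies LDP MD5, an
# inbound infrastructure ACL and a BGP maximum-prefix, but deliberately omits the
# VRF route limit and the BGP neighbor password so the audit has findings to report.
SAMPLE_CONFIG = """\
ip vrf CUST_A
 rd 65000:1
mpls ldp neighbor 10.0.0.2 password 0 Ldp-Secret
interface GigabitEthernet0/1
 description CE-facing link to CUST_A
 ip access-group INFRA-ACL in
router bgp 65000
 address-family ipv4 vrf CUST_A
  neighbor 192.0.2.2 remote-as 65001
  neighbor 192.0.2.2 maximum-prefix 100 80
"""

def parse_blocks(config):
    """Split an IOS-style config into (header, [stripped child lines]) pairs."""
    blocks = []
    for line in config.splitlines():
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        elif line.strip() and line.strip() != "!":
            blocks.append((line.strip(), []))
    return blocks

def audit_pe_config(config):
    """Return guideline violations as 'object: missing control' strings."""
    findings = []
    blocks = parse_blocks(config)
    # LDP must carry MD5 authentication (per-neighbor password or global "required")
    if not any(re.match(r"mpls ldp (neighbor \S+ )?password", h) for h, _ in blocks):
        findings.append("ldp: no MD5 password configured")
    for header, body in blocks:
        if header.startswith("ip vrf "):  # each VRF needs a route ceiling
            if not any(l.startswith("maximum routes") for l in body):
                findings.append(f"{header}: missing 'maximum routes'")
        elif header.startswith("interface "):  # infrastructure ACL on every interface
            if not any(re.match(r"ip access-group \S+ in$", l) for l in body):
                findings.append(f"{header}: no inbound infrastructure ACL")
        elif header.startswith("router bgp "):  # every peer: MD5 password + prefix limit
            peers = sorted({l.split()[1] for l in body
                            if l.startswith("neighbor ") and " remote-as " in l})
            for peer in peers:
                for control in ("password", "maximum-prefix"):
                    if not any(l.startswith(f"neighbor {peer} {control}") for l in body):
                        findings.append(f"{header} peer {peer}: missing '{control}'")
    return findings
```

Run against SAMPLE_CONFIG, audit_pe_config returns two findings: the missing VRF route limit and the missing BGP neighbor password.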

For Inter-AS implementations, start with a back-to-back VRF implementation (static VPN connections), because it is the easiest way to begin. Later, once multiple Inter-AS customers are deployed, you can migrate to the second option to benefit from its ease of provisioning. Deploy the third option only when both ASes are under the same administrative and trust zones.

Note

For both CsC and Inter-AS deployments, implement them only over private peerings, because of the vulnerabilities described in the LAN subsection.

For Inter-AS and CsC (where labeled packets are exchanged), do NOT use a shared VLAN.

Best recommendation: Dedicated connection

Second best recommendation: Dedicated VLAN

Figures 7-6 and 7-7 summarize best practice security recommendations for the deployment of MPLS.

Figure 7-6. Best Practice Security Overview

Figure 7-7. Securing the MPLS Core
