1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
|
<pre>Internet Engineering Task Force (IETF) L. Fang, Ed.
Request for Comments: 6941 Cisco
Category: Informational B. Niven-Jenkins, Ed.
ISSN: 2070-1721 Velocix
S. Mansfield, Ed.
Ericsson
R. Graveman, Ed.
RFG Security
April 2013
<span class="h1">MPLS Transport Profile (MPLS-TP) Security Framework</span>
Abstract
This document provides a security framework for the MPLS Transport
Profile (MPLS-TP). MPLS-TP extends MPLS technologies and introduces
new Operations, Administration, and Maintenance (OAM) capabilities, a
transport-oriented path protection mechanism, and strong emphasis on
static provisioning supported by network management systems. This
document addresses the security aspects relevant in the context of
MPLS-TP specifically. It describes potential security threats as
well as mitigation procedures related to MPLS-TP networks and to
MPLS-TP interconnection to other MPLS and GMPLS networks. This
document is built on <a href="./rfc5920">RFC 5920</a> ("Security Framework for MPLS and GMPLS
Networks") by providing additional security considerations that are
applicable to the MPLS-TP extensions. All the security
considerations from <a href="./rfc5920">RFC 5920</a> are assumed to apply.
This document is a product of a joint Internet Engineering Task Force
(IETF) / International Telecommunication Union Telecommunication
Standardization Sector (ITU-T) effort to include an MPLS Transport
Profile within the IETF MPLS and Pseudowire Emulation Edge-to-Edge
(PWE3) architectures to support the capabilities and functionality of
a packet transport network.
<span class="grey">Fang, et al. Informational [Page 1]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span>
<span class="grey"><a href="./rfc6941">RFC 6941</a> MPLS-TP Security Framework April 2013</span>
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are a candidate for any level of Internet
Standard; see <a href="./rfc5741#section-2">Section 2 of RFC 5741</a>.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
<a href="http://www.rfc-editor.org/info/rfc6941">http://www.rfc-editor.org/info/rfc6941</a>.
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a> and the IETF Trust's Legal
Provisions Relating to IETF Documents
(<a href="http://trustee.ietf.org/license-info">http://trustee.ietf.org/license-info</a>) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
<a href="#section-1">1</a>. Introduction ....................................................<a href="#page-3">3</a>
<a href="#section-1.1">1.1</a>. Terminology ................................................<a href="#page-3">3</a>
<a href="#section-2">2</a>. Security Reference Models .......................................<a href="#page-4">4</a>
<a href="#section-2.1">2.1</a>. Security Reference Model 1 .................................<a href="#page-5">5</a>
<a href="#section-2.2">2.2</a>. Security Reference Model 2 .................................<a href="#page-6">6</a>
<a href="#section-3">3</a>. Security Threats ................................................<a href="#page-9">9</a>
<a href="#section-4">4</a>. Defensive Techniques ...........................................<a href="#page-10">10</a>
<a href="#section-5">5</a>. Security Considerations ........................................<a href="#page-12">12</a>
<a href="#section-6">6</a>. Acknowledgements ...............................................<a href="#page-13">13</a>
<a href="#section-7">7</a>. References .....................................................<a href="#page-13">13</a>
<a href="#section-7.1">7.1</a>. Normative References ......................................<a href="#page-13">13</a>
<a href="#section-7.2">7.2</a>. Informative References ....................................<a href="#page-13">13</a>
Contributors ......................................................<a href="#page-14">14</a>
<span class="grey">Fang, et al. Informational [Page 2]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-3" ></span>
<span class="grey"><a href="./rfc6941">RFC 6941</a> MPLS-TP Security Framework April 2013</span>
<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Introduction</span>
This document provides a security framework for the MPLS Transport
Profile (MPLS-TP).
As defined in "Requirements of an MPLS Transport Profile" [<a href="./rfc5654" title=""Requirements of an MPLS Transport Profile"">RFC5654</a>]
and "A Framework for MPLS in Transport Networks" [<a href="./rfc5921" title=""A Framework for MPLS in Transport Networks"">RFC5921</a>], MPLS-TP
uses a subset of MPLS features and introduces extensions to reflect
the characteristics of the transport technology. The additional
functionality includes in-band OAM, transport-oriented path
protection and recovery mechanisms, and new OAM capabilities that
were developed for MPLS-TP but that also apply to MPLS and GMPLS.
There is strong emphasis in MPLS-TP on static provisioning support
through Network Management Systems (NMSs) or Operational Support
Systems (OSSs).
This document is built on [<a href="./rfc5920" title=""Security Framework for MPLS and GMPLS Networks"">RFC5920</a>] by providing additional security
considerations that are applicable to the MPLS-TP extensions. The
security models, threats, and defense techniques previously defined
in [<a href="./rfc5920" title=""Security Framework for MPLS and GMPLS Networks"">RFC5920</a>] are assumed to apply to general aspects of MPLS-TP.
This document is a product of a joint Internet Engineering Task Force
(IETF) / International Telecommunication Union Telecommunication
Standardization Sector (ITU-T) effort to include an MPLS Transport
Profile within the IETF MPLS and PWE3 architectures to support the
capabilities and functionality of a packet transport network.
Readers can refer to [<a href="./rfc5654" title=""Requirements of an MPLS Transport Profile"">RFC5654</a>] and [<a href="./rfc5921" title=""A Framework for MPLS in Transport Networks"">RFC5921</a>] for MPLS-TP
terminologies and to [<a href="./rfc5920" title=""Security Framework for MPLS and GMPLS Networks"">RFC5920</a>] for security terminologies that are
relevant to MPLS and GMPLS.
<span class="h3"><a class="selflink" id="section-1.1" href="#section-1.1">1.1</a>. Terminology</span>
Term Definition
------ -----------------------------------------------
AC Attachment Circuit
BFD Bidirectional Forwarding Detection
CE Customer Edge
DoS Denial of Service
G-ACh Generic Associated Channel
GAL G-ACh Label
GMPLS Generalized Multiprotocol Label Switching
IP Internet Protocol
LDP Label Distribution Protocol
LSP Label Switched Path
NMS Network Management System
MPLS Multiprotocol Label Switching
MPLS-TP MPLS Transport Profile
<span class="grey">Fang, et al. Informational [Page 3]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-4" ></span>
<span class="grey"><a href="./rfc6941">RFC 6941</a> MPLS-TP Security Framework April 2013</span>
MS-PW Multi-Segment Pseudowire
OAM Operations, Administration, and Maintenance
PE Provider Edge
PSN Packet-Switched Network
PW Pseudowire
S-PE PW Switching Provider Edge
SP Service Provider
SS-PW Single-Segment Pseudowire
T-PE PW Terminating Provider Edge
<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. Security Reference Models</span>
This section defines reference models for security in MPLS-TP
networks.
The models are built on the architecture of MPLS-TP, as defined in
[<a href="./rfc5921" title=""A Framework for MPLS in Transport Networks"">RFC5921</a>]. The placement of SP boundaries plays an important role in
determining the security models for any particular deployment.
This document defines a trusted zone as being where a single SP has
total operational control over that part of the network. A primary
concern is about security aspects that relate to breaches of security
from the "outside" of a trusted zone to the "inside" of this zone.
<span class="grey">Fang, et al. Informational [Page 4]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-5" ></span>
<span class="grey"><a href="./rfc6941">RFC 6941</a> MPLS-TP Security Framework April 2013</span>
<span class="h3"><a class="selflink" id="section-2.1" href="#section-2.1">2.1</a>. Security Reference Model 1</span>
In reference model 1, a single SP has total control of the "PE/T-PE
to PE/T-PE" part of the MPLS-TP network.
Security reference model 1(a) shows an MPLS-TP network with
Single-Segment Pseudowire (SS-PW) from PE1 to PE2. The trusted zone
is PE1 to PE2, as illustrated in Figure 1.
|<-------------- Emulated Service ---------------->|
| |
| |<------- Pseudowire ------->| |
| | | |
| | |<-- PSN Tunnel -->| | |
| v v v v |
v AC +----+ +----+ AC v
+-----+ | | PE1|==================| PE2| | +-----+
| |----------|............PW1.............|----------| |
| CE1 | | | | | | | | CE2 |
| |----------|............PW2.............|----------| |
+-----+ ^ | | |==================| | | ^ +-----+
^ | +----+ +----+ | | ^
| | Provider Edge 1 Provider Edge 2 | |
| | | |
Customer | |Customer
Edge 1 | |Edge 2
| |
Native service Native service
---Untrusted--- >|<------- Trusted Zone ----->|<---Untrusted----
Figure 1. MPLS-TP Security Model 1(a)
<span class="grey">Fang, et al. Informational [Page 5]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-6" ></span>
<span class="grey"><a href="./rfc6941">RFC 6941</a> MPLS-TP Security Framework April 2013</span>
Security reference model 1(b) shows an MPLS-TP network with
Multi-Segment Pseudowire (MS-PW) from T-PE1 to T-PE2. The trusted
zone is T-PE1 to T-PE2, as illustrated in Figure 2.
Native |<-------------Pseudowire------------>| Native
Service | | Service
(AC) | |<- PSN ->| |<- PSN ->| | (AC)
| v v v v v v |
| +-----+ +-----+ +-----+ |
+----+ | |T-PE1|=========|S-PE1|=========|T-PE2| | +----+
| |------|......PW.Seg't1.......PW.Seg't3......|-------| |
| CE1| | | | | | | | | |CE2 |
| |------|......PW.Seg't2.......PW.Seg't4......|-------| |
+----+ | | |=========| |=========| | | +----+
^ +-----+ ^ +-----+ ^ +-----+ ^
| | | |
| TP LSP TP LSP |
| |
|<----------------- Emulated Service ---------------->|
-Untrusted->|<---------- Trusted Zone ----------->|<-Untrusted--
Figure 2. MPLS-TP Security Model 1(b)
<span class="grey">Fang, et al. Informational [Page 6]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-7" ></span>
<span class="grey"><a href="./rfc6941">RFC 6941</a> MPLS-TP Security Framework April 2013</span>
<span class="h3"><a class="selflink" id="section-2.2" href="#section-2.2">2.2</a>. Security Reference Model 2</span>
In reference model 2, a single SP does not have the end-to-end
control of the segment from PE/T-PE to PE/T-PE. A given S-PE or T-PE
may be under the control of another SP, that SP's customers, or its
partners. In this case, the MPLS-TP network is not contained within
a single trusted zone.
Security reference model 2(a) shows an MPLS-TP network with
Multi-Segment Pseudowire (MS-PW) from T-PE1 to T-PE2. The trusted
zone is T-PE1 to S-PE1, as illustrated in Figure 3.
Native |<-------------Pseudowire------------>| Native
Service | | Service
(AC) | |<--PSN-->| |<--PSN-->| | (AC)
| V V V V V V |
| +-----+ +-----+ +-----+ |
+----+ | |T-PE1|=========|S-PE1|=========|T-PE2| | +----+
| |------|......PW.Seg't1.......PW.Seg't3......|------| |
| CE1| | | | | | | | | |CE2 |
| |------|......PW.Seg't2.......PW.Seg't4......|------| |
+----+ | | |=========| |=========| | | +----+
^ +-----+ ^ +-----+ ^ +-----+ ^
| | | |
| TP LSP TP LSP |
| |
|<---------------- Emulated Service --------------->|
Untrusted-->|<-- Trusted Zone---->|<---------Untrusted--------
Figure 3. MPLS-TP Security Model 2(a)
<span class="grey">Fang, et al. Informational [Page 7]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-8" ></span>
<span class="grey"><a href="./rfc6941">RFC 6941</a> MPLS-TP Security Framework April 2013</span>
Security reference model 2(b) shows an MPLS-TP network with
Multi-Segment Pseudowire (MS-PW) from T-PE1 to T-PE2. The trusted
zone is the S-PE1 only, as illustrated in Figure 4.
Native |<-------------Pseudowire------------>| Native
Service | | Service
(AC) | |<--PSN-->| |<--PSN-->| | (AC)
| V V V V V V |
| +-----+ +-----+ +-----+ |
+----+ | |T-PE1|=========|S-PE1|=========|T-PE2| | +----+
| |------|......PW.Seg't1.......PW.Seg't3......|------| |
| CE1| | | | | | | | | |CE2 |
| |------|......PW.Seg't2.......PW.Seg't4......|------| |
+----+ | | |=========| |=========| | | +----+
^ +-----+ ^ +-----+ ^ +-----+ ^
| | | |
| TP LSP TP LSP |
| |
|<---------------- Emulated Service --------------->|
--------Untrusted---------->|<--->|<-------Untrusted----------
Trusted
Zone
Figure 4. MPLS-TP Security Model 2(b)
Security reference model 2(c) shows an MPLS-TP network with
Multi-Segment Pseudowire (MS-PW) from different SPs with
inter-provider PW connections. The trusted zone is T-PE1 to S-PE3,
as illustrated in Figure 5.
Native |<--------------------- PW15 ------------------>| Native
Layer | | Layer
Service | |<PSN13>| |<PSN3X>| |<PSNXZ>| | Service
(AC1) V V LSP V V LSP V V LSP V V (AC2)
| +-----+ +-+ +-----+ +-----+ +-+ +-----+ |
+---+ | |T-PE1| | | |S-PE3| |S-PEX| | | |T-PEZ| | +---+
| | | | |=======| |=======| |=======| | | | |
|CE1|----|........PW1........|..PW3..|........PW5........|---|CE2|
| | | | |=======| |=======| |=======| | | | |
+---+ | 1 | |2| | 3 | | X | |Y| | Z | +---+
+-----+ +-+ +-----+ +-----+ +-+ +-----+
|<--Subnetwork 123->| |<--Subnetwork XYZ->|
Untrusted>|<-- Trusted Zone-->|<-------------Untrusted-------------
Figure 5. MPLS-TP Security Model 2(c)
<span class="grey">Fang, et al. Informational [Page 8]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-9" ></span>
<span class="grey"><a href="./rfc6941">RFC 6941</a> MPLS-TP Security Framework April 2013</span>
In general, the boundaries of a trusted zone must be carefully
defined when analyzing the security properties of each individual
network. The security boundaries determine which reference model
should be applied to a given network topology.
<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. Security Threats</span>
This section discusses various network security threats that are
unique to MPLS-TP and may endanger MPLS-TP networks.
Attacks against a GAL or G-ACh may include the following:
- GAL or BFD label manipulation, which includes insertion of false
labels and modification, deletion, or replay of messages.
- DoS attacks through in-band OAM by generating excessive G-ACh/GAL
and BFD messages that consume significant bandwidth and potentially
cause congestion.
These attacks can cause unauthorized protection switchover, inability
to restore one or more LSPs, or loss of network connectivity.
When an NMS is used for LSP setup, attacks on the NMS can cause the
above effects as well. Although this is not unique to MPLS-TP,
MPLS-TP networks can be particularly vulnerable to NMS attacks, due
to the fact that static provisioning through NMSs is a commonly used
model. In the static provisioning model, a compromised NMS can
potentially be comparable to a compromised control plane plus a
compromised management plane in the dynamic controlled network model.
Attacks on NMSs may come from either external attackers or insiders.
Outside attacks are initiated outside of the trusted zone by
unauthorized users of the MPLS-TP NMSs. Insider attacks are
initiated from inside the trusted zone by an entity that has
authorized access to the management systems but that performs
unapproved functions that are harmful to the MPLS-TP networks. These
attacks may directly target the NMS; they may also take place via the
compromised communication channels between the NMS and the network
devices that are being provisioned, or through user access to the
provisioning tools. This type of security threat may include
disclosure of information, generating false OAM messages, taking down
MPLS-TP LSPs, connecting to the wrong MPLS-TP tunnel endpoints, and
DoS attacks on the MPLS-TP networks.
There are other more generic security threats, such as unauthorized
observation of data traffic (including traffic pattern analysis),
modification or deletion of a provider's or user's data, and replay
or insertion of inauthentic data into a provider's or user's data
<span class="grey">Fang, et al. Informational [Page 9]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-10" ></span>
<span class="grey"><a href="./rfc6941">RFC 6941</a> MPLS-TP Security Framework April 2013</span>
stream. These types of attacks apply to MPLS-TP traffic regardless
of how the LSP or PW is set up, in a way that is similar to how they
apply to MPLS traffic regardless of how the LSP is set up. More
details on the above-mentioned threats are documented in [<a href="./rfc5920" title=""Security Framework for MPLS and GMPLS Networks"">RFC5920</a>].
Such threats may result from malicious behavior or accidental errors:
Example 1: Attacks from users: Users of the MPLS-TP network may
attack the network infrastructure or attack other users.
Example 2: Attacks from insiders: Employees of the operators may
attack the MPLS-TP network, especially through NMSs.
Example 3: Attacks from interconnecting SPs or other partners: Other
SPs may attack the MPLS-TP network, particularly through the
inter-provider connections.
Example 4: Attacks as the result of operational errors: Operations
staff may fail to follow operational procedures or may make
operational mistakes.
<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. Defensive Techniques</span>
The defensive techniques presented in this document and in [<a href="./rfc5920" title=""Security Framework for MPLS and GMPLS Networks"">RFC5920</a>]
are intended to describe methods by which some security threats can
be addressed. They are not intended as requirements for all MPLS-TP
deployments. The specific operational environment determines the
security requirements for any instance of MPLS-TP. Therefore,
protocol designers should provide a full set of security capabilities
that can be selected and used where appropriate. The MPLS-TP
provider should determine the applicability of these techniques to
the provider's specific service offerings, and the end user may wish
to assess the value of these techniques to the user's service
requirements.
Authentication is the primary defense technique to mitigate the risk
of the MPLS-TP security threats discussed in <a href="#section-3">Section 3</a> (GAL or BFD
label manipulation, and DoS attacks through in-band OAM).
Authentication refers to methods to ensure that message sources are
properly identified by the MPLS-TP devices with which they
communicate. Authentication includes the following:
- entity authentication for identity verification
- management system authentication
- peer-to-peer authentication
<span class="grey">Fang, et al. Informational [Page 10]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-11" ></span>
<span class="grey"><a href="./rfc6941">RFC 6941</a> MPLS-TP Security Framework April 2013</span>
- message integrity and replay detection to ensure the validity of
message streams
- network-based access controls such as packet filtering and
firewalls
- host-based access controls
- isolation
- aggregation
- protection against denial of service
- event logging
<a href="./rfc5920#section-5.2">Section 5.2 of [RFC5920]</a> describes these techniques where they apply
to MPLS and GMPLS in general.
In addition to authentication, the following defense should also be
considered in order to protect MPLS-TP networks:
- Use of isolated infrastructure for MPLS-TP
One way to protect the MPLS-TP infrastructure is to use dedicated
network resources to provide MPLS-TP transport services. For
example, in security model 2 (<a href="#section-2.2">Section 2.2</a>), the potential risk of
attacks on the S-PE1 or T-PE1 in the trusted zone may be reduced by
using non-IP-based communication paths, so that the paths in the
trusted zone cannot be reached from the outside via IP.
- Verification of connectivity
To protect against deliberate or accidental misconnection, mechanisms
can be put in place to verify both end-to-end connectivity and
segment-by-segment resources. These mechanisms can trace the routes
of LSPs in both the control plane and the data plane. Note that the
connectivity verification tools are now developed for general MPLS
networks as well.
<span class="grey">Fang, et al. Informational [Page 11]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-12" ></span>
<span class="grey"><a href="./rfc6941">RFC 6941</a> MPLS-TP Security Framework April 2013</span>
The defense techniques that apply generally to MPLS/GMPLS are not
detailed here; see [<a href="./rfc5920" title=""Security Framework for MPLS and GMPLS Networks"">RFC5920</a>] for details regarding these techniques.
For example:
1) Authentication, including management system authentication,
peer-to-peer authentication, and cryptographic techniques for
authenticating identity
2) Access control techniques
3) Use of aggregated infrastructure
4) Mitigation of denial-of-service attacks
5) Monitoring, detection, and reporting of security attacks
It is important to point out the following security defense
techniques, as they are particularly critical for NMSs, due to the
strong emphasis on static provisioning supported by NMSs in MPLS-TP
deployments. These techniques include the following:
- entity authentication for identity verification
- encryption for confidentiality
- message integrity and replay detection to ensure the validity of
message streams
- user access control and event logging, which must be applied for
NMSs and provisioning applications
<span class="h2"><a class="selflink" id="section-5" href="#section-5">5</a>. Security Considerations</span>
Security considerations constitute the sole subject of this document
and hence are discussed throughout.
This document evaluates security risks specific to MPLS-TP, as well
as mitigation mechanisms that may be used to counter potential
threats. All of the techniques presented here involve mature and
widely implemented technologies that are practical to implement. It
is meant to assist equipment vendors and service providers who must
ultimately decide what threats to protect against in any given
configuration or service offering, from a customer's perspective as
well as from a service provider's perspective.
<span class="grey">Fang, et al. Informational [Page 12]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-13" ></span>
<span class="grey"><a href="./rfc6941">RFC 6941</a> MPLS-TP Security Framework April 2013</span>
<span class="h2"><a class="selflink" id="section-6" href="#section-6">6</a>. Acknowledgements</span>
The authors wish to thank the following people: Joel Halpern and
Gregory Mirsky for their review comments and contributions to this
document, Mach Chen for his review and suggestions, Adrian Farrel for
his Routing Area Director review and detailed comments, Loa Andersson
for his continued support and guidance as the MPLS WG co-chair, and
Dan Romascanu and Barry Leiba for their helpful comments during IESG
review.
<span class="h2"><a class="selflink" id="section-7" href="#section-7">7</a>. References</span>
<span class="h3"><a class="selflink" id="section-7.1" href="#section-7.1">7.1</a>. Normative References</span>
[<a id="ref-RFC5654">RFC5654</a>] Niven-Jenkins, B., Ed., Brungard, D., Ed., Betts, M., Ed.,
Sprecher, N., and S. Ueno, "Requirements of an MPLS
Transport Profile", <a href="./rfc5654">RFC 5654</a>, September 2009.
[<a id="ref-RFC5920">RFC5920</a>] Fang, L., Ed., "Security Framework for MPLS and GMPLS
Networks", <a href="./rfc5920">RFC 5920</a>, July 2010.
<span class="h3"><a class="selflink" id="section-7.2" href="#section-7.2">7.2</a>. Informative References</span>
[<a id="ref-RFC5921">RFC5921</a>] Bocci, M., Ed., Bryant, S., Ed., Frost, D., Ed., Levrau,
L., and L. Berger, "A Framework for MPLS in Transport
Networks", <a href="./rfc5921">RFC 5921</a>, July 2010.
<span class="grey">Fang, et al. Informational [Page 13]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-14" ></span>
<span class="grey"><a href="./rfc6941">RFC 6941</a> MPLS-TP Security Framework April 2013</span>
Contributors
Raymond Zhang
Alcatel-Lucent
750D Chai Chee Road
Singapore 469004
EMail: raymond.zhang@alcatel-lucent.com
Nabil Bitar
Verizon
40 Sylvan Road
Waltham, MA 02145
US
EMail: nabil.bitar@verizon.com
Masahiro Daikoku
KDDI Corporation
3-11-11 Iidabashi, Chiyodaku, Tokyo
Japan
EMail: ms-daikoku@kddi.com
Lei Wang
Lime Networks
Strandveien 30, 1366 Lysaker
Norway
EMail: lei.wang@limenetworks.no
Henry Yu
TW Telecom
10475 Park Meadow Drive
Littleton, CO 80124
US
EMail: henry.yu@twtelecom.com
<span class="grey">Fang, et al. Informational [Page 14]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-15" ></span>
<span class="grey"><a href="./rfc6941">RFC 6941</a> MPLS-TP Security Framework April 2013</span>
Authors' Addresses
Luyuan Fang (editor)
Cisco Systems
111 Wood Ave. South
Iselin, NJ 08830
US
EMail: lufang@cisco.com
Ben Niven-Jenkins (editor)
Velocix
326 Cambridge Science Park
Milton Road
Cambridge CB4 0WG
UK
EMail: ben@niven-jenkins.co.uk
Scott Mansfield (editor)
Ericsson
300 Holger Way
San Jose, CA 95134
US
EMail: scott.mansfield@ericsson.com
Richard F. Graveman (editor)
RFG Security, LLC
15 Park Avenue
Morristown, NJ 07960
US
EMail: rfg@acm.org
Fang, et al. Informational [Page 15]
</pre>
|
