This Internet-Draft is no longer active. Unofficial copies of old Internet-Drafts can be found here:
http://tools.ietf.org/id/draft-bhargav-l3vpn-inter-provider-optcsec.
Abstract:
In certain models of inter-provider Multi-Protocol Label Switching
based Virtual Private Networks (MPLS-VPNs), spoofing attacks against
VPN sites are a key concern. Unidirectional attacks towards VPN sites
can compromise servers at the VPN sites and cause Denial-of-Service
(DoS) situations. Currently, the inner labels associated with VPN
sites are not encrypted during transmission. The Provider Edge (PE)
router at the end to which the VPN customer is attached accepts any
data packet carrying a valid label. This enables a man-in-the-middle
attacker to spoof a packet to a specific site of a VPN. In this
paper, we propose secure techniques which provide protection
against such label spoofing. These techniques ensure that an attacker
would not be able to spoof labeled data packets. In order to make the
proposed scheme robust, some additional steps are proposed over and
above the initial steps specified. This forces the attacker to spend
non-linear time guessing the right label for a unidirectional
attack to succeed. Our proposed technique can be applied to a
specific type of inter-provider Border Gateway Protocol (BGP) based
MPLS VPN and to other existing variants where Multi-Protocol exterior
BGP (MP-eBGP) multi-hop is used. In the future, if any other variant is
proposed to use MP-eBGP multi-hop, our scheme can be used to protect
against spoofing attacks.
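The acceptance rule the abstract describes (the PE forwards any packet whose inner label is valid in its VRF, regardless of where it came from) can be modelled in a few lines. The following is an added example, not code from the draft: it parses an RFC 3032 label stack, shows the plain inner-label lookup, and beside it an illustrative check that binds each VPN label to an expected ingress peer. The VRF contents, peer names and the peer-binding check are constructed assumptions for illustration, not the draft's proposed scheme.

```python
import struct

def parse_label_stack(data: bytes):
    """Parse MPLS label stack entries: 20-bit label, 3-bit TC, 1-bit S, 8-bit TTL."""
    labels, off = [], 0
    while True:
        if off + 4 > len(data):
            raise ValueError("truncated label stack")
        (entry,) = struct.unpack("!I", data[off:off + 4])
        labels.append(entry >> 12)          # top 20 bits are the label value
        off += 4
        if (entry >> 8) & 1:                # S bit set: bottom of stack
            return labels, data[off:]

def encode_label_stack(labels, ttl=64) -> bytes:
    """Build a label stack; the last entry gets the bottom-of-stack bit."""
    out = b""
    for i, lbl in enumerate(labels):
        bos = 1 if i == len(labels) - 1 else 0
        out += struct.pack("!I", (lbl << 12) | (bos << 8) | ttl)
    return out

# Constructed VRF: inner VPN label -> (attached site, expected ingress peer).
# The "expected peer" column is an assumption used only by forward_checked().
VRF = {
    100100: ("customer-A-site-1", "asbr-peer-1"),
    100200: ("customer-B-site-1", "asbr-peer-2"),
}

def forward_plain(packet: bytes, ingress_peer: str):
    """Behaviour described in the abstract: any valid inner label is forwarded."""
    labels, _payload = parse_label_stack(packet)
    entry = VRF.get(labels[-1])
    return entry[0] if entry else None

def forward_checked(packet: bytes, ingress_peer: str):
    """Illustrative mitigation: the label must also arrive from its bound peer."""
    labels, _payload = parse_label_stack(packet)
    entry = VRF.get(labels[-1])
    if entry is None or entry[1] != ingress_peer:
        return None                         # drop: unknown label or wrong origin
    return entry[0]

# Constructed packets: outer transport label 2000, inner VPN label 100100.
LEGIT = encode_label_stack([2000, 100100]) + b"payload"
SPOOF = encode_label_stack([2000, 100100]) + b"payload"   # same label, other origin
```

Run forward_plain(SPOOF, "unknown-peer") and forward_checked(SPOOF, "unknown-peer") side by side: the plain lookup forwards the packet into the site, the peer-bound lookup drops it.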
Authors:
Bhargav Bhikkaji <bhargav_bhikkaji@dell.com>
Balaji Venkataswami <balaji_venkat_venkat@dell.com>
(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid)