datatracker.ietf.org
Sign in
Version 5.6.2.p5, 2014-08-04
Report a bug

Preventing spoofing attacks in BGP-MPLS-VPN Inter-Provider Model-C
draft-bhargav-l3vpn-inter-provider-optcsec-03

Document type: Expired Internet-Draft (individual)
Document stream: No stream defined
Last updated: 2012-09-03 (latest revision 2012-03-02)
Intended RFC status: Unknown
Other versions: (expired, archived): plain text, pdf, html

Stream State:No stream defined
Document shepherd: No shepherd assigned

IESG State: Expired
Responsible AD: (None)
Send notices to: No addresses provided

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found here:
http://www.ietf.org/archive/id/draft-bhargav-l3vpn-inter-provider-optcsec-03.txt

Abstract

In certain models of inter-provider Multi-Protocol-Label-Switching based Virtual Private Networks (MPLS-VPNs), spoofing attacks against VPN sites is a key concern. Unidirectional attacks towards VPN sites can compromise servers at the VPN sites and cause Denial-of-Service (DoS) situations. Currently, the inner labels associated with VPN sites are not encrypted during transmission. The Provider Edge (PE) router at the end to which the VPN customer is attached accepts any data packet with a valid label. This enables a man-in-the-middle attacker to spoof a packet to a specific site of a VPN. In this paper, we propose some secure techniques which provide security against such label-spoofing. These techniques ensure that an attacker would not be able to spoof labeled data packets. In order to make the proposed scheme robust, some additional steps are proposed over and above the initial steps specified. This makes the attacker to spend non-linear time to guess the right label for his unidirectional attacks to succeed. Our proposed technique can be applied to a specific type of inter-provider Border Gateway Protocol(BGP) based MPLS VPN and other existing variant where Multi-Protocol exterior- BGP (MP-eBGP) multi-hop is used. In future, if any other variant is proposed to use MP-eBGP multi-hop, our scheme can be used to protect against spoofing attacks.

Authors

Bhargav Bhikkaji <bhargav_bhikkaji@dell.com>
Balaji Venkataswami <balaji_venkat_venkat@dell.com>

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid)