@techreport{bhargav-l3vpn-inter-provider-optcsec-03,
    number =    {draft-bhargav-l3vpn-inter-provider-optcsec-03},
    type =      {Internet-Draft},
    institution =   {Internet Engineering Task Force},
    publisher = {Internet Engineering Task Force},
    note =      {Work in Progress},
    url =       {https://datatracker.ietf.org/doc/draft-bhargav-l3vpn-inter-provider-optcsec/03/},
    author =    {Bhargav Bhikkaji and Balaji Venkat Venkataswami},
    title =     {{Preventing spoofing attacks in BGP-MPLS-VPN Inter-Provider Model-C}},
    pagetotal = 15,
    year =      2012,
    month =     mar,
    day =       2,
    abstract =  {In certain models of inter-provider Multi-Protocol-Label-Switching based Virtual Private Networks (MPLS-VPNs), spoofing attacks against VPN sites is a key concern. Unidirectional attacks towards VPN sites can compromise servers at the VPN sites and cause Denial-of-Service (DoS) situations. Currently, the inner labels associated with VPN sites are not encrypted during transmission. The Provider Edge (PE) router at the end to which the VPN customer is attached accepts any data packet with a valid label. This enables a man-in-the-middle attacker to spoof a packet to a specific site of a VPN. In this paper, we propose some secure techniques which provide security against such label-spoofing. These techniques ensure that an attacker would not be able to spoof labeled data packets. In order to make the proposed scheme robust, some additional steps are proposed over and above the initial steps specified. This makes the attacker to spend non-linear time to guess the right label for his unidirectional attacks to succeed. Our proposed technique can be applied to a specific type of inter-provider Border Gateway Protocol(BGP) based MPLS VPN and other existing variant where Multi-Protocol exterior- BGP (MP-eBGP) multi-hop is used. In future, if any other variant is proposed to use MP-eBGP multi-hop, our scheme can be used to protect against spoofing attacks.},
}