Security Framework for Provider-Provisioned Virtual Private Networks (PPVPNs)
RFC 4111

Network Working Group                                       L. Fang, Ed.
Request for Comments: 4111                                    AT&T Labs.
Category: Informational                                        July 2005

                        Security Framework for
         Provider-Provisioned Virtual Private Networks (PPVPNs)

Status of This Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   This document addresses security aspects pertaining to Provider-
   Provisioned Virtual Private Networks (PPVPNs).  First, it describes
   the security threats in the context of PPVPNs and defensive
   techniques to combat those threats.  It considers security issues
   arising both from malicious behavior by any party and from negligent
   or incorrect behavior by the providers.  It also describes how these
   security attacks should be detected and reported.  It then discusses
   possible user requirements for security of a PPVPN service.  These
   user requirements translate into corresponding provider requirements.
   In addition, the provider may have additional requirements to make
   its network infrastructure secure to a level that can meet the PPVPN
   customer's expectations.  Finally, this document defines a template
   that may be used to describe and analyze the security characteristics
   of a specific PPVPN technology.

Table of Contents

   1.  Introduction .................................................  2
   2.  Terminology ..................................................  4
   3.  Security Reference Model .....................................  4
   4.  Security Threats .............................................  6
       4.1.  Attacks on the Data Plane ..............................  7
       4.2.  Attacks on the Control Plane ...........................  9
   5.  Defensive Techniques for PPVPN Service Providers ............. 11
       5.1.  Cryptographic Techniques ............................... 12
       5.2.  Authentication ......................................... 20
       5.3.  Access Control Techniques .............................. 22
       5.4.  Use of Isolated Infrastructure ......................... 27
       5.5.  Use of Aggregated Infrastructure ....................... 27
       5.6.  Service Provider Quality Control Processes ............. 28
       5.7.  Deployment of Testable PPVPN Service ................... 28
   6.  Monitoring, Detection, and Reporting of Security Attacks ..... 28
   7.  User Security Requirements ................................... 29
       7.1.  Isolation .............................................. 30
       7.2.  Protection ............................................. 30
       7.3.  Confidentiality ........................................ 31
       7.4.  CE Authentication ...................................... 31
       7.5.  Integrity .............................................. 31
       7.6.  Anti-replay ............................................ 32
   8.  Provider Security Requirements ............................... 32
       8.1.  Protection within the Core Network ..................... 32
       8.2.  Protection on the User Access Link ..................... 34
       8.3.  General Requirements for PPVPN Providers ............... 36
   9.  Security Evaluation of PPVPN Technologies .................... 37
       9.1.  Evaluating the Template ................................ 37
       9.2.  Template ............................................... 37
   10. Security Considerations ...................................... 40
   11. Contributors ................................................. 41
   12. Acknowledgement .............................................. 42
   13. Normative References ......................................... 42
   14. Informative References ....................................... 43

1.  Introduction

   Security is an integral aspect of Provider-Provisioned Virtual
   Private Network (PPVPN) services.  The motivation and rationale for
   both Provider-Provisioned Layer-2 VPN and Provider-Provisioned
   Layer-3 VPN services are provided by [RFC4110] and [RFC4031].  These
   documents acknowledge that security is an important and integral
   aspect of PPVPN services, for both VPN customers and VPN service
   providers.  Both will benefit from a PPVPN Security Framework
   document that lists the customer and provider security requirements
   related to PPVPN services, and that can be used to assess how much a
