8/13/2019 MPLS Over IP Tunnel
1/36
MPLS over IP-Tunnels
Mark Townsley, Distinguished Engineer
21 February 2005
2/36
Copyright Cisco Systems 2005 | VPN Services over IP Tunnels
MPLS over IP: The Basic Idea
[Packet diagram: MPLS Tunnel Label (Label, Exp, S, TTL) / MPLS VPN Label (Label, Exp, S, TTL) / MPLS Payload (L3VPN, PWE3, etc.)]
The MPLS Tunnel Label transports MPLS-labeled VPN packets between PEs. It is swapped along the LSP from one PE to another.
The MPLS VPN Label remains the same between PEs. It is exchanged via targeted LDP, MP-BGP, etc. and refers to a VRF, VPLS VSI, or PWE3 VC.
4/36
MPLS over IP: The Basic Idea
[Packet diagram: IP Tunnel (in place of the MPLS Tunnel Label) / MPLS VPN Label (Label, Exp, S, TTL) / MPLS Payload (L3VPN, PWE3, etc.)]
The MPLS Tunnel Label is replaced with an IP Tunnel, which performs the same function of getting the MPLS VPN label and payload between PEs.
Unfortunately, we have a few IP tunnels to choose from, each with different pros and cons.
5/36
A Long Evolution Leading to Many Options
Unfortunately, there are a lot of choices to wade through when it comes to MPLS over IP:
- MPLS directly over IP
- MPLS over Full GRE/IP
- MPLS over Simple GRE/IP
- MPLS over L2TPv3 w/BGP Tunnel SAFI
- Each of the above with IPsec
- Point-2-Point vs. Point-2-Multipoint
This presentation will walk through the evolution of each of these methods of carrying MPLS over IP, leading us to where we are today.
6/36
MPLS over IP Tunneling Technologies: MPLS over IP
[Packet diagram: IPv4 header (Version, IHL, TOS, Total length; Identification, Flags, Fragment offset; TTL, Protocol 137 (MPLS-in-IP), Header checksum; Source IP address = Ingress PE; Destination IP address = Egress PE) / MPLS VPN Label (Label, Exp, S, TTL) / Customer Payload]
Defined in draft-ietf-mpls-over-ip-or-gre-08.txt.
Smallest and simplest of the MPLS over IP encapsulations (just +16 bytes).
Not widely supported today.
7/36
Tunneling Technologies: MPLS over Full GRE Header
[Packet diagram: IPv4 header (Version, IHL, TOS, Total length; Identification, Flags, Fragment offset; TTL, Protocol 47 (GRE), Header checksum; Source IP address = local address on PE router; Destination IP address = local address on PE router) / GRE header with Checksum (Opt), Offset (Opt), Key (Opt), Sequence Number (Opt) / MPLS VPN Label (Label, Exp, S, TTL) / Customer Payload]
Defined in draft-ietf-mpls-over-ip-or-gre-08.txt.
Also not widely supported today.
8/36
Tunneling Technologies: MPLS over Simplified GRE Header
[Packet diagram: IPv4 header (Protocol 47 (GRE); Source and Destination IP addresses = local addresses on PE routers) / minimal GRE header with none of the optional fields / MPLS VPN Label (Label, Exp, S, TTL) / Customer Payload]
Most widely supported, particularly for manually configured, point-to-point tunnels.
Larger encapsulation than MPLS over IP, but with no tangible advantage, as the GRE header is simply reduced to a constant set of bits in each packet.
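The two encapsulations from slides 6 and 8 side by side, as an added example that is not part of the original deck: it builds the outer IPv4 header (protocol 137 for MPLS-in-IP, protocol 47 plus a constant 4-byte GRE header for simplified GRE) around one VPN label and measures the overhead against a native 4-byte tunnel label, reproducing the "+16 bytes" figure. The PE addresses and payload are constructed sample values.

```python
import struct

IPPROTO_MPLS_IN_IP = 137         # MPLS-in-IP, draft-ietf-mpls-over-ip-or-gre
IPPROTO_GRE = 47
GRE_PROTO_MPLS_UNICAST = 0x8847  # protocol type carried in the GRE header
NATIVE_TUNNEL_LABEL_LEN = 4      # the tunnel label stack entry an IP tunnel replaces


def mpls_label_entry(label: int, exp: int = 0, bos: int = 1, ttl: int = 64) -> bytes:
    """One label stack entry: 20-bit Label | 3-bit Exp | 1-bit S | 8-bit TTL."""
    if not 0 <= label < (1 << 20):
        raise ValueError("MPLS label must fit in 20 bits")
    return struct.pack("!I", (label << 12) | (exp << 9) | (bos << 8) | ttl)


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options); checksum left at zero here."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    # Version/IHL, TOS, Total length, Identification, Flags/Fragment offset,
    # TTL, Protocol, Header checksum, Source, Destination
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       ttl, proto, 0, src_b, dst_b)


def mpls_in_ip(src_pe: str, dst_pe: str, vpn_label: int, payload: bytes) -> bytes:
    """Slide 6 encapsulation: IP (protocol 137) directly over the VPN label."""
    inner = mpls_label_entry(vpn_label) + payload
    return ipv4_header(src_pe, dst_pe, IPPROTO_MPLS_IN_IP, len(inner)) + inner


def mpls_in_simple_gre(src_pe: str, dst_pe: str, vpn_label: int, payload: bytes) -> bytes:
    """Slide 8 encapsulation: IP (protocol 47) + 4-byte GRE header with no
    checksum, key or sequence number, so the GRE bytes are constant."""
    gre = struct.pack("!HH", 0x0000, GRE_PROTO_MPLS_UNICAST)
    inner = gre + mpls_label_entry(vpn_label) + payload
    return ipv4_header(src_pe, dst_pe, IPPROTO_GRE, len(inner)) + inner


def overhead_vs_native_mpls(packet: bytes, payload: bytes) -> int:
    """Bytes added compared with native MPLS (tunnel label + VPN label + payload)."""
    native_len = NATIVE_TUNNEL_LABEL_LEN + 4 + len(payload)
    return len(packet) - native_len


def ip_protocol(packet: bytes) -> int:
    """Protocol field of the outer IPv4 header (byte 9)."""
    return packet[9]


if __name__ == "__main__":
    # Constructed sample: a 40-byte customer packet under VPN label 100001,
    # between the PE addresses used on the slides.
    payload = b"\x45\x00" + b"\x00" * 38
    pkt_ip = mpls_in_ip("172.16.255.1", "172.16.255.5", 100001, payload)
    pkt_gre = mpls_in_simple_gre("172.16.255.1", "172.16.255.5", 100001, payload)
    print("MPLS over IP  overhead vs native MPLS:", overhead_vs_native_mpls(pkt_ip, payload))   # 16
    print("MPLS over GRE overhead vs native MPLS:", overhead_vs_native_mpls(pkt_gre, payload))  # 20
```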
9/36
Manually Configured Overlay (GRE)
[Figure: IP/MPLS Network - IP Network - IP/MPLS Network, with CE and PE routers, P routers, and a manually configured tunnel across the IP network]
Manual Point-to-Point GRE Tunnel connects disparate MPLS networks.
Separate MPLS networks act as one, so all services enabled by MPLS are available across both clouds.
This was, and still sometimes is, a good thing. But...
10/36
Manually Configured Overlay (GRE)
[Figure: same topology, showing Label Switched Paths set up across both MPLS networks through the tunnel]
The number of LSPs is multiplied, set up between all nodes on BOTH networks.
IP-only PE nodes are still isolated.
Traffic may not traverse the optimal path between PEs.
11/36
Manually Configured Overlay (GRE)
[Figure: same topology with the manually configured tunnel across the IP network]
Each tunnel enlarges the single, flat MPLS network. MPLS sees no hierarchy or partitioning.
At high scale, a manual GRE overlay network becomes cumbersome to manage and burdensome on the number of LSPs and on IGPs carrying /32 routes for all PEs.
Needed: Dynamic point-2-multipoint tunnels between PEs.
12/36
MPLS over Dynamic Multipoint GRE
[Figure: PE1 through PE6; each PE holds a table of (Protocol ID, Endpoint) entries for the other PEs' endpoints 172.16.255.1 through 172.16.255.5]
One Multipoint GRE Tunnel is dynamically created on each PE for receiving traffic from other PEs.
But... mixed tunneling environments are not easily supported: if other PEs cannot decapsulate MPLS over GRE then VPN traffic could be blackholed.
Still Needed: A method for PEs to advertise if they are able to receive MPLS over IP traffic, and with what type of encapsulation.
13/36
BGP Tunnel SAFI to The Rescue!
draft-nalawade-kapoor-tunnel-safi-02.txt
Defines a SAFI which binds a tunnel endpoint (PE IP address) to a set of tunnel capabilities:
- Type 1: L2TPv3 Tunnel information (Session, Cookie)
- Type 2: mGRE Tunnel information (Header Type, Key, etc.)
- Type 3: IPsec Tunnel information (Security Association)
- Type 4: MPLS Tunnel information (Native MPLS)
With this information being advertised along with the BGP Next Hop, PEs will only receive data which they are able to properly decapsulate.
Policies may be defined, e.g., encrypt some tunnels, not others.
15/36
Quick Review: MPLS VPN Security
[Figure: VPN A, VPN B and VPN C sites attached to an MPLS SP Core running MP-iBGP between PEs; labeled packets (Label + IP) are forwarded inside the core, while labeled packets arriving at the core boundary are dropped (X)]
Working assumption for MPLS VPN Security: the core network (PE+P) is secure.
MPLS-labeled packets will always be dropped on core boundaries.
16/36
MPLS over GRE: Security in an IP network
[Figure: VPN B site attached via a CE or peering PE to a PE in the SP IP Core; an L3 ACL on the PE is the only thing facing spoofed IP packets arriving from outside]
Single line of defense:
MPLS over GRE alone relies 100% on L3 ACLs to protect the VPN from spoofed data.
ACLs throughout the network can be operationally cumbersome (SA and DA address lists at each PE and border routers), could affect performance, are subject to misconfiguration, etc.
All it takes is one correctly spoofed MPLS label to infiltrate a customer VPN.
17/36
VPN Services over IP Tunnels: Blind Insertion attack for VPN access
[Figure: Hacker on the Internet, SP Core carrying a GRE-encapsulated packet (SP SA / SP DA, MPLS VPN Label, attack data with Hacker SA / Customer DA), Customer VPN]
1. Attacker sends an encapsulated IP attack packet.
2. SP Core accepts the encapsulated attack with valid IP source and destination of PEs.
3. Egress PE receives an MPLS VPN over GRE packet and, if the MPLS label is correctly chosen, routes the packet into the customer VPN.
4. Host within the customer VPN responds to the attacker via the Internet.
18/36
Spoofing MPLS over GRE
[Packet diagram: IPv4 header (Protocol 47 (GRE); Source and Destination IP addresses = local addresses on PE routers) / GRE header (flags 000, protocol type 0x8847) / MPLS VPN Label (Label, Exp, S, TTL) / Customer Payload]
Service-Provider IP addresses can be discovered or easily guessed.
GRE Header contains constant, well-known values.
MPLS Label is 20 bits of variant data that must be guessed by the hacker.
100 pps attack rate, 100 active VPN labels (routes) on a PE.
How quickly can a hacker guess a correct 20-bit MPLS label?
Answer: 1 minute, 45 seconds
19/36
Tunneling Technologies: Can we use IPsec?
Of course! But you have to pay for it.
IPsec is a very heavyweight solution; it requires p2p IKE key exchange, crypto acceleration hardware, etc.
A number of MPLS over IPsec proposals were made in the IETF; in the end MPLS over IPsec is really MPLS over IP, GRE, or L2TPv3 used with IPsec in Transport Mode. IPsec is not tunneling, it is just providing security for another type of tunnel.
IPsec can always be bolted on in places where it is needed, particularly with the ability to advertise tunnel capabilities between PEs.
20/36
MPLS VPN over GRE Network Security
Bottom Line: In order to avoid becoming a transit point for packets inserted into a customer VPN, IP ACLs alone are not a robust solution.
IPsec may be used with any MPLS over IP tunnel type, but is expensive in both opex and capex.
Still Needed: An additional layer of protection to make spoofing far more difficult than it is today with GRE, but without the overhead of IPsec.
21/36
Tunneling Technologies: Where to apply an additional layer of security
[Figure: Hacker on the Internet, SP Core carrying an L2TPv3-encapsulated packet (SP SA / SP DA, MPLS VPN Label, attack data with Hacker SA / Customer DA), Customer VPN; the check is applied at the egress PE]
L2TPv3 provides a simple and efficient method to make simple packet spoofing attacks impossible. Protection occurs at the most important point, right before entering the Customer VPN.
22/36
Tunneling Technologies: MPLS over L2TPv3 w/BGP Tunnel SAFI
[Packet diagram: IPv4 header (Version, IHL, TOS, Total length; Identification, Flags, Fragment offset; TTL, Protocol 115 (L2TPv3), Header checksum; Source and Destination IP addresses = local addresses on PE routers) / Session ID (32 bits) / Cookie Authentication Data (64 bits, Optional) / MPLS VPN Label (Label, Exp, S, TTL) / Customer Payload]
draft-ietf-mpls-over-l2tpv3-00.txt & RFC3931
Large scale deployments already exist today.
23/36
MPLS over L2TPv3: L2TPv3 Distributed Session Processing
[Diagram: Session-ID (32 bits) followed by Cookie (64 bits); the Session-ID bits are shown partitioned so that a subset of them selects the processing context]
On a distributed system the context for multiple services or multiple service instances can be balanced across resources.
Structure imposed on the Session-ID bits can quickly vector the L2TPv3 packet to the resource servicing that context.
Processing of the tunneled payload is based on the associated context: switch to an interface, route in a VRF, bridge in a VSI.
24/36
MPLS over L2TPv3: L2TPv3 Packet Authentication Check w/Cookie
[Diagram: the Session-ID (32 bits) lookup selects the session; the packet's Cookie (shown as Cookie = 0xA83F2C32h) is compared against the value stored for that session]
The 64-bit value must match for each packet.
Not a 64-bit lookup! Just a very fast compare based on the Session ID lookup. No encryption hardware needed.
Rather than checking an IP SA or DA, L2TPv3 seeds each packet with an unguessable value selected at random by each PE, and advertised to other PEs in the VPN via the BGP Tunnel SAFI.
Somewhat like an ACL, but simple to manage and virtually impossible for a hacker to guess.
25/36
Spoofing VPNs over L2TPv3 Tunnels
We assume that the L2TPv3 Session-ID may be known, as it could be predictable or even hard-coded to a constant for some services in order to optimize forwarding.
10 Mpps attack rate, ANY VPN label is considered valid.
How quickly can a hacker guess a correct 64-bit L2TPv3 cookie?
Answer: 60 000 Years!
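The arithmetic behind the two figures on slides 18 and 25, as an added example that is not part of the original deck: expected guesses before the first hit are the size of the value space divided by the number of values the receiver accepts, and the time is that count divided by the packet rate. It assumes uniformly random guesses; the 64-bit result comes out near 58,000 years, which the slide rounds to 60 000.

```python
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def expected_guesses(bits: int, valid_values: int) -> float:
    """Expected uniformly random guesses (with replacement) before the first hit."""
    if valid_values < 1:
        raise ValueError("at least one value must be accepted")
    return (1 << bits) / valid_values


def expected_seconds(bits: int, valid_values: int, pps: float) -> float:
    """Expected time to the first hit at a given packet rate."""
    return expected_guesses(bits, valid_values) / pps


def human(seconds: float) -> str:
    """Minutes and seconds below an hour, otherwise years."""
    if seconds < 3600:
        m, s = divmod(int(round(seconds)), 60)
        return f"{m} min {s} s"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


def label_guess_seconds() -> float:
    # Slide 18 scenario: 20-bit label, 100 active VPN labels on the PE, 100 pps.
    return expected_seconds(bits=20, valid_values=100, pps=100)


def cookie_guess_seconds() -> float:
    # Slide 25 scenario: 64-bit cookie, Session ID assumed known, any VPN
    # label accepted (so only the cookie has to be right), 10 Mpps.
    return expected_seconds(bits=64, valid_values=1, pps=10_000_000)


if __name__ == "__main__":
    print("20-bit MPLS label, 100 pps  :", human(label_guess_seconds()))   # 1 min 45 s
    print("64-bit L2TPv3 cookie, 10 Mpps:", human(cookie_guess_seconds()))  # 58,454 years
```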
26/36
Tunneling Technologies: L2TPv3 w/BGP Tunnel SAFI
[Figure: PE1 through PE6; each PE holds the table of (Cookie, Session Id, Endpoint) entries learned for the other PEs]
Cookie            Session Id  Endpoint
A1216440F2E9ABA1  1025        172.16.255.5
F12B644012E9B7C0  1025        172.16.255.4
032B6440F1E9B80A  1025        172.16.255.3
BAB6440F209F0201  1025        172.16.255.2
172B644AF2E9BB31  1025        172.16.255.1
One L2TPv3 Multipoint session is dynamically created on each PE for receiving traffic from other PEs (point-to-point L2TPv3 signaling is not used).
BGP advertises tunnel capabilities via the Tunnel SAFI: MPLS over L2TPv3 traffic is only sent to PEs which know how to handle it.
The Tunnel SAFI also includes the per-PE Session ID and Cookie pair.
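A model of the receive-side check from slide 24 driven by the per-PE (Session ID, Cookie, Endpoint) tuple that slide 26 says the Tunnel SAFI advertises, as an added example that is not part of the original deck or any vendor implementation. It assumes the outer IPv4 header has already been stripped, so only the L2TPv3 data header (RFC 3931: Session ID, then the 64-bit cookie) and the MPLS payload are handled; the PE5 row of the slide 26 table and the customer packet are constructed sample data.

```python
import hmac
import secrets
import struct
from typing import Optional, Tuple

L2TPV3_HDR_LEN = 4 + 8   # Session ID (32 bits) + Cookie (64 bits), L2TPv3 over IP


class L2tpv3ReceiverPE:
    """Egress PE with one multipoint receive session and a random 64-bit cookie."""

    def __init__(self, endpoint: str, session_id: int, cookie: Optional[int] = None):
        self.endpoint = endpoint
        self.session_id = session_id
        # Slide 24: an unguessable value selected at random by each PE.
        self.cookie = secrets.randbits(64) if cookie is None else cookie
        self.sessions = {session_id: self.cookie}
        self.dropped = 0

    def tunnel_safi_advertisement(self) -> Tuple[str, int, int]:
        """What other PEs learn through BGP: (endpoint, Session ID, Cookie)."""
        return (self.endpoint, self.session_id, self.cookie)

    def decapsulate(self, l2tpv3_packet: bytes) -> Optional[bytes]:
        """Return the MPLS-labelled payload, or None when the packet is refused."""
        if len(l2tpv3_packet) < L2TPV3_HDR_LEN + 4:
            self.dropped += 1
            return None
        session_id, cookie = struct.unpack("!IQ", l2tpv3_packet[:L2TPV3_HDR_LEN])
        expected = self.sessions.get(session_id)      # the Session ID lookup
        # Fixed-width compare of the 64-bit cookie, not a lookup keyed on it.
        if expected is None or not hmac.compare_digest(
            cookie.to_bytes(8, "big"), expected.to_bytes(8, "big")
        ):
            self.dropped += 1
            return None
        return l2tpv3_packet[L2TPV3_HDR_LEN:]


def encapsulate(advert: Tuple[str, int, int], vpn_label: int, payload: bytes) -> bytes:
    """Ingress PE: L2TPv3 data header built from the advertised tuple, then the label."""
    _endpoint, session_id, cookie = advert
    label_entry = struct.pack("!I", (vpn_label << 12) | (1 << 8) | 64)  # Exp 0, S 1, TTL 64
    return struct.pack("!IQ", session_id, cookie) + label_entry + payload


def demo() -> Tuple[bool, bool]:
    """(genuine packet accepted, packet with a guessed cookie refused)."""
    # Constructed sample using the PE5 row of the slide 26 table.
    pe5 = L2tpv3ReceiverPE("172.16.255.5", 1025, cookie=0xA1216440F2E9ABA1)
    advert = pe5.tunnel_safi_advertisement()
    payload = b"\x45\x00" + b"\x00" * 18            # constructed customer IP packet
    accepted = pe5.decapsulate(encapsulate(advert, 100001, payload))
    # Known Session ID and a valid label but a guessed cookie: refused before
    # the MPLS label is ever examined.
    forged = encapsulate(("172.16.255.5", 1025, 0x0123456789ABCDEF), 100001, payload)
    refused = pe5.decapsulate(forged)
    return accepted is not None, refused is None


if __name__ == "__main__":
    print(demo())   # (True, True)
```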
27/36
VPN Services over IP Tunnels: Review of capabilities
Capability                                                                    | Static IP overlay | Static GRE | Dynamic Multi-point GRE | L2TPv3 w/SAFI
Encapsulates MPLS over IP                                                     | Yes | Yes | Yes | Yes
Avoids full mesh via scalable, dynamic, p2mp tunnels                          | No  | No  | Yes | Yes
Simple, scalable, anti-spoofing protection built-in                           | No  | No  | No  | Yes
Avoids blackholes by advertising tunnel capabilities                          | No  | No  | No  | Yes
Encapsulation facilitates high-speed lookup and distributed processing assist | No  | No  | No  | Yes
Tested in a large active deployment                                           | ?   | Yes | ?   | Yes
28/36
MPLS over IP Tunneling Solutions
Extending the Reach of MPLS
29/36
Extending the Reach of MPLS: MPLS over IP Tunnels
[Figure: MPLS Cloud A (IP/MPLS) - IP-Only Network - MPLS Cloud B (IP/MPLS), joined by IP Tunnels; PE-1, PE-2 and PE-3 serve CE-1 through CE-5 with MPLS Layer-3 VPN (RFC2547), VPLS L2VPN and VPWS L2VPN (Pseudowires)]
Multiple MPLS or IP networks, seamless global MPLS service presented to customers.
30/36
Step-by-Step Migration to MPLS
[Figure: IP/MPLS Network - IP Network - IP/MPLS Network with CEs and PEs; MPLS/MPLS is used inside the MPLS networks, MPLS/IP across the IP network]
Native MPLS/MPLS is used when possible; MPLS/L2TPv3, MPLS/GRE or MPLS over IPsec where necessary, etc.
Requires the BGP Tunnel SAFI to advertise PE capabilities.
31/36
Operational Flexibility
There are many benefits to an MPLS core network, including Traffic Engineering, Fast Re-route, etc.
However, IP networks without MPLS end-to-end can still be engineered well enough to deploy Edge MPLS-based services such as L2VPN and L3VPN.
Deploying Edge MPLS services may be decoupled from deploying MPLS Core features, allowing separate operational teams to migrate at their own pace.
Scaling MPLS VPNs
32/36
Native MPLS VPNs (w/o IP Tunnels)
[Figure: Large MPLS VPN Network (2-3000 PEs), a full mesh of PEs]
Each PE must signal its own Tunnel LSP (i.e., LDP) and carry a /32 route within the IGP.
To support 3000 PEs in one VPN, the IGP must support 3000 /32 PE routes.
There are examples of this size of Native MPLS VPN today.
34/36
MPLS over IP Tunnels
35/36
Summary of what you can do with this technology
Extending the Reach of MPLS: MPLS services (such as RFC 2547 VPNs) based on IP Tunnels can cross multiple providers (Inter-provider) or administrative domains (Inter-AS) to reach customers anywhere IP reaches.
Migration to MPLS: MPLS/MPLS where available, MPLS/IP where not.
Operational Flexibility: Some service providers do not yet have (or do not yet want) MPLS in their core networks, but still want to offer their customers MPLS-based services.
Scaling MPLS VPN deployments: IP route aggregation allows for scaling MPLS VPNs across a very large number of PEs without increasing the number of PE-PE LSPs and associated /32 routes advertised in an IGP.
36/36
Summary of Available Tunneling Technologies
Static MPLS over GRE may be used to connect a small number of isolated nodes or disparate MPLS networks, but is not recommended for high scale deployments.
Dynamic Multipoint Tunneling, available with GRE or L2TPv3, solves the manual provisioning problem with static GRE tunnels, but can still allow blackholes.
The BGP Tunnel SAFI prevents blackholes to routers which cannot decapsulate a given type of IP tunnel, allowing staged migration to MPLS.
IPsec can provide strong security, but is expensive from an opex and capex perspective.
L2TPv3 includes lightweight yet strong anti-spoofing protection, with zero additional opex complexity over mGRE, and no reliance on ACLs.
Conclusion: MPLS over L2TPv3 w/BGP Tunnel SAFI is the most feature-rich and proven MPLS over IP Tunnel offering among the choices available.