[c-nsp] MPLS to Customer (Option B) / Multiple VRFs on CPEs

Waris Sagheer (waris) waris at cisco.com
Wed Aug 27 00:10:43 EDT 2014


James,
ASR9K has mpls urpf support. We are planning to support the same on ASR920 and ASR903 RSP2.
http://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r4-3/mpls/configuration/guide/b_mpls_cg43xasr9k/b_mpls_cg43asr9k_chapter_011.html#task_19C44FE6D33F4F8BADAF64614C1DB339

MPLS uRPF and proper control plane authentication should be able to address your concerns. I think Autonomic Networking will also help since it builds secure channel infrastructure.

Best Regards,


Waris Sagheer
Technical Marketing Manager
Service Provider Access Group (SPAG)
waris at cisco.com<mailto:waris at cisco.com>
Phone: +1 408 853 6682
Mobile: +1 408 835 1389

CCIE - 19901








From: James Bensley <jwbensley at gmail.com<mailto:jwbensley at gmail.com>>
Date: Tuesday, August 26, 2014 at 1:56 AM
To: "cisco-nsp at puck.nether.net<mailto:cisco-nsp at puck.nether.net>" <cisco-nsp at puck.nether.net<mailto:cisco-nsp at puck.nether.net>>
Subject: [c-nsp] MPLS to Customer (Option B) / Multiple VRFs on CPEs

Hi All,

I know this has been discussed before (more on the NANOG list) but
what are people doing regarding MPLS down to the CPE?

Even though we own our CPEs and customers typically don't have access
to them (or perhaps restricted show commands) it is a security concern
that customers can send labelled packets back into the network if we
enable MPLS on the CE facing interface on our PE. There is also the
concern of route injection but I believe that risk can be removed by
enabling MD5 on BGP and LDP sessions between CE and PE.

(i) My first idea was uRPF, on the 12000 routers it seems that uRPF
can inspect MPLS;

From: http://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/srpf_gsr.html
"All Layer 2 encapsulation and transport types are supported,
including ATM AAL5, ATM cell relay, Ethernet (VLAN and port modes),
Frame Relay, HDLC, and PPP over MPLS; for more information, refer to
Any Transport over MPLS."
...
"Although the Unicast RPF in Strict Mode feature filters only IPv4
packets in IP or MPLS traffic, you can configure IOS software features
that manage other traffic on the same interface, such as IP
forwarding, MPLS features, Frame Relay switching, ATM switching, and
Any Transport over ATM (AToM) connections. However, Unicast RPF
filtering is only applied to incoming traffic on IP routing interfaces
and not on packets processed by Frame Relay or ATM switching or
transmitted over AToM pseudowire commendations."

We aren't using 12000 though; At the access layer we're using
ME3600/ME3800/6500/7600/ASR1K and we're looking at 6880-X to remove
the smaller access layer 6504/6505/7604/7607 type chassis. I can't
find any indication that any of those can support MPLS in uRPF so I
think that idea is useless unless someone else can show me some
contradictory information?

(ii) My second idea was label value range restrictions

Since the average CPE may have 3-5 VRFs on it with say 10 routes in
each we could perhaps fiddle with the label allocation rules by
setting 1000-1999 to be the usable range at PoP A, and 2000-2999 at
PoP B and so on. We can restrict the routes that enter the LFIB at the
PEs and which ones get labels allocated to them. Techniques like this
reduce the surface area of potential attack and make it difficult to
send in packets with a valid label (or label stack) but they seem more
like security through obscurity to me.

(iii) Additional options...

I'm all ears! Is anyone running MPLS to the customer rather than
multiple option A peerings to each CPE? When we do large roll outs of
1000 CPEs with each CPE having a minimum of 3 and maximum of ~10 VRFs
we end up having thousands of peerings. MPLS to the customer really
would be a lot simpler for config generation, automation, monitoring
etc. (also when we want PWE3/AToM between two CPEs at different
sites).

Cheers,
James.
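As an added illustration of option (ii) above (not code from the thread or from Cisco), the following script parses an MPLS label stack as it would arrive on a CE-facing interface and checks every label against the per-PoP allocation ranges the post proposes (1000-1999 for PoP A, 2000-2999 for PoP B, assumed values here). It is the kind of audit a monitoring probe or packet-capture review could run to flag labelled packets a CE sends that fall outside the range its PoP ever hands out, or into the IANA reserved range 0-15.

```python
import struct

# Per-PoP usable label ranges, as proposed in the post (assumed values for this example)
POP_LABEL_RANGES = {
    "PoP-A": (1000, 1999),
    "PoP-B": (2000, 2999),
}
RESERVED_MAX = 15  # labels 0-15 are reserved (explicit null, router alert, ...)


def parse_label_stack(data: bytes):
    """Decode an MPLS label stack into (label, tc, bos, ttl) tuples.

    Each entry is 32 bits: 20-bit label, 3-bit TC, 1-bit bottom-of-stack, 8-bit TTL.
    Stops after the bottom-of-stack entry; raises ValueError on a truncated stack.
    """
    entries = []
    offset = 0
    while True:
        if len(data) - offset < 4:
            raise ValueError("truncated label stack")
        (word,) = struct.unpack_from("!I", data, offset)
        label = word >> 12
        tc = (word >> 9) & 0x7
        bos = (word >> 8) & 0x1
        ttl = word & 0xFF
        entries.append((label, tc, bos, ttl))
        offset += 4
        if bos:
            return entries


def audit_ce_labels(data: bytes, pop: str):
    """Classify each label received from a CE attached to `pop`.

    Returns a list of (label, verdict) with verdict in
    {"allowed", "reserved", "out-of-range"}.
    """
    lo, hi = POP_LABEL_RANGES[pop]
    verdicts = []
    for label, _tc, _bos, _ttl in parse_label_stack(data):
        if label <= RESERVED_MAX:
            verdicts.append((label, "reserved"))
        elif lo <= label <= hi:
            verdicts.append((label, "allowed"))
        else:
            verdicts.append((label, "out-of-range"))
    return verdicts


def encode_label_stack(labels):
    """Build a constructed label stack for testing; last entry gets BoS set, TTL 64."""
    out = b""
    for i, label in enumerate(labels):
        bos = 1 if i == len(labels) - 1 else 0
        out += struct.pack("!I", (label << 12) | (bos << 8) | 64)
    return out
```

Run against a capture, the "out-of-range" and "reserved" verdicts are the ones worth alerting on, since a correctly configured PoP A PE would never have advertised those labels to its CEs.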
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net<mailto:cisco-nsp at puck.nether.net>
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/