Internet Engineering Task Force (IETF)                      L. Fang, Ed.
Request for Comments: 6941                                         Cisco
Category: Informational                            B. Niven-Jenkins, Ed.
ISSN: 2070-1721                                                  Velocix
                                                       S. Mansfield, Ed.
                                                                Ericsson
                                                        R. Graveman, Ed.
                                                            RFG Security
                                                              April 2013
        
Internet Engineering Task Force (IETF)                      L. Fang, Ed.
Request for Comments: 6941                                         Cisco
Category: Informational                            B. Niven-Jenkins, Ed.
ISSN: 2070-1721                                                  Velocix
                                                       S. Mansfield, Ed.
                                                                Ericsson
                                                        R. Graveman, Ed.
                                                            RFG Security
                                                              April 2013
        

MPLS Transport Profile (MPLS-TP) Security Framework

MPLS传输配置文件(MPLS-TP)安全框架

Abstract

摘要

This document provides a security framework for the MPLS Transport Profile (MPLS-TP). MPLS-TP extends MPLS technologies and introduces new Operations, Administration, and Maintenance (OAM) capabilities, a transport-oriented path protection mechanism, and strong emphasis on static provisioning supported by network management systems. This document addresses the security aspects relevant in the context of MPLS-TP specifically. It describes potential security threats as well as mitigation procedures related to MPLS-TP networks and to MPLS-TP interconnection to other MPLS and GMPLS networks. This document is built on RFC 5920 ("Security Framework for MPLS and GMPLS Networks") by providing additional security considerations that are applicable to the MPLS-TP extensions. All the security considerations from RFC 5920 are assumed to apply.

本文档为MPLS传输配置文件(MPLS-TP)提供了一个安全框架。MPLS-TP扩展了MPLS技术,并引入了新的操作、管理和维护(OAM)功能、面向传输的路径保护机制,以及网络管理系统支持的静态资源调配。本文档具体介绍了MPLS-TP上下文中的相关安全方面。它描述了潜在的安全威胁以及与MPLS-TP网络以及与其他MPLS和GMPLS网络的MPLS-TP互连相关的缓解程序。本文档基于RFC 5920(“MPLS和GMPLS网络的安全框架”),提供了适用于MPLS-TP扩展的其他安全注意事项。假设RFC 5920中的所有安全注意事项都适用。

This document is a product of a joint Internet Engineering Task Force (IETF) / International Telecommunication Union Telecommunication Standardization Sector (ITU-T) effort to include an MPLS Transport Profile within the IETF MPLS and Pseudowire Emulation Edge-to-Edge (PWE3) architectures to support the capabilities and functionality of a packet transport network.

本文件是联合互联网工程任务组(IETF)/国际电信联盟电信标准化部门(ITU-T)努力的成果,旨在将MPLS传输配置文件纳入IETF MPLS和伪线仿真边到边(PWE3)中支持分组传输网络的能力和功能的体系结构。

Status of This Memo

关于下段备忘

This document is not an Internet Standards Track specification; it is published for informational purposes.

本文件不是互联网标准跟踪规范;它是为了提供信息而发布的。

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741.

本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。并非IESG批准的所有文件都适用于任何级别的互联网标准;见RFC 5741第2节。

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6941.

有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc6941.

Copyright Notice

版权公告

Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved.

版权所有(c)2013 IETF信托基金和确定为文件作者的人员。版权所有。

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。

Table of Contents

目录

   1. Introduction ....................................................3
      1.1. Terminology ................................................3
   2. Security Reference Models .......................................4
      2.1. Security Reference Model 1 .................................5
      2.2. Security Reference Model 2 .................................6
   3. Security Threats ................................................9
   4. Defensive Techniques ...........................................10
   5. Security Considerations ........................................12
   6. Acknowledgements ...............................................13
   7. References .....................................................13
      7.1. Normative References ......................................13
      7.2. Informative References ....................................13
   Contributors ......................................................14
        
   1. Introduction ....................................................3
      1.1. Terminology ................................................3
   2. Security Reference Models .......................................4
      2.1. Security Reference Model 1 .................................5
      2.2. Security Reference Model 2 .................................6
   3. Security Threats ................................................9
   4. Defensive Techniques ...........................................10
   5. Security Considerations ........................................12
   6. Acknowledgements ...............................................13
   7. References .....................................................13
      7.1. Normative References ......................................13
      7.2. Informative References ....................................13
   Contributors ......................................................14
        
1. Introduction
1. 介绍

This document provides a security framework for the MPLS Transport Profile (MPLS-TP).

本文档为MPLS传输配置文件(MPLS-TP)提供了一个安全框架。

As defined in "Requirements of an MPLS Transport Profile" [RFC5654] and "A Framework for MPLS in Transport Networks" [RFC5921], MPLS-TP uses a subset of MPLS features and introduces extensions to reflect the characteristics of the transport technology. The additional functionality includes in-band OAM, transport-oriented path protection and recovery mechanisms, and new OAM capabilities that were developed for MPLS-TP but that also apply to MPLS and GMPLS. There is strong emphasis in MPLS-TP on static provisioning support through Network Management Systems (NMSs) or Operational Support Systems (OSSs).

如“MPLS传输配置文件的要求”[RFC5654]和“传输网络中的MPLS框架”[RFC5921]中所定义,MPLS-TP使用MPLS功能的子集,并引入扩展以反映传输技术的特征。附加功能包括带内OAM、面向传输的路径保护和恢复机制,以及为MPLS-TP开发但也适用于MPLS和GMPLS的新OAM功能。MPLS-TP强调通过网络管理系统(NMS)或运营支持系统(OSS)提供静态资源调配支持。

This document is built on [RFC5920] by providing additional security considerations that are applicable to the MPLS-TP extensions. The security models, threats, and defense techniques previously defined in [RFC5920] are assumed to apply to general aspects of MPLS-TP.

本文档以[RFC5920]为基础,提供了适用于MPLS-TP扩展的其他安全注意事项。假设[RFC5920]中先前定义的安全模型、威胁和防御技术适用于MPLS-TP的一般方面。

This document is a product of a joint Internet Engineering Task Force (IETF) / International Telecommunication Union Telecommunication Standardization Sector (ITU-T) effort to include an MPLS Transport Profile within the IETF MPLS and PWE3 architectures to support the capabilities and functionality of a packet transport network.

本文件是联合互联网工程任务组(IETF)/国际电信联盟电信标准化部门(ITU-T)努力的成果,旨在将MPLS传输配置文件纳入IETF MPLS和PWE3体系结构中,以支持分组传输网络的能力和功能。

Readers can refer to [RFC5654] and [RFC5921] for MPLS-TP terminologies and to [RFC5920] for security terminologies that are relevant to MPLS and GMPLS.

读者可以参考[RFC5654]和[RFC5921]了解MPLS-TP术语,并参考[RFC5920]了解与MPLS和GMPLS相关的安全术语。

1.1. Terminology
1.1. 术语
   Term       Definition
   ------     -----------------------------------------------
   AC         Attachment Circuit
   BFD        Bidirectional Forwarding Detection
   CE         Customer Edge
   DoS        Denial of Service
   G-ACh      Generic Associated Channel
   GAL        G-ACh Label
   GMPLS      Generalized Multiprotocol Label Switching
   IP         Internet Protocol
   LDP        Label Distribution Protocol
   LSP        Label Switched Path
   NMS        Network Management System
   MPLS       Multiprotocol Label Switching
   MPLS-TP    MPLS Transport Profile
        
   Term       Definition
   ------     -----------------------------------------------
   AC         Attachment Circuit
   BFD        Bidirectional Forwarding Detection
   CE         Customer Edge
   DoS        Denial of Service
   G-ACh      Generic Associated Channel
   GAL        G-ACh Label
   GMPLS      Generalized Multiprotocol Label Switching
   IP         Internet Protocol
   LDP        Label Distribution Protocol
   LSP        Label Switched Path
   NMS        Network Management System
   MPLS       Multiprotocol Label Switching
   MPLS-TP    MPLS Transport Profile
        

MS-PW Multi-Segment Pseudowire OAM Operations, Administration, and Maintenance PE Provider Edge PSN Packet-Switched Network PW Pseudowire S-PE PW Switching Provider Edge SP Service Provider SS-PW Single-Segment Pseudowire T-PE PW Terminating Provider Edge

MS-PW多段伪线OAM操作、管理和维护PE提供程序边缘PSN分组交换网络PW伪线S-PE PW交换提供程序边缘SP服务提供程序SS-PW单段伪线T-PE PW端接提供程序边缘

2. Security Reference Models
2. 安全参考模型

This section defines reference models for security in MPLS-TP networks.

本节定义了MPLS-TP网络安全的参考模型。

The models are built on the architecture of MPLS-TP, as defined in [RFC5921]. The placement of SP boundaries plays an important role in determining the security models for any particular deployment.

这些模型基于[RFC5921]中定义的MPLS-TP体系结构构建。SP边界的放置在确定任何特定部署的安全模型方面起着重要作用。

This document defines a trusted zone as being where a single SP has total operational control over that part of the network. A primary concern is about security aspects that relate to breaches of security from the "outside" of a trusted zone to the "inside" of this zone.

本文档将受信任区域定义为单个SP对该部分网络拥有完全操作控制权的区域。主要关注的是与从受信任区域的“外部”到该区域的“内部”的安全破坏相关的安全方面。

2.1. Security Reference Model 1
2.1. 安全参考模型1

In reference model 1, a single SP has total control of the "PE/T-PE to PE/T-PE" part of the MPLS-TP network.

在参考模型1中,单个SP完全控制MPLS-TP网络的“PE/T-PE到PE/T-PE”部分。

Security reference model 1(a) shows an MPLS-TP network with Single-Segment Pseudowire (SS-PW) from PE1 to PE2. The trusted zone is PE1 to PE2, as illustrated in Figure 1.

安全参考模型1(a)显示了从PE1到PE2具有单段伪线(SS-PW)的MPLS-TP网络。可信区域是PE1到PE2,如图1所示。

           |<-------------- Emulated Service ---------------->|
           |                                                  |
           |          |<------- Pseudowire ------->|          |
           |          |                            |          |
           |          |    |<-- PSN Tunnel -->|    |          |
           |          v    v                  v    v          |
           v    AC    +----+                  +----+     AC   v
     +-----+    |     | PE1|==================| PE2|     |    +-----+
     |     |----------|............PW1.............|----------|     |
     | CE1 |    |     |    |                  |    |     |    | CE2 |
     |     |----------|............PW2.............|----------|     |
     +-----+  ^ |     |    |==================|    |     | ^  +-----+
           ^  |       +----+                  +----+     | |  ^
           |  |   Provider Edge 1         Provider Edge 2  |  |
           |  |                                            |  |
     Customer |                                            |Customer
     Edge 1   |                                            |Edge 2
              |                                            |
        Native service                               Native service
        
           |<-------------- Emulated Service ---------------->|
           |                                                  |
           |          |<------- Pseudowire ------->|          |
           |          |                            |          |
           |          |    |<-- PSN Tunnel -->|    |          |
           |          v    v                  v    v          |
           v    AC    +----+                  +----+     AC   v
     +-----+    |     | PE1|==================| PE2|     |    +-----+
     |     |----------|............PW1.............|----------|     |
     | CE1 |    |     |    |                  |    |     |    | CE2 |
     |     |----------|............PW2.............|----------|     |
     +-----+  ^ |     |    |==================|    |     | ^  +-----+
           ^  |       +----+                  +----+     | |  ^
           |  |   Provider Edge 1         Provider Edge 2  |  |
           |  |                                            |  |
     Customer |                                            |Customer
     Edge 1   |                                            |Edge 2
              |                                            |
        Native service                               Native service
        
     ---Untrusted--- >|<------- Trusted Zone ----->|<---Untrusted----
        
     ---Untrusted--- >|<------- Trusted Zone ----->|<---Untrusted----
        

Figure 1. MPLS-TP Security Model 1(a)

图1。MPLS-TP安全模型1(a)

Security reference model 1(b) shows an MPLS-TP network with Multi-Segment Pseudowire (MS-PW) from T-PE1 to T-PE2. The trusted zone is T-PE1 to T-PE2, as illustrated in Figure 2.

安全参考模型1(b)显示了从T-PE1到T-PE2具有多段伪线(MS-PW)的MPLS-TP网络。可信区域为T-PE1到T-PE2,如图2所示。

         Native  |<-------------Pseudowire------------>|  Native
         Service |                                     |  Service
          (AC)   |     |<- PSN ->|     |<- PSN ->|     |   (AC)
            |    v     v         v     v         v     v     |
            |    +-----+         +-----+         +-----+     |
     +----+ |    |T-PE1|=========|S-PE1|=========|T-PE2|     | +----+
     |    |------|......PW.Seg't1.......PW.Seg't3......|-------|    |
     | CE1| |    |     |         |     |         |     |     | |CE2 |
     |    |------|......PW.Seg't2.......PW.Seg't4......|-------|    |
     +----+ |    |     |=========|     |=========|     |     | +----+
          ^      +-----+    ^    +-----+     ^   +-----+        ^
          |                 |                |                  |
          |               TP LSP            TP LSP              |
          |                                                     |
          |<----------------- Emulated Service ---------------->|
        
         Native  |<-------------Pseudowire------------>|  Native
         Service |                                     |  Service
          (AC)   |     |<- PSN ->|     |<- PSN ->|     |   (AC)
            |    v     v         v     v         v     v     |
            |    +-----+         +-----+         +-----+     |
     +----+ |    |T-PE1|=========|S-PE1|=========|T-PE2|     | +----+
     |    |------|......PW.Seg't1.......PW.Seg't3......|-------|    |
     | CE1| |    |     |         |     |         |     |     | |CE2 |
     |    |------|......PW.Seg't2.......PW.Seg't4......|-------|    |
     +----+ |    |     |=========|     |=========|     |     | +----+
          ^      +-----+    ^    +-----+     ^   +-----+        ^
          |                 |                |                  |
          |               TP LSP            TP LSP              |
          |                                                     |
          |<----------------- Emulated Service ---------------->|
        
     -Untrusted->|<---------- Trusted Zone ----------->|<-Untrusted--
        
     -Untrusted->|<---------- Trusted Zone ----------->|<-Untrusted--
        

Figure 2. MPLS-TP Security Model 1(b)

图2。MPLS-TP安全模型1(b)

2.2. Security Reference Model 2
2.2. 安全参考模型2

In reference model 2, a single SP does not have the end-to-end control of the segment from PE/T-PE to PE/T-PE. A given S-PE or T-PE may be under the control of another SP, that SP's customers, or its partners. In this case, the MPLS-TP network is not contained within a single trusted zone.

在参考模型2中,单个SP不具有从PE/T-PE到PE/T-PE段的端到端控制。给定的S-PE或T-PE可能由另一个SP、该SP的客户或其合作伙伴控制。在这种情况下,MPLS-TP网络不包含在单个受信任区域内。

Security reference model 2(a) shows an MPLS-TP network with Multi-Segment Pseudowire (MS-PW) from T-PE1 to T-PE2. The trusted zone is T-PE1 to S-PE1, as illustrated in Figure 3.

安全参考模型2(a)显示了从T-PE1到T-PE2具有多段伪线(MS-PW)的MPLS-TP网络。受信任区域是T-PE1到S-PE1,如图3所示。

         Native  |<-------------Pseudowire------------>| Native
         Service |                                     | Service
          (AC)   |     |<--PSN-->|     |<--PSN-->|     |  (AC)
            |    V     V         V     V         V     V    |
            |    +-----+         +-----+         +-----+    |
     +----+ |    |T-PE1|=========|S-PE1|=========|T-PE2|    | +----+
     |    |------|......PW.Seg't1.......PW.Seg't3......|------|    |
     | CE1| |    |     |         |     |         |     |    | |CE2 |
     |    |------|......PW.Seg't2.......PW.Seg't4......|------|    |
     +----+ |    |     |=========|     |=========|     |    | +----+
          ^      +-----+    ^    +-----+     ^   +-----+      ^
          |                 |                |                |
          |               TP LSP            TP LSP            |
          |                                                   |
          |<---------------- Emulated Service --------------->|
        
         Native  |<-------------Pseudowire------------>| Native
         Service |                                     | Service
          (AC)   |     |<--PSN-->|     |<--PSN-->|     |  (AC)
            |    V     V         V     V         V     V    |
            |    +-----+         +-----+         +-----+    |
     +----+ |    |T-PE1|=========|S-PE1|=========|T-PE2|    | +----+
     |    |------|......PW.Seg't1.......PW.Seg't3......|------|    |
     | CE1| |    |     |         |     |         |     |    | |CE2 |
     |    |------|......PW.Seg't2.......PW.Seg't4......|------|    |
     +----+ |    |     |=========|     |=========|     |    | +----+
          ^      +-----+    ^    +-----+     ^   +-----+      ^
          |                 |                |                |
          |               TP LSP            TP LSP            |
          |                                                   |
          |<---------------- Emulated Service --------------->|
        
     Untrusted-->|<-- Trusted Zone---->|<---------Untrusted--------
        
     Untrusted-->|<-- Trusted Zone---->|<---------Untrusted--------
        

Figure 3. MPLS-TP Security Model 2(a)

图3。MPLS-TP安全模型2(a)

Security reference model 2(b) shows an MPLS-TP network with Multi-Segment Pseudowire (MS-PW) from T-PE1 to T-PE2. The trusted zone is the S-PE1 only, as illustrated in Figure 4.

安全参考模型2(b)显示了从T-PE1到T-PE2具有多段伪线(MS-PW)的MPLS-TP网络。受信任区域仅为S-PE1,如图4所示。

         Native  |<-------------Pseudowire------------>| Native
         Service |                                     | Service
          (AC)   |     |<--PSN-->|     |<--PSN-->|     |  (AC)
            |    V     V         V     V         V     V    |
            |    +-----+         +-----+         +-----+    |
     +----+ |    |T-PE1|=========|S-PE1|=========|T-PE2|    | +----+
     |    |------|......PW.Seg't1.......PW.Seg't3......|------|    |
     | CE1| |    |     |         |     |         |     |    | |CE2 |
     |    |------|......PW.Seg't2.......PW.Seg't4......|------|    |
     +----+ |    |     |=========|     |=========|     |    | +----+
          ^      +-----+    ^    +-----+     ^   +-----+      ^
          |                 |                |                |
          |               TP LSP            TP LSP            |
          |                                                   |
          |<---------------- Emulated Service --------------->|
        
         Native  |<-------------Pseudowire------------>| Native
         Service |                                     | Service
          (AC)   |     |<--PSN-->|     |<--PSN-->|     |  (AC)
            |    V     V         V     V         V     V    |
            |    +-----+         +-----+         +-----+    |
     +----+ |    |T-PE1|=========|S-PE1|=========|T-PE2|    | +----+
     |    |------|......PW.Seg't1.......PW.Seg't3......|------|    |
     | CE1| |    |     |         |     |         |     |    | |CE2 |
     |    |------|......PW.Seg't2.......PW.Seg't4......|------|    |
     +----+ |    |     |=========|     |=========|     |    | +----+
          ^      +-----+    ^    +-----+     ^   +-----+      ^
          |                 |                |                |
          |               TP LSP            TP LSP            |
          |                                                   |
          |<---------------- Emulated Service --------------->|
        
     --------Untrusted---------->|<--->|<-------Untrusted----------
                                 Trusted
                                  Zone
        
     --------Untrusted---------->|<--->|<-------Untrusted----------
                                 Trusted
                                  Zone
        

Figure 4. MPLS-TP Security Model 2(b)

图4。MPLS-TP安全模型2(b)

Security reference model 2(c) shows an MPLS-TP network with Multi-Segment Pseudowire (MS-PW) from different SPs with inter-provider PW connections. The trusted zone is T-PE1 to S-PE3, as illustrated in Figure 5.

安全参考模型2(c)显示了一个MPLS-TP网络,该网络具有来自不同SP的多段伪线(MS-PW),具有提供商间PW连接。可信区域为T-PE1到S-PE3,如图5所示。

     Native  |<--------------------- PW15 ------------------>| Native
      Layer  |                                               | Layer
    Service  |     |<PSN13>|     |<PSN3X>|     |<PSNXZ>|     | Service
      (AC1)  V     V  LSP  V     V  LSP  V     V  LSP  V     V (AC2)
          |  +-----+  +-+  +-----+       +-----+  +-+  +-----+ |
    +---+ |  |T-PE1|  | |  |S-PE3|       |S-PEX|  | |  |T-PEZ| | +---+
    |   | |  |     |=======|     |=======|     |=======|     | | |   |
    |CE1|----|........PW1........|..PW3..|........PW5........|---|CE2|
    |   | |  |     |=======|     |=======|     |=======|     | | |   |
    +---+    |  1  |  |2|  |  3  |       |  X  |  |Y|  |  Z  |   +---+
             +-----+  +-+  +-----+       +-----+  +-+  +-----+
             |<--Subnetwork 123->|       |<--Subnetwork XYZ->|
        
     Native  |<--------------------- PW15 ------------------>| Native
      Layer  |                                               | Layer
    Service  |     |<PSN13>|     |<PSN3X>|     |<PSNXZ>|     | Service
      (AC1)  V     V  LSP  V     V  LSP  V     V  LSP  V     V (AC2)
          |  +-----+  +-+  +-----+       +-----+  +-+  +-----+ |
    +---+ |  |T-PE1|  | |  |S-PE3|       |S-PEX|  | |  |T-PEZ| | +---+
    |   | |  |     |=======|     |=======|     |=======|     | | |   |
    |CE1|----|........PW1........|..PW3..|........PW5........|---|CE2|
    |   | |  |     |=======|     |=======|     |=======|     | | |   |
    +---+    |  1  |  |2|  |  3  |       |  X  |  |Y|  |  Z  |   +---+
             +-----+  +-+  +-----+       +-----+  +-+  +-----+
             |<--Subnetwork 123->|       |<--Subnetwork XYZ->|
        
   Untrusted>|<-- Trusted Zone-->|<-------------Untrusted-------------
        
   Untrusted>|<-- Trusted Zone-->|<-------------Untrusted-------------
        

Figure 5. MPLS-TP Security Model 2(c)

图5。MPLS-TP安全模型2(c)

In general, the boundaries of a trusted zone must be carefully defined when analyzing the security properties of each individual network. The security boundaries determine which reference model should be applied to a given network topology.

通常,在分析每个网络的安全属性时,必须仔细定义受信任区域的边界。安全边界决定应将哪个参考模型应用于给定的网络拓扑。

3. Security Threats
3. 安全威胁

This section discusses various network security threats that are unique to MPLS-TP and may endanger MPLS-TP networks.

本节讨论MPLS-TP特有的各种网络安全威胁,这些威胁可能危及MPLS-TP网络。

Attacks against a GAL or G-ACh may include the following:

针对GAL或G-ACh的攻击可能包括以下内容:

- GAL or BFD label manipulation, which includes insertion of false labels and modification, deletion, or replay of messages.

- GAL或BFD标签操作,包括插入假标签和修改、删除或重播消息。

- DoS attacks through in-band OAM by generating excessive G-ACh/GAL and BFD messages that consume significant bandwidth and potentially cause congestion.

- DoS攻击通过带内OAM生成过多的G-ACh/GAL和BFD消息,这些消息消耗大量带宽并可能导致拥塞。

These attacks can cause unauthorized protection switchover, inability to restore one or more LSPs, or loss of network connectivity.

这些攻击可能导致未经授权的保护切换、无法恢复一个或多个LSP或网络连接丢失。

When an NMS is used for LSP setup, attacks on the NMS can cause the above effects as well. Although this is not unique to MPLS-TP, MPLS-TP networks can be particularly vulnerable to NMS attacks, due to the fact that static provisioning through NMSs is a commonly used model. In the static provisioning model, a compromised NMS can potentially be comparable to a compromised control plane plus a compromised management plane in the dynamic controlled network model.

当NMS用于LSP设置时,对NMS的攻击也会造成上述影响。尽管这不是MPLS-TP所独有的,但MPLS-TP网络可能特别容易受到NMS攻击,因为通过NMS进行静态资源调配是一种常用的模型。在静态供应模型中,受损的NMS可能与动态受控网络模型中受损的控制平面加上受损的管理平面相当。

Attacks on NMSs may come from either external attackers or insiders. Outside attacks are initiated outside of the trusted zone by unauthorized users of the MPLS-TP NMSs. Insider attacks are initiated from inside the trusted zone by an entity that has authorized access to the management systems but that performs unapproved functions that are harmful to the MPLS-TP networks. These attacks may directly target the NMS; they may also take place via the compromised communication channels between the NMS and the network devices that are being provisioned, or through user access to the provisioning tools. This type of security threat may include disclosure of information, generating false OAM messages, taking down MPLS-TP LSPs, connecting to the wrong MPLS-TP tunnel endpoints, and DoS attacks on the MPLS-TP networks.

对NMS的攻击可能来自外部攻击者或内部人员。外部攻击由MPLS-TP NMS的未经授权用户在受信任区域之外发起。内部攻击由具有管理系统授权访问权限但执行对MPLS-TP网络有害的未经批准功能的实体从受信任区域内发起。这些攻击可能直接针对NMS;它们也可以通过NMS和正在供应的网络设备之间的受损通信信道,或者通过用户访问供应工具来进行。这种类型的安全威胁可能包括信息泄露、生成错误的OAM消息、关闭MPLS-TP LSP、连接到错误的MPLS-TP隧道端点以及对MPLS-TP网络的DoS攻击。

There are other more generic security threats, such as unauthorized observation of data traffic (including traffic pattern analysis), modification or deletion of a provider's or user's data, and replay or insertion of inauthentic data into a provider's or user's data

还有其他更普遍的安全威胁,例如未经授权的数据流量观察(包括流量模式分析)、修改或删除提供商或用户的数据,以及将不真实的数据重播或插入提供商或用户的数据中

stream. These types of attacks apply to MPLS-TP traffic regardless of how the LSP or PW is set up, in a way that is similar to how they apply to MPLS traffic regardless of how the LSP is set up. More details on the above-mentioned threats are documented in [RFC5920].

流动无论LSP或PW如何设置,这些类型的攻击都适用于MPLS-TP流量,其方式类似于无论LSP如何设置,它们如何应用于MPLS流量。[RFC5920]中记录了有关上述威胁的更多详细信息。

Such threats may result from malicious behavior or accidental errors:

此类威胁可能由恶意行为或意外错误造成:

Example 1: Attacks from users: Users of the MPLS-TP network may attack the network infrastructure or attack other users.

示例1:来自用户的攻击:MPLS-TP网络的用户可能会攻击网络基础设施或攻击其他用户。

Example 2: Attacks from insiders: Employees of the operators may attack the MPLS-TP network, especially through NMSs.

示例2:来自内部人员的攻击:运营商的员工可能会攻击MPLS-TP网络,尤其是通过NMS。

Example 3: Attacks from interconnecting SPs or other partners: Other SPs may attack the MPLS-TP network, particularly through the inter-provider connections.

示例3:来自互连SP或其他合作伙伴的攻击:其他SP可能攻击MPLS-TP网络,特别是通过提供商间连接。

Example 4: Attacks as the result of operational errors: Operations staff may fail to follow operational procedures or may make operational mistakes.

示例4:操作错误导致的攻击:操作人员可能无法遵守操作程序或可能犯操作错误。

4. Defensive Techniques
4. 防守技术

The defensive techniques presented in this document and in [RFC5920] are intended to describe methods by which some security threats can be addressed. They are not intended as requirements for all MPLS-TP deployments. The specific operational environment determines the security requirements for any instance of MPLS-TP. Therefore, protocol designers should provide a full set of security capabilities that can be selected and used where appropriate. The MPLS-TP provider should determine the applicability of these techniques to the provider's specific service offerings, and the end user may wish to assess the value of these techniques to the user's service requirements.

本文件和[RFC5920]中介绍的防御技术旨在描述解决某些安全威胁的方法。它们不是所有MPLS-TP部署的要求。特定的操作环境决定了MPLS-TP任何实例的安全要求。因此,协议设计者应该提供一整套安全功能,这些功能可以在适当的情况下选择和使用。MPLS-TP提供商应确定这些技术对提供商的特定服务产品的适用性,最终用户可能希望评估这些技术对用户服务需求的价值。

Authentication is the primary defense technique to mitigate the risk of the MPLS-TP security threats discussed in Section 3 (GAL or BFD label manipulation, and DoS attacks through in-band OAM). Authentication refers to methods to ensure that message sources are properly identified by the MPLS-TP devices with which they communicate. Authentication includes the following:

认证是缓解第3节(GAL或BFD标签操纵以及通过带内OAM的DoS攻击)中讨论的MPLS-TP安全威胁风险的主要防御技术。认证指的是确保消息源由与其通信的MPLS-TP设备正确标识的方法。身份验证包括以下内容:

- entity authentication for identity verification

- 用于身份验证的实体身份验证

- management system authentication

- 管理系统认证

- peer-to-peer authentication

- 对等认证

- message integrity and replay detection to ensure the validity of message streams

- 消息完整性和重播检测,确保消息流的有效性

- network-based access controls such as packet filtering and firewalls

- 基于网络的访问控制,如包过滤和防火墙

- host-based access controls

- 基于主机的访问控制

- isolation

- 隔离

- aggregation

- 聚集

- protection against denial of service

- 防止拒绝服务

- event logging

- 事件记录

Section 5.2 of [RFC5920] describes these techniques where they apply to MPLS and GMPLS in general.

[RFC5920]的第5.2节描述了这些技术通常适用于MPLS和GMPLS。

In addition to authentication, the following defense should also be considered in order to protect MPLS-TP networks:

除认证外,还应考虑以下防御措施,以保护MPLS-TP网络:

- Use of isolated infrastructure for MPLS-TP

- MPLS-TP中隔离基础设施的使用

One way to protect the MPLS-TP infrastructure is to use dedicated network resources to provide MPLS-TP transport services. For example, in security model 2 (Section 2.2), the potential risk of attacks on the S-PE1 or T-PE1 in the trusted zone may be reduced by using non-IP-based communication paths, so that the paths in the trusted zone cannot be reached from the outside via IP.

保护MPLS-TP基础设施的一种方法是使用专用网络资源来提供MPLS-TP传输服务。例如,在安全模型2中(第2.2节),可通过使用非基于IP的通信路径来降低对受信任区域中的S-PE1或T-PE1的攻击的潜在风险,从而无法通过IP从外部到达受信任区域中的路径。

- Verification of connectivity

- 连通性验证

To protect against deliberate or accidental misconnection, mechanisms can be put in place to verify both end-to-end connectivity and segment-by-segment resources. These mechanisms can trace the routes of LSPs in both the control plane and the data plane. Note that the connectivity verification tools are now developed for general MPLS networks as well.

为了防止故意或意外的错误连接,可以建立机制来验证端到端连接和逐段资源。这些机制可以在控制平面和数据平面上跟踪LSP的路由。请注意,连接验证工具现在也为通用MPLS网络开发。

The defense techniques that apply generally to MPLS/GMPLS are not detailed here; see [RFC5920] for details regarding these techniques. For example:

通常适用于MPLS/GMPLS的防御技术在此不作详细说明;有关这些技术的详细信息,请参见[RFC5920]。例如:

1) Authentication, including management system authentication, peer-to-peer authentication, and cryptographic techniques for authenticating identity

1) 身份验证,包括管理系统身份验证、对等身份验证和用于身份验证的加密技术

2) Access control techniques

2) 访问控制技术

3) Use of aggregated infrastructure

3) 使用聚合基础设施

4) Mitigation of denial-of-service attacks

4) 缓解拒绝服务攻击

5) Monitoring, detection, and reporting of security attacks

5) 监控、检测和报告安全攻击

It is important to point out the following security defense techniques, as they are particularly critical for NMSs, due to the strong emphasis on static provisioning supported by NMSs in MPLS-TP deployments. These techniques include the following:

重要的是要指出以下安全防御技术,因为它们对于NMS特别重要,因为MPLS-TP部署中非常强调NMS支持的静态资源调配。这些技术包括:

- entity authentication for identity verification

- 用于身份验证的实体身份验证

- encryption for confidentiality

- 保密加密

- message integrity and replay detection to ensure the validity of message streams

- 消息完整性和重播检测,确保消息流的有效性

- user access control and event logging, which must be applied for NMSs and provisioning applications

- 用户访问控制和事件日志记录,必须应用于NMS和资源调配应用程序

5. Security Considerations
5. 安全考虑

Security considerations constitute the sole subject of this document and hence are discussed throughout.

安全考虑是本文件的唯一主题,因此将在本文件中进行讨论。

This document evaluates security risks specific to MPLS-TP, as well as mitigation mechanisms that may be used to counter potential threats. All of the techniques presented here involve mature and widely implemented technologies that are practical to implement. It is meant to assist equipment vendors and service providers who must ultimately decide what threats to protect against in any given configuration or service offering, from a customer's perspective as well as from a service provider's perspective.

本文档评估MPLS-TP特有的安全风险,以及可用于应对潜在威胁的缓解机制。这里介绍的所有技术都涉及成熟且广泛实现的技术,这些技术都很实用。它旨在帮助设备供应商和服务提供商,这些供应商和服务提供商必须从客户和服务提供商的角度最终决定在任何给定配置或服务提供中要防范哪些威胁。

6. Acknowledgements
6. 致谢

The authors wish to thank the following people: Joel Halpern and Gregory Mirsky for their review comments and contributions to this document, Mach Chen for his review and suggestions, Adrian Farrel for his Routing Area Director review and detailed comments, Loa Andersson for his continued support and guidance as the MPLS WG co-chair, and Dan Romascanu and Barry Leiba for their helpful comments during IESG review.

作者希望感谢以下人员:Joel Halpern和Gregory Mirsky对本文件的审查意见和贡献,Mach Chen的审查和建议,Adrian Farrel的路由区域主任审查和详细意见,Loa Andersson作为MPLS工作组联合主席的持续支持和指导,以及Dan Romascanu和Barry Leiba在IESG审查期间的有益评论。

7. References
7. 工具书类
7.1. Normative References
7.1. 规范性引用文件

[RFC5654] Niven-Jenkins, B., Ed., Brungard, D., Ed., Betts, M., Ed., Sprecher, N., and S. Ueno, "Requirements of an MPLS Transport Profile", RFC 5654, September 2009.

[RFC5654]Niven Jenkins,B.,Ed.,Brungard,D.,Ed.,Betts,M.,Ed.,Sprecher,N.,和S.Ueno,“MPLS传输配置文件的要求”,RFC 56542009年9月。

[RFC5920] Fang, L., Ed., "Security Framework for MPLS and GMPLS Networks", RFC 5920, July 2010.

[RFC5920]方,L.,编辑,“MPLS和GMPLS网络的安全框架”,RFC 5920,2010年7月。

7.2. Informative References
7.2. 资料性引用

[RFC5921] Bocci, M., Ed., Bryant, S., Ed., Frost, D., Ed., Levrau, L., and L. Berger, "A Framework for MPLS in Transport Networks", RFC 5921, July 2010.

[RFC5921]Bocci,M.,Ed.,Bryant,S.,Ed.,Frost,D.,Ed.,Levrau,L.,和L.Berger,“传输网络中MPLS的框架”,RFC 59212010年7月。

Contributors

贡献者

Raymond Zhang Alcatel-Lucent 750D Chai Chee Road Singapore 469004

新加坡柴子路750D雷蒙德张阿尔卡特朗讯469004

   EMail: raymond.zhang@alcatel-lucent.com
        
   EMail: raymond.zhang@alcatel-lucent.com
        

Nabil Bitar Verizon 40 Sylvan Road Waltham, MA 02145 US

美国马萨诸塞州沃尔瑟姆Sylvan路40号Nabil Bitar Verizon 02145

   EMail: nabil.bitar@verizon.com
        
   EMail: nabil.bitar@verizon.com
        

Masahiro Daikoku KDDI Corporation 3-11-11 Iidabashi, Chiyodaku, Tokyo Japan

日本东京Chiyodaku Iidabashi,Masahiro Daikoku KDDI Corporation 3-11-11

   EMail: ms-daikoku@kddi.com
        
   EMail: ms-daikoku@kddi.com
        

Lei Wang Lime Networks Strandveien 30, 1366 Lysaker Norway

雷旺石灰网络有限公司挪威莱赛克1366年斯特拉德维恩30号

   EMail: lei.wang@limenetworks.no
        
   EMail: lei.wang@limenetworks.no
        

Henry Yu TW Telecom 10475 Park Meadow Drive Littleton, CO 80124 US

Henry Yu TW Telecom 10475美国科罗拉多州利特尔顿公园草地大道80124号

   EMail: henry.yu@twtelecom.com
        
   EMail: henry.yu@twtelecom.com
        

Authors' Addresses

作者地址

Luyuan Fang (editor) Cisco Systems 111 Wood Ave. South Iselin, NJ 08830 US

方卢元(编辑)美国新泽西州伊塞林南伍德大道111号思科系统公司08830

   EMail: lufang@cisco.com
        
   EMail: lufang@cisco.com
        

Ben Niven-Jenkins (editor) Velocix 326 Cambridge Science Park Milton Road Cambridge CB4 0WG UK

Ben Niven Jenkins(编辑)Velocix 326剑桥科技园弥尔顿路剑桥CB4 0WG英国

   EMail: ben@niven-jenkins.co.uk
        
   EMail: ben@niven-jenkins.co.uk
        

Scott Mansfield (editor) Ericsson 300 Holger Way San Jose, CA 95134 US

斯科特·曼斯菲尔德(编辑)爱立信加利福尼亚州圣何塞霍尔格路300号,美国95134

   EMail: scott.mansfield@ericsson.com
        
   EMail: scott.mansfield@ericsson.com
        

Richard F. Graveman (editor) RFG Security, LLC 15 Park Avenue Morristown, NJ 07960 US

Richard F.Graveman(编辑)美国新泽西州莫里斯镇公园大道15号RFG安全有限责任公司07960

   EMail: rfg@acm.org
        
   EMail: rfg@acm.org