RE: MPLS Encryption

["Shawn Jackson" <sjackson () horizonusa com>]

        The MPLS header should be tagged at the PE router and not at the
originating equipment. So if I encrypt (say using windows IPSEC/CA)
traffic from site 1 to site 2 through a MPLS tunnel everything should be
fine. 

----------       ~~~~~~~~~~           ~~~~~~~~~~        ----------
| Site 1 |======>| PE RTR |++++++++++>| PE RTR |=======>| Site 2 |
----------       ~~~~~~~~~~           ~~~~~~~~~~        ----------

= Encrypted IP Traffic
+ MPLS Traffic with Encrypted Payload + IP Header

By the time your MPLS packet reached your router at Site 2 the PE router
has already stripped the MPLS header. In most situations the header will
be unencrypted, (unless it's part of another packets payload). To
encrypt the header all receiving devices will need to decrypt the packet
(Nodes, Routers, Switches, firewalls, etc). Encrypting the IP header
isn't too terribly useful anyways; seaming you can get that information
from your load IP stack anyways. Now how you want to encrypt the data is
all up to you. You can setup a SSL/IPSEC encryption device as a router,
or the network edge, using a custom key you can encrypt the traffic
between sites over the MPLS network and have another device decode at
the other end. I believe they call this 'Pass-Through Encryption', but
I'm no where near trying to keep up on all the marketing buzzwords. If
you have Cisco's at both ends you can setup IPSEC from there. You just
need to have the IPSEC train. Then all you need is a pre-shared key, and
an Encryption/Decryption sequence.

        I worked for an ISP that used MPLS as a 'VPN Alternative' for
customers on our network. We had a customer that encrypted their RDP
traffic from the remote sites to their TS server in the central office.
Because they never saw the MPLS header there was no way for them to
encrypt it. 

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521
www.horizonusa.com
 
Email: sjackson () horizonusa com
Phone: (775) 858-2338
       (800) 325-1199 x338

-----Original Message-----
From: Clive.Madden () barclayscapital com
[mailto:Clive.Madden () barclayscapital com] 
Sent: Monday, December 15, 2003 2:22 AM
To: Shawn Jackson; security-basics () securityfocus com
Subject: RE: MPLS Encryption

Hi Shawn, fully understand your response but maybe I should explain the
environment and what I'm looking for. Dual carrier MPLS cloud with
RFC2547
inter-connects between carriers with branch site connectivity to both
clouds. The objective is to provide full encryption between sites with
minimum complexity. We'd like to leave the original header in the clear
to
leverage some of the carrier management features so only encrypting the
payload is preferred. In addition to this we'd prefer not to have to
worry
about managing SA negotiation between every encryption device. This
would
require thousands based on the number of sites we have. So effectively
we'd
like a product that could only do payload encryption which uses some
central
PKI for key management (same keys of every device) and not have to worry
about the exchange between every encryption device. This way the key to
use
is the same for all destination and the MPLS clouds could then route
based
on the original header. This removes the complexity of having to manage
thousands of tunnels/peers.

Any idea on a product would be gratefully appreciated.

Thanks again for your help.
C.

-----Original Message-----
From: Shawn Jackson [mailto:sjackson () horizonusa com] 
Sent: 12 December 2003 17:09
To: Madden, Clive: IT (LDN); security-basics () securityfocus com
Subject: RE: MPLS Encryption



        MPLS is used on switched networks to aid in routing, or static
paths, of packets. MPLS in it 'true-to-life' form is just an additional
header tagged to the packet at which the network equipment looks at. 

        What you will want is called IPSec ESP (Encrypted Security
Payload).
ESP is used to protect data but keeps the header in tact for
transmission on
a standard network, i.e. PPTP. The technologies are not mutually
exclusive;
you can use IPSec-ESP/AH with MPLS. Most end-nodes never see the MPLS
header, seaming it's striped at the PE router. Any product that has
IPSec
VPN will have ESP and AH (Authentication Header), but it depends on what
your trying to do. Are you trying to secure communications on a LAN? Or
are
you trying to secure data in the Internet/Extranet? If you give the
group
some specifics about your situation, I'm sure someone can help you
better
then me.

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521
www.horizonusa.com
 
Email: sjackson () horizonusa com
Phone: (775) 858-2338
       (800) 325-1199 x338

-----Original Message-----
From: Clive.Madden () barclayscapital com
[mailto:Clive.Madden () barclayscapital com] 
Sent: Thursday, December 11, 2003 4:11 AM
To: security-basics () securityfocus com
Subject: MPLS Encryption


Hello, I was wondering if you could help me. I saw an email from an
gentleman called Hussein Ghazy back in June asking about payload
encryption
over MPLS. I was wondering if you could recommend any products that only
do
payload encryption and NOT header. Your help would be gratefully
appreciated.

Thanks!
Clive Madden


------------------------------------------------------------------------
For more information about Barclays Capital, please
visit our web site at http://www.barcap.com.


Internet communications are not secure and therefore the Barclays 
Group does not accept legal responsibility for the contents of this 
message.  Although the Barclays Group operates anti-virus programmes, 
it does not accept responsibility for any damage whatsoever that is 
caused by viruses being passed.  Any views or opinions presented are 
solely those of the author and do not necessarily represent those of the

Barclays Group.  Replies to this email may be monitored by the Barclays 
Group for operational or business reasons.

------------------------------------------------------------------------


------------------------------------------------------------------------
---
------------------------------------------------------------------------
----


------------------------------------------------------------------------
---
------------------------------------------------------------------------
----


---------------------------------------------------------------------------
----------------------------------------------------------------------------