Security Basics mailing list archives
Re: Network Upgrade
From: "Jon R. Kibler" <Jon.Kibler () aset com>
Date: Fri, 07 Mar 2008 13:35:24 -0500
Mohit Sharma wrote:
Thanks a million Jon. I read about MPLS and fortunately it's available in India, in fact all over India, by a leading and reliable ISP. I am planning to speak with them and negotiate a bulk deal. They're also offering Managed service so no intervention and skillful labor would be required from our side. Could you please help me seek more clarity over the security issues MPLS over IPsec could have??? We're ISO 27001 certified and were working in completely isolated VSAT networks, this MPLS would change the entire risk assessment and all. Are there any things I need to keep in mind??
The smartest way to deploy MPLS is to have the ISP install their managed routers at each of your locations. Your router (which should be the same model) then simply has an ethernet connection to the ISP router. The ISP router then handles all the MPLS. All your router has to do is to supply the ISP router with IP packets that have the appropriate DSCP QoS value set so that packets are appropriately prioritized.

With properly configured MPLS, you should have a semi-private VPN. The only risk with MPLS is that someone is able to sniff the MPLS traffic at some point in the network. That is where IPSec comes into play. What I usually do is to set up IPSec SAs between each company site router. Typically, the SA is applied to the router interface that connects to the ISP router. Then, assuming that you have properly configured ESP, all the traffic that goes to the MPLS network has IPSec encryption and authentication. Thus, the small risk of having MPLS traffic sniffed is essentially eliminated.

The issues I have typically encountered with using MPLS are usually limited to dynamic routing protocols and fragmentation. Fragmentation is especially a problem if you are using MLPPP over MPLS (to do channel bonding). The fragmentation issue is the easiest to fix. I have found that if I set MTU to 1416 and TCP MSS to 1376 on the LAN side of the company's border router (before anything is encrypted, etc.), that virtually eliminates all fragmentation (and associated PMTUD) issues.

Dynamic routing is the bigger issue. I am currently having a go-around with a customer's ISP over just this issue. Typically most ISPs do not allow any IGP (such as OSPF) to be propagated over MPLS (if yours does, you are VERY lucky!). So what usually occurs is that the ISP's router at each location redistributes your IGP into BGP and remote BGP back into your IGP (mutual redistribution). The trick on your side is to get the contract written such that the ISP is responsible for the transport of your dynamic routing information, and all 'magic' that must occur to propagate your route tables is the ISP's responsibility.

One other issue is router sizing. I have found that if the total WAN bandwidth that a site handles is <= ~3.0Mbps, you will need something about like a Cisco2811. For bandwidths between ~3.0Mbps and 12.0Mbps, you need to look at something like a Cisco2821. For > 12.0Mbps, you will need at least something like a Cisco2831. Also, you will want to have the K9SEC IOS image (for strong crypto) and the maximum amount of RAM the router will support. Also, the ISP should have an equivalent router (same model) on their half of the connection using a similar IOS release level, but the strong crypto would not be an ISP router requirement since all the crypto is between your routers.

I hope this helps!

Jon Kibler
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214
m: 843-224-2494
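A customer-side configuration putting the two pieces of the reply together (the MTU/MSS clamp on the LAN side and an ESP SA bound to the interface facing the ISP-managed router), added here as an illustration; it is not Jon's configuration and nothing in the original thread. The interface names, the 10.1.0.0/16 and 10.2.0.0/16 site prefixes, the 198.51.100.0/30 hand-off to the local ISP router, the 203.0.113.1 address of the remote site router, the crypto map and transform-set names, and the pre-shared-key placeholder are all assumptions, and the SHA-256 / DH group 14 choices assume a K9 IOS release that supports them.

```cisco
! === Site A customer border router (assumed names and addresses) ===
!
! LAN-facing interface: clamp MTU and TCP MSS here, before encryption,
! so ESP tunnel-mode overhead plus MPLS labels never push a packet
! past the 1500-byte path and trigger fragmentation / PMTUD problems.
interface GigabitEthernet0/0
 description LAN side, site A (10.1.0.0/16 assumed)
 ip address 10.1.0.1 255.255.0.0
 ip mtu 1416
 ip tcp adjust-mss 1376
!
! IKE phase 1: how the two site routers authenticate each other and
! agree on keys. The PSK is a placeholder; use a long random secret.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.1
!
! IKE phase 2 / ESP: both confidentiality and integrity, so traffic
! sniffed inside the MPLS cloud is unreadable and unforgeable.
crypto ipsec transform-set SITE-ESP esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Interesting traffic: only site-to-site flows are put into the SA.
ip access-list extended SITE-A-TO-B
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map SITE-VPN 10 ipsec-isakmp
 description ESP SA to the site B border router
 set peer 203.0.113.1
 set transform-set SITE-ESP
 set pfs group14
 match address SITE-A-TO-B
!
! Interface towards the ISP-managed MPLS router: the SA is bound here,
! so everything that matches SITE-A-TO-B leaves this box as ESP.
interface GigabitEthernet0/1
 description to ISP managed MPLS router (198.51.100.0/30 hand-off assumed)
 ip address 198.51.100.1 255.255.255.252
 crypto map SITE-VPN
!
! Static default towards the ISP router. In a dynamic-routing deployment
! this is replaced by the IGP/BGP redistribution the reply describes,
! which the contract should make the ISP's responsibility.
ip route 0.0.0.0 0.0.0.0 198.51.100.2
```

Site B carries the mirror image (its own LAN prefix, peer 198.51.100.1, the same transform set and policy). Two checks confirm the design is doing what the reply intends: `show crypto ipsec sa` should show encapsulation and decapsulation counters rising for the 10.1.0.0/16 to 10.2.0.0/16 pair, and an extended ping of the remote LAN with the DF bit set at a payload size just under the clamped MTU should succeed without fragmentation.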
Current thread:
- Network Upgrade Mohit Sharma (Mar 07)
- Re: Network Upgrade Jon R. Kibler (Mar 07)
- Message not available
- Message not available
- Re: Network Upgrade Jon R. Kibler (Mar 07)
- Re: Network Upgrade James Lee Bell (Mar 10)
- Re: Network Upgrade Jon R. Kibler (Mar 10)
- Message not available
- Re: Network Upgrade Jon R. Kibler (Mar 10)
- Re: Network Upgrade Mohit Sharma (Mar 10)
- Re: Network Upgrade Jon R. Kibler (Mar 10)
- Message not available