Fwd: Re: IPSec over MPLS

From: Mark Lewis (mark@mjlnet.com)
Date: Fri Dec 16 2005 - 05:49:10 GMT-3


Here's an analysis of the security of MPLS L3VPNs that may be useful:

http://ietfreport.isoc.org/idref/draft-behringer-mpls-security/

Hope that helps,

Mark

>From: D R <deep.ratan@gmail.com>
>Reply-To: D R <deep.ratan@gmail.com>
>To: David Hoon <david.hoon.ccie@gmail.com>
>CC: ccielab@groupstudy.com
>Subject: Re: IPSec over MPLS
>Date: Thu, 15 Dec 2005 22:17:04 -0500
>
>David, you wrote "It comes down to the question if we can trust service
>provider or not"
>
>When you're talking to some bank/merchant's representative on the phone and
>give them your credit card number, do you ever think "Should I trust this
>person or not? What if he/she misuses my credit card number?"
>
>All business...around the globe....is inherently based on trust. We draw up
>contracts and documents crammed with legalese to feel secure but trust is
>what counts.
>
>ISPs offer MPLS without IPSec. Heck, to the end user, all details about
>MPLS are totally transparent on their routers...yet, MPLS subscription is
>steadily growing and a lot of that is coming from financial institutions.
>I'm sure several think tanks have certified this mode of transport to be
>safe and secure for institutions to pass sensitive information through it.
>
>Sorry if I didn't add any value to this thread.
>
>On 12/15/05, David Hoon <david.hoon.ccie@gmail.com> wrote:
> >
> > Hi Guys,
> >
> > I'm sorry for off-topic again, but hope this can be an interesting topic
> > for some of you. Is there anyone running IPSec over MPLS in the real
> > production?
> >
> > I knew that MPLS L3VPN provides the same level of security as Frame Relay
> > or ATM does. However, the MPLS control plane is in layer 3 and is easier to
> > compromise than FR/ATM, at least in my opinion. Without data
> > confidentiality, integrity, source authentication and anti-replay, a
> > financial institution sending sensitive information such as credit card or
> > SSN across MPLS can be a big risk. It comes down to the question if we can
> > trust service provider or not. Sorry if some of you may feel offended
> > here. However, having worked in a service provider environment myself, I
> > knew how easy it is to have network misconfiguration or packet sniffing
> > inside the SP network.
> >
> > Are there any laws or regulations in USA enforcing sensitive information
> > transported in encrypted fashion? Any ideas from MPLS and security gurus
> > are welcome. Thank you.
> >
> > -David Hoon
> > CCIE #14141
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>



This archive was generated by hypermail 2.1.4 : Mon Jan 09 2006 - 07:07:51 GMT-3