The primary security model for an MPLS VPN infrastructure is traffic separation. Each CE-facing interface can only be associated to one VRF; that alone is the fundamental framework for traffic separation. Once a packet from the connecting CE reaches the PE router, a forwarding decision is made based on the forwarding table belonging to the VRF. The next hop will always point to another PE. As the packet traverses the label-switched path (LSP) between the two PE routers, it is encapsulated with a VPN header - the inner MPLS label mapping to the associated VPN.
The provider must guarantee the customer that data plane and control plane traffic from one VPN does not leak into another VPN or into the core, and that core traffic must not leak into any VPN. There is, however, the possibility of providing customer interconnections as well as the construction of an extranet to provide customers the ability to share common resources. Nevertheless, assuming correct operation and configuration of the MPLS core, the principles of separation prevail: VPNs are fully separated from each other so that intrusion from other VPNs or the core cannot occur. However, it is obvious that the greatest threat to the security model is human engineering; that is, misconfiguration of PE routers. For example, a customer-facing interface could be associated with the wrong VRF, prohibiting that site access to its proper VPN while providing access to another and vice versa. |