Security Framework for Provider-Provisioned Virtual Private Networks (PPVPNs)
RFC 4111
| Document | Type | RFC - Informational (July 2005; Errata) | |
|---|---|---|---|
| Author | Luyuan Fang | ||
| Last updated | 2020-01-21 | ||
| Stream | IETF | ||
| Formats | plain text html pdf htmlized with errata bibtex | ||
| Stream | WG state | (None) | |
| Document shepherd | No shepherd assigned | ||
| IESG | IESG state | RFC 4111 (Informational) | |
| Action Holders |
(None)
|
||
| Consensus Boilerplate | Unknown | ||
| Telechat date | |||
| Responsible AD | Thomas Narten | ||
| Send notices to | rcallon@juniper.net, rbonica@juniper.net, rick@rhwilder.net | ||
Network Working Group L. Fang, Ed.
Request for Comments: 4111 AT&T Labs.
Category: Informational July 2005
Security Framework for
Provider-Provisioned Virtual Private Networks (PPVPNs)
Status of This Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2005).
Abstract
This document addresses security aspects pertaining to Provider-
Provisioned Virtual Private Networks (PPVPNs). First, it describes
the security threats in the context of PPVPNs and defensive
techniques to combat those threats. It considers security issues
deriving both from malicious behavior of anyone and from negligent or
incorrect behavior of the providers. It also describes how these
security attacks should be detected and reported. It then discusses
possible user requirements for security of a PPVPN service. These
user requirements translate into corresponding provider requirements.
In addition, the provider may have additional requirements to make
its network infrastructure secure to a level that can meet the PPVPN
customer's expectations. Finally, this document defines a template
that may be used to describe and analyze the security characteristics
of a specific PPVPN technology.
Table of Contents
1. Introduction ................................................. 2
2. Terminology .................................................. 4
3. Security Reference Model ..................................... 4
4. Security Threats ............................................. 6
4.1. Attacks on the Data Plane .............................. 7
4.2. Attacks on the Control Plane ........................... 9
5. Defensive Techniques for PPVPN Service Providers ............. 11
5.1. Cryptographic Techniques ............................... 12
5.2. Authentication ......................................... 20
5.3. Access Control Techniques .............................. 22
5.4. Use of Isolated Infrastructure ......................... 27
Fang Informational [Page 1]
RFC 4111 PPVPN Security Framework July 2005
5.5. Use of Aggregated Infrastructure ....................... 27
5.6. Service Provider Quality Control Processes ............. 28
5.7. Deployment of Testable PPVPN Service ................... 28
6. Monitoring, Detection, and Reporting of Security Attacks ..... 28
7. User Security Requirements ................................... 29
7.1. Isolation .............................................. 30
7.2. Protection ............................................. 30
7.3. Confidentiality ........................................ 31
7.4. CE Authentication ...................................... 31
7.5. Integrity .............................................. 31
7.6. Anti-replay ............................................ 32
8. Provider Security Requirements ............................... 32
8.1. Protection within the Core Network ..................... 32
8.2. Protection on the User Access Link ..................... 34
8.3. General Requirements for PPVPN Providers ............... 36
9. Security Evaluation of PPVPN Technologies .................... 37
9.1. Evaluating the Template ................................ 37
9.2. Template ............................................... 37
10. Security Considerations ...................................... 40
11. Contributors ................................................. 41
12. Acknowledgement .............................................. 42
13. Normative References ......................................... 42
14. Informative References ....................................... 43
1. Introduction
Security is an integral aspect of Provider-Provisioned Virtual
Private Network (PPVPN) services. The motivation and rationale for
both Provider-Provisioned Layer-2 VPN and Provider-Provisioned
Layer-3 VPN services are provided by [RFC4110] and [RFC4031]. These
documents acknowledge that security is an important and integral
aspect of PPVPN services, for both VPN customers and VPN service
providers. Both will benefit from a PPVPN Security Framework
document that lists the customer and provider security requirements
related to PPVPN services, and that can be used to assess how much a
particular technology protects against security threats and fulfills
the security requirements.
First, we describe the security threats that are relevant in the
Show full document text