Security Framework for Provider-Provisioned Virtual Private Networks (PPVPNs)
RFC 4111
| Section | Field | Value |
|---|---|---|
| Document | Type | RFC - Informational (July 2005; Errata) |
| Document | Author | Luyuan Fang |
| Document | Last updated | 2020-01-21 |
| Document | Stream | IETF |
| Document | Formats | plain text, html, pdf, htmlized with errata, bibtex |
| Stream | WG state | (None) |
| Stream | Document shepherd | No shepherd assigned |
| IESG | IESG state | RFC 4111 (Informational) |
| IESG | Action Holders | (None) |
| IESG | Consensus Boilerplate | Unknown |
| IESG | Telechat date | |
| IESG | Responsible AD | Thomas Narten |
| IESG | Send notices to | rcallon@juniper.net, rbonica@juniper.net, rick@rhwilder.net |
Network Working Group                                       L. Fang, Ed.
Request for Comments: 4111                                    AT&T Labs.
Category: Informational                                        July 2005

Security Framework for Provider-Provisioned Virtual Private Networks (PPVPNs)

Status of This Memo

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2005).

Abstract

This document addresses security aspects pertaining to Provider-Provisioned Virtual Private Networks (PPVPNs). First, it describes the security threats in the context of PPVPNs and defensive techniques to combat those threats. It considers security issues deriving both from malicious behavior of anyone and from negligent or incorrect behavior of the providers. It also describes how these security attacks should be detected and reported. It then discusses possible user requirements for security of a PPVPN service. These user requirements translate into corresponding provider requirements. In addition, the provider may have additional requirements to make its network infrastructure secure to a level that can meet the PPVPN customer's expectations. Finally, this document defines a template that may be used to describe and analyze the security characteristics of a specific PPVPN technology.

Table of Contents

1. Introduction ................................................. 2
2. Terminology .................................................. 4
3. Security Reference Model ..................................... 4
4. Security Threats ............................................. 6
   4.1. Attacks on the Data Plane .............................. 7
   4.2. Attacks on the Control Plane ........................... 9
5. Defensive Techniques for PPVPN Service Providers ............. 11
   5.1. Cryptographic Techniques ............................... 12
   5.2. Authentication ......................................... 20
   5.3. Access Control Techniques .............................. 22
   5.4. Use of Isolated Infrastructure ......................... 27

Fang                         Informational                      [Page 1]

RFC 4111                PPVPN Security Framework               July 2005

   5.5. Use of Aggregated Infrastructure ....................... 27
   5.6. Service Provider Quality Control Processes ............. 28
   5.7. Deployment of Testable PPVPN Service ................... 28
6. Monitoring, Detection, and Reporting of Security Attacks ..... 28
7. User Security Requirements ................................... 29
   7.1. Isolation .............................................. 30
   7.2. Protection ............................................. 30
   7.3. Confidentiality ........................................ 31
   7.4. CE Authentication ...................................... 31
   7.5. Integrity .............................................. 31
   7.6. Anti-replay ............................................ 32
8. Provider Security Requirements ............................... 32
   8.1. Protection within the Core Network ..................... 32
   8.2. Protection on the User Access Link ..................... 34
   8.3. General Requirements for PPVPN Providers ............... 36
9. Security Evaluation of PPVPN Technologies .................... 37
   9.1. Evaluating the Template ................................ 37
   9.2. Template ............................................... 37
10. Security Considerations ...................................... 40
11. Contributors ................................................. 41
12. Acknowledgement .............................................. 42
13. Normative References ......................................... 42
14. Informative References ....................................... 43

1. Introduction

Security is an integral aspect of Provider-Provisioned Virtual Private Network (PPVPN) services. The motivation and rationale for both Provider-Provisioned Layer-2 VPN and Provider-Provisioned Layer-3 VPN services are provided by [RFC4110] and [RFC4031]. These documents acknowledge that security is an important and integral aspect of PPVPN services, for both VPN customers and VPN service providers. Both will benefit from a PPVPN Security Framework document that lists the customer and provider security requirements related to PPVPN services, and that can be used to assess how much a particular technology protects against security threats and fulfills the security requirements. First, we describe the security threats that are relevant in the