Enhanced Security Strategies for MPLS Signaling

In an increasingly hostile environment, the need for security in network infrastructure is stronger than ever, especially for Multi-Protocol Label Switching (MPLS), which is widely used to provide most of the new-generation infrastructure-level network services on the Internet. Unfortunately, the MPLS control plane lacks scalable verification of the authenticity and legitimacy of signaling messages, and communication between peer routers is subject to active and passive forgery, hijacking and wiretapping. In this paper, we propose a robust framework for MPLS-based network survivability against security threats. The security of MPLS control plane protocols can be greatly enhanced by requiring digital signatures on all signaling messages, in accordance with a common security paradigm valid for all the protocols. Our design goals include integrity safeguarding, protection against replay attacks, and gradual deployment, in which routers that do not support authentication break the trust chain but otherwise operate undisturbed.
