nanog mailing list archives
Re: attacks on MPLS?
From: Christopher Morrow <morrowc.lists () gmail com>
Date: Thu, 9 Apr 2009 14:18:42 -0400
On Thu, Apr 9, 2009 at 1:31 PM, Wayne E. Bouchard <web () typo org> wrote:
> Meh... Sure, it rehashes what we pretty well already know, "If a bad guy can get access to your network or your management tools, you're boned."
actually... what it says is that "hey, your 'VPN' isn't really 'private' like an IPSEC tunnel was". Save some really high-end crypto-cracking-gear, if you ipsec your transport it doesn't matter where in the world it goes, it's "secure" from end to end. (secure from snooping, which seems to be the majority of their point in the article).

Folks I saw at former-employer were moving from 'frame' or 'atm' private networks to 'mpls vpn' because it was:
1) less complex for the customer
2) cheaper for the customer
3) the 'new shiny thing!!'

There was little understanding initially that this might be:
1) run over the same IP core as the 'internetz'
2) not very 'private' if you count 'can not sniff' in your 'is private' bailiwick
3) less/more/equally as 'secure' as what they had previously.

Noting to customers that MPLS-vpn was essentially as 'secure' as Frame/ATM was sort of an eye-opener. Some of the customers even said: "Why would I do this over internet-based IPSEC vpn?" or "Oh, so I'll still have the IPSEC management pain?"

The thrust of the article (aside from the scare-mongering and press for the 'researchers' of course) is that: "Hey, just because it says: 'VPN' in the name doesn't mean it's really 'private'", and that ip or application level security is still important for anything that leaves your physical perimeter AND has some level of importance to you or your business.

-Chris