
The Research Of Security On The Base Of The MP-BGP/MPLS VPN

Posted on: 2009-02-06
Degree: Master
Type: Thesis
Country: China
Candidate: W J Luo
Full Text: PDF
GTID: 2178360278462567
Subject: Computer technology
Abstract/Summary:
VPNs built on IP technology have attracted wide attention across most of the information society because of their low cost for remote communication and their high security. The aim of a VPN service is to provide appropriate connectivity for users over a shared network, with quality at least equal to that of a private network, so this kind of VPN is quickly becoming a basic service of the new-generation network, and communications providers can also profit considerably from it. VPN architectures, each with its own characteristics and complementing one another, are gradually being used at all levels of the network. Among the many kinds of VPN, this thesis mainly discusses MP-BGP/MPLS, IPSec and SSL, and analyzes their security mechanisms in depth, including their similarities, differences, advantages and shortcomings. The writer suggests that it is better to combine these kinds of VPN to achieve different security levels for communication over the IP network: MP-BGP/MPLS is adopted in the provider's core network, IPSec is used outside it, and SSL is used at the ends of the communication. The writer works toward this goal step by step and evaluates these VPN solutions to guide users and network managers in assessing and choosing the appropriate scheme according to their own wishes.

First, the thesis describes how MPLS VPN security is achieved. MPLS provides fast data forwarding in the core network by means of LSPs established by LDP. To prevent attacks on the PE and P routers and on MPLS signaling, and to reject label spoofing, the identifiers and routing of the MPLS core network are hidden by label switching. User traffic is restricted by the PE router. To deal with DoS attacks, several traffic measures are taken: for instance, the P router adopts URPF to check routing, filter conditions are created, and ICMP is disabled. Next, the characteristics of MP-BGP are introduced. When MPLS and MP-BGP are combined, VPN membership information is carried between a PE and its peer PE. Each link between a PE and a CE is kept separate by means of VRF, giving independent addressing and routing. DoS attacks from the CE toward the PE, in the form of large volumes of routing packets or route changes, are blocked.

Then the security mechanisms of the MP-BGP/MPLS VPN are analyzed, and the security problems it faces, mainly in its protocols, are set out. Several security measures are proposed. The P and PE routers are managed securely through ACL filters. Routing protocols such as BGP should have authentication options. All peer relationships must be preserved. The signaling mechanism between CE and PE must be authenticated; that is, BGP between CE and PE must be protected, for example with MD5, and LDP between PE and P and between P and P should be protected likewise, so that a false router cannot distribute labels. The integrity of MP-BGP messages can also be supported by a TCP authentication algorithm, since BGP relies on TCP's connection-oriented transport, to secure the routing information and guarantee that it is not modified in transit.

To attain further security at the two ends of the MP-BGP/MPLS VPN, IPSec is introduced. Combining MP-BGP/MPLS with IPSec is a good approach: IPSec runs over the MP-BGP/MPLS VPN and protects data with AH and ESP, preventing attackers from attacking the MP-BGP/MPLS VPN from the internal network. IPSec can also be configured on the CE to strengthen security. The benefits and disadvantages are then analyzed; the complexity of IPSec makes it somewhat inconvenient to use.

SSL is then introduced. Combining SSL, IPSec and MP-BGP/MPLS is the best approach. To provide data encryption, server authentication and message integrity for TCP/IP connections, data security mechanisms at every level are provided between TCP/IP and application-level protocols such as HTTP. Finally, the combined security model of SSL, IPSec and MP-BGP/MPLS should be considered systematically according to the actual application.
Keywords/Search Tags: Security, VPN, MPLS, MP-BGP, IPSec, SSL