RFC 2547 – BGP/MPLS VPN Fundamentals

Research, RFC, Technology
Obsoleted by: 4364

RFC 2547bis: BGP/MPLS VPN Fundamentals

BGP/MPLS VPN Overview

RFC 2547bis defines a mechanism that allows service providers to use their IP backbone to provide VPN services to their customers. RFC 2547bis VPNs are also known as BGP/MPLS VPNs because BGP is used to distribute VPN routing information across the provider's backbone and because MPLS is used to forward VPN traffic from one VPN site to another. The primary objectives of this approach are as follows.

- Make the service very simple for customers to use even if they lack experience in IP routing.
- Make the service very scalable and flexible to facilitate large-scale deployment.
- Allow the policies that are used to create a VPN to be implemented by the service provider alone, or by the…

Hardened Security

General, Technology
One of the often-repeated maxims of network communication security is that one should never place so much trust in a single security component that its failure causes a catastrophic security breach. We use several mechanisms to add additional security layers to hedge against such an outcome.

The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS. It can protect against:

- DoS attacks or port flooding on the OpenVPN UDP port.
- Port scanning to determine which server UDP ports are in a listening state.
- Buffer overflow vulnerabilities in the SSL/TLS implementation.
- SSL/TLS handshake…