Carrier Ethernet Security Threats
and Mitigation Best Practices
Ralph Santitoro
Director of Carrier Ethernet Market Development
Ralph.Santitoro@us.Fujitsu.com
© Copyright 2011 Fujitsu Network Communications, Inc.
Current Best Practices
MAC Address Denial of Service (DoS) Attacks
 Attack Scenario
• Attacker floods network with many different MAC addresses
• Network Element MAC address table overflows and resets
– causing MAC addresses learning process to occur again
 Attacker Objective: Service Disruption
 Services affected
• Any service using Ethernet bridging
 Popular Best Practices Threat Mitigation
•
•
•
•
Limit number of subscriber MAC addresses
Use router (single MAC address) at customer premises
Use tunneling technology (e.g., PBB) to tunnel MAC addresses
Use 802.1X to authenticate CPE connecting to SP’s network
There is a simpler, alternative© Copyright
approach
to solving this problem
2
2011 Fujitsu Network Communications, Inc.
Santa Clara, CA USA | February 2011
What is Connection-Oriented Ethernet ?
 High performance implementation of Carrier Ethernet
• Used for P2P and P2MP metro and wide area networking
 Disables Ethernet bridging behavior
• No Spanning Tree Protocol
• No MAC address learning/flooding
 Ethernet paths (EVCs) provisioned by Mgmt. System
 Implementations use “label-based” frame forwarding
• Ethernet / VLAN Tag Switching: C-VIDs + S-VIDs
• PBB-TE: BMAC Address + B-VID
• MPLS-TP: Pseudowire / LSP labels
Santa Clara, CA USA | February 2011
© Copyright 2011 Fujitsu Network Communications, Inc.
3
Connection-Oriented Ethernet Security
 No MAC Address Learning / Flooding Vulnerabilities
• Immune to MAC Address spoofing of Network Elements (NE)
• Immune to MAC address table overflow DoS attacks in NEs
 No Spanning Tree Protocol (STP) Vulnerabilities
• Immune to STP Denial of Service (DoS) attacks
 Doesn’t use IP protocols
• Immune to IP protocol vulnerabilities and attacks
 Uses few Layer 2 protocols
• Fewer protocols = Fewer network security vulnerabilities
COE provides security comparable to SONET or OTN networks
Santa Clara, CA USA | February 2011
© Copyright 2011 Fujitsu Network Communications, Inc.
4
Security Vulnerabilities vs. Service Flexibility
COE vs. Connectionless (bridged) Ethernet (CLE)
EVP-LAN
CLE
EVP-Tree
Security
Vulnerabilities
COE EoS
EP-LAN
EP-Tree
EVPL
EPL
Service Flexibility
EoS
COE
CLE
Service Flexibility Ranking
Security Vulnerability Ranking
• Protocol (most flexible)
• Physical Port (least flexible)
• Physical Port (most secure)
• Protocol (least secure)
COE provides security comparable to Layer 1 networks
while supporting the most
popular
services
© Copyright
2011 FujitsuEthernet
Network Communications,
Inc.
5