Anti-spoofing support for MPLS labels in BGP/MPLS IP VPNs (Inter-AS Option B)
Service providers have traditionally adopted Option A VPN deployment scenarios instead of Option B because Option B is unable to ensure that the provider network is protected in the event of incorrect route distinguisher (RD) advertisements or spoofed MPLS labels.
Inter-AS Option B, however, can provide VPN services that are built using BGP-based L3VPN. It is more scalable than the Option A alternative because inter-autonomous system (AS) VPN routes are stored only in the BGP RIBs, whereas Option A requires the AS boundary routers (ASBRs) to create multiple VRF tables, each of which includes all IP routes.
Inter-AS Option B is described in RFC 4364, BGP/MPLS IP Virtual Private Networks.
Junos OS Release 16.1 and later address the security shortcomings attributed to Option B. New features provide policy-based RD filtering (protection against MPLS label spoofing) to ensure that only RDs generated within the service provider domain are accepted. At the same time, the filtering can be used to filter loopback VPN-IPv4 addresses generated by PIM Rosen implementations from Cisco PEs, which can cause routing issues and traffic loss if imported into customer Virtual Routing and Forwarding (VRF) tables. These features are supported on M, MX, and T Series routers when using MPC1, MPC2, and MPC3D MPCs.
Inter-AS Option B uses BGP to signal VPN labels between ASBRs. The base MPLS tunnels are local to each AS, and stacked tunnels run end to end between the PE routers in the different ASs over the VPN routes. The Junos OS anti-spoofing support for Option B implementations works by creating distinct MPLS forwarding table contexts: a separate mpls.0 table is created for each set of VPN ASBR peers, so each MPLS forwarding table contains only the labels actually advertised to that group of Inter-AS Option B peers. Packets received from those peers with any other MPLS label are dropped. Option B peers are reachable through local interfaces that have been configured as part of the MFI (MPLS forwarding instance, a new type of routing instance created for inter-AS BGP neighbors that require MPLS spoof protection), so MPLS packets arriving from the Option B peers are resolved in the instance-specific MPLS forwarding table.
To enable anti-spoofing support for MPLS labels, configure separate instances of the new routing instance type, mpls-forwarding, on all MPLS-enabled Inter-AS links (which must be running a supported MPC). Then configure each Option B peer to use this routing instance as its forwarding-context under BGP. This forms the transport session with the peers and performs forwarding functions for traffic from peers. Spoof checking occurs between any peers with different mpls-forwarding MFIs. For peers with the same forwarding-context, spoof checking is not necessary because the peers share the same MFI.mpls.0 table.
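The following Junos configuration is an added illustration of the procedure above; it is not taken from the Juniper page. It places two Option B peers in separate mpls-forwarding instances so that spoof checking applies between them. The instance names, interface names, peer addresses and AS numbers are assumptions.

```junos
/* Added example, not from the original page. One mpls-forwarding instance (MFI)
   per MPLS-enabled Inter-AS link; every interface listed here must sit on a
   supported MPC. Names, interfaces, addresses and AS numbers are assumed values. */
routing-instances {
    mfi-asbr-a {
        instance-type mpls-forwarding;
        interface xe-0/0/0.0;    /* Inter-AS link toward the first peer ASBR */
    }
    mfi-asbr-b {
        instance-type mpls-forwarding;
        interface xe-0/0/1.0;    /* Inter-AS link toward the second peer ASBR */
    }
}
protocols {
    bgp {
        group option-b-peers {
            type external;
            family inet-vpn {
                unicast;         /* VPN-IPv4 routes and VPN labels exchanged between ASBRs */
            }
            neighbor 192.0.2.1 {
                peer-as 65001;
                /* Labels received from this peer are installed in, and MPLS packets
                   from it are looked up in, mfi-asbr-a.mpls.0 only */
                forwarding-context mfi-asbr-a;
            }
            neighbor 192.0.2.5 {
                peer-as 65002;
                /* Different MFI, so a label learned from 192.0.2.1 but presented
                   by this peer is not found in mfi-asbr-b.mpls.0 and is dropped */
                forwarding-context mfi-asbr-b;
            }
        }
    }
}
```

After commit, `show route table mfi-asbr-a.mpls.0` should list only the labels advertised to the peer in that context; a label missing from that table is one that the peer is not entitled to send.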
Note that anti-spoofing support for MPLS labels is also supported on mixed networks, that is, those that include Juniper Networks devices that are not running a supported MPC, as long as the MPLS-enabled Inter-AS link is on a supported MPC. Any existing label-switched interface (LSI) features in the network, such as vrf-table-label, will continue to work as usual.
Inter-AS Option B supports graceful Routing Engine switchover (GRES), nonstop active routing (NSR), and unified in-service software upgrade (unified ISSU).