MPLS security book


I've been reading through the Cisco Press MPLS VPN Security book, too many
assumptions about spoofing labels, getting access to core, PE, another

In security nothing should be taken for granted, but have there been
any real-world incidents where such scenarios have really been
occurring?


I'm not sure this is on-topic for NANOG, but I'll have a go. This is a great
book. It doesn't make any assumptions about spoofing or access to P and PE
routers - it analyzes what will happen if that occurs.

Security is about risk management. In order to manage risks, you have to
know what they are. The authors of this book obviously put a lot of thought
into exactly what security means, how it applies to networks, and how it
applies to MPLS.

The network operations community has no idea if any of the scenarios
discussed in the book have happened. More importantly, who cares? Security
comes in two forms - reactive and proactive. Just because an attack has
occurred in the past is not a reasonable indicator of future threat on its
own. Similarly, the absence of a particular attack does not mean a threat
doesn't exist. In any event, we do not have any idea of what attacks have
really occurred, so we must act without that knowledge.

This is a great book for two audiences: enterprise network engineers who are
getting asked if their new MPLS VPN is secure (for some definition of
secure) and carrier network engineers trying to answer that question.

- Daniel Golding