
Network World

Watch for misconfigured MPLS VPNs

Security impact of router misconfigs
Wide Area Networking Alert By Steve Taylor and Joanie Wexler, Network World, 10/28/2004

WAN experts Steve Taylor and Jim Metzler analyze and share best practices on WAN issues from optimization to management.


In the last newsletter, we discussed the inconvenience of router misconfiguration and the share of outages it accounts for in IP-based networks. To look at the security impact of this misconfiguration, let's start with a quick overview of MPLS-based VPNs.

In most MPLS implementations, traffic passes from a customer edge (CE) router to a provider edge (PE) router.  Then it traverses the internal network of the service provider.

All the traffic leaving a particular customer premises through a CE router belongs to that customer. However, the PE router is a shared resource that handles information from many customers. And, in the words of the bard, there's the rub.

As stressed in a recent briefing by route-analytics company Packet Design, a routing misconfiguration in the PE router can have serious impact in at least three areas:

1) Since the PE routers are the network interface, the routing prefixes must be distributed to each PE router to which the CE routers are connected. 

2) The prefixes must be distributed according to the proper policy. 

3) The PE routers must be configured in a fashion that precludes routing prefixes from one customer's CE routers being shared with another customer's CE routers.
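The following is an added example, not code from the original article or from Packet Design's product: a minimal audit of the three areas above. It assumes customer separation is expressed through per-VRF route-target import/export lists as in BGP/MPLS IP VPNs (RFC 4364), that each customer's policy is any-to-any between its sites, and that no sharing between customers is intended; the inventory format, names and route-target values are constructed.

```python
from collections import defaultdict

# Constructed inventory: one entry per customer VRF configured on a PE router.
VRFS = [
    {"pe": "pe1", "vrf": "acme-hq", "customer": "acme",
     "imports": {"65000:100"}, "exports": {"65000:100"}},
    {"pe": "pe2", "vrf": "acme-br", "customer": "acme",
     "imports": {"65000:100"}, "exports": {"65000:100"}},
    {"pe": "pe3", "vrf": "acme-dc", "customer": "acme",
     "imports": set(), "exports": {"65000:100"}},           # import forgotten
    {"pe": "pe2", "vrf": "globex-a", "customer": "globex",
     "imports": {"65000:200", "65000:100"}, "exports": {"65000:200"}},  # stray RT
    {"pe": "pe3", "vrf": "globex-b", "customer": "globex",
     "imports": {"65000:200"}, "exports": {"65000:200"}},
]

def audit(vrfs):
    """Return sorted findings as (kind, pe, vrf, detail) tuples."""
    exporters = defaultdict(set)  # route target -> customers that export it
    for v in vrfs:
        for rt in v["exports"]:
            exporters[rt].add(v["customer"])
    findings = []
    for v in vrfs:
        # Area 3: importing a route target that another customer exports
        # brings that customer's prefixes into this VRF.
        for rt in sorted(v["imports"]):
            for other in sorted(exporters[rt] - {v["customer"]}):
                findings.append(("LEAK", v["pe"], v["vrf"],
                                 f"imports {rt} exported by {other}"))
        # Areas 1 and 2: under an any-to-any policy, each site must import
        # at least one route target exported by every other site of the
        # same customer, or that site's prefixes never reach this PE's VRF.
        for peer in vrfs:
            if (peer is not v and peer["customer"] == v["customer"]
                    and not (peer["exports"] & v["imports"])):
                findings.append(("MISSING", v["pe"], v["vrf"],
                                 f"no routes from {peer['pe']}/{peer['vrf']}"))
    return sorted(findings)

if __name__ == "__main__":
    for kind, pe, vrf, detail in audit(VRFS):
        print(f"{kind:8} {pe}/{vrf}: {detail}")
```

A hub-and-spoke or extranet policy would need the expected import/export relationships stated explicitly instead of the any-to-any and no-sharing assumptions used here.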

Addressing these three problems was the focus of a recent announcement by Packet Design.  The company expanded the capabilities of its Route Explorer appliance, which is designed primarily for detecting and diagnosing routing problems in enterprise IP networks, to include detecting and diagnosing problems in service providers' MPLS VPN networks. 

In particular, the focus is on making sure that the PE routers in the networks are properly maintaining the integrity of each individual network.

Steve Taylor is president of Distributed Networking Associates and publisher/editor-in-chief of Webtorials. Jim Metzler is vice president of Ashton, Metzler & Associates.
