3. Common Service
A provider may want to offer a common service to all its clients. This may
vary from Internet access to a website where they can find their billing information.
The common service could also be used to give partners or customers access to
your own network.
We've seen that the provider defines the separation of customers on the PE routers.
The provider can also provide a common services network. If such a service is provided,
the provider must be sure that there are no conflicts between IP addresses. There may also
be other requirements on the common service; in particular, it should not be possible to use
the common service as a stepping stone from one client to another.
3.1. Our common service network
Our common service is a simple web server. On my xenial5 machine, I have a webserver
running.
We'll connect xenial5 directly to the PE router; no CE router is used.

3.2. Routing
On PE3, a single VRF is created.
    ip vrf services
     rd 65000:99
     route-target both 65000:99
     route-target import 65000:1
     route-target import 65000:2
The services VRF imports the routes tagged 65000:1 and 65000:2, but it exports only its own route-target 65000:99; the customer routes are never re-exported.
All PE routers need to be BGP neighbors of each other (here the configuration of PE3):
    !
    router bgp 65000
     no synchronization
     bgp log-neighbor-changes
     neighbor 10.128.128.3 remote-as 65000
     neighbor 10.128.128.3 update-source Loopback0
     neighbor 10.128.128.4 remote-as 65000
     neighbor 10.128.128.4 update-source Loopback0
     no auto-summary
     !
     address-family vpnv4
      neighbor 10.128.128.3 activate
      neighbor 10.128.128.3 send-community extended
      neighbor 10.128.128.4 activate
      neighbor 10.128.128.4 send-community extended
     exit-address-family
     !
     address-family ipv4 vrf services
      redistribute connected
     exit-address-family
    !
The following table might make it clearer what we're doing. The columns 1, 2 and 99 are the route-targets 65000:1, 65000:2 and 65000:99; "both" means import and export.
    router | vrf    | 1      | 2      | 99
    -------|--------|--------|--------|-------
    PE1    | cust_a | both   | -      | import
    PE1    | cust_b | -      | both   | import
    PE2    | cust_a | both   | -      | import
    PE2    | cust_b | -      | both   | import
    PE3    | serv.  | import | import | both
PE3 therefore imports the routes of customers A and B, but it does not export them again.
It is important to realize that all this is done on the PE routers and therefore under
the control of the MPLS provider. The customers A and B have no control over the routing
through the MPLS cloud.
3.3. The result.
The result is that both A and B can see the common service, but they cannot see each other.
See, for example, xenial1:
    ljm$ vagrant ssh xenial1 -c 'ping -c2 10.128.192.101'
    PING 10.128.192.101 (10.128.192.101) 56(84) bytes of data.
    64 bytes from 10.128.192.101: icmp_req=1 ttl=60 time=103 ms
    64 bytes from 10.128.192.101: icmp_req=2 ttl=60 time=80.1 ms

    --- 10.128.192.101 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1000ms
    rtt min/avg/max/mdev = 80.147/91.986/103.825/11.839 ms
    Connection to 127.0.0.1 closed.
    ljm$ vagrant ssh xenial1 -c 'ping -c2 10.128.93.101'
    PING 10.128.93.101 (10.128.93.101) 56(84) bytes of data.
    From 10.128.65.1 icmp_seq=1 Destination Host Unreachable
    From 10.128.65.1 icmp_seq=2 Destination Host Unreachable

    --- 10.128.93.101 ping statistics ---
    2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1001ms
    Connection to 127.0.0.1 closed.
On xenial5, every other system can be seen:
    ljm$ vagrant ssh xenial5 -c 'ping -c1 10.128.66.101'
    PING 10.128.66.101 (10.128.66.101) 56(84) bytes of data.
    64 bytes from 10.128.66.101: icmp_req=1 ttl=60 time=81.9 ms

    --- 10.128.66.101 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 81.989/81.989/81.989/0.000 ms
    Connection to 127.0.0.1 closed.
    ljm$ vagrant ssh xenial5 -c 'ping -c1 10.128.94.101'
    PING 10.128.94.101 (10.128.94.101) 56(84) bytes of data.
    64 bytes from 10.128.94.101: icmp_req=1 ttl=60 time=84.8 ms

    --- 10.128.94.101 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 84.820/84.820/84.820/0.000 ms
    Connection to 127.0.0.1 closed.
On xenial1, the web server is reachable as well:
    ljm$ vagrant ssh xenial1 -c 'wget -O- 10.128.192.101'
    --2018-06-06 11:32:38--  http://10.128.192.101/
    Connecting to 10.128.192.101:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 177 text/html
    Saving to: `STDOUT'

    <p>This is the default web page for this server.</p>
    <p>The web server software is running but no content has been added, yet.</p>
    </body></html>
    2018-06-06 11:32:38 (9.63 MB/s) - written to stdout 177/177
    Connection to 127.0.0.1 closed.
This means that it all works according to plan.
3.4. Trouble in paradise
We want our networks separated. Now look at this:
    ljm$ vagrant ssh xenial1
    Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic x86_64)

     * Documentation:  https://help.ubuntu.com/
    New release '14.04.5 LTS' available.
    Run 'do-release-upgrade' to upgrade to it.

    Welcome to your Vagrant-built virtual machine.
    Last login: Wed Jun  6 11:32:38 2018 from 10.0.2.2
    vagrant@xenial64:~$ ssh 10.128.192.101
    The authenticity of host '10.128.192.101 (10.128.192.101)' can't be established.
    ECDSA key fingerprint is 11:5d:55:29:8a:77:d8:08:b4:00:9b:a3:61:93:fe:e5.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '10.128.192.101' (ECDSA) to the list of known hosts.
    vagrant@10.128.192.101's password:
    Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic x86_64)

     * Documentation:  https://help.ubuntu.com/
    New release '14.04.5 LTS' available.
    Run 'do-release-upgrade' to upgrade to it.

    Welcome to your Vagrant-built virtual machine.
    Last login: Wed Jun  6 11:29:42 2018 from 10.0.2.2
    vagrant@xenial64:~$ ssh 10.128.93.101
    The authenticity of host '10.128.93.101 (10.128.93.101)' can't be established.
    ECDSA key fingerprint is 11:5d:55:29:8a:77:d8:08:b4:00:9b:a3:61:93:fe:e5.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '10.128.93.101' (ECDSA) to the list of known hosts.
    vagrant@10.128.93.101's password:
    Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic x86_64)

     * Documentation:  https://help.ubuntu.com/
    New release '14.04.5 LTS' available.
    Run 'do-release-upgrade' to upgrade to it.

    Welcome to your Vagrant-built virtual machine.
    Last login: Fri Sep 14 06:23:18 2012 from 10.0.2.2
    vagrant@xenial64:~$
I now abused our common service to hop from customer A to customer B. Of course,
in real life, you will never allow logging in to the common service from
any of the customer networks. But many allow logging in from the Internet and consider
this safe enough. Here, a compromise of the common service exposes not only your own
network, but also those of all the customers.
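The route-target table of section 3.2 and the stepping-stone problem of section 3.4, modelled as an added example (not code from the original article): a VRF learns another VRF's routes only when the exporter's route-targets intersect the importer's, a session needs routes in both directions, and a VRF that can talk to two VRFs which cannot talk to each other is a potential pivot. VRF names and route-target values are the article's; the functions are assumed helper names.

```python
from itertools import permutations

# Route-target configuration from section 3.2: VRF -> (export RTs, import RTs).
# "route-target both 65000:99" on PE3 means export and import of 65000:99.
VRFS = {
    "cust_a":   ({"65000:1"},  {"65000:1", "65000:99"}),
    "cust_b":   ({"65000:2"},  {"65000:2", "65000:99"}),
    "services": ({"65000:99"}, {"65000:99", "65000:1", "65000:2"}),
}


def has_route(src, dst, vrfs=VRFS):
    """True if VRF `src` learns the routes that VRF `dst` exports,
    i.e. dst's export route-targets intersect src's import route-targets."""
    dst_export, _ = vrfs[dst]
    _, src_import = vrfs[src]
    return bool(dst_export & src_import)


def can_talk(a, b, vrfs=VRFS):
    """A TCP session (ping reply, ssh login) needs a route in each direction."""
    return has_route(a, b, vrfs) and has_route(b, a, vrfs)


def reachability(vrfs=VRFS):
    """Pairwise reachability matrix; the ping results of section 3.3."""
    return {(a, b): can_talk(a, b, vrfs) for a, b in permutations(vrfs, 2)}


def pivots(vrfs=VRFS):
    """(from, via, to) triples where `via` can reach both `from` and `to`
    although they cannot reach each other: the stepping stones a defender
    must lock down (host-level access control, no logins from client VRFs)."""
    found = set()
    for a, b in permutations(vrfs, 2):
        if can_talk(a, b, vrfs):
            continue
        for via in vrfs:
            if via not in (a, b) and can_talk(a, via, vrfs) and can_talk(via, b, vrfs):
                found.add((a, via, b))
    return found


if __name__ == "__main__":
    for pair, ok in sorted(reachability().items()):
        print(f"{pair[0]:>8} -> {pair[1]:<8} {'reachable' if ok else 'isolated'}")
    print("pivots:", sorted(pivots()))
```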