The present invention relates generally to communication networks, and more specifically, to an MPLS (Multiprotocol Label Switching) cookie label and Virtual Private Network (VPN) security.
Virtual Private Networks serve as network overlays on IP network infrastructures. Service providers with an MPLS/IP backbone may provide VPNs for their customers. As described in RFC 2547 (“BGP/MPLS VPNs”, E. Rosen et al., March 1999), which is incorporated herein by reference in its entirety, MPLS may be used for forwarding packets over the backbone and Multiprotocol Border Gateway Protocol (MP-BGP) for distributing routes over the backbone.
FIG. 1 illustrates an example of MPLS-VPN forwarding. A provider network is in communication with two customer networks, vpnA and vpnB. Both the vpnA prefix 10.10.10/24 and the vpnB prefix 11.11.11/24 are identified with label 500 at their respective provider edge (PE) routers (only a portion of each IP address is shown for simplification). The provider network includes a plurality of provider (P) routers 10a, 10b, 10c and PE routers 12a, 12b, 12c. The VPNs include customer routers 14a, 14b, 14c, 16a, 16b, 16c, 18a, 18b. Packet forwarding within the MPLS core network is performed based on label information. As illustrated in FIG. 1, an IP packet is transmitted from vpnA: 12.12.12/24 to vpnA: 10.10.10/24 via routers 12a, 10a, 10b, and 12b. The IP packet at the customer edge node 14a includes a source (src) and destination (dst) address. At PE node 12a an IP lookup is performed and IGP and VPN labels are added to the packet. The packet is then sent through the network until it reaches provider edge 12b, which sends the packet to CE 16a.
As shown in FIG. 1, MPLS-VPN traffic destined for a remote CE site is imposed, at an ingress PE, with a VPN label that corresponds to a matched VPN-IPv4 route, as well as an IGP label that directs the traffic to the egress PE. Since the VPN label is only significant at the router that allocates the label, it is possible for a mistake in forwarding (misforwarding) to occur. A misforwarding may occur, for example, if the packet has reached the wrong PE, due to an error in routing the packet or an error in swapping the label value during the packet's lifetime in the network. A forwarding error may also occur if the packet has reached the right PE, but that PE's forwarding plane is not consistent with its control plane with regard to the forwarding entry. Another possible source of error is if the packet has reached the right PE, but that PE has since changed the binding of the label value. Also, the packet may have been misforwarded because it has not reached any PE at all, but was instead forwarded based on the VPN destination address in the global table because the MPLS label stack was popped by mistake.
FIG. 2 illustrates an example of MPLS-VPN misforwarding. The network is the same as shown in FIG. 1. In this instance, however, the packet is incorrectly routed to vpnB instead of vpnA. The misrouting occurs at provider node 10a. Since the next hop identifies label 500, the packet is sent to vpnB, which has the same label as vpnA. This type of misforwarding is common in conventional systems because the same label is often used for different VPNs on different PE routers.
Currently, mechanisms that carry an identifier with forwarded data include the IP-tunneling-specific GRE key field and the L2TPv2 cookie field. Both the GRE key field and the L2TPv2 cookie field are specific to IP tunneling and do not work in a native MPLS backbone or with MPLS traffic engineering. The IETF Internet Draft “CE-to-CE Authentication for RFC 2547 VPNs” (draft-bonica-l3vpn-auth-02.txt, R. Bonica et al., February 2002) describes a scheme in which cookies are distributed along with labels to authenticate CEs. However, the cookies used in the scheme described in the Bonica Internet Draft are not distributed in the data plane.
In a backbone that consists of multi-vendor equipment and spans multiple autonomous systems (ASes), successful delivery of VPN traffic depends on correct forwarding at each individual intermediate router. The probability of a VPN packet being misforwarded grows exponentially as the number of intermediate hops increases. Furthermore, in a network that consists of equipment from multiple vendors, it may not be possible to upgrade all nodes at the same time. Thus, it is also desired to prevent VPN misforwarding in the presence of software and hardware defects in an MPLS network.
There is, therefore, a need for a system and method which allows cookies to appear in an MPLS label stack in the data plane, independent of the tunneling mechanism, for use in identifying misforwarded packets. It is also desired to provide a method for distributing cookies together with FEC (forwarding equivalence class) labels in the control plane.
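The FIG. 2 misforwarding and the data-plane cookie check this passage calls for, as an added Python model that is not part of the patent; the PE names, IGP labels and cookie values are constructed, and the cookie is modelled as an extra label below the VPN label:

```python
# Constructed model of FIG. 1/2: both egress PEs bind VPN label 500, one per VPN.
# Each PE table maps VPN label -> (VPN, cookie the PE advertised with that label).
PE_LABEL_TABLES = {
    "PE-12b": {500: ("vpnA", 0x1A2B)},   # vpnA 10.10.10/24 sits behind PE 12b
    "PE-12c": {500: ("vpnB", 0x3C4D)},   # vpnB 11.11.11/24 sits behind PE 12c
}

# Ingress PE 12a view: VPN-IPv4 route -> (egress PE, IGP label, VPN label, cookie)
INGRESS_ROUTES = {
    "10.10.10.0/24": ("PE-12b", 100, 500, 0x1A2B),
    "11.11.11.0/24": ("PE-12c", 200, 500, 0x3C4D),
}
IGP_TO_PE = {100: "PE-12b", 200: "PE-12c"}   # constructed IGP label bindings


def impose(dst_prefix, with_cookie):
    """Ingress PE builds the stack [IGP, VPN, (cookie)], outermost label first."""
    egress, igp, vpn, cookie = INGRESS_ROUTES[dst_prefix]
    return egress, [igp, vpn] + ([cookie] if with_cookie else [])


def core_forward(stack, misroute_to=None):
    """P routers carry the packet on the IGP label and pop it at the penultimate hop.
    misroute_to simulates the FIG. 2 error at P 10a: the packet lands at the wrong PE."""
    igp, *rest = stack
    return (misroute_to or IGP_TO_PE[igp]), rest


def egress_dispose(pe, stack):
    """Egress PE looks up the VPN label; if a cookie label follows it, the cookie
    must equal the one this PE advertised, otherwise the packet is misforwarded."""
    vpn_label, *rest = stack
    vpn, expected_cookie = PE_LABEL_TABLES[pe][vpn_label]
    if rest and rest[0] != expected_cookie:
        return ("DROP", vpn)        # misforwarded packet detected in the data plane
    return ("DELIVER", vpn)


def send(dst_prefix, with_cookie, misroute_to=None):
    """End-to-end: impose at 12a, cross the core, dispose at whichever PE was reached."""
    _, stack = impose(dst_prefix, with_cookie)
    arrived_at, stack = core_forward(stack, misroute_to)
    return egress_dispose(arrived_at, stack)
```

Without the cookie, the misrouted vpnA packet is delivered into vpnB because label 500 is valid at both PEs; with the cookie, PE 12c sees a cookie it never advertised and drops it.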