Hello, this is my first post here so i thought i best start with a hello.  Im trying to find out information on VRF Lite , specificly information on the security aspects.  I have had a google and read quite a few documents on various implmentations specificly cisco documentation.  I havn't seen many other document around yet.  could anyone let me know if this is proriatery, i couldn't fin and RFC.  Anyway the questions i had are
  --what extra security VFR-lite offers
--what security assumptions does it make
--Are there any know insecurities in current implmentations
--Are tere any know insecuriteis in the protocol (is this a protocol?, if so where is the spec)
--Alo a bit of an obscure one but if any one has GSE/GSI experience i would be intrested in how it is viewed under that framework

Any documentation or articles people could point me too would be much appreciated.

hi Charlie,

Thanks for the response thats quite a nice use case which i may be able to use for a completly different problem cheers .  What im currently trying to work out is what security vrf-lite offeres when used to seperat networks.  i have drawn up a quick visio diagram to try and explain what we intend to do; beware im rubush at visio http://bayimg.com/LaphFaabI

from this i can see how VRF's offer a functional benifit;  however im unsure what security it offers.  is it more secure then vlans.  if it is more secure then vlans does that mean each VRF needs to be on its own layer2 hardware to achive this security.

ok so after you response i thought i best go off and do some research.  so i went of and did this lab (http://netsg.wordpress.com/2009/02/02/216/).  it was a prety good lab and enabled me to get my head around vrf-lite a bit more.  i can now see how it can offer backboe security.  i.e you can conect a router to a vrf-lite mesh and it will only know about one routing table.  this is leaning me more into the opinion that vrfs dont offer any extra security if the end decices are conected to the same layer 2 i.e. if they can vlan hop they can hop into a different vrf context.

i am still confused by what you have said in regard to having nat because of  overlaping lans.  i had thought one of the benifits of vrf's was that you can ues the sam subnets.  can you please explain this a bit more or point me to some docs

cheers


if anyone is intrested my config is here http://pastebay.com/14496