The MPLS WG Archive

Basic LDP Question
Hi Yakov,

Thanks for the reference. I read the mentioned draft. However, I am not convinced that MPLS provides simpler protection against packet spoofing than IP in a VPN environment.

To mitigate against packet spoofing and accessing core routers in an MPLS/BGP-VPN network (with MPLS core), the draft mentions 2 methods:

1) Not accepting the labeled packets from CE
2) Using VRF table, which effectively confines the access of a VPN user to the same VPN and (if applicable) to Public Internet.

Both these bullets apply equally to MPLS/BGP VPN (with IP core). Effectively in both cases the VRF table is acting as the filter/firewall.

Could you please clarify why you think that MPLS core has simpler packet spoofing capability than IP core?

Thanks,
-Shahram

> -----Original Message-----
> From: Yakov Rekhter [mailto:yakov@juniper.net]
> Sent: Friday, May 31, 2002 2:04 PM
> To: Shahram Davari
> Cc: Giles Heron; 'mpls@uu.net'; 'ppvpn@ppvpn.francetelecom.com'
> Subject: Re: Basic LDP Question
>
>
> > > -----Original Message-----
> > > From: Yakov Rekhter [mailto:yakov@juniper.net]
> > > Sent: Friday, May 31, 2002 1:41 PM
> > > To: Giles Heron
> > > Cc: Shahram Davari; 'mpls@uu.net'; 'ppvpn@ppvpn.francetelecom.com'
> > > Subject: Re: Basic LDP Question
> > >
> > >
> > > Giles,
> > >
> > > > 1. Efficient encapsulation of VPN traffic
> > > > 2. Ability to run VPN on current hardware
> > > >
> > > > There are probably other reasons as well...
> > >
> > > One of the "other reasons" is straightforward protection
> > > against packet spoofing.
> >
> > How?
>
> read draft-behringer-mpls-security-01.txt
>
> > in IP also you can do ACL.
>
> yes, but it has its own cost/complexity.
>
> Yakov.
>
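Added example, not part of the original message or of the cited draft: a simplified Python model of the two checks the message lists, dropping labeled packets from a CE and confining lookups to the VRF bound to the ingress interface. The class and function names, interface names, prefixes, addresses and label values are all hypothetical and constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    src: str
    dst: str
    label: Optional[int] = None  # MPLS label; None means plain IP

class ProviderEdge:
    """Toy PE router: one VRF per CE-facing interface (hypothetical model)."""

    def __init__(self):
        self.iface_vrf = {}  # CE-facing interface -> VRF name
        self.vrfs = {}       # VRF name -> [(prefix, egress PE, VPN label)]

    def attach(self, iface, vrf):
        self.iface_vrf[iface] = vrf
        self.vrfs.setdefault(vrf, [])

    def add_route(self, vrf, prefix, egress_pe, vpn_label):
        self.vrfs[vrf].append((ipaddress.ip_network(prefix), egress_pe, vpn_label))

    def ingress_from_ce(self, iface, pkt):
        # Method 1: a CE is never allowed to send labeled packets.
        if pkt.label is not None:
            return ("drop", "labeled packet from CE")
        # Method 2: look up the destination only in the VRF bound to the
        # ingress interface; the source address plays no part in the choice.
        vrf = self.iface_vrf[iface]
        dst = ipaddress.ip_address(pkt.dst)
        matches = [r for r in self.vrfs[vrf] if dst in r[0]]
        if not matches:
            return ("drop", "no route in VRF " + vrf)
        net, egress_pe, vpn_label = max(matches, key=lambda r: r[0].prefixlen)
        return ("forward", vrf, egress_pe, vpn_label)

def build_demo_pe():
    # Constructed sample data: two VPNs with overlapping address space.
    pe = ProviderEdge()
    pe.attach("ce-a", "vpn-a")
    pe.attach("ce-b", "vpn-b")
    pe.add_route("vpn-a", "10.1.0.0/16", "pe2", 100)
    pe.add_route("vpn-b", "10.1.0.0/16", "pe3", 200)
    return pe

if __name__ == "__main__":
    pe = build_demo_pe()
    print(pe.ingress_from_ce("ce-a", Packet("10.9.9.9", "10.1.0.5")))
    print(pe.ingress_from_ce("ce-a", Packet("10.9.9.9", "10.1.0.5", label=200)))
    print(pe.ingress_from_ce("ce-a", Packet("10.9.9.9", "192.0.2.1")))
```

The model applies the same two checks whether the core behind the PE forwards on labels or on IP; it does not model the core itself.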