The MPLS WG Archive


Basic LDP Question

  • From: Yakov Rekhter <yakov@juniper.net>
  • Date: Tue, 04 Jun 2002 09:30:13 -0700
  • cc: "'Yakov Rekhter'" <yakov@juniper.net>, "'mpls@uu.net'" <mpls@UU.NET>, "'ppvpn@ppvpn.francetelecom.com'" <ppvpn@ppvpn.francetelecom.com>

Shahram,

> Thanks for the reference. I read the mentioned draft.
> However, I am not convinced that MPLS provides simpler protection
> against packet spoofing than IP in VPN environment.
> 
> To mitigate against packet spoofing and accessing core routers in 
> MPLS/BGP-VPN network (with MPLS core), the draft mentions 2 methods:
> 
> 1) Not accepting the labeled packets from CE
> 2) Using VRF table, which effectively confines the access of a VPN 
> user to the same VPN and (if applicable) to Public Internet.
> 
> Both these bullets apply equally to MPLS/BGP VPN (with IP core).
> Effectively in both cases the VRF table is acting as the filter/firewall.
> 
> Could you please clarify why you think that MPLS core has simpler
> packet spoofing capability than IP core?

For further clarifications you may look at section 8.9
of "MPLS: Technology and Applications" (by Bruce Davie and myself).

Yakov.