The MPLS WG Archive: draft-behringer-mpls-security-03.txt
Michael/Jim:

If I understand the problem you are addressing correctly, it is incorrect configuration of the RT associated with a CE at the PE. And you wish to do this with no changes to the CE, therefore you are re-using the HMAC/MD5 stuff to achieve this.

What you actually want is the RT configured at the CE and a means of checking that there is consistency between the CE and PE. IMHO adding a level of indirection (two provisioned values to get right at the PE) in the network will not achieve this.

What I would suggest is that you keep the HMAC/MD5 approach for CE-PE, but have the key configured into the CE algorithmically derived from the RT associated with the VRF (or from the set of RTs in more complex configuration cases). Therefore there is still typically only one value to provision at the PE for the CE (the RT, which is the one that matters). You are not using multiple values across the core (HMAC MD5 and RTs; you only need RTs), so no BGP changes are required; this is purely an S/W issue at the PE.

The only issue I can see is that in the more complex VPN cases (hub and spoke/extranet etc.), there is not one key for all CEs (e.g. a hub site has a different key than a spoke site, or extranet issues). This seems like a small price for no protocol changes and actually closing the hole. Besides, I believe a CE can belong to more than one VPN, therefore without this approach there is still a gaping head wound as it can only verify membership in one VPN.

cheers
Dave
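Dave's proposal, as an added illustration that is not part of the thread: the CE-PE HMAC key is derived from the VRF's RT set, so a PE whose provisioned RT does not match the CE's cannot verify the CE's tag. The provider-wide secret mixed into the derivation, the `ASN:nn` RT strings and the SHA-256 digest are assumptions (the thread discusses HMAC/MD5; pass `digest="md5"` to match it).

```python
import hmac

# Assumed provider-wide secret (constructed value). RTs are not secret, so
# mixing them with a secret keeps the derived per-VRF key from being
# guessable; this is an assumption, not something the thread specifies.
PROVIDER_SECRET = b"constructed-provider-secret-not-a-real-value"


def canonical_rts(route_targets):
    """Canonical form of an RT set: deduplicated and sorted 'ASN:nn' strings,
    so provisioning order on CE and PE does not change the derived key."""
    return ",".join(sorted({rt.strip() for rt in route_targets})).encode()


def derive_ce_key(route_targets, provider_secret=PROVIDER_SECRET, digest="sha256"):
    """Derive the CE-PE session key from the VRF's RT(s), per Dave's proposal.
    A hub site with more RTs than a spoke therefore gets a different key."""
    return hmac.new(provider_secret, b"ce-pe-key|" + canonical_rts(route_targets), digest).digest()


def ce_tag(ce_rts, message, digest="sha256"):
    """CE side: tag the outgoing message with the key derived from its RT set."""
    return hmac.new(derive_ce_key(ce_rts, digest=digest), message, digest).digest()


def pe_verify(pe_rts, message, tag, digest="sha256"):
    """PE side: derive the key only from the RT(s) provisioned for this VRF at
    the PE. A mis-provisioned RT yields a different key, so the tag fails."""
    expected = hmac.new(derive_ce_key(pe_rts, digest=digest), message, digest).digest()
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    msg = b"constructed CE-PE BGP message payload"
    tag = ce_tag(["65000:100"], msg)
    print(pe_verify(["65000:100"], msg, tag))  # True: PE RT matches the CE
    print(pe_verify(["65000:101"], msg, tag))  # False: wrong RT provisioned at PE
    # hub site (two RTs) and spoke site (one RT) end up with different keys
    print(derive_ce_key(["65000:100", "65000:200"]) != derive_ce_key(["65000:100"]))  # True
```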