The MPLS WG Archive





draft-behringer-mpls-vpn-auth-00.txt

  • From: "David Allan" <dallan@nortelnetworks.com>
  • Date: Tue, 19 Nov 2002 17:42:49 -0500
  • Cc: mpls@UU.NET

Hi Jim:

<snipped>

> 
> but if you derive the key from the configured RT, and the RT 
> as configured
> is incorrect, the key becomes irrelevant. Could you explain 
> the flow of how
> the RT relates to the key and how this is communicated to the CE ?
> 

Phrasing issue: the CE is configured with info derived from the RT(s) to be
provisioned in the PE (some offline process). So if the CE is provisioned
incorrectly, there is a PE-CE mismatch. If the RT provisioned at the PE is wrong,
there is a PE-CE mismatch. If the RT(s) assigned to the CE/VRF in the first
place is wrong (which would be pretty much the same as which VPN the CE
should be in), I think you are dead regardless of the approach...

cheers
Dave

> Jim
> 
> > >
> > >>
> > >> , but
> > >> > >have the key configured into the CE algorithmically
> > >> derived from the RT
> > >> > >associated with the VRF (or from the set of RTs in 
> more complex
> > >> > >configuration cases). Therefore there is still typically only
> > >> > >one value to
> > >> > >provision at the PE for the CE (the RT, which is the one that
> > >> > >matters). You
> > >> > >are not using multiple values across the core (HMAC MD5
> > >> and RTs, you only
> > >> > >need RTs) so no BGP changes are required, this is purely a S/W
> > >> > >issue at the
> > >> > >PE.
> > >>
> > >> the correct draft specifies that an ingress PE uses a
> > >> 'generator' value
> > >> (which is a random number at the PE) and creates a signature
> > >> by using the
> > >> key against the 'generator'. The result of this operation is
> > >> carried within
> > >> BGP so that a receiving PE can run its local key against the
> > >> 'generator' and
> > >> compare the result with the signature that was created by the
> > >> originating
> > >> PE. Jim
> > >
> > >I'll have to look at the revised draft. My original take was
> > >that the goal
> > >of the draft was to provide a mechanism to ensure consistency
> > >between PE/VRF
> > >and CE with respect to VPN membership. PE to PE consistency was
> > >achieved via
> > >correct configuration of RTs and whatever inter-PE security
> > >mechanism you
> > >chose to employ.
> > >
> > >cheers
> > >Dave
> > >
> > >
> > ><snipped to end>
> 
>
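The exchange Jim describes (ingress PE picks a random 'generator', MACs it with the RT-derived key, carries generator and signature in BGP; the receiving PE recomputes with its local key and compares) and the provisioning failure modes Dave lists, as an added example that is not part of the thread or of draft-behringer-mpls-vpn-auth-00. Everything below is an assumption of this example: the offline key derivation is HMAC-SHA256 over the sorted RT set under an operator-held provisioning secret (the thread only says the key is "algorithmically derived from the RT", and mentions HMAC-MD5; SHA-256 is used here instead), the generator is a 16-byte random nonce, and the RT strings and secret are constructed sample data.

```python
"""Toy model of the RT-derived key / generator check discussed in the thread.

Added example; not code from the thread or the draft. Assumed construction:
  key        = HMAC-SHA256(provisioning_secret, sorted RT set)
  generator  = 16 random bytes chosen by the ingress PE per announcement
  signature  = HMAC-SHA256(key, generator)        # carried in BGP with generator
"""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional, Tuple


def derive_vrf_key(route_targets: Iterable[str], provisioning_secret: bytes) -> bytes:
    """Offline derivation of the CE/VRF key from the RT(s) (assumed construction).

    Sorting makes the result independent of the order RTs are listed in, so a
    CE and PE provisioned with the same set agree. Mixing in an operator-held
    secret is this example's choice: RTs on their own are predictable values.
    """
    canonical = ",".join(sorted(route_targets)).encode()
    return hmac.new(provisioning_secret, canonical, hashlib.sha256).digest()


def sign_generator(key: bytes, generator: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Ingress PE side: pick a fresh random generator and MAC it with the local key.

    Returns (generator, signature), the two values the receiving PE needs.
    """
    if generator is None:
        generator = secrets.token_bytes(16)
    signature = hmac.new(key, generator, hashlib.sha256).digest()
    return generator, signature


def verify_generator(local_key: bytes, generator: bytes, signature: bytes) -> bool:
    """Receiving PE side: recompute with the local key, compare in constant time."""
    expected = hmac.new(local_key, generator, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


# Constructed sample data (not from the thread).
PROVISIONING_SECRET = b"example-operator-secret"
RTS_VPN_A = ("65000:100",)
RTS_VPN_B = ("65000:200",)


def membership_check(originator_rts: Iterable[str], receiver_rts: Iterable[str],
                     secret: bytes = PROVISIONING_SECRET) -> bool:
    """Run one originate/verify round between two sides provisioned with the given RTs."""
    k_orig = derive_vrf_key(originator_rts, secret)
    k_recv = derive_vrf_key(receiver_rts, secret)
    generator, signature = sign_generator(k_orig)
    return verify_generator(k_recv, generator, signature)


if __name__ == "__main__":
    # Both sides provisioned for the same VPN: the check passes.
    print("consistent RT       :", membership_check(RTS_VPN_A, RTS_VPN_A))
    # One side mis-provisioned (wrong RT at CE or at PE): PE-CE mismatch detected.
    print("mis-provisioned RT  :", membership_check(RTS_VPN_A, RTS_VPN_B))
    # Both sides consistently given the *wrong* VPN's RT: the check still passes,
    # which is Dave's point that a wrong RT assignment is not caught by any key scheme.
    print("consistently wrong  :", membership_check(RTS_VPN_B, RTS_VPN_B))
```

The third case is the caveat worth keeping in mind when reading the thread: the mechanism detects a disagreement between the two ends, not an error in which VPN the CE was assigned to in the first place, because both ends derive the same key from the same (wrong) RT.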