The MPLS WG Archive


Comments requested: draft-behringer-mpls-security-04.txt

  • From: Mark Seery <mark@mseery.com>
  • Date: Mon, 2 Jun 2003 09:45:13 -0700 (PDT)
  • Cc: PPVPN@nortelnetworks.com, mpls@UU.NET

Hi Michael,

Given the statement in 5.1 "...security mechanisms
discussed here assume correct configuration..." my
comments may not apply, but FYI for consideration in
future drafts.

Label swapping forwarding elements introduce the
possibility of label swap/merge faults, either through
misconfiguration or through label distribution bugs.

The traditional way that label swap networks have
dealt with this problem is through continuity tests
(verifying correct end point addresses). Such
mechanisms are being discussed in PWE/MPLS WGs, and
hence when/if applied would provide for a way to
recognise a misconfiguration and reduce the amount of
time the security leak is present for.

When such mechanisms are implemented in MPLS VPN 
networks, then such a network could be considered as
secure as an ATM-based network (for example a Frame
over ATM core network).

Mark
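
The continuity test described in this message, sketched as an added example (not part of the original post or of the draft under discussion): each probe carries the identity of the LSP it was sent on, and each end point checks which identities actually arrive. The topology, label values and status names are constructed assumptions.

```python
# Constructed toy model: node names, labels and topology are illustrative assumptions.

def walk(tables, node, label, max_hops=16):
    """Follow label swaps hop by hop; return the (node, label) end point
    where the packet is delivered, or None if it is dropped or loops."""
    for _ in range(max_hops):
        entry = tables.get(node, {}).get(label)
        if entry is None:
            return None                      # no forwarding entry: dropped
        next_node, out_label = entry
        if next_node is None:
            return (node, label)             # terminating entry: delivered here
        node, label = next_node, out_label
    return None                              # hop limit hit: treat as a loop

def continuity_test(tables, lsps):
    """lsps maps lsp_id -> (first_node, first_label, expected_end_point).
    Each probe carries its lsp_id; every end point checks which ids arrived."""
    arrived = {}
    for lsp_id, (node, label, _end) in lsps.items():
        end = walk(tables, node, label)
        if end is not None:
            arrived.setdefault(end, set()).add(lsp_id)
    report = {}
    for lsp_id, (_node, _label, end) in lsps.items():
        got = arrived.get(end, set())
        foreign = got - {lsp_id}
        if not got:
            report[lsp_id] = "no continuity"
        elif lsp_id in got and foreign:
            report[lsp_id] = "merge fault"   # foreign traffic joins this LSP
        elif foreign:
            report[lsp_id] = "swap fault"    # only another LSP's traffic arrives
        else:
            report[lsp_id] = "ok"
    return report

LSPS = {"vpn-a": ("P", 100, ("PE2", 200)), "vpn-b": ("P", 101, ("PE2", 201))}
GOOD = {"P": {100: ("PE2", 200), 101: ("PE2", 201)},
        "PE2": {200: (None, None), 201: (None, None)}}
# Misconfiguration: P swaps vpn-b's label 101 to 200, vpn-a's end point label.
MERGED = {**GOOD, "P": {100: ("PE2", 200), 101: ("PE2", 200)}}
# Misconfiguration: P crosses the two outgoing labels.
SWAPPED = {**GOOD, "P": {100: ("PE2", 201), 101: ("PE2", 200)}}

if __name__ == "__main__":
    for name, t in (("good", GOOD), ("merged", MERGED), ("swapped", SWAPPED)):
        print(name, continuity_test(t, LSPS))
```

Run periodically, a check of this kind bounds how long a cross-VPN leak can persist to roughly one probe interval plus reaction time.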