The MPLS WG Archive





Security issue re draft-ietf-mpls-in-ip-or-gre-07

  • From: Loa Andersson <loa@pi.se>
  • Date: Mon, 05 Apr 2004 00:32:41 +0200
  • Cc: Eric Rosen <erosen@cisco.com>, mpls@UU.NET, zinin@psg.com, bwijnen@lucent.com
  • User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113

All,

I'll try to summarize, and see if there is a wg rough consensus

- it seems that all agree that the "encapsulator" should do
   source address filtering

- the "decapsulator" could also do source address filtering,
   to verify that the packet has been received from the right
   source addresses (actually an encapsulator for that particular
   LSP)

- an encapsulator that does destination address filtering does not
   achieve the same thing as a decapsulator that does source address
   filtering

A packet may enter the network "anywhere"; an encapsulator that makes
sure that the destination address is allowed only checks packets
that enter through the encapsulator. If a packet is spoofed into the
network and sent to the decapsulator from anywhere else, that packet
needs to be filtered by the decapsulator to be detected.

It seems to me that all three of these filtering functions have their
independent uses. Further it is up to the operator to decide on how to
use them. I think it would be correct to say that the decapsulator MAY
implement source address filtering.

I would listen to arguments to make this stronger, but would be
reluctant to accept anything weaker.

/Loa

-- 

Loa Andersson

mobile +46 739 81 21 64
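The distinction Loa draws between destination address filtering at the encapsulator and source address filtering at the decapsulator, as an added example that is not part of the original message or of the draft: a toy model in which an encapsulator only tunnels toward configured decapsulators and a decapsulator only decapsulates GRE or MPLS-in-IP packets whose outer source address is an encapsulator configured for that tunnel. The node names, addresses (RFC 5737 documentation prefixes), tunnel tables and packets are all constructed for the example; the "entry_point" label stands in for where a packet entered the provider network. The first bullet of the summary (source address filtering at the encapsulator itself) is not modeled here.

```python
"""Toy model of two filtering points discussed for MPLS-in-IP/GRE tunnels:
destination address filtering at the encapsulator and source address
filtering at the decapsulator. Addresses, tables and packets are constructed
for this example; this is not code from the draft."""
from dataclasses import dataclass

IPPROTO_GRE = 47            # GRE (IANA protocol number)
IPPROTO_MPLS_IN_IP = 137    # MPLS-in-IP (IANA protocol number)
TUNNEL_PROTOS = (IPPROTO_GRE, IPPROTO_MPLS_IN_IP)


@dataclass(frozen=True)
class OuterPacket:
    """Outer IP header fields a filter can inspect, plus a constructed
    'entry_point' label saying where the packet entered the provider network."""
    src: str
    dst: str
    proto: int
    entry_point: str


# Constructed tables. Encapsulator PE1 has outer address 192.0.2.1 and
# decapsulator PE2 has 192.0.2.2.
ENCAPSULATOR = "PE1"
# Encapsulator table: decapsulators each encapsulator address may tunnel toward.
ENCAP_ALLOWED_DSTS = {"192.0.2.1": {"192.0.2.2"}}
# Decapsulator table: per tunnel (LSP), the encapsulators permitted to send to it.
DECAP_ALLOWED_SRCS = {"192.0.2.2": {"192.0.2.1"}}


def encapsulator_dst_filter(pkt, allowed=ENCAP_ALLOWED_DSTS):
    """Encapsulator check: emit a tunneled packet only toward a configured decapsulator."""
    return pkt.dst in allowed.get(pkt.src, set())


def decapsulator_src_filter(pkt, allowed=DECAP_ALLOWED_SRCS):
    """Decapsulator check: decapsulate only GRE/MPLS-in-IP packets whose outer
    source address is an encapsulator configured for this tunnel."""
    if pkt.proto not in TUNNEL_PROTOS:
        return False
    return pkt.src in allowed.get(pkt.dst, set())


def trace(pkt):
    """Run the packet through the checks it actually traverses and report the outcome.

    Only packets that enter through the encapsulator are seen by its
    destination filter; a packet injected anywhere else reaches the
    decapsulator without ever passing that check.
    """
    if pkt.entry_point == ENCAPSULATOR:
        if not encapsulator_dst_filter(pkt):
            return "dropped by encapsulator (destination filter)"
    if not decapsulator_src_filter(pkt):
        return "dropped by decapsulator (source filter)"
    return "decapsulated"


# Constructed traffic: one legitimate tunnel packet, one misdirected one, and
# two packets injected at an unrelated node "P3" that never sees PE1's filter.
PACKETS = {
    "legitimate": OuterPacket("192.0.2.1", "192.0.2.2", IPPROTO_GRE, "PE1"),
    "wrong decapsulator": OuterPacket("192.0.2.1", "203.0.113.7", IPPROTO_GRE, "PE1"),
    "injected elsewhere": OuterPacket("203.0.113.9", "192.0.2.2", IPPROTO_GRE, "P3"),
    "injected, spoofs PE1": OuterPacket("192.0.2.1", "192.0.2.2", IPPROTO_MPLS_IN_IP, "P3"),
}


def run():
    """Outcome of every constructed packet, keyed by its label."""
    return {name: trace(pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for name, outcome in run().items():
        print(f"{name:24} {outcome}")
```

The "injected elsewhere" packet is the case made in the message: it never passes through PE1, so only the decapsulator's source filter can catch it. The last packet shows the limit of address filtering on its own: an injected packet that spoofs a permitted encapsulator address is accepted, because a source address check is a filter, not an authentication of the sender.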