The MPLS WG Archive


MPLS over L2TPv3 encap for RFC 2547 VPNs

  • From: richard.spencer@bt.com
  • Date: Thu, 5 Feb 2004 11:00:35 -0000
  • Cc: <yakov@juniper.net>, <townsley@cisco.com>, <mpls@UU.NET>, <l3vpn@ietf.org>

Robert,

> > in which case the same security
> > risks apply to MPLS 2547 networks and IP 2547 networks anyway.

> It would be interesting to see how you achieved the above conclusion.

 

> If any PSN carries internet natively it seems much harder to inject MPLS
> labeled packets into them than IP packets.

 

If you do not agree with my conclusion then I would be interested to know if this is just your own personal view? I ask because at a seminar a few months ago attendees were assured by Cisco representatives that the forwarding of VPN packets using IP/GRE was just as secure as using MPLS headers. This was regarding the use of GRE for multicast with RFC2547 VPNs. If you do not agree with this then am I to assume that in your view RFC2547 networks belonging to providers that offer multicast services are not as secure as provider networks that do not offer multicast services?

 

IMO the primary security concern is that the control plane will be compromised. If Internet traffic is carried natively then there is a risk that an intruder may attempt to access the provider's control plane via the Internet by spoofing control packets. This security concern exists on ingress to the provider network so the PSN encapsulation used is irrelevant. As you suggest, using ACLs is one solution to the problem; using out-of-band signalling is another solution.

 

Regards,

 

Richard