The MPLS WG Archive


MPLS over L2TPv3 encap for RFC 2547 VPNs

  • From: neil.2.harrison@bt.com
  • Date: Thu, 5 Feb 2004 12:30:23 -0000
  • Cc: <mpls@UU.NET>, <l3vpn@ietf.org>
  • Thread-Topic: MPLS over L2TPv3 encap for RFC 2547 VPNs

Robert,

Just to add to Richard's (closing) remarks (and I hope you also saw my more general ones wrt generic VPNs the other day)... having an OOB control/management-plane where this is possible is something that should almost be a no-brainer requirement for an operator. It's something I would urge all suppliers to carefully consider.

regards, Neil

> -----Original Message-----
> From: owner-mpls@UU.NET [mailto:owner-mpls@UU.NET]On Behalf Of
> richard.spencer@bt.com
> Sent: 05 February 2004 11:01
> To: raszuk@cisco.com
> Cc: yakov@juniper.net; townsley@cisco.com; mpls@UU.NET; l3vpn@ietf.org
> Subject: RE: MPLS over L2TPv3 encap for RFC 2547 VPNs
> 
> 
> Robert,
> 
> > > in which case the same security
> > > risks apply to MPLS 2547 networks and IP 2547 networks anyway.
> 
> > It would be interesting to see how you achieved the
> > above conclusion.
> 
> > If any PSN carries internet natively it seems much harder
> > to inject MPLS
> > labeled packets into them than IP packets.
> 
> If you do not agree with my conclusion then I would be
> interested to know if this is just your own personal view? I ask
> because at a seminar a few months ago attendees were assured
> by Cisco representatives that the forwarding of VPN packets
> using IP/GRE was just as secure as using MPLS headers. This
> was regarding the use of GRE for multicast with RFC2547 VPNs.
> If you do not agree with this then am I to assume that in
> your view RFC2547 networks belonging to providers that offer
> multicast services are not as secure as provider networks
> that do not offer multicast services?
> 
> IMO the primary security concern is that the control plane
> will be compromised. If Internet traffic is carried natively
> then there is a risk that an intruder may attempt to access
> the provider's control plane via the Internet by spoofing
> control packets. This security concern exists on ingress to
> the provider network, so the PSN encapsulation used is
> irrelevant. As you suggest, using ACLs is one solution to the
> problem; using out-of-band signalling is another solution.
> 
> Regards,
> 
> Richard
>
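The ingress filtering Richard refers to (an ACL at the provider edge that protects the control plane regardless of which PSN encapsulation the core uses), as an added illustration that is not part of the original thread. The infrastructure address range, the interface naming and the set of control-plane ports/protocols are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed for this example: address space of PE/P loopbacks and core links.
INFRASTRUCTURE = [ipaddress.ip_network("10.255.0.0/16")]
# Assumed control-plane sessions a PE terminates: BGP TCP/179, LDP TCP+UDP/646,
# and the L2TPv3 control channel, which rides IP protocol 115 with no port.
CONTROL_TCP, CONTROL_UDP, CONTROL_PROTOS = {179, 646}, {646}, {115}

@dataclass
class Packet:
    iface: str      # ingress interface name
    src: str
    dst: str
    proto: int      # IP protocol number: 6 = TCP, 17 = UDP, 115 = L2TPv3
    dport: int = 0  # 0 when the protocol has no port

def untrusted(iface: str) -> bool:
    """Customer- and Internet-facing ports; core-facing ports are trusted."""
    return iface.startswith(("ce-", "inet-"))

def in_infra(addr: str) -> bool:
    return any(ipaddress.ip_address(addr) in net for net in INFRASTRUCTURE)

def verdict(pkt: Packet) -> str:
    """Infrastructure-ACL decision at the edge. It never looks at the PSN
    encapsulation (MPLS, GRE, L2TPv3) used inside the core, only at ingress."""
    if not untrusted(pkt.iface):
        return "permit"
    if in_infra(pkt.src):                       # anti-spoofing: outside claims core address
        return "deny:spoofed-infrastructure-source"
    if in_infra(pkt.dst):
        if pkt.proto == 6 and pkt.dport in CONTROL_TCP:
            return "deny:control-plane-tcp"
        if pkt.proto == 17 and pkt.dport in CONTROL_UDP:
            return "deny:control-plane-udp"
        if pkt.proto in CONTROL_PROTOS:
            return "deny:control-plane-proto"
        return "deny:infrastructure-destination"  # core addresses unreachable from outside
    return "permit"                               # ordinary transit toward customer prefixes

# Constructed sample flows using documentation address ranges.
SAMPLE = [
    Packet("inet-0", "203.0.113.9", "10.255.1.1", 6, 179),    # BGP at a PE loopback
    Packet("inet-0", "203.0.113.9", "10.255.1.1", 115),       # L2TPv3 control at a PE
    Packet("ce-3", "10.255.2.2", "198.51.100.7", 17, 646),    # source forged as a core router
    Packet("inet-0", "203.0.113.9", "198.51.100.7", 6, 443),  # plain transit
    Packet("core-1", "10.255.2.2", "10.255.1.1", 6, 179),     # real iBGP inside the core
]
def audit(packets=SAMPLE) -> list:
    return [(p.iface, p.dst, verdict(p)) for p in packets]
```

The same decision applies whether the core later carries the VPN packet under an MPLS label, GRE or L2TPv3, which is the point Richard makes about the encapsulation being irrelevant to this risk.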