The MPLS WG Archive


MPLS over L2TPv3 encap for RFC 2547 VPNs

  • From: Robert Raszuk <raszuk@cisco.com>
  • Date: Thu, 05 Feb 2004 04:52:53 -0800
  • CC: richard.spencer@bt.com, mpls@UU.NET, l3vpn@ietf.org
  • Organization: Signature: http://www.employees.org/~raszuk/sig/
  • User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)

Hi Neil,

I fully support and agree that control plane separation from forwarding 
and OOB control plane is the future which should happen as soon as 
possible. In fact some of this is already here in a lot of production 
networks in one form or the other. I am convinced that we will see more 
of those coming.

But this thread is not about securing control plane but data plane so I 
think we should keep those quite orthogonal issues separate ;)

Thx,
R.

PS, regarding Richard's comment about the seminar he attended: I have not 
seen the material and therefore can't comment on it.


> neil.2.harrison@bt.com wrote:
>
> Robert,
> 
> Just to add to Richard's (closing) remarks (and I hope you also saw
> my more general ones wrt generic VPNs the other day)......having an
> OOB control/management-plane where this is possible is something that
> should almost be a no-brainer requirement for an operator.  It's
> something I would urge all suppliers to carefully consider.
> 
> regards, Neil
> 
> 
>> -----Original Message-----
>> From: owner-mpls@UU.NET [mailto:owner-mpls@UU.NET] On Behalf Of richard.spencer@bt.com
>> Sent: 05 February 2004 11:01
>> To: raszuk@cisco.com
>> Cc: yakov@juniper.net; townsley@cisco.com; mpls@UU.NET; l3vpn@ietf.org
>> Subject: RE: MPLS over L2TPv3 encap for RFC 2547 VPNs
>> 
>> Robert,
>> 
>>>> in which case the same security risks apply to MPLS 2547
>>>> networks and IP 2547 networks anyway.
>> 
>>> It would be interesting to see how you achieved the above conclusion.
>> 
>>> If any PSN carries internet natively it seems much harder to inject MPLS
>>> labeled packets into them than IP packets.
>> 
>> If you do not agree with my conclusion then I would be interested
>> to know if this is just your own personal view? I ask because at a
>> seminar a few months ago attendees were assured by Cisco
>> representatives that the forwarding of VPN packets using IP/GRE was
>> just as secure as using MPLS headers. This was regarding the use of
>> GRE for multicast with RFC2547 VPNs. If you do not agree with this
>> then am I to assume that in your view RFC2547 networks belonging to
>> providers that offer multicast services are not as secure as
>> provider networks that do not offer multicast services?
>> 
>> IMO the primary security concern is that the control plane will be
>> compromised. If Internet traffic is carried natively then there is
>> a risk that an intruder may attempt to access the provider's control
>> plane via the Internet by spoofing control packets. This security
>> concern exists on ingress to the provider network, so the PSN
>> encapsulation used is irrelevant. As you suggest, using ACLs is one
>> solution to the problem; using out-of-band signalling is another
>> solution.
>> 
>> Regards,
>> 
>> Richard
>>
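Richard's point above, that control-plane exposure is an ingress concern on an Internet-facing PE regardless of the PSN encapsulation and that ACLs are one mitigation, as an added example that is not part of this thread: a small Python model of the infrastructure-ACL and anti-spoofing decisions a PE would apply on an Internet-facing interface versus a core-facing one. The address ranges, the peer list and the protocol table are constructed assumptions, not any provider's configuration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed example ranges (RFC 5737 documentation prefixes, not a real provider's).
INFRA = [ipaddress.ip_network("192.0.2.0/24")]      # PE loopbacks and core link addresses
PEERS = [ipaddress.ip_network("198.51.100.0/24")]   # other PEs / route reflectors (assumed)

# Services that terminate on the provider control plane or carry VPN encapsulation:
# BGP (tcp/179), LDP (tcp+udp/646), GRE (IP proto 47), L2TPv3 over IP (IP proto 115).
CONTROL_PLANE = {"tcp/179": "BGP", "tcp/646": "LDP", "udp/646": "LDP",
                 "ip/47": "GRE", "ip/115": "L2TPv3"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "ip"
    dport: Optional[int] = None  # L4 port for tcp/udp, IP protocol number for "ip"


def _in(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def control_plane_service(pkt: Packet) -> Optional[str]:
    """Name the control-plane/encapsulation service a packet targets, if any."""
    return CONTROL_PLANE.get(f"{pkt.proto}/{pkt.dport}")


def ingress_decision(pkt: Packet, internet_facing: bool) -> tuple:
    """Return ("permit"|"deny", reason) for a packet arriving on a PE interface."""
    service = control_plane_service(pkt)
    if internet_facing:
        # Anti-spoofing: provider addresses never legitimately arrive from the Internet.
        if _in(pkt.src, INFRA + PEERS):
            return "deny", "anti-spoof: provider source address from the Internet"
        # Infrastructure ACL: nothing from the Internet may address the PE/core itself,
        # so the encapsulation (MPLS, GRE, L2TPv3) the PSN uses does not matter here.
        if _in(pkt.dst, INFRA):
            return "deny", f"infrastructure ACL: {service or 'any traffic'} to PE/core address"
        return "permit", "Internet transit"
    # Core-facing: control plane is exchanged only between known provider devices.
    if service and not _in(pkt.src, INFRA + PEERS):
        return "deny", f"{service} to control plane from unknown source"
    return "permit", "core traffic"
```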