The MPLS WG Archive

MPLS over L2TPv3 encap for RFC 2547 VPNs
Mark,

> The inherent problem being that IP the control traffic shares the
> same data plane as the public Internet traffic, unlike ATM which uses an
> out-of-band control plane (and is the only sensible solution to the problem,
> i.e. use reserved labels for control/management traffic in MPLS).

Interesting, but how does carrying the control channel out of band help in a blind spoofing attack on the data plane (where one is merely guessing labels in an attempt to break into a VPN)?

RS> Because if the control channel is out of band then anyone with access to the control channel can only affect what goes in the control channel, they cannot attempt VPN spoofing attacks in the data plane. As things currently stand in IP/MPLS, anyone with access to the control channel is free to initiate a VPN spoof attack on the data plane because they share the same address space.

Richard