The MPLS WG Archive
MPLS vs IP encap in RFC2547
Hi Jim,

> Hi Richard - my basic point is that labelled packets cannot be sent
> into a PSN that is either IP or MPLS enabled. So, if an attacker knows
> all the relevant label information then how can it get its packets from
> an IP network onto an MPLS network ?

Regarding the sending of labelled packets into an MPLS PSN, I was thinking of the inter-provider case where a PSN may receive labelled packets from another provider. I agree that labelled packets cannot normally be sent into a PSN, i.e. by a CE.

> if the answer is that it can't then I would argue that the MPLS
> infrastructure is more secure, not less. If you contrast that with an
> IP network then if an attacker can obtain all the relevant IP
> information then all they need to do is put the right encapsulation
> onto the packet and they may attack the VPN - Jim

I now agree with you that the VPN data plane is more secure in an MPLS PSN than it is in an IP PSN. The reasons are that 1) any labelled packets received from a CE can simply be dropped, 2) any labelled packets received from another provider can have their labels checked against a list of valid labels distributed by the PE to that provider, and 3) MPLS-in-IP/GRE packets (if supported) can be dropped by turning the feature off or by filtering based on IP protocol numbers.

Richard
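The three data-plane checks Richard lists (drop labelled packets from a CE, check a peer provider's top label against the labels the PE advertised to it, and filter MPLS-in-IP/GRE by IP protocol number) can be expressed as a single ingress classifier. The following Python is an added example written for this archive page, not code from either correspondent or from any router vendor; it assumes an `Interface` model with a role of "ce", "provider" or "core", the standard encodings (MPLS ethertype 0x8847/0x8848, GRE as IP protocol 47 with protocol type 0x8847, MPLS-in-IP as IP protocol 137 per RFC 4023), and constructed test frames built inline.

```python
import struct
from dataclasses import dataclass

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_MPLS_UCAST = 0x8847   # MPLS unicast label stack
ETHERTYPE_MPLS_MCAST = 0x8848   # MPLS multicast label stack
IPPROTO_GRE = 47                # GRE; MPLS-in-GRE carries protocol type 0x8847
IPPROTO_MPLS_IN_IP = 137        # MPLS-in-IP (RFC 4023)


@dataclass
class Interface:
    """Hypothetical ingress interface model (assumption for this example)."""
    role: str                                   # "ce", "provider" or "core"
    allowed_labels: frozenset = frozenset()     # labels the PE advertised to this peer
    mpls_in_ip_enabled: bool = False            # reason 3: feature off by default


def parse_label_stack(data):
    """Return the labels of an MPLS label stack, stopping at the bottom-of-stack bit."""
    labels = []
    off = 0
    while off + 4 <= len(data):
        entry, = struct.unpack_from("!I", data, off)
        labels.append(entry >> 12)              # 20-bit label
        off += 4
        if entry & 0x100:                       # S bit set: bottom of stack
            break
    return labels


def classify(frame, iface):
    """Return ('accept'|'drop', reason) for a raw Ethernet frame arriving on iface."""
    if len(frame) < 14:
        return "drop", "runt frame"
    ethertype, = struct.unpack_from("!H", frame, 12)
    payload = frame[14:]
    if ethertype in (ETHERTYPE_MPLS_UCAST, ETHERTYPE_MPLS_MCAST):
        labels = parse_label_stack(payload)
        if iface.role == "ce":                  # reason 1: CEs never send labels
            return "drop", "labelled packet from CE"
        if iface.role == "provider":            # reason 2: top label must be one we advertised
            if not labels or labels[0] not in iface.allowed_labels:
                return "drop", "top label not advertised to this peer"
            return "accept", "label permitted for peer"
        return "accept", "core interface"
    if ethertype == ETHERTYPE_IPV4:
        if len(payload) < 20:
            return "drop", "truncated IPv4 header"
        ihl = (payload[0] & 0x0F) * 4
        proto = payload[9]
        if proto == IPPROTO_MPLS_IN_IP and not iface.mpls_in_ip_enabled:
            return "drop", "MPLS-in-IP (protocol 137) filtered"
        if proto == IPPROTO_GRE and not iface.mpls_in_ip_enabled:
            gre = payload[ihl:]
            if len(gre) >= 4 and struct.unpack_from("!H", gre, 2)[0] == ETHERTYPE_MPLS_UCAST:
                return "drop", "MPLS-in-GRE (protocol 47) filtered"
        return "accept", "IP packet permitted"
    return "accept", "other ethertype"


def mpls_frame(labels):
    """Constructed test frame: Ethernet + MPLS label stack + dummy IPv4 payload."""
    stack = b""
    for i, label in enumerate(labels):
        s_bit = 1 if i == len(labels) - 1 else 0
        stack += struct.pack("!I", (label << 12) | (s_bit << 8) | 64)   # TTL 64
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_MPLS_UCAST) + stack + b"\x45" + b"\x00" * 19


def ipv4_frame(proto, inner=b""):
    """Constructed test frame: Ethernet + minimal IPv4 header carrying `inner`."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + hdr + inner


def run_demo():
    """Apply the policy to constructed frames; returns {case: verdict}."""
    ce = Interface(role="ce")
    peer = Interface(role="provider", allowed_labels=frozenset({100, 101}))
    core_with_tunnels = Interface(role="core", mpls_in_ip_enabled=True)
    gre_mpls = struct.pack("!HH", 0, ETHERTYPE_MPLS_UCAST) + struct.pack("!I", (100 << 12) | 0x100 | 64)
    cases = {
        "ce_labelled": classify(mpls_frame([100]), ce),
        "peer_valid_label": classify(mpls_frame([100, 200]), peer),
        "peer_bad_label": classify(mpls_frame([999]), peer),
        "ce_plain_ip": classify(ipv4_frame(6), ce),
        "ce_mpls_in_ip": classify(ipv4_frame(IPPROTO_MPLS_IN_IP), ce),
        "ce_mpls_in_gre": classify(ipv4_frame(IPPROTO_GRE, gre_mpls), ce),
        "core_mpls_in_gre_enabled": classify(ipv4_frame(IPPROTO_GRE, gre_mpls), core_with_tunnels),
    }
    return {name: verdict for name, (verdict, _reason) in cases.items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:28s} {verdict}")
```

Only the top label is checked on the provider-facing interface because that is the label the local PE handed out; inner labels belong to the peer's own forwarding and are not visible to the local PE's advertisement list. The GRE check deliberately looks at the GRE protocol type rather than dropping all of protocol 47, so IP-in-GRE traffic that the operator does want is unaffected.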