The MPLS WG Archive[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index][Thread Index][Author Index][Subject Index] Security issue re draft-ietf-mpls-in-ip-or-gre-07
Eric, > One last issue remains from the IESG review of this little document. > > The issue is whether, when a node decapsulates an mpls-in-ip or mpls-in-gre > packet, there should be a requirement that the node verify that the source > address from the encapsulation header is a source address from which we are > expecting to receive these encapsulated packets. > > I am reluctant to put in such a requirement, for the following reasons: > > 1. If appropriate source address filtering is done at the border routers, > nothing is added by having the decapsulator do this check. Could you be more precise on what you mean by "appropriate source address filtering". > 2. There may be performance implications (with consequent hardware require- > ments) in requiring this check. > > 3. The encapsulation does not come with any built-in signaling; whether the > list of valid source address can be determined dynamically therefore > depends on the application which is using the encapsulation. If the > application does not supply appropriate signaling, then the source > addresses would have to be manually configured. > > The argument for putting in such a requirement is that it obviates the need > to do source address filtering at the border routers and it makes the > security built-in, rather than making it dependent on operator action. (At > least, if one can assume that the operator doesn't have to manually > configure the addresses at all the decapsulators.) I am not sure that requiring decapsulator to verify source address "obviates the need to do source address filtering at the border routers". E.g., in the absence of source address filtering at the border routers what would prevent source address spoofing ? Yakov.
|
|