The MPLS WG Archive





Security issue re draft-ietf-mpls-in-ip-or-gre-07

  • From: Eric Rosen <erosen@cisco.com>
  • Date: Wed, 17 Mar 2004 12:40:35 -0500
  • cc: mpls@UU.NET, zinin@psg.com, pekkas@netcore.fi, bwijnen@lucent.com
  • User-Agent: EMH/1.14.1 SEMI/1.14.3 (Ushinoya) FLIM/1.14.3(Unebigoryōmae) APEL/10.3 Emacs/21.3(sparc-sun-solaris2.8) MULE/5.0 (SAKAKI)


It's nice to see someone paying attention, as I seem to have really screwed
up the arguments for and against closed decapsulation. So let me try again:

  If the decapsulator does not verify the source address, then the border
  routers must filter on destination addresses, to ensure that no
  MPLS-in-IP-or-GRE packet can enter the network if it is addressed to one
  of the routers in that network. It is this destination-based filtering
  which obviates the need for the decapsulator to check the source address.

  The argument would then continue that it is more feasible to have the
  decapsulators check the source addresses than it is to have the border
  routers check the destination addresses.

  In either case, the source address filtering needs to be done at the
  border routers in order to prevent source address spoofing.


I hope this makes more sense.
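A small Python model of the three controls the message compares (border filtering on destination address, border anti-spoofing of source addresses, and a source-address check at the decapsulator), added here as an example that is not part of the original post or of draft-ietf-mpls-in-ip-or-gre; the addresses, router sets and sample packets are constructed, and the protocol numbers are the IANA assignments for GRE (47) and MPLS-in-IP (137).

```python
# Added example (not from the draft or the mailing-list post): a small model
# of the controls discussed above, so their interaction can be checked.
# Addresses and the sample packets are constructed for illustration.
from dataclasses import dataclass

GRE = 47          # IANA IP protocol number for GRE
MPLS_IN_IP = 137  # IANA IP protocol number for MPLS-in-IP

INTERNAL_PREFIX = "192.0.2."                           # our network's address space
INTERNAL_ROUTERS = {"192.0.2.1", "192.0.2.2"}          # decapsulators inside it
TRUSTED_ENCAPSULATORS = {"192.0.2.2", "198.51.100.7"}  # peers whose tunnels we accept

@dataclass(frozen=True)
class Packet:
    src: str    # outer IP source address
    dst: str    # outer IP destination address
    proto: int  # outer IP protocol number

def border_admits(p, dst_filter, anti_spoof):
    """Border-router policy for a packet arriving from outside the network."""
    if anti_spoof and p.src.startswith(INTERNAL_PREFIX):
        return False  # outer source claims to be inside: spoofed, drop it
    if dst_filter and p.proto in (GRE, MPLS_IN_IP) and p.dst in INTERNAL_ROUTERS:
        return False  # tunnel packet addressed to one of our routers: drop it
    return True

def decapsulator_accepts(p, check_source):
    """Decapsulator policy: True if the MPLS payload would be label-switched."""
    if p.dst not in INTERNAL_ROUTERS or p.proto not in (GRE, MPLS_IN_IP):
        return False
    return (not check_source) or p.src in TRUSTED_ENCAPSULATORS

def delivered(p, dst_filter, anti_spoof, check_source):
    """True if an external packet crosses the border and is then decapsulated."""
    return border_admits(p, dst_filter, anti_spoof) and decapsulator_accepts(p, check_source)

# Constructed traffic, all arriving on an external interface: a tunnel from a
# trusted external peer, one from an untrusted host, and one whose outer source
# is forged to look like one of our own routers.
SAMPLES = {
    "legit":     Packet("198.51.100.7", "192.0.2.1", GRE),
    "untrusted": Packet("203.0.113.9", "192.0.2.1", MPLS_IN_IP),
    "spoofed":   Packet("192.0.2.2", "192.0.2.1", GRE),
}

def evaluate(dst_filter, anti_spoof, check_source):
    """Outcome for each sample packet under one combination of the controls."""
    return {name: delivered(p, dst_filter, anti_spoof, check_source)
            for name, p in SAMPLES.items()}
```

Running `evaluate(True, True, False)` shows destination filtering alone admits no external tunnel at all, `evaluate(False, True, True)` shows the decapsulator source check admitting only the trusted peer, and `evaluate(False, False, True)` shows the forged packet slipping past that source check once border anti-spoofing is removed, which is the point of the message's last paragraph.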