The MPLS WG Archive

Security issue re draft-ietf-mpls-in-ip-or-gre-07
Eric,

> It's nice to see someone paying attention, as I seem to have really screwed
> up the arguments for and against closed decapsulation. So let me try again:
>
> If the decapsulator does not verify the source address, then the border
> routers must filter on destination addresses, to ensure that no
> MPLS-in-IP-or-GRE packet can enter the network if it is addressed to one
> of the routers in that network. It is this destination-based filtering
> which obviates the need for the decapsulator to check the source address.
>
> The argument would then continue that it is more feasible to have the
> decapsulators check the source addresses than it is to have the border
> routers check the destination addresses.

It would be useful to get more details on why (a) it is more feasible to have the decapsulator check the source addresses than it is to have the border routers check the destination addresses, and likewise (b) why it is more feasible for the border routers to check the destination addresses than it is to have the decapsulator check the source addresses.

Yakov.
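The two checks compared in this message, written out side by side as an added example (not part of the original thread, and not code from the draft or its authors). The addresses are constructed from documentation prefixes, the function names are hypothetical, and the protocol numbers are the IANA assignments for GRE (47) and MPLS-in-IP (137) with the MPLS EtherTypes used as the GRE protocol type.

```python
import ipaddress
import struct

IPPROTO_GRE = 47                    # GRE
IPPROTO_MPLS_IN_IP = 137            # MPLS-in-IP
GRE_PROTO_MPLS = {0x8847, 0x8848}   # MPLS unicast / multicast EtherTypes

# Constructed sample addressing (assumption, not taken from the thread).
ROUTER_ADDRS = ipaddress.ip_network("192.0.2.0/28")         # this network's routers
KNOWN_ENCAPSULATORS = {ipaddress.ip_address("192.0.2.1")}   # expected tunnel heads

def parse(pkt: bytes):
    """Return (src, dst, carries_mpls) for an IPv4 packet, or None if malformed."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    proto = pkt[9]
    src = ipaddress.ip_address(pkt[12:16])
    dst = ipaddress.ip_address(pkt[16:20])
    if proto == IPPROTO_MPLS_IN_IP:
        mpls = True
    elif proto == IPPROTO_GRE and len(pkt) >= ihl + 4:
        # GRE header: 2 bytes of flags/version, then the 2-byte protocol type.
        mpls = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0] in GRE_PROTO_MPLS
    else:
        mpls = False
    return src, dst, mpls

def border_permits(pkt: bytes) -> bool:
    """Border router: drop encapsulated MPLS addressed to one of our routers."""
    p = parse(pkt)
    if p is None:
        return False
    _, dst, mpls = p
    return not (mpls and dst in ROUTER_ADDRS)

def decapsulator_accepts(pkt: bytes) -> bool:
    """Decapsulator: accept encapsulated MPLS only from a known encapsulator."""
    p = parse(pkt)
    return p is not None and p[2] and p[0] in KNOWN_ENCAPSULATORS

def ipv4(src: str, dst: str, proto: int, payload: bytes = b"") -> bytes:
    """Build a minimal IPv4 packet (checksum left zero) for constructed samples."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + payload
```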