The MPLS WG Archive

Security issue re draft-ietf-mpls-in-ip-or-gre-07
On Wed, 17 Mar 2004, Eric Rosen wrote:

> It's nice to see someone paying attention, as I seem to have really screwed
> up the arguments for and against closed decapsulation. So let me try again:
>
> If the decapsulator does not verify the source address, then the border
> routers must filter on destination addresses, to ensure that no
> MPLS-in-IP-or-GRE packet can enter the network if it is addressed to one
> of the routers in that network.

One scenario for MPLS-in-IP-or-GRE is inter-provider tunnels for 2547. In that case, the above check would be too restrictive; however, capturing which sources can talk to which destinations would probably be prohibitive from an ops point of view, if not a performance pov.

> The argument would then continue that it is more feasible to have the
> decapsulators check the source addresses than it is to have the border
> routers check the destination addresses.

Sure.

> In either case, the source address filtering needs to be done at the
> border routers in order to prevent source address spoofing.

In the context of MPLS-in-IP-or-GRE, or in general? If the latter, it seems irrelevant to the draft at hand.

> I hope this makes more sense.

You now seem to be arguing _for_ source address verification at the decapsulator. Do I read that right?

Your other comment about the security being built-in when the decapsulator does the check was a good one, and should be left in.

Kireeti.

-------
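As an added illustration (not code from the draft or from either poster), the two checks being compared above, side by side: a decapsulator that only accepts an MPLS-in-GRE packet whose outer destination is one of its own tunnel endpoints and whose outer source is a configured peer, versus a border-router filter that drops any MPLS-in-GRE packet addressed to a router inside the network. The peer/endpoint sets and the packet are constructed from documentation address ranges; the IPv4 checksum is left at zero and GRE options are not handled.

```python
import struct
from ipaddress import IPv4Address

IPPROTO_GRE = 47
GRE_MPLS_UNICAST = 0x8847   # GRE protocol type for MPLS unicast payloads

def parse_outer(packet: bytes):
    """Split an IPv4+GRE packet (4-byte GRE header, no options) into
    (src, dst, gre_proto, inner); return None if it is not well formed."""
    if len(packet) < 24:
        return None
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != IPPROTO_GRE or len(packet) < ihl + 4:
        return None
    gre_flags, gre_proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if gre_flags != 0:   # checksum/key/sequence present: outside this example
        return None
    return str(IPv4Address(src)), str(IPv4Address(dst)), gre_proto, packet[ihl + 4:]

def decapsulate(packet, local_endpoints, permitted_sources):
    """Closed decapsulation: return the MPLS payload only if the outer destination
    is one of our tunnel endpoints and the outer source is a configured peer."""
    parsed = parse_outer(packet)
    if parsed is None:
        return None
    src, dst, gre_proto, inner = parsed
    if dst not in local_endpoints or gre_proto != GRE_MPLS_UNICAST:
        return None
    if src not in permitted_sources:      # the source-address check under discussion
        return None
    return inner

def border_drop(packet, protected_routers) -> bool:
    """The alternative Eric describes: a border router drops any MPLS-in-GRE packet
    whose outer destination is a router inside the network it protects."""
    parsed = parse_outer(packet)
    if parsed is None:
        return False                      # not MPLS-in-GRE; not this filter's job
    _, dst, gre_proto, _ = parsed
    return gre_proto == GRE_MPLS_UNICAST and dst in protected_routers

def build_packet(src, dst, payload=b"\x00\x01\x01\xff"):
    """Constructed sample: IPv4 header (checksum left zero) + GRE + one MPLS
    label entry (label 16, bottom of stack, TTL 255)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24 + len(payload), 0, 0, 64,
                     IPPROTO_GRE, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + struct.pack("!HH", 0, GRE_MPLS_UNICAST) + payload
```

As Eric's last quoted point notes, the source check in `decapsulate` is only as good as the anti-spoofing filtering at the border: a peer address that an outsider can forge buys nothing.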