The MPLS WG Archive

Security issue re draft-ietf-mpls-in-ip-or-gre-07
> Which is the scenario where you would use 1) GRE keying or 2) IPsec.
> Also, the attacker would also have to know/guess the IP
> source address used by the tunnel from the outside, and the
> neighboring AS would have to not filter spoofed packets. If
> there are multiple ASs along the path, this is indeed
> trickier -- but there is nothing to be done about that except
> adding IPsec or the like.
>

I think we are in agreement here, the text as it stands is fine, the additional requirement for checking the source address provides really no additional protection for even the most clueless attacker.

The text however should mention uRPF somewhere in the security section with a reference to BCP-38. And if one is doing uRPF is it "loose" mode or "strict" mode. BCP-38 only describes the "strict" mode.

And as far as GRE keying, I doubt that you can use that to assure the security of the packets especially in high speed implementations.

Regards,
Bora