The MPLS WG Archive

Security issue re draft-ietf-mpls-in-ip-or-gre-07
On Sun, 21 Mar 2004, Bora Akyol wrote:
> I think a more acceptable way to protect one's network is to enable
> uRPF (at least in some mode), AND also packet filtering
> based on the destination address network of your
> GRE tunnels at the edges of your network. With
> efficient use of subnets, for the GRE tunnel endpoint
> addresses, this can be handled by a small number
> of filter entries. Do not allow packets that terminate
> at your network elements
> from outside the network unless the peers or the traffic
> type is well known.
>
> Only after you have done all this, if as an option someone
> wants to enable src address checking, great.

Is there any particular reason why you're fixated on destination-based checking?

With source address based border checking, which you mention above and has already been extensively deployed today, and the src address decapsulation checking, you get full security. On top of that, destination-based checking does not give much (any?) extra security at all.

The question is what we expect to be deployed by the operators using these techniques. We can already expect that source-based border checking is deployed, because otherwise they'd be in for a LOT of trouble already. I see no evidence to suggest that we could expect destination-based checking to be commonplace; in other words, if we assume it is deployed, we'd be effectively creating a mechanism which leaves almost everybody open to attacks when they deploy GRE or IP-IP, unless they also simultaneously deploy proper destination-based checks.

> But if you have not done any of the above, and think
> that src address checking is buying you security,
> I think this is kind of like locking the door,
> but leaving the front windows of the house open.

*Only* doing source-based checking at the decapsulator gives you basic protection, but does not protect you from willful attackers. Against those you need source-based checking at the borders (e.g., strict uRPF or ACLs) -- but this is already deployed by pretty much every sane operator. That's very comprehensive protection.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
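As an added illustration of the layered model debated above (not code from the thread, the draft, or either author), here is a small Python model of the three checks: the strict-uRPF-style border source check, the optional border destination check on tunnel-endpoint addresses, and the decapsulator's own source check. The prefixes, endpoint addresses and peer list are constructed assumptions.

```python
"""Model of the layered filtering discussed in the thread. Constructed
example: the addresses below are documentation ranges, not a real network."""
from ipaddress import ip_address, ip_network

GRE, IPIP = 47, 4  # IP protocol numbers for GRE and IP-in-IP encapsulation

# Assumed topology: our own prefix, our tunnel endpoints, our configured peers.
INTERNAL = ip_network("192.0.2.0/24")
TUNNEL_ENDPOINTS = {ip_address("192.0.2.1"), ip_address("192.0.2.2")}
KNOWN_PEERS = {ip_address("198.51.100.7")}


def border_source_check(pkt):
    """Strict uRPF / ingress ACL at the edge: a packet arriving from outside
    must not carry a source address from our own prefix."""
    return ip_address(pkt["src"]) not in INTERNAL


def border_destination_check(pkt):
    """Optional edge rule from the quoted proposal: tunnel endpoints may be
    reached from outside only by configured peers sending tunnel traffic."""
    if ip_address(pkt["dst"]) not in TUNNEL_ENDPOINTS:
        return True
    return pkt["proto"] in (GRE, IPIP) and ip_address(pkt["src"]) in KNOWN_PEERS


def decapsulator_source_check(pkt):
    """At the endpoint: decapsulate only if the outer source is a known peer."""
    return pkt["proto"] in (GRE, IPIP) and ip_address(pkt["src"]) in KNOWN_PEERS


def admit(pkt, dest_check=False):
    """Run border checks on ingress, then the decapsulator check if the packet
    is addressed to one of our endpoints. Returns (accepted, reason)."""
    if not border_source_check(pkt):
        return False, "border: spoofed internal source"
    if dest_check and not border_destination_check(pkt):
        return False, "border: unknown source to tunnel endpoint"
    if ip_address(pkt["dst"]) in TUNNEL_ENDPOINTS:
        if not decapsulator_source_check(pkt):
            return False, "decap: source is not a configured peer"
        return True, "decap: accepted"
    return True, "forwarded"


# Constructed sample outer IP headers arriving on an external interface.
PACKETS = [
    {"src": "198.51.100.7", "dst": "192.0.2.1", "proto": GRE},  # legitimate peer
    {"src": "203.0.113.9", "dst": "192.0.2.1", "proto": GRE},   # unknown outsider
    {"src": "192.0.2.50", "dst": "192.0.2.1", "proto": GRE},    # spoofed internal src
    {"src": "203.0.113.9", "dst": "192.0.2.99", "proto": 6},    # ordinary TCP traffic
]

if __name__ == "__main__":
    for p in PACKETS:
        print(p["src"], "->", p["dst"], admit(p), admit(p, dest_check=True))
```

With the source checks alone, the outsider and the spoofed packet are both rejected; turning on the destination check changes only the stated reason, which is the point made in the reply.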