The MPLS WG Archive

Security issue re draft-ietf-mpls-in-ip-or-gre-07
>
> Is there any particular reason why you're fixated on destination
> -based checking? With source address based border checking,
> which you mention above and has already been extensively deployed
> today, and the src address decapsulation checking, you get full security.

Yes, very basic. Src address checking does very little to protect this particular scenario. A determined attacker would forge the source addresses.

>
> On top of that, destination-based checking does not give much (any?)
> extra security at all.
>
> The question is what we expect to be deployed by the
> operators using these techniques. We can already expect that
> source-based border checking is deployed, because otherwise
> they'd be in for a LOT of trouble already. I see no evidence
> to suggest that we could expect destination-based checking to
> be commonplace; in other words, if we assume it is deployed,
> we'd be effectively creating a mechanism which leaves almost
> everybody open to attacks when they deploy GRE or IP-IP,
> unless they also simultaneously deploy proper
> destination-based checks.
>
> > But if you have not done any of the above, and think
> > that src address checking is buying you security,
> > I think this is kind of like locking the door,
> > but leaving the front windows of the house open.
>
> *only* doing source-based checking at the decapsulator gives
> you basic protection, but does not protect you from willful
> attackers.
> Against those you need source-based checking at the borders
> (e.g., strict uRPF or ACLs) -- but this is already deployed
> by pretty much every sane operator. That's very comprehensive protection.
>

*only* doing source-based checking gives you very little protection. A determined attacker would forge the src address. If the traffic that is being protected is important, one would use IPSEC with IKE.
If you protect the destination addresses, for example allocated from a /20 and all loopbacks, at the border of your network (and probably with a single-line ACL), you buy a lot more protection than source address filtering does.

Bora
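As an added illustration that is not part of the thread, the following Python model compares the two policies argued above on constructed prefixes and packets (the 10.0.0.0/8 space, the 10.20.0.0/20 and loopback endpoint ranges, the border names and the antispoof flag are all assumptions): source checking at the border plus a peer check at the decapsulator versus a single border ACL that denies encapsulated packets (IP protocols 4 and 47) toward the decapsulator addresses.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology, not taken from the thread: the operator's own
# address space, the decapsulator addresses (a /20 plus loopbacks) and
# the outer IP protocol numbers used by MPLS-in-IP (4) and MPLS-in-GRE (47).
OWN_SPACE = [ip_network("10.0.0.0/8")]
ENDPOINTS = [ip_network("10.20.0.0/20"), ip_network("10.255.0.0/24")]
ENCAP_PROTOS = {4, 47}

@dataclass
class Packet:
    src: str                        # outer source address
    dst: str                        # outer destination address
    proto: int                      # outer IP protocol number
    ingress: str                    # "core" or the name of a border link
    border_antispoof: bool = True   # strict uRPF / ingress ACL on that link

def in_any(addr, nets):
    a = ip_address(addr)
    return any(a in n for n in nets)

def source_policy(p):
    """Source-based model: anti-spoof at the border, peer check at the decapsulator."""
    if p.proto not in ENCAP_PROTOS:
        return True                 # not a tunnel packet; nothing to decapsulate
    if p.ingress != "core" and p.border_antispoof and in_any(p.src, OWN_SPACE):
        return False                # forged internal source caught at a filtering border
    return in_any(p.src, ENDPOINTS)  # decapsulator accepts only known endpoints

def destination_policy(p):
    """Destination-based model: one border ACL denies encapsulated packets to endpoints."""
    if p.ingress != "core" and p.proto in ENCAP_PROTOS and in_any(p.dst, ENDPOINTS):
        return False                # decision does not depend on the (forgeable) source
    return True

def evaluate(p):
    return {"source_based": source_policy(p), "destination_based": destination_policy(p)}

# Constructed sample packets: a legitimate intra-domain tunnel packet, the same outer
# header arriving at a border with and without source filtering, and plain TCP.
SAMPLES = {
    "legit": Packet("10.20.1.1", "10.20.2.2", 47, "core"),
    "forged_filtered_border": Packet("10.20.1.1", "10.20.2.2", 47, "peer-a", True),
    "forged_unfiltered_border": Packet("10.20.1.1", "10.20.2.2", 47, "peer-b", False),
    "plain_tcp": Packet("203.0.113.9", "10.20.2.2", 6, "peer-a"),
}

def evaluate_all():
    return {name: evaluate(p) for name, p in SAMPLES.items()}
```

The forged packet at the border without source filtering is the case where only the destination-based ACL still drops it; the same ACL leaves ordinary traffic to those addresses untouched.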