The MPLS WG Archive
Subject: RE: Security issue re draft-ietf-mpls-in-ip-or-gre-07
From: Bora Akyol
> -----Original Message-----
> From: Pekka Savola [mailto:pekkas@netcore.fi]
> Sent: Monday, March 22, 2004 10:02 AM
> To: Bora Akyol
> Cc: erosen@cisco.com; mpls@UU.NET; zinin@psg.com; bwijnen@lucent.com
> Subject: RE: Security issue re draft-ietf-mpls-in-ip-or-gre-07
>
> On Mon, 22 Mar 2004, Bora Akyol wrote:
> > > Is there any particular reason why you're fixated on destination
> > > -based checking? With source address based border checking, which you
> > > mention above and has already been extensively deployed today, and the
> > > src address decapsulation checking, you get full security.
> >
> > Yes, very basic. Src address checking does very little to protect this
> > particular scenario. A determined attacker would forge the source
> > addresses.
>
> Read above again. I said "With source address based border
> checking [...]". That eliminates the threat of address
> forging to the extent it can be eliminated with
> destination-based checking as well.

I don't think so. The destination address is the only field in the IP header
that really matters. That is, if one forges the src address, that can be used
as a check, but that is about it. If one is doing destination address checks,
we are checking against the only field in the IP header that matters. In other
words, if the DA field is forged, do you really care? The attacker must set the
DA correctly so that they can inject packets into the MPLS LSP that terminates
at that router. This is precisely why source address checking is a weak form of
security whereas destination addr based filtering is not.

Regards,

Bora
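As an added illustration of the two checks being argued over in this thread (this is example code, not from the thread, the draft, or any vendor implementation): a small decapsulation-policy check for a tunnel egress router, written in Python over constructed packets. The endpoint address, peer prefixes, sample addresses (all from documentation ranges) and the DecapPolicy class are assumptions for the example; IP protocol 47 (GRE), IP protocol 137 (MPLS-in-IP) and GRE protocol type 0x8847 (MPLS unicast) are the real encapsulation values.

```python
import ipaddress
import struct

IPPROTO_GRE = 47            # GRE, carries MPLS-in-GRE
IPPROTO_MPLS_IN_IP = 137    # MPLS-in-IP encapsulation
ETHERTYPE_MPLS_UNICAST = 0x8847


def parse_ipv4(pkt: bytes) -> dict:
    """Extract proto/src/dst/payload from an IPv4 header; ValueError if malformed.
    The header checksum is not validated here (constructed samples carry 0)."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, _ident, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    return {"proto": proto,
            "src": ipaddress.IPv4Address(src),
            "dst": ipaddress.IPv4Address(dst),
            "payload": pkt[ihl:]}


class DecapPolicy:
    """Hypothetical decapsulation policy for a tunnel egress router."""

    def __init__(self, local_endpoints, allowed_peers):
        self.local_endpoints = {ipaddress.IPv4Address(a) for a in local_endpoints}
        self.allowed_peers = [ipaddress.IPv4Network(n) for n in allowed_peers]

    def check(self, pkt: bytes):
        try:
            hdr = parse_ipv4(pkt)
        except ValueError as err:
            return "drop", f"malformed: {err}"
        if hdr["proto"] not in (IPPROTO_GRE, IPPROTO_MPLS_IN_IP):
            return "drop", "not an MPLS-in-IP or MPLS-in-GRE packet"
        # Destination check: the packet must be addressed to a tunnel endpoint
        # this router actually terminates. Nothing in the header can be forged
        # to get around this; the packet has to carry this address to be
        # decapsulated into the LSP at all.
        if hdr["dst"] not in self.local_endpoints:
            return "drop", "destination is not a tunnel endpoint on this router"
        if hdr["proto"] == IPPROTO_GRE:
            payload = hdr["payload"]
            if len(payload) < 4:
                return "drop", "truncated GRE header"
            _flags, ptype = struct.unpack("!HH", payload[:4])
            if ptype != ETHERTYPE_MPLS_UNICAST:
                return "drop", "GRE payload is not MPLS"
        # Source check: only configured peers may feed this LSP. On its own it
        # is defeated by a forged source address, which is why the thread pairs
        # it with source-address filtering at the network border.
        if not any(hdr["src"] in net for net in self.allowed_peers):
            return "drop", "source is not a configured tunnel peer"
        return "accept", "decapsulate and forward by MPLS label"


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Constructed IPv4 packet for the samples (checksum left at 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def mpls_label_entry(label: int) -> bytes:
    """One MPLS label stack entry: label, TC=0, bottom-of-stack, TTL=64."""
    return struct.pack("!I", (label << 12) | (1 << 8) | 64)


def gre_mpls_payload(label: int, ptype: int = ETHERTYPE_MPLS_UNICAST) -> bytes:
    """GRE header with no options, followed by one MPLS label entry."""
    return struct.pack("!HH", 0, ptype) + mpls_label_entry(label)


def run_samples():
    """Run the policy over constructed packets; returns {name: (verdict, reason)}."""
    policy = DecapPolicy(local_endpoints=["192.0.2.1"],
                         allowed_peers=["192.0.2.0/24", "198.51.100.0/24"])
    samples = {
        "peer_to_endpoint": build_ipv4("198.51.100.7", "192.0.2.1", IPPROTO_GRE, gre_mpls_payload(100)),
        "wrong_destination": build_ipv4("198.51.100.7", "192.0.2.99", IPPROTO_GRE, gre_mpls_payload(100)),
        "forged_source": build_ipv4("203.0.113.5", "192.0.2.1", IPPROTO_GRE, gre_mpls_payload(100)),
        "gre_not_mpls": build_ipv4("198.51.100.7", "192.0.2.1", IPPROTO_GRE, gre_mpls_payload(100, 0x0800)),
        "mpls_in_ip": build_ipv4("192.0.2.40", "192.0.2.1", IPPROTO_MPLS_IN_IP, mpls_label_entry(100)),
    }
    return {name: policy.check(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in run_samples().items():
        print(f"{name:18} {verdict:6} {reason}")
```

The `wrong_destination` sample is the check Bora is describing: a packet not addressed to the LSP's terminating endpoint is never decapsulated, whatever its source says. The `forged_source` sample shows the limit of the source check on its own: it rejects an unexpected source, but a sender who forges a configured peer's address passes it, so the egress check has to rely on border filtering of forged sources upstream, which is Pekka's point.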