The MPLS WG Archive
Security issue re draft-ietf-mpls-in-ip-or-gre-07
On Mon, 22 Mar 2004, Bora Akyol wrote:
> > Is there any particular reason why you're fixated on destination
> > -based checking? With source address based border checking, which you
> > mention above and has already been extensively deployed today, and the
> > src address decapsulation checking, you get full security.
>
> Yes, very basic. Src address checking does very little to protect
> this particular scenario. A determined attacker would forge the
> source addresses.

Read above again. I said "With source address based border checking
[...]". That eliminates the threat of address forging to the extent it
can be eliminated with destination-based checking as well.

> > > But if you have not done any of the above, and think
> > > that src address checking is buying you security,
> > > I think this is kind of like locking the door,
> > > but leaving the front windows of the house open.
> >
> > *only* doing source-based checking at the decapsulator gives you
> > basic protection, but does not protect you from willful
> > attackers. Against those you need source-based checking at the
> > borders (e.g., strict uRPF or ACLs) -- but this is already
> > deployed by pretty much every sane operator. That's very
> > comprehensive protection.
>
> *only* doing source-based checking gives you very little protection.
> A determined attacker would forge the src address.

That's pretty close to what I said above.

> If you protect the destination addresses for example allocated from
> a /20 and all loopbacks, at the border of your network (and probably
> with a single line ACL), you buy a lot more protection than source
> address filtering does.

The amount of protection is a bit better (or roughly the same) with src
address decapsulation checking + src address edge checking (already
done) vs destination based edge checking.
The (in)feasibility of destination based edge checking, and whether it's
implemented or not, has already been discussed, so I don't go into that
in detail again. Needless to say that 1) such border checks are
non-trivial and not commonplace today, and 2) it is rather far-fetched
to assume all the ptp's and loopbacks are numbered from a single
aggregatable address block (w/ good design, this may be the case, but
networks are usually badly designed :).

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
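The three checks argued over in this thread, modelled as an added example (it is not part of the original message and not any router's configuration syntax): strict uRPF at the border, a destination-based border filter protecting the infrastructure block, and a decapsulator that accepts MPLS-in-IP/GRE packets only from configured tunnel peers. The addresses, interface names and peer list are constructed; the model shows that a forged-source tunnel packet arriving from a customer interface passes the decapsulator check on its own but is dropped once either border check is in place.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology (assumed, not from the thread): the operator's
# infrastructure block (loopbacks / tunnel endpoints), the tunnel peers the
# decapsulator is configured to accept, and a strict-uRPF table recording
# which source prefixes may legitimately arrive on each border interface.
INFRA_BLOCK = ipaddress.ip_network("192.0.2.0/24")
TUNNEL_PEERS = {ipaddress.ip_address("192.0.2.10"), ipaddress.ip_address("192.0.2.11")}
URPF_TABLE = {
    "customer1": [ipaddress.ip_network("203.0.113.0/24")],
    "core": [INFRA_BLOCK, ipaddress.ip_network("198.51.100.0/24")],
}
EXTERNAL_IFACES = {"customer1"}


@dataclass
class Packet:
    ingress: str  # border interface the outer IP packet arrived on
    src: str      # outer IP source address (claimed tunnel peer)
    dst: str      # outer IP destination, i.e. the would-be decapsulator


def border_src_check(pkt):
    """Strict uRPF / ingress ACL: the source must belong to the ingress interface."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in URPF_TABLE.get(pkt.ingress, []))


def border_dst_check(pkt):
    """Destination-based edge filter: nothing from outside may target INFRA_BLOCK."""
    return not (pkt.ingress in EXTERNAL_IFACES and ipaddress.ip_address(pkt.dst) in INFRA_BLOCK)


def decap_src_check(pkt):
    """Decapsulator check: accept tunnel packets only from configured peers."""
    return ipaddress.ip_address(pkt.src) in TUNNEL_PEERS


# The three deployment options discussed in the thread.
POLICIES = {
    "decap_only": [decap_src_check],
    "decap_plus_border_src": [border_src_check, decap_src_check],
    "border_dst": [border_dst_check],
}


def evaluate(pkt, policy):
    """Return the name of the first failing check, or None if the packet is accepted."""
    for check in POLICIES[policy]:
        if not check(pkt):
            return check.__name__
    return None
```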