The MPLS WG Archive


Security issue re draft-ietf-mpls-in-ip-or-gre-07

  • From: Yakov Rekhter <yakov@juniper.net>
  • Date: Mon, 22 Mar 2004 10:52:15 -0800
  • cc: Pekka Savola <pekkas@netcore.fi>, Bora Akyol <bora@cisco.com>, mpls@UU.NET, zinin@psg.com, bwijnen@lucent.com

Eric,

> > Destination address verification checks (disallow anything coming to
> > your routers) at the border, however, is something that is not as
> > simple
> 
> One thing you might be able to do is: 
> 
> - create a set of loopbacks from a particular address range, 
> 
> - a decapsulator doesn't accept encapsulated packets unless they are
>   destined for an address within that range
>
> - filter any packet entering the network from outside with a destination
>   address in that range.
> 
> > when in place, source-based decapsulator checks eliminate the threats
> > which can be eliminated 
> 
> Yes, but on the other hand: 
> 
> - possible performance implications
> 
> - presumption that some higher layer is signaling the allowable source
>   addresses 

Rather than this presumption, make sure that the decapsulator does not
accept encapsulated packets unless they are sourced from an address within
the address range that is used for loopbacks.

Yakov.
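The three checks discussed in this exchange, as an added example that is not part of the archived message or of the draft it discusses: a border ingress filter that drops externally originated packets addressed to the loopback range, and a decapsulator policy that accepts an encapsulated packet only when its outer destination (Eric's check) and its outer source (Yakov's addition) both fall in that range. The loopback prefix, the addresses, and the protocol set are constructed for the demonstration; the IP protocol numbers 4, 47 and 137 are the real ones for IP-in-IP, GRE and MPLS-in-IP.

```python
import ipaddress
import struct

# Constructed policy values (assumptions for this example, not from the thread):
# the prefix from which tunnel-endpoint loopbacks are allocated, and the IP
# protocol numbers that carry encapsulated traffic to the decapsulator.
LOOPBACK_RANGE = ipaddress.ip_network("192.0.2.0/24")
ENCAP_PROTOCOLS = {4: "IP-in-IP", 47: "GRE", 137: "MPLS-in-IP"}

# Minimal IPv4 outer header: version/IHL, TOS, total length, identification,
# flags/fragment offset, TTL, protocol, checksum, source, destination.
IPV4_HDR = "!BBHHHBBH4s4s"


def parse_outer_ipv4(packet: bytes):
    """Return (protocol, src, dst) from the outer IPv4 header of a packet."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    fields = struct.unpack(IPV4_HDR, packet[:20])
    ver_ihl, proto, src, dst = fields[0], fields[6], fields[8], fields[9]
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return proto, ipaddress.ip_address(src), ipaddress.ip_address(dst)


def border_filter(packet: bytes) -> str:
    """Ingress check at the network edge, applied to packets arriving from
    outside: nothing from outside may be addressed to the loopback range, so
    only internal routers can ever reach a decapsulator address."""
    _proto, _src, dst = parse_outer_ipv4(packet)
    return "drop" if dst in LOOPBACK_RANGE else "forward"


def decapsulator_check(packet: bytes, require_internal_source: bool = True) -> str:
    """Policy applied by a decapsulating router before it strips the outer
    header. The destination check is the one from the quoted proposal; the
    source check is the addition suggested in the reply, and replaces the
    need for a higher layer to signal allowable source addresses."""
    proto, src, dst = parse_outer_ipv4(packet)
    if proto not in ENCAP_PROTOCOLS:
        return "not-encapsulated"
    if dst not in LOOPBACK_RANGE:
        return "drop-dst"
    if require_internal_source and src not in LOOPBACK_RANGE:
        return "drop-src"
    return "decapsulate"


def build_outer_header(proto: int, src: str, dst: str, payload: bytes = b"") -> bytes:
    """Construct an outer IPv4 header (checksum left zero) for test traffic."""
    return struct.pack(
        IPV4_HDR, 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed,
    ) + payload


if __name__ == "__main__":
    # Constructed sample packets: an outside host aiming at a loopback, and an
    # internal router tunnelling MPLS-in-IP between two loopbacks.
    outside = build_outer_header(47, "203.0.113.9", "192.0.2.1", b"\x00" * 4)
    internal = build_outer_header(137, "192.0.2.7", "192.0.2.1", b"\x00" * 4)
    print("border:", border_filter(outside), border_filter(internal))
    print("decap :", decapsulator_check(outside), decapsulator_check(internal))
```

The border filter and the decapsulator source check are complementary: the edge ACL keeps outside traffic away from the loopback addresses, while the source check means an encapsulated packet is only honoured when it also claims to come from a router in that range, so a gap in edge filtering does not by itself give an outsider a path to inject traffic through the tunnel.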