The MPLS WG Archive

Cell Relay Retreat>MPLS WG Archive>month:2004-Mar> msg00099



[Date Prev][Date Next][Thread Prev][Thread Next]  
  [Date Index][Thread Index][Author Index][Subject Index]

Security issue re draft-ietf-mpls-in-ip-or-gre-07

  • From: "Bora Akyol" <bora@cisco.com>
  • Date: Mon, 22 Mar 2004 10:47:42 -0800
  • Cc: <erosen@cisco.com>, <mpls@UU.NET>, <zinin@psg.com>, <bwijnen@lucent.com>
  • Importance: Normal

For tunnels within a domain/AS, I think we are in agreement that you can
use multiple tunnels one of which is source address filtering.

I was more concerned with tunnels that are between administrative
domains
either in a single SP or between SPs.

Regards,

Bora


> -----Original Message-----
> From: Pekka Savola [mailto:pekkas@netcore.fi] 
> Sent: Monday, March 22, 2004 10:35 AM
> To: Bora Akyol
> Cc: erosen@cisco.com; mpls@UU.NET; zinin@psg.com; bwijnen@lucent.com
> Subject: RE: Security issue re draft-ietf-mpls-in-ip-or-gre-07
> 
> 
> On Mon, 22 Mar 2004, Bora Akyol wrote:
> > I don't think so, destination address is the only field in the IP 
> > header that really matters. That is, if one forges the src address 
> > that can be used as a check, but that is about it, if one is doing 
> > destination address checks, we are checking against the 
> only field in 
> > the ip header that matters. In other words, if the DA field 
> is forged, 
> > do you really care. The attacker must set the DA correctly so that 
> > they can inject packets into the MPLS LSP that terminates at that 
> > router.
> > 
> > This is precisely why source address checking is a weak form of 
> > security whereas destination addr based filtering is not.
> 
> I don't think you understand the context and the operational 
> assumption in which source based checking is performed.
> 
> Assume that you have network using prefix 1.1.0.0/16.  You 
> run IP/GRE tunneling internally.  At your borders, you check 
> that 1.1.0.0/16 is not used as a source address for packets 
> entering your network;  
> these kind of checks are already commonplace (and should be 
> more so).  
> At the IP/GRE decapsulator, you check that the source address 
> is the correct end-point address.
> 
> This results to a practically unspoofable IP/GRE when run it 
> internally, within 1.1.0.0/16.  When you run it over your 
> borders, this is trickier -- but the result is basically the 
> same as you'd have with destination based checking; you'll 
> have to ensure that (more or
> less) your peers and guys on the path are also doing some 
> form of filtering. (Destination based checking doesn't help 
> you at all here.)
> 
> -- 
> Pekka Savola                 "You each name yourselves king, yet the
> Netcore Oy                    kingdom bleeds."
> Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
>