The MPLS WG Archive

Security issue re draft-ietf-mpls-in-ip-or-gre-07
On Mon, 22 Mar 2004, Bora Akyol wrote:
> I was more concerned with tunnels that are between administrative
> domains either in a single SP or between SPs.

Right -- but again, destination based checking provides no better security in this aspect (actually worse) -- because you WILL have to pass through a few destination addresses for these multi-domain tunnels to work. And then the only way to protect against packet injection would be IPsec/GRE keying or additional source address based filtering in quite a few other places as well.

Really, not that much different from multi-domain source address based border checking + src decapsulation checking.. except the src border checking is something that you want to do anyway.

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings