IETF Logo Mail Archive

Re: L2vpn Digest, Vol 98, Issue 6

"Rogers, Josh" <josh.rogers@twcable.com> Mon, 09 July 2012 14:21 UTC

Return-Path: <josh.rogers@twcable.com>
X-Original-To: l2vpn@ietfa.amsl.com
Delivered-To: l2vpn@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A571F11E8083 for <l2vpn@ietfa.amsl.com>; Mon, 9 Jul 2012 07:21:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.663
X-Spam-Level:
X-Spam-Status: No, score=-0.663 tagged_above=-999 required=5 tests=[AWL=0.800, BAYES_00=-2.599, HELO_EQ_MODEMCABLE=0.768, HOST_EQ_MODEMCABLE=1.368, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zwiMmzSzsGvs for <l2vpn@ietfa.amsl.com>; Mon, 9 Jul 2012 07:21:57 -0700 (PDT)
Received: from cdpipgw01.twcable.com (cdpipgw01.twcable.com [165.237.59.22]) by ietfa.amsl.com (Postfix) with ESMTP id 5679011E8079 for <l2vpn@ietf.org>; Mon, 9 Jul 2012 07:21:56 -0700 (PDT)
X-SENDER-IP: 10.136.163.15
X-SENDER-REPUTATION: None
X-IronPort-AV: E=Sophos;i="4.77,552,1336363200"; d="scan'208";a="407071452"
Received: from unknown (HELO PRVPEXHUB06.corp.twcable.com) ([10.136.163.15]) by cdpipgw01.twcable.com with ESMTP/TLS/RC4-MD5; 09 Jul 2012 10:21:14 -0400
Received: from PRVPEXVS08.corp.twcable.com ([10.136.163.36]) by PRVPEXHUB06.corp.twcable.com ([10.136.163.15]) with mapi; Mon, 9 Jul 2012 10:21:33 -0400
From: "Rogers, Josh" <josh.rogers@twcable.com>
To: balaji venkat Venkataswami <balajivenkat299@gmail.com>, "l2vpn@ietf.org" <l2vpn@ietf.org>, "robert@raszuk.net" <robert@raszuk.net>
Date: Mon, 09 Jul 2012 10:21:34 -0400
Subject: Re: L2vpn Digest, Vol 98, Issue 6
Thread-Topic: L2vpn Digest, Vol 98, Issue 6
Thread-Index: Ac1d3iOdDjelgaQmQ8+qv1VIhIuU5w==
Message-ID: <CC2051BD.9402%josh.rogers@twcable.com>
In-Reply-To: <CC1F2A48.5CB9%balajivenkat299@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.2.2.120421
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-2"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: Shankar Raman M J <mjsraman@gmail.com>, Bhargav Bhikkaji <bharbhi@gmail.com>
X-BeenThere: l2vpn@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: <l2vpn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/l2vpn>, <mailto:l2vpn-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/l2vpn>
List-Post: <mailto:l2vpn@ietf.org>
List-Help: <mailto:l2vpn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/l2vpn>, <mailto:l2vpn-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Jul 2012 14:21:57 -0000

While I don't necessarily agree with this draft's approach ("security
through obscurity" comes to mind), I'd like to point out that I do see a
need to assuage concerns about using Option C between operators.  In my
part of the world, when I propose Option C to other operators, often the
idea is met with concern/resistance, seemingly because the other operator
has not done it before.  Even internally, many of my colleagues are
concerned about security and the trust model in general.  It appears to
me, to be no different than any other IP peering relationship, which
requires some basic 'trust', albeit not implicit trust.

I think Robert's suggestion of leveraging encryption is a more ironclad
and reasonable solution to the problems presented here.  However, I'd
still like to see an informative 'best practices' document at some point
that covered some basic policies that should be followed when peering with
another ISP for LxVPN exchange.

-Josh



On 7/8/12 1:46 AM, "balaji venkat Venkataswami"
<balajivenkat299@gmail.com> wrote:

>Dear Robert,
>
>As mentioned in the earlier mail the following restriction is imposed on
>the
>Model C deploymentŠ
>
>The consequence of this is that in model C the service providers must
>trust each other also in areas that are not shared. Therefore, model C is
>most commonly used today where a single operator uses several ASs on the
>backbone. In this case, implicit trust exists between the ASs because they
>have the same operational control.
>
>
>In order to stretch this scheme to other Ases under different admin
>control this scheme helps out.
>
>Thanks and regards,
>Balaji venkat
>
>On 08/07/12 12:30 AM, "l2vpn-request@ietf.org" <l2vpn-request@ietf.org>
>wrote:
>
>>If you have received this digest without all the individual message
>>attachments you will need to update your digest options in your list
>>subscription.  To do so, go to
>>
>>https://www.ietf.org/mailman/listinfo/l2vpn
>>
>>Click the 'Unsubscribe or edit options' button, log in, and set "Get
>>MIME or Plain Text Digests?" to MIME.  You can set this option
>>globally for all the list digests you receive at this point.
>>
>>
>>
>>Send L2vpn mailing list submissions to
>>      l2vpn@ietf.org
>>
>>To subscribe or unsubscribe via the World Wide Web, visit
>>      https://www.ietf.org/mailman/listinfo/l2vpn
>>or, via email, send a message with subject or body 'help' to
>>      l2vpn-request@ietf.org
>>
>>You can reach the person managing the list at
>>      l2vpn-owner@ietf.org
>>
>>When replying, please edit your Subject line so it is more specific
>>than "Re: Contents of L2vpn digest..."
>>
>>
>>Today's Topics:
>>
>>   1. draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00.txt ...
>>      (Robert Raszuk)
>>
>>
>>----------------------------------------------------------------------
>>
>>Message: 1
>>Date: Sat, 07 Jul 2012 14:39:56 +0200
>>From: Robert Raszuk <robert@raszuk.net>
>>To: "l2vpn@ietf.org" <l2vpn@ietf.org>
>>Subject: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00.txt ...
>>Message-ID: <4FF82E1C.6000009@raszuk.net>
>>Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>>
>>
>>I have read the draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00.txt.
>>
>>It proposed an interesting solution to apply algorithmically computed
>>VPN lable (for L2VPNs, but also possible for L3VPN) where inter-as
>>option C is used.
>>
>>However I have a fundamental question .. from who the draft is
>>protecting the inter-as service ?
>>
>>Who other then participating ISPs can spoof a value of VPN label ? If
>>the solution is protecting from ISPs itself then I think it does not
>>help at all as corresponding ISPs/SPs still have full access to their
>>PEs and could inject packets to VPN sites at will.
>>
>>Moreover main issue with option C is not security (at least for the last
>>10+ years). Main issue with option C and MPLS is that participating
>>providers need to inject into each other's network all of their
>>participating PE's /32 addresses so the end to end MPLS LSP can be
>>build. Originally that was recommended to be done by mutual
>>redistribution to the IGP .. now the general recommendation is to use
>>labeled BGP (both IBGP and EBGP).
>>
>>So fundamental question to the authors ... who is the potential
>>attacker/spoofer this draft is aiming to protect from ?
>>
>>Best regards,
>>R.
>>
>>
>>
>>
>>
>>------------------------------
>>
>>_______________________________________________
>>L2vpn mailing list
>>L2vpn@ietf.org
>>https://www.ietf.org/mailman/listinfo/l2vpn
>>
>>
>>End of L2vpn Digest, Vol 98, Issue 6
>>************************************
>
>


This E-mail and any of its attachments may contain Time Warner Cable proprietary information, which is privileged, confidential, or subject to copyright belonging to Time Warner Cable. This E-mail is intended solely for the use of the individual or entity to which it is addressed. If you are not the intended recipient of this E-mail, you are hereby notified that any dissemination, distribution, copying, or action taken in relation to the contents of and attachments to this E-mail is strictly prohibited and may be unlawful. If you have received this E-mail in error, please notify the sender immediately and permanently delete the original and any copy of this E-mail and any printout.

v2.23.0 | Report a Bug | By Email