IETF Logo Mail Archive

Re: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00.txt ...

Robert Raszuk <robert@raszuk.net> Mon, 09 July 2012 08:59 UTC

Return-Path: <robert@raszuk.net>
X-Original-To: l2vpn@ietfa.amsl.com
Delivered-To: l2vpn@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B06BB21F8804 for <l2vpn@ietfa.amsl.com>; Mon, 9 Jul 2012 01:59:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.249
X-Spam-Level:
X-Spam-Status: No, score=-2.249 tagged_above=-999 required=5 tests=[AWL=-0.250, BAYES_00=-2.599, J_CHICKENPOX_13=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DGkisHKHuNzY for <l2vpn@ietfa.amsl.com>; Mon, 9 Jul 2012 01:59:26 -0700 (PDT)
Received: from mail1310.opentransfer.com (mail1310.opentransfer.com [76.162.254.103]) by ietfa.amsl.com (Postfix) with ESMTP id DF4A921F8803 for <l2vpn@ietf.org>; Mon, 9 Jul 2012 01:59:25 -0700 (PDT)
Received: (qmail 18654 invoked by uid 399); 9 Jul 2012 08:59:48 -0000
Received: from unknown (HELO ?192.168.1.58?) (pbs:robert@raszuk.net@83.9.209.219) by mail1310.opentransfer.com with ESMTPM; 9 Jul 2012 08:59:48 -0000
X-Originating-IP: 83.9.209.219
Message-ID: <4FFA9D82.8090307@raszuk.net>
Date: Mon, 09 Jul 2012 10:59:46 +0200
From: Robert Raszuk <robert@raszuk.net>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20120614 Thunderbird/13.0.1
MIME-Version: 1.0
To: Balaji venkat Venkataswami <balajivenkat299@gmail.com>
Subject: Re: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00.txt ...
References: <CC1F6CF4.CA9C%balajivenkat299@gmail.com> <4FF9C9FA.2080902@raszuk.net> <CAHF4apPkRhXSE4DsURnbvFp2r5DL=6S_yGFRxWWQ-Z2N8sYHiQ@mail.gmail.com>
In-Reply-To: <CAHF4apPkRhXSE4DsURnbvFp2r5DL=6S_yGFRxWWQ-Z2N8sYHiQ@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: l2vpn@ietf.org, Shankar Raman M J <mjsraman@gmail.com>, Bhargav Bhikkaji <bharbhi@gmail.com>
X-BeenThere: l2vpn@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: robert@raszuk.net
List-Id: <l2vpn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/l2vpn>, <mailto:l2vpn-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/l2vpn>
List-Post: <mailto:l2vpn@ietf.org>
List-Help: <mailto:l2vpn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/l2vpn>, <mailto:l2vpn-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Jul 2012 08:59:26 -0000

Balaji,

Many thx for clearly describing your target.

I am of the opinion that your scheme does not protect from compromised 
ASBR as once hacker has control of the ASBR he can instantiate any vrf 
locally and inject data from the ASBR itself into any VPN using your 
scheme.

For the link between ASBR yes you have a valid point. But note that over 
this link both ISPs exchange their precious infrastructure routes 
(addresses and labels to reach PEs) which if compromised can cause much 
more harm then injecting some packets into a VPN.

Therefor for the case of ASBR to ASBR link being compromized I would 
much more see local link level security (ex: encryption) for both data 
and control planes rather then change of the VPN label allocation scheme 
in both L3VPN networks.

Your scheme just makes the guess harder not that it eliminates the 
attacks. From the point of view of compromised inter-as link an attacker 
can sweep the VPN label range and still find the matching ones for some 
duration of time.

Also I have a different question ...

In each ISP there are 100s of PEs participating in given VPN and perhaps 
very few ASBRs with option C.

Each PE iBGP peers with RR and advertised the VPN label. RR is 
advertising this label to other PEs in a given ISP domain as well as 
over eBGP multihop other RRs in other option C domian.

Are you envisioning in your scheme direct BGP sessions between all 
participating in option C PEs ? Are you envisioning PTP full mesh 
between all PEs in all domains ? How PE if he has today a single IBGP 
session to vpnv4 RR is going to differentiate between VPN labels he want 
to advertise locally within his domain (as today) and those which would 
be used for Inter-AS option C ?


Thx,
R.

> Dear Robert,
>
> We talking about the ASBRs between the two or more ISP networks.
>
> Consider the situation that the network / networks between the ASBRs is
> compromised or the ASBR itself is compromised then this scheme would apply.
>
> In the case of Model-C the ASBR bordering the ISP networks does not
> validate the inner label as it would in the case of Option A and B.
>
> (PE)----(ISP core network 1) ---->(ASBR1) -------(ASBR2)------(ISP core
> network 2)----(PE)
>
> The above simple case shows that in the Model C the ASBR would not
> validate the inner label and hence it is susceptible to spoofing
> attacks/ unidirectional attacks etc...
>
> This is the situation that we are guarding against.
>
> Hope this helps.
>
> thanks and regards,
> balaji venkat
>
> On Sun, Jul 8, 2012 at 11:27 PM, Robert Raszuk <robert@raszuk.net
> <mailto:robert@raszuk.net>> wrote:
>
>
>         We do not bring into account or
>         Consider the case where the label injection is happening from
>         the Ces if
>         hackers are behind such a CE.
>
>
>     If the hacker is not behind the CE where is it ?
>
>     Are you saying that peering ISP itself will attack his partner's ISP
>     VPNs ? It can still do it at will if the PE which attaches the VPN
>     sites are compromised.
>
>     Are you saying that your VPN label would not be see by any cli and
>     show commands of the end to end participating PEs ? Then this is non
>     starter IMHO.
>
>     r.
>
>

v2.23.0 | Report a Bug | By Email