Re: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00.txt ...
Robert Raszuk <robert@raszuk.net> Mon, 09 July 2012 08:59 UTC
Return-Path: <robert@raszuk.net>
X-Original-To: l2vpn@ietfa.amsl.com
Delivered-To: l2vpn@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B06BB21F8804 for <l2vpn@ietfa.amsl.com>; Mon, 9 Jul 2012 01:59:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.249
X-Spam-Level:
X-Spam-Status: No, score=-2.249 tagged_above=-999 required=5 tests=[AWL=-0.250, BAYES_00=-2.599, J_CHICKENPOX_13=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DGkisHKHuNzY for <l2vpn@ietfa.amsl.com>; Mon, 9 Jul 2012 01:59:26 -0700 (PDT)
Received: from mail1310.opentransfer.com (mail1310.opentransfer.com [76.162.254.103]) by ietfa.amsl.com (Postfix) with ESMTP id DF4A921F8803 for <l2vpn@ietf.org>; Mon, 9 Jul 2012 01:59:25 -0700 (PDT)
Received: (qmail 18654 invoked by uid 399); 9 Jul 2012 08:59:48 -0000
Received: from unknown (HELO ?192.168.1.58?) (pbs:robert@raszuk.net@83.9.209.219) by mail1310.opentransfer.com with ESMTPM; 9 Jul 2012 08:59:48 -0000
X-Originating-IP: 83.9.209.219
Message-ID: <4FFA9D82.8090307@raszuk.net>
Date: Mon, 09 Jul 2012 10:59:46 +0200
From: Robert Raszuk <robert@raszuk.net>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20120614 Thunderbird/13.0.1
MIME-Version: 1.0
To: Balaji venkat Venkataswami <balajivenkat299@gmail.com>
Subject: Re: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00.txt ...
References: <CC1F6CF4.CA9C%balajivenkat299@gmail.com> <4FF9C9FA.2080902@raszuk.net> <CAHF4apPkRhXSE4DsURnbvFp2r5DL=6S_yGFRxWWQ-Z2N8sYHiQ@mail.gmail.com>
In-Reply-To: <CAHF4apPkRhXSE4DsURnbvFp2r5DL=6S_yGFRxWWQ-Z2N8sYHiQ@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: l2vpn@ietf.org, Shankar Raman M J <mjsraman@gmail.com>, Bhargav Bhikkaji <bharbhi@gmail.com>
X-BeenThere: l2vpn@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: robert@raszuk.net
List-Id: <l2vpn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/l2vpn>, <mailto:l2vpn-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/l2vpn>
List-Post: <mailto:l2vpn@ietf.org>
List-Help: <mailto:l2vpn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/l2vpn>, <mailto:l2vpn-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Jul 2012 08:59:26 -0000
Balaji, Many thx for clearly describing your target. I am of the opinion that your scheme does not protect from compromised ASBR as once hacker has control of the ASBR he can instantiate any vrf locally and inject data from the ASBR itself into any VPN using your scheme. For the link between ASBR yes you have a valid point. But note that over this link both ISPs exchange their precious infrastructure routes (addresses and labels to reach PEs) which if compromised can cause much more harm then injecting some packets into a VPN. Therefor for the case of ASBR to ASBR link being compromized I would much more see local link level security (ex: encryption) for both data and control planes rather then change of the VPN label allocation scheme in both L3VPN networks. Your scheme just makes the guess harder not that it eliminates the attacks. From the point of view of compromised inter-as link an attacker can sweep the VPN label range and still find the matching ones for some duration of time. Also I have a different question ... In each ISP there are 100s of PEs participating in given VPN and perhaps very few ASBRs with option C. Each PE iBGP peers with RR and advertised the VPN label. RR is advertising this label to other PEs in a given ISP domain as well as over eBGP multihop other RRs in other option C domian. Are you envisioning in your scheme direct BGP sessions between all participating in option C PEs ? Are you envisioning PTP full mesh between all PEs in all domains ? How PE if he has today a single IBGP session to vpnv4 RR is going to differentiate between VPN labels he want to advertise locally within his domain (as today) and those which would be used for Inter-AS option C ? Thx, R. > Dear Robert, > > We talking about the ASBRs between the two or more ISP networks. > > Consider the situation that the network / networks between the ASBRs is > compromised or the ASBR itself is compromised then this scheme would apply. > > In the case of Model-C the ASBR bordering the ISP networks does not > validate the inner label as it would in the case of Option A and B. > > (PE)----(ISP core network 1) ---->(ASBR1) -------(ASBR2)------(ISP core > network 2)----(PE) > > The above simple case shows that in the Model C the ASBR would not > validate the inner label and hence it is susceptible to spoofing > attacks/ unidirectional attacks etc... > > This is the situation that we are guarding against. > > Hope this helps. > > thanks and regards, > balaji venkat > > On Sun, Jul 8, 2012 at 11:27 PM, Robert Raszuk <robert@raszuk.net > <mailto:robert@raszuk.net>> wrote: > > > We do not bring into account or > Consider the case where the label injection is happening from > the Ces if > hackers are behind such a CE. > > > If the hacker is not behind the CE where is it ? > > Are you saying that peering ISP itself will attack his partner's ISP > VPNs ? It can still do it at will if the PE which attaches the VPN > sites are compromised. > > Are you saying that your VPN label would not be see by any cli and > show commands of the end to end participating PEs ? Then this is non > starter IMHO. > > r. > >
- Re: L2vpn Digest, Vol 98, Issue 6 balaji venkat Venkataswami
- Re: L2vpn Digest, Vol 98, Issue 6 balaji venkat Venkataswami
- Re: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Robert Raszuk
- Re: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… balaji venkat Venkataswami
- Re: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Robert Raszuk
- Re: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Balaji venkat Venkataswami
- RE: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Tal Mizrahi
- Re: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Robert Raszuk
- Re: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Balaji venkat Venkataswami
- RE: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… UTTARO, JAMES
- Re: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Balaji venkat Venkataswami
- Re: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Robert Raszuk
- Re: L2vpn Digest, Vol 98, Issue 6 Rogers, Josh
- RE: L2vpn Digest, Vol 98, Issue 6 UTTARO, JAMES
- Re: L2vpn Digest, Vol 98, Issue 6 Rogers, Josh
- Re: L2vpn Digest, Vol 98, Issue 6 Balaji venkat Venkataswami
- Re: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Balaji venkat Venkataswami
- Re: L2vpn Digest, Vol 98, Issue 6 Robert Raszuk
- Re: L2vpn Digest, Vol 98, Issue 6 Balaji venkat Venkataswami
- Re: L2vpn Digest, Vol 98, Issue 6 Robert Raszuk
- Re: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Greg Mirsky
- RE: L2vpn Digest, Vol 98, Issue 6 UTTARO, JAMES
- RE: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Tal Mizrahi
- RE: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Bhargav Bhikkaji
- RE: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Gregory Mirsky
- RE: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Bhargav Bhikkaji
- Re: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Stewart Bryant