IETF Logo Mail Archive

RE: L2vpn Digest, Vol 98, Issue 6

"UTTARO, JAMES" <ju1738@att.com> Mon, 09 July 2012 14:35 UTC

Return-Path: <ju1738@att.com>
X-Original-To: l2vpn@ietfa.amsl.com
Delivered-To: l2vpn@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED87611E8099 for <l2vpn@ietfa.amsl.com>; Mon, 9 Jul 2012 07:35:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.309
X-Spam-Level:
X-Spam-Status: No, score=-106.309 tagged_above=-999 required=5 tests=[AWL=0.290, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a5JBN50vn5S9 for <l2vpn@ietfa.amsl.com>; Mon, 9 Jul 2012 07:35:41 -0700 (PDT)
Received: from nbfkord-smmo05.seg.att.com (nbfkord-smmo05.seg.att.com [209.65.160.92]) by ietfa.amsl.com (Postfix) with ESMTP id DB5A211E808F for <l2vpn@ietf.org>; Mon, 9 Jul 2012 07:35:40 -0700 (PDT)
Received: from unknown [144.160.128.153] (EHLO nbfkord-smmo05.seg.att.com) by nbfkord-smmo05.seg.att.com(mxl_mta-6.11.0-10) with ESMTP id 65ceaff4.74fc0940.207638.00-586.546899.nbfkord-smmo05.seg.att.com (envelope-from <ju1738@att.com>); Mon, 09 Jul 2012 14:36:06 +0000 (UTC)
X-MXL-Hash: 4ffaec56132176b4-a2053a29ca1e2fdd19961adf3501066d2ad1ad11
Received: from unknown [144.160.128.153] (EHLO flpi408.enaf.ffdc.sbc.com) by nbfkord-smmo05.seg.att.com(mxl_mta-6.11.0-10) over TLS secured channel with ESMTP id e4ceaff4.0.207612.00-491.546817.nbfkord-smmo05.seg.att.com (envelope-from <ju1738@att.com>); Mon, 09 Jul 2012 14:35:59 +0000 (UTC)
X-MXL-Hash: 4ffaec4f3629999b-38561b0caf79031bd01e24946ab86493c40feeef
Received: from enaf.ffdc.sbc.com (localhost.localdomain [127.0.0.1]) by flpi408.enaf.ffdc.sbc.com (8.14.5/8.14.5) with ESMTP id q69EZuaw005842; Mon, 9 Jul 2012 07:35:58 -0700
Received: from fflint03.pst.cso.att.com (fflint03.pst.cso.att.com [150.234.39.63]) by flpi408.enaf.ffdc.sbc.com (8.14.5/8.14.5) with ESMTP id q69EZq1W005755 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 9 Jul 2012 07:35:54 -0700
Received: from MISOUT7MSGHUB9C.ITServices.sbc.com (misout7msghub9c.itservices.sbc.com [144.151.223.82]) by fflint03.pst.cso.att.com (RSA Interceptor); Mon, 9 Jul 2012 07:35:33 -0700
Received: from MISOUT7MSGUSR9I.ITServices.sbc.com ([144.151.223.56]) by MISOUT7MSGHUB9C.ITServices.sbc.com ([144.151.223.82]) with mapi id 14.02.0298.004; Mon, 9 Jul 2012 10:35:32 -0400
From: "UTTARO, JAMES" <ju1738@att.com>
To: "'Rogers, Josh'" <josh.rogers@twcable.com>, balaji venkat Venkataswami <balajivenkat299@gmail.com>, "l2vpn@ietf.org" <l2vpn@ietf.org>, "robert@raszuk.net" <robert@raszuk.net>
Subject: RE: L2vpn Digest, Vol 98, Issue 6
Thread-Topic: L2vpn Digest, Vol 98, Issue 6
Thread-Index: Ac1d3iOdVst3wH8vN0uvsrGUCI9bogAAKKdg
Date: Mon, 09 Jul 2012 14:35:31 +0000
Message-ID: <B17A6910EEDD1F45980687268941550FB32995@MISOUT7MSGUSR9I.ITServices.sbc.com>
References: <CC1F2A48.5CB9%balajivenkat299@gmail.com> <CC2051BD.9402%josh.rogers@twcable.com>
In-Reply-To: <CC2051BD.9402%josh.rogers@twcable.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [135.70.155.252]
Content-Type: text/plain; charset="iso-8859-2"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-RSA-Inspected: yes
X-RSA-Classifications: public
X-Spam: [F=0.2000000000; CM=0.500; S=0.200(2010122901)]
X-MAIL-FROM: <ju1738@att.com>
X-SOURCE-IP: [144.160.128.153]
X-AnalysisOut: [v=1.0 c=1 a=gE9O8Arr410A:10 a=9xHMEmg6Re4A:10 a=ofMgfj31e3]
X-AnalysisOut: [cA:10 a=BLceEmwcHowA:10 a=-CRmgG0JhlAA:10 a=xwOvzTHDVLE4u4]
X-AnalysisOut: [nGvK72ag==:17 a=48vgC7mUAAAA:8 a=2clOPd4PAAAA:8 a=pGLkceIS]
X-AnalysisOut: [AAAA:8 a=NHGU_W0H71IkOvVAKAEA:9 a=jiObf9B0YAUA:10 a=lZB815]
X-AnalysisOut: [dzVvQA:10 a=bDUki_mJ7DgA:10 a=MSl-tDqOz04A:10 a=19j6LRxnqm]
X-AnalysisOut: [wKp53E:21 a=X__jf8Lwdhm1_Zpx:21]
Cc: Shankar Raman M J <mjsraman@gmail.com>, Bhargav Bhikkaji <bharbhi@gmail.com>
X-BeenThere: l2vpn@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: <l2vpn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/l2vpn>, <mailto:l2vpn-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/l2vpn>
List-Post: <mailto:l2vpn@ietf.org>
List-Help: <mailto:l2vpn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/l2vpn>, <mailto:l2vpn-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Jul 2012 14:35:42 -0000

Josh,

	Yes quite leery of building an Option C solution to other providers for a number of reasons including trust, security but also others i.e RT Mapping, Scale, Protected Infrastructure available to others, IGP Scale ( # of LBs ), Pri/Back Selection of ASBR, attack on the PEs, etc... Actually the more sophisticated the Option C solution the more alignment and possible risk. 

I understand the ask that this draft is attempting to meet, but does it make sense to do this without addressing the other facets of building an Option C solution between different ISPs..

Jim Uttaro




-----Original Message-----
From: l2vpn-bounces@ietf.org [mailto:l2vpn-bounces@ietf.org] On Behalf Of Rogers, Josh
Sent: Monday, July 09, 2012 10:22 AM
To: balaji venkat Venkataswami; l2vpn@ietf.org; robert@raszuk.net
Cc: Shankar Raman M J; Bhargav Bhikkaji
Subject: Re: L2vpn Digest, Vol 98, Issue 6

While I don't necessarily agree with this draft's approach ("security
through obscurity" comes to mind), I'd like to point out that I do see a
need to assuage concerns about using Option C between operators.  In my
part of the world, when I propose Option C to other operators, often the
idea is met with concern/resistance, seemingly because the other operator
has not done it before.  Even internally, many of my colleagues are
concerned about security and the trust model in general.  It appears to
me, to be no different than any other IP peering relationship, which
requires some basic 'trust', albeit not implicit trust.

I think Robert's suggestion of leveraging encryption is a more ironclad
and reasonable solution to the problems presented here.  However, I'd
still like to see an informative 'best practices' document at some point
that covered some basic policies that should be followed when peering with
another ISP for LxVPN exchange.

-Josh



On 7/8/12 1:46 AM, "balaji venkat Venkataswami"
<balajivenkat299@gmail.com> wrote:

>Dear Robert,
>
>As mentioned in the earlier mail the following restriction is imposed on
>the
>Model C deploymentŠ
>
>The consequence of this is that in model C the service providers must
>trust each other also in areas that are not shared. Therefore, model C is
>most commonly used today where a single operator uses several ASs on the
>backbone. In this case, implicit trust exists between the ASs because they
>have the same operational control.
>
>
>In order to stretch this scheme to other Ases under different admin
>control this scheme helps out.
>
>Thanks and regards,
>Balaji venkat
>
>On 08/07/12 12:30 AM, "l2vpn-request@ietf.org" <l2vpn-request@ietf.org>
>wrote:
>
>>If you have received this digest without all the individual message
>>attachments you will need to update your digest options in your list
>>subscription.  To do so, go to
>>
>>https://www.ietf.org/mailman/listinfo/l2vpn
>>
>>Click the 'Unsubscribe or edit options' button, log in, and set "Get
>>MIME or Plain Text Digests?" to MIME.  You can set this option
>>globally for all the list digests you receive at this point.
>>
>>
>>
>>Send L2vpn mailing list submissions to
>>      l2vpn@ietf.org
>>
>>To subscribe or unsubscribe via the World Wide Web, visit
>>      https://www.ietf.org/mailman/listinfo/l2vpn
>>or, via email, send a message with subject or body 'help' to
>>      l2vpn-request@ietf.org
>>
>>You can reach the person managing the list at
>>      l2vpn-owner@ietf.org
>>
>>When replying, please edit your Subject line so it is more specific
>>than "Re: Contents of L2vpn digest..."
>>
>>
>>Today's Topics:
>>
>>   1. draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00.txt ...
>>      (Robert Raszuk)
>>
>>
>>----------------------------------------------------------------------
>>
>>Message: 1
>>Date: Sat, 07 Jul 2012 14:39:56 +0200
>>From: Robert Raszuk <robert@raszuk.net>
>>To: "l2vpn@ietf.org" <l2vpn@ietf.org>
>>Subject: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00.txt ...
>>Message-ID: <4FF82E1C.6000009@raszuk.net>
>>Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>>
>>
>>I have read the draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00.txt.
>>
>>It proposed an interesting solution to apply algorithmically computed
>>VPN lable (for L2VPNs, but also possible for L3VPN) where inter-as
>>option C is used.
>>
>>However I have a fundamental question .. from who the draft is
>>protecting the inter-as service ?
>>
>>Who other then participating ISPs can spoof a value of VPN label ? If
>>the solution is protecting from ISPs itself then I think it does not
>>help at all as corresponding ISPs/SPs still have full access to their
>>PEs and could inject packets to VPN sites at will.
>>
>>Moreover main issue with option C is not security (at least for the last
>>10+ years). Main issue with option C and MPLS is that participating
>>providers need to inject into each other's network all of their
>>participating PE's /32 addresses so the end to end MPLS LSP can be
>>build. Originally that was recommended to be done by mutual
>>redistribution to the IGP .. now the general recommendation is to use
>>labeled BGP (both IBGP and EBGP).
>>
>>So fundamental question to the authors ... who is the potential
>>attacker/spoofer this draft is aiming to protect from ?
>>
>>Best regards,
>>R.
>>
>>
>>
>>
>>
>>------------------------------
>>
>>_______________________________________________
>>L2vpn mailing list
>>L2vpn@ietf.org
>>https://www.ietf.org/mailman/listinfo/l2vpn
>>
>>
>>End of L2vpn Digest, Vol 98, Issue 6
>>************************************
>
>


This E-mail and any of its attachments may contain Time Warner Cable proprietary information, which is privileged, confidential, or subject to copyright belonging to Time Warner Cable. This E-mail is intended solely for the use of the individual or entity to which it is addressed. If you are not the intended recipient of this E-mail, you are hereby notified that any dissemination, distribution, copying, or action taken in relation to the contents of and attachments to this E-mail is strictly prohibited and may be unlawful. If you have received this E-mail in error, please notify the sender immediately and permanently delete the original and any copy of this E-mail and any printout.

v2.23.0 | Report a Bug | By Email