Re: L2vpn Digest, Vol 98, Issue 6
balaji venkat Venkataswami <balajivenkat299@gmail.com> Sun, 08 July 2012 05:25 UTC
Return-Path: <balajivenkat299@gmail.com>
X-Original-To: l2vpn@ietfa.amsl.com
Delivered-To: l2vpn@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DBBB121F867B for <l2vpn@ietfa.amsl.com>; Sat, 7 Jul 2012 22:25:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7zhIqNx+CkMF for <l2vpn@ietfa.amsl.com>; Sat, 7 Jul 2012 22:25:53 -0700 (PDT)
Received: from mail-pb0-f44.google.com (mail-pb0-f44.google.com [209.85.160.44]) by ietfa.amsl.com (Postfix) with ESMTP id A8D3021F8679 for <l2vpn@ietf.org>; Sat, 7 Jul 2012 22:25:53 -0700 (PDT)
Received: by pbcwy7 with SMTP id wy7so17606996pbc.31 for <l2vpn@ietf.org>; Sat, 07 Jul 2012 22:26:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=user-agent:date:subject:from:to:cc:message-id:thread-topic :in-reply-to:mime-version:content-type:content-transfer-encoding; bh=Vqg58J9H1P+KgPDxofMtzlt6i8R/+0Olqj6WTaFio98=; b=lkfA39A+cUhwWCUSg938Y+PBJopXMQA5P77Eq1Ly3kQRyTSVA2v8tx6p/HYTyCyy/Z F6ukyemwMalV/PJAovNY7JvfBx7eCgBaftBejYVS1c4l5NEXTKYIfoSUYWo/6Aicoqjr BPDzVnAUl7GHaP6TyRl7nsVSc9kUwRjgyO53bbGmpo44Q8n6KcaqhyXPa3SB98xn7boQ O70vMheCtL6GRJEmlKgDFKMI17sztdHwD4P8YrsLWdtvANNo6cc35dkwHz8yBYM9n+D9 oqydO8N/cqmEnBLmqLEx/gf2Gi9A7QSVqtF/5WXtRzgDm4Wbx2iRv3mjEYWo+QkIffY0 6r+g==
Received: by 10.68.191.201 with SMTP id ha9mr49778196pbc.75.1341725174360; Sat, 07 Jul 2012 22:26:14 -0700 (PDT)
Received: from [192.168.15.105] ([122.174.19.64]) by mx.google.com with ESMTPS id iu6sm25109048pbc.35.2012.07.07.22.26.11 (version=SSLv3 cipher=OTHER); Sat, 07 Jul 2012 22:26:13 -0700 (PDT)
User-Agent: Microsoft-MacOutlook/14.10.0.110310
Date: Sun, 08 Jul 2012 10:56:07 +0530
Subject: Re: L2vpn Digest, Vol 98, Issue 6
From: balaji venkat Venkataswami <balajivenkat299@gmail.com>
To: l2vpn@ietf.org, "robert@raszuk.net" <robert@raszuk.net>
Message-ID: <CC1F140F.5C97%balajivenkat299@gmail.com>
Thread-Topic: L2vpn Digest, Vol 98, Issue 6
In-Reply-To: <mailman.11.1341687602.7368.l2vpn@ietf.org>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Cc: Shankar Raman M J <mjsraman@gmail.com>
X-BeenThere: l2vpn@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: <l2vpn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/l2vpn>, <mailto:l2vpn-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/l2vpn>
List-Post: <mailto:l2vpn@ietf.org>
List-Help: <mailto:l2vpn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/l2vpn>, <mailto:l2vpn-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 08 Jul 2012 05:25:55 -0000
Dear Robert, This scheme is primarily to protect against attacks from within a network That intervenes the two providers that are participating in inter-provider Model C. While it is agreed that if the ISP itself sends packets then the whole situation Cannot be recovered from, we intend to use this scheme in places where the Intervening network between the two providers is compromised. Also if one or more Routers of the ISP have been compromised within the ISP's network then an intruder Trying to gain access to the VPN traffic would have a hard time guessing which Traffic belongs to which VPN with our scheme. We have added more data on why We think Model C has a bad protection with respect to its data plane. By increasing the label space to 40 bits the scheme we propose increases Guessing the right labels for the right VPNs to non-polynomial time. Also the following recommendation is usually advised for Model C. Never connect ASBRs over a shared Layer 2 infrastructure such as an Internet Exchange Point (IXP). Use a private connection, or at least a private VLAN. With our scheme this can be relaxed to a degree is what we feel. More on Data Plane insecurity in Model C : ========================================== The security of model C is considerably more open than in models A and B. On the data plane, the traffic exchanged between the ASBRs contains two labels: * VPN label? Is set by the ingress PE to identify the VPN * PE label? Specifies the LSP to the egress PE Model C is considerably more open in terms of security than the previous models, for the following reasons: * To be able to establish end-to-end LSPs, the service provider must be able to reach all PEs of the other AS, which hold connections of shared VPNs. This can be a considerable number of PEs, exposing important parts of the normally internal infrastructure of an AS to the other AS. This also means that considerations that are usually local to an AS in terms of addressing need to be coordinated with the other AS. It also means that traffic can be sent to a number of internal addresses from the outside, making possible attacks from the outside. The recommendation is to filter IP packets into the core as tightly as possible to prevent these issues. Labeled packets cannot be filtered currently. * The ASBR does not hold any VPN information. This is a scalability advantage, but at the same time it prevents the ASBR from checking the VPN label for its validity. This means that it is impossible to verify the VPN label in the data path. (In model B, the ASBR holds this information and can therefore validate the VPN label.) The egress PE cannot verify the packet anymore because at this point the origin of the packet can no longer be determined. Considering these reasons, a potential attack could be AS 1 sending labeled traffic into AS 2, where the top label represents the label to a valid egress PE in AS 2. AS 1 holds PE labels for all those PEs in AS 2, on which it has shared VPNs. However, because the VPN label cannot be checked by the ASBR, AS 1 could send packets with random VPN labels into AS 2 without AS 2 having a way to block this. AS 1 has an LSP to the egress PE in AS 2. This PE has two VPNs configured: VPN A, which is shared with AS 1, and VPN B, which is not shared with AS 1. By sending the packet with a VPN label for VPN B, the packet will be forwarded into VPN B. At the time of writing this draft there was no solution to this issue. First of all, AS 1 would need to know the VPN label for VPN B. The MPLS VPN network does not expose the label externally, so there are two ways of getting it: by espionage, or simply by trying the entire label space. A label has 20 bits, yielding 220 = 1,048,576 potential label values. Assuming a single packet attack with a 500-byte packet size, in the worst case an attacker would need to send 524 MB, which would take approximately 7 minutes on a 10 Mbps link, and 9 hours on a 128 k link. Note that in practice this number would be statistically smaller, and also, label numbering is not random, so intelligent guessing could reduce this number significantly. Then, a malicious user in AS 1 could only send traffic into the VPN, but not receive a reply. However, there are a large number of examples in the history of security where a single unidirectional packet was enough to propagate a worm, for example. So while this limits the scope of an attack, it does not rule it out. In any case, the potential attacker would not receive feedback as to whether the attack was successful. Therefore, it is not easy to carry out a sophisticated attack against a VPN from a given AS. But a single-packet unidirectional attack, as frequently used in the propagation of worms, is possible, even though statistically unlikely. Thanks and regards, Balaji and shankar On 08/07/12 12:30 AM, "l2vpn-request@ietf.org" <l2vpn-request@ietf.org> wrote: >If you have received this digest without all the individual message >attachments you will need to update your digest options in your list >subscription. To do so, go to > >https://www.ietf.org/mailman/listinfo/l2vpn > >Click the 'Unsubscribe or edit options' button, log in, and set "Get >MIME or Plain Text Digests?" to MIME. You can set this option >globally for all the list digests you receive at this point. > > > >Send L2vpn mailing list submissions to > l2vpn@ietf.org > >To subscribe or unsubscribe via the World Wide Web, visit > https://www.ietf.org/mailman/listinfo/l2vpn >or, via email, send a message with subject or body 'help' to > l2vpn-request@ietf.org > >You can reach the person managing the list at > l2vpn-owner@ietf.org > >When replying, please edit your Subject line so it is more specific >than "Re: Contents of L2vpn digest..." > > >Today's Topics: > > 1. draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00.txt ... > (Robert Raszuk) > > >---------------------------------------------------------------------- > >Message: 1 >Date: Sat, 07 Jul 2012 14:39:56 +0200 >From: Robert Raszuk <robert@raszuk.net> >To: "l2vpn@ietf.org" <l2vpn@ietf.org> >Subject: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00.txt ... >Message-ID: <4FF82E1C.6000009@raszuk.net> >Content-Type: text/plain; charset=ISO-8859-1; format=flowed > > >I have read the draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00.txt. > >It proposed an interesting solution to apply algorithmically computed >VPN lable (for L2VPNs, but also possible for L3VPN) where inter-as >option C is used. > >However I have a fundamental question .. from who the draft is >protecting the inter-as service ? > >Who other then participating ISPs can spoof a value of VPN label ? If >the solution is protecting from ISPs itself then I think it does not >help at all as corresponding ISPs/SPs still have full access to their >PEs and could inject packets to VPN sites at will. > >Moreover main issue with option C is not security (at least for the last >10+ years). Main issue with option C and MPLS is that participating >providers need to inject into each other's network all of their >participating PE's /32 addresses so the end to end MPLS LSP can be >build. Originally that was recommended to be done by mutual >redistribution to the IGP .. now the general recommendation is to use >labeled BGP (both IBGP and EBGP). > >So fundamental question to the authors ... who is the potential >attacker/spoofer this draft is aiming to protect from ? > >Best regards, >R. > > > > > >------------------------------ > >_______________________________________________ >L2vpn mailing list >L2vpn@ietf.org >https://www.ietf.org/mailman/listinfo/l2vpn > > >End of L2vpn Digest, Vol 98, Issue 6 >************************************
- Re: L2vpn Digest, Vol 98, Issue 6 balaji venkat Venkataswami
- Re: L2vpn Digest, Vol 98, Issue 6 balaji venkat Venkataswami
- Re: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Robert Raszuk
- Re: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… balaji venkat Venkataswami
- Re: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Robert Raszuk
- Re: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Balaji venkat Venkataswami
- RE: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Tal Mizrahi
- Re: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Robert Raszuk
- Re: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Balaji venkat Venkataswami
- RE: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… UTTARO, JAMES
- Re: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Balaji venkat Venkataswami
- Re: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Robert Raszuk
- Re: L2vpn Digest, Vol 98, Issue 6 Rogers, Josh
- RE: L2vpn Digest, Vol 98, Issue 6 UTTARO, JAMES
- Re: L2vpn Digest, Vol 98, Issue 6 Rogers, Josh
- Re: L2vpn Digest, Vol 98, Issue 6 Balaji venkat Venkataswami
- Re: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Balaji venkat Venkataswami
- Re: L2vpn Digest, Vol 98, Issue 6 Robert Raszuk
- Re: L2vpn Digest, Vol 98, Issue 6 Balaji venkat Venkataswami
- Re: L2vpn Digest, Vol 98, Issue 6 Robert Raszuk
- Re: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Greg Mirsky
- RE: L2vpn Digest, Vol 98, Issue 6 UTTARO, JAMES
- RE: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Tal Mizrahi
- RE: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Bhargav Bhikkaji
- RE: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Gregory Mirsky
- RE: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Bhargav Bhikkaji
- Re: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Stewart Bryant