Re: L2vpn Digest, Vol 98, Issue 6
"Rogers, Josh" <josh.rogers@twcable.com> Mon, 09 July 2012 14:39 UTC
Return-Path: <josh.rogers@twcable.com>
X-Original-To: l2vpn@ietfa.amsl.com
Delivered-To: l2vpn@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AAE6E21F8573 for <l2vpn@ietfa.amsl.com>; Mon, 9 Jul 2012 07:39:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.063
X-Spam-Level:
X-Spam-Status: No, score=-1.063 tagged_above=-999 required=5 tests=[AWL=0.400, BAYES_00=-2.599, HELO_EQ_MODEMCABLE=0.768, HOST_EQ_MODEMCABLE=1.368, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pdK3HbqAtACf for <l2vpn@ietfa.amsl.com>; Mon, 9 Jul 2012 07:39:38 -0700 (PDT)
Received: from cdpipgw01.twcable.com (cdpipgw01.twcable.com [165.237.59.22]) by ietfa.amsl.com (Postfix) with ESMTP id 9B6B721F859A for <l2vpn@ietf.org>; Mon, 9 Jul 2012 07:39:37 -0700 (PDT)
X-SENDER-IP: 10.136.163.11
X-SENDER-REPUTATION: None
X-IronPort-AV: E=Sophos;i="4.77,552,1336363200"; d="scan'208";a="407085806"
Received: from unknown (HELO PRVPEXHUB02.corp.twcable.com) ([10.136.163.11]) by cdpipgw01.twcable.com with ESMTP/TLS/RC4-MD5; 09 Jul 2012 10:39:43 -0400
Received: from PRVPEXVS08.corp.twcable.com ([10.136.163.36]) by PRVPEXHUB02.corp.twcable.com ([10.136.163.11]) with mapi; Mon, 9 Jul 2012 10:40:02 -0400
From: "Rogers, Josh" <josh.rogers@twcable.com>
To: "UTTARO, JAMES" <ju1738@att.com>, balaji venkat Venkataswami <balajivenkat299@gmail.com>, "l2vpn@ietf.org" <l2vpn@ietf.org>, "robert@raszuk.net" <robert@raszuk.net>
Date: Mon, 09 Jul 2012 10:40:03 -0400
Subject: Re: L2vpn Digest, Vol 98, Issue 6
Thread-Topic: L2vpn Digest, Vol 98, Issue 6
Thread-Index: Ac1d4LiUFrc7vk4nQiCBpAKv6Ip8Kw==
Message-ID: <CC2056D0.9463%josh.rogers@twcable.com>
In-Reply-To: <B17A6910EEDD1F45980687268941550FB32995@MISOUT7MSGUSR9I.ITServices.sbc.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.2.2.120421
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-2"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: Shankar Raman M J <mjsraman@gmail.com>, Bhargav Bhikkaji <bharbhi@gmail.com>
X-BeenThere: l2vpn@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: <l2vpn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/l2vpn>, <mailto:l2vpn-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/l2vpn>
List-Post: <mailto:l2vpn@ietf.org>
List-Help: <mailto:l2vpn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/l2vpn>, <mailto:l2vpn-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Jul 2012 14:39:38 -0000
I would propose tabling this draft, and attempting to create a document outlining 1) how best to establish option C peering with other SP's, and 2) outstanding caveats/exposures that are not addressed with available technology/standards. Having such a document would better frame any subsequent 'solution' drafts that address concerns not currently addressable with good policy/practice. -josh On 7/9/12 9:35 AM, "UTTARO, JAMES" <ju1738@att.com> wrote: >Josh, > > Yes quite leery of building an Option C solution to other providers for >a number of reasons including trust, security but also others i.e RT >Mapping, Scale, Protected Infrastructure available to others, IGP Scale ( ># of LBs ), Pri/Back Selection of ASBR, attack on the PEs, etc... >Actually the more sophisticated the Option C solution the more alignment >and possible risk. > >I understand the ask that this draft is attempting to meet, but does it >make sense to do this without addressing the other facets of building an >Option C solution between different ISPs.. > >Jim Uttaro > > > > >-----Original Message----- >From: l2vpn-bounces@ietf.org [mailto:l2vpn-bounces@ietf.org] On Behalf Of >Rogers, Josh >Sent: Monday, July 09, 2012 10:22 AM >To: balaji venkat Venkataswami; l2vpn@ietf.org; robert@raszuk.net >Cc: Shankar Raman M J; Bhargav Bhikkaji >Subject: Re: L2vpn Digest, Vol 98, Issue 6 > >While I don't necessarily agree with this draft's approach ("security >through obscurity" comes to mind), I'd like to point out that I do see a >need to assuage concerns about using Option C between operators. In my >part of the world, when I propose Option C to other operators, often the >idea is met with concern/resistance, seemingly because the other operator >has not done it before. Even internally, many of my colleagues are >concerned about security and the trust model in general. It appears to >me, to be no different than any other IP peering relationship, which >requires some basic 'trust', albeit not implicit trust. > >I think Robert's suggestion of leveraging encryption is a more ironclad >and reasonable solution to the problems presented here. However, I'd >still like to see an informative 'best practices' document at some point >that covered some basic policies that should be followed when peering with >another ISP for LxVPN exchange. > >-Josh > > > >On 7/8/12 1:46 AM, "balaji venkat Venkataswami" ><balajivenkat299@gmail.com> wrote: > >>Dear Robert, >> >>As mentioned in the earlier mail the following restriction is imposed on >>the >>Model C deploymentŠ >> >>The consequence of this is that in model C the service providers must >>trust each other also in areas that are not shared. Therefore, model C is >>most commonly used today where a single operator uses several ASs on the >>backbone. In this case, implicit trust exists between the ASs because >>they >>have the same operational control. >> >> >>In order to stretch this scheme to other Ases under different admin >>control this scheme helps out. >> >>Thanks and regards, >>Balaji venkat >> >>On 08/07/12 12:30 AM, "l2vpn-request@ietf.org" <l2vpn-request@ietf.org> >>wrote: >> >>>If you have received this digest without all the individual message >>>attachments you will need to update your digest options in your list >>>subscription. To do so, go to >>> >>>https://www.ietf.org/mailman/listinfo/l2vpn >>> >>>Click the 'Unsubscribe or edit options' button, log in, and set "Get >>>MIME or Plain Text Digests?" to MIME. You can set this option >>>globally for all the list digests you receive at this point. >>> >>> >>> >>>Send L2vpn mailing list submissions to >>> l2vpn@ietf.org >>> >>>To subscribe or unsubscribe via the World Wide Web, visit >>> https://www.ietf.org/mailman/listinfo/l2vpn >>>or, via email, send a message with subject or body 'help' to >>> l2vpn-request@ietf.org >>> >>>You can reach the person managing the list at >>> l2vpn-owner@ietf.org >>> >>>When replying, please edit your Subject line so it is more specific >>>than "Re: Contents of L2vpn digest..." >>> >>> >>>Today's Topics: >>> >>> 1. draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00.txt ... >>> (Robert Raszuk) >>> >>> >>>---------------------------------------------------------------------- >>> >>>Message: 1 >>>Date: Sat, 07 Jul 2012 14:39:56 +0200 >>>From: Robert Raszuk <robert@raszuk.net> >>>To: "l2vpn@ietf.org" <l2vpn@ietf.org> >>>Subject: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00.txt ... >>>Message-ID: <4FF82E1C.6000009@raszuk.net> >>>Content-Type: text/plain; charset=ISO-8859-1; format=flowed >>> >>> >>>I have read the draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00.txt. >>> >>>It proposed an interesting solution to apply algorithmically computed >>>VPN lable (for L2VPNs, but also possible for L3VPN) where inter-as >>>option C is used. >>> >>>However I have a fundamental question .. from who the draft is >>>protecting the inter-as service ? >>> >>>Who other then participating ISPs can spoof a value of VPN label ? If >>>the solution is protecting from ISPs itself then I think it does not >>>help at all as corresponding ISPs/SPs still have full access to their >>>PEs and could inject packets to VPN sites at will. >>> >>>Moreover main issue with option C is not security (at least for the last >>>10+ years). Main issue with option C and MPLS is that participating >>>providers need to inject into each other's network all of their >>>participating PE's /32 addresses so the end to end MPLS LSP can be >>>build. Originally that was recommended to be done by mutual >>>redistribution to the IGP .. now the general recommendation is to use >>>labeled BGP (both IBGP and EBGP). >>> >>>So fundamental question to the authors ... who is the potential >>>attacker/spoofer this draft is aiming to protect from ? >>> >>>Best regards, >>>R. >>> >>> >>> >>> >>> >>>------------------------------ >>> >>>_______________________________________________ >>>L2vpn mailing list >>>L2vpn@ietf.org >>>https://www.ietf.org/mailman/listinfo/l2vpn >>> >>> >>>End of L2vpn Digest, Vol 98, Issue 6 >>>************************************ >> >> > > >This E-mail and any of its attachments may contain Time Warner Cable >proprietary information, which is privileged, confidential, or subject to >copyright belonging to Time Warner Cable. This E-mail is intended solely >for the use of the individual or entity to which it is addressed. If you >are not the intended recipient of this E-mail, you are hereby notified >that any dissemination, distribution, copying, or action taken in >relation to the contents of and attachments to this E-mail is strictly >prohibited and may be unlawful. If you have received this E-mail in >error, please notify the sender immediately and permanently delete the >original and any copy of this E-mail and any printout. This E-mail and any of its attachments may contain Time Warner Cable proprietary information, which is privileged, confidential, or subject to copyright belonging to Time Warner Cable. This E-mail is intended solely for the use of the individual or entity to which it is addressed. If you are not the intended recipient of this E-mail, you are hereby notified that any dissemination, distribution, copying, or action taken in relation to the contents of and attachments to this E-mail is strictly prohibited and may be unlawful. If you have received this E-mail in error, please notify the sender immediately and permanently delete the original and any copy of this E-mail and any printout.
- Re: L2vpn Digest, Vol 98, Issue 6 balaji venkat Venkataswami
- Re: L2vpn Digest, Vol 98, Issue 6 balaji venkat Venkataswami
- Re: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Robert Raszuk
- Re: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… balaji venkat Venkataswami
- Re: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Robert Raszuk
- Re: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Balaji venkat Venkataswami
- RE: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Tal Mizrahi
- Re: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Robert Raszuk
- Re: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Balaji venkat Venkataswami
- RE: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… UTTARO, JAMES
- Re: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Balaji venkat Venkataswami
- Re: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Robert Raszuk
- Re: L2vpn Digest, Vol 98, Issue 6 Rogers, Josh
- RE: L2vpn Digest, Vol 98, Issue 6 UTTARO, JAMES
- Re: L2vpn Digest, Vol 98, Issue 6 Rogers, Josh
- Re: L2vpn Digest, Vol 98, Issue 6 Balaji venkat Venkataswami
- Re: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Balaji venkat Venkataswami
- Re: L2vpn Digest, Vol 98, Issue 6 Robert Raszuk
- Re: L2vpn Digest, Vol 98, Issue 6 Balaji venkat Venkataswami
- Re: L2vpn Digest, Vol 98, Issue 6 Robert Raszuk
- Re: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Greg Mirsky
- RE: L2vpn Digest, Vol 98, Issue 6 UTTARO, JAMES
- RE: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Tal Mizrahi
- RE: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Bhargav Bhikkaji
- RE: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Gregory Mirsky
- RE: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Bhargav Bhikkaji
- Re: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Stewart Bryant