Re: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00.txt ...
Robert Raszuk <robert@raszuk.net> Sun, 08 July 2012 11:01 UTC
Return-Path: <robert@raszuk.net>
X-Original-To: l2vpn@ietfa.amsl.com
Delivered-To: l2vpn@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3312E21F86CA for <l2vpn@ietfa.amsl.com>; Sun, 8 Jul 2012 04:01:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.299
X-Spam-Level:
X-Spam-Status: No, score=-2.299 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, J_CHICKENPOX_13=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6Kj7WYZqbA0z for <l2vpn@ietfa.amsl.com>; Sun, 8 Jul 2012 04:01:42 -0700 (PDT)
Received: from mail1310.opentransfer.com (mail1310.opentransfer.com [76.162.254.103]) by ietfa.amsl.com (Postfix) with ESMTP id 762A321F869F for <l2vpn@ietf.org>; Sun, 8 Jul 2012 04:01:42 -0700 (PDT)
Received: (qmail 29823 invoked by uid 399); 8 Jul 2012 11:02:02 -0000
Received: from unknown (HELO ?192.168.1.58?) (pbs:robert@raszuk.net@83.9.210.132) by mail1310.opentransfer.com with ESMTPM; 8 Jul 2012 11:02:02 -0000
X-Originating-IP: 83.9.210.132
Message-ID: <4FF968A8.7060806@raszuk.net>
Date: Sun, 08 Jul 2012 13:02:00 +0200
From: Robert Raszuk <robert@raszuk.net>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20120614 Thunderbird/13.0.1
MIME-Version: 1.0
To: balaji venkat Venkataswami <balajivenkat299@gmail.com>
Subject: Re: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00.txt ...
References: <CC1F140F.5C97%balajivenkat299@gmail.com>
In-Reply-To: <CC1F140F.5C97%balajivenkat299@gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: l2vpn@ietf.org, Shankar Raman M J <mjsraman@gmail.com>
X-BeenThere: l2vpn@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: robert@raszuk.net
List-Id: <l2vpn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/l2vpn>, <mailto:l2vpn-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/l2vpn>
List-Post: <mailto:l2vpn@ietf.org>
List-Help: <mailto:l2vpn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/l2vpn>, <mailto:l2vpn-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 08 Jul 2012 11:01:43 -0000
Hi Balaji, > Also if one or more Routers of the ISP have been compromised > within the ISP's network then an intruder Trying to gain > access to the VPN traffic would have a hard time guessing > which Traffic belongs to which VPN with our scheme. You are effectively saying that if intruder compromises any router in the ISP or between ISPs it is quite likely that it may get access to VPN label information which are pretty static today. That is actually true for L3VPN and L2VPN. It is the same in basic non inter-as service as well as with inter-as service option A, B & C. I do not see why in particular you are just focused on option C ? Do you have this case in mind: ISP1 -- ISP2 -- ISP3 where ISP2 is just an MPLS transit sitting with a sniffer and observing VPN labels in the data plane ? I do agree that any LxVPN using BGP does not protect from this type of attacks. It is in fact well understood since the early days of MPLS-VPN deployments that sites which require security place hardware encryption devices between or next to their CEs. In other words if your ISP network is so unsecure that it would allow to inject third party an MPLS encapsulated packets (not your trusted ISP option B or option C peer, but one of your customers or hackers) then I think all bet's are off as far as your services go. That is also why for CSC one of the first feature which was added was label validation. CE can not inject any other label then the label already advertised to it. Some implementations do it also for option B. While I like your solution in general I think it still needs to find a problem. For the problem presented IMHO ISP is much better to protect his PEs and his infrastructure rather then trying to make a VPN label a bit harder to guess. Best, R.
- Re: L2vpn Digest, Vol 98, Issue 6 balaji venkat Venkataswami
- Re: L2vpn Digest, Vol 98, Issue 6 balaji venkat Venkataswami
- Re: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Robert Raszuk
- Re: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… balaji venkat Venkataswami
- Re: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Robert Raszuk
- Re: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Balaji venkat Venkataswami
- RE: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Tal Mizrahi
- Re: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Robert Raszuk
- Re: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Balaji venkat Venkataswami
- RE: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… UTTARO, JAMES
- Re: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Balaji venkat Venkataswami
- Re: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Robert Raszuk
- Re: L2vpn Digest, Vol 98, Issue 6 Rogers, Josh
- RE: L2vpn Digest, Vol 98, Issue 6 UTTARO, JAMES
- Re: L2vpn Digest, Vol 98, Issue 6 Rogers, Josh
- Re: L2vpn Digest, Vol 98, Issue 6 Balaji venkat Venkataswami
- Re: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Balaji venkat Venkataswami
- Re: L2vpn Digest, Vol 98, Issue 6 Robert Raszuk
- Re: L2vpn Digest, Vol 98, Issue 6 Balaji venkat Venkataswami
- Re: L2vpn Digest, Vol 98, Issue 6 Robert Raszuk
- Re: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Greg Mirsky
- RE: L2vpn Digest, Vol 98, Issue 6 UTTARO, JAMES
- RE: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Tal Mizrahi
- RE: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Bhargav Bhikkaji
- RE: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Gregory Mirsky
- RE: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Bhargav Bhikkaji
- Re: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-00… Stewart Bryant