Re: [mpls] validating incoming frames at an Ethernet interface of an LSR
Anoop Ghanwani <anoop@brocade.com> Wed, 24 June 2009 17:10 UTC
Return-Path: <anoop@brocade.com>
X-Original-To: mpls@core3.amsl.com
Delivered-To: mpls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E6B133A6CBE for <mpls@core3.amsl.com>; Wed, 24 Jun 2009 10:10:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LTJWPHLzfAWl for <mpls@core3.amsl.com>; Wed, 24 Jun 2009 10:10:15 -0700 (PDT)
Received: from hq-exedge.brocade.com (hq-exedge.brocade.com [66.243.153.83]) by core3.amsl.com (Postfix) with ESMTP id 2A6D23A6814 for <mpls@ietf.org>; Wed, 24 Jun 2009 10:10:15 -0700 (PDT)
Received: from hq-exchfe-4.corp.brocade.com (192.168.39.133) by HQ-EXEDGE-2.corp.brocade.com (192.168.39.208) with Microsoft SMTP Server (TLS) id 8.1.375.2; Wed, 24 Jun 2009 10:09:50 -0700
Received: from HQ-EXCH-7.corp.brocade.com ([fe80::7100:82a1:1c93:b398]) by hq-exchfe-4.corp.brocade.com ([192.168.39.133]) with mapi; Wed, 24 Jun 2009 10:09:50 -0700
From: Anoop Ghanwani <anoop@brocade.com>
To: Jiang Yuan-long <yljiang@huawei.com>
Date: Wed, 24 Jun 2009 10:09:50 -0700
Thread-Topic: [mpls] validating incoming frames at an Ethernet interface of an LSR
Thread-Index: Acn0rhaAvONlSSuCQdqq7DUdKAuGcAAPiW8g
Message-ID: <54E40085E26FCB45AAB9D3DF3F9DD3DDD189E95CE9@HQ-EXCH-7.corp.brocade.com>
References: <54E40085E26FCB45AAB9D3DF3F9DD3DDD189E95C38@HQ-EXCH-7.corp.brocade.com> <001801c9f4ae$1423ff00$3428460a@china.huawei.com>
In-Reply-To: <001801c9f4ae$1423ff00$3428460a@china.huawei.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "mpls@ietf.org" <mpls@ietf.org>
Subject: Re: [mpls] validating incoming frames at an Ethernet interface of an LSR
X-BeenThere: mpls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Multi-Protocol Label Switching WG <mpls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/mpls>, <mailto:mpls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mpls>
List-Post: <mailto:mpls@ietf.org>
List-Help: <mailto:mpls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mpls>, <mailto:mpls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Jun 2009 17:10:16 -0000
It's actually not just the interface; it's the
adjacency that matters. This means that the validation
for the label would have to be done on a {src mac, vlan}
basis. This, of course, only works for the
top label in the stack.
Validating packets for labels beyond the first
gets even more tricky because there is no information
in the packet that can help identify that the
frame was transmitted by a peer to which that
label was distributed.
Anyway, it doesn't sound like the specs require
any kind of validation. I wanted to make sure
I wasn't missing something obvious.
Anoop
> -----Original Message-----
> From: Jiang Yuan-long [mailto:yljiang@huawei.com]
> Sent: Wednesday, June 24, 2009 2:28 AM
> To: Anoop Ghanwani
> Cc: mpls@ietf.org
> Subject: Re: [mpls] validating incoming frames at an Ethernet
> interface of an LSR
>
> Hi Anoop:
>
> This is mentioned in "draft-ietf-l3vpn-ipsec-2547-05", which said:
> A Service Provider (SP) can protect against spoofed MPLS packets by
> the simple expedient of not accepting MPLS packets from outside its
> own boundaries (or more generally by keeping track of which labels
> are validly received over which interfaces, and discarding packets
> which arrive with labels that are not valid for their incoming
> interfaces)...
> But this draft was expired long ago. Hope it helps you.
>
> Cheers
>
> Jiang Yuanlong
>
> ----- Original Message -----
> From: "Anoop Ghanwani" <anoop@brocade.com>
> To: <mpls@ietf.org>
> Sent: Wednesday, June 24, 2009 8:49 AM
> Subject: [mpls] validating incoming frames at an Ethernet
> interface of an
> LSR
>
>
> >
> > Let's say I have 3 routers R1, R2 & R3 connected
> > by a layer 2 switch.
> >
> > Let's say R1 advertises a label, say L1, for a
> > certain FEC to R2. Let's assume R1 has a global
> > LIB (i.e. assigns different labels each time one
> > is requested).
> >
> > Now, if R3 sends a frame with L1 addressed to
> > R1's MAC address, would R1 just pick the frame
> > up and forward it, or would it actually notice
> > the problem and drop the frame?
> >
> > I know we're getting into implementation here,
> > but would appreciate if someone can point me to
> > an RFC/draft that discusses this issue.
> >
> > Thanks,
> > Anoop
> > _______________________________________________
> > mpls mailing list
> > mpls@ietf.org
> > https://www.ietf.org/mailman/listinfo/mpls
>
>
- [mpls] validating incoming frames at an Ethernet … Anoop Ghanwani
- Re: [mpls] validating incoming frames at an Ether… Mitchell Erblich
- Re: [mpls] validating incoming frames at an Ether… Jiang Yuan-long
- Re: [mpls] validating incoming frames at an Ether… mngpl
- Re: [mpls] validating incoming frames at an Ether… Mitchell Erblich
- Re: [mpls] validating incoming frames at an Ether… Himanshu Shah
- Re: [mpls] validating incoming frames at an Ether… Anoop Ghanwani
- Re: [mpls] validating incoming frames at an Ether… Jiang Yuan-long
- Re: [mpls] validating incoming frames at an Ether… albert.john