Re: [mpls] [MPLS] HELP: Need your opinion on LDP security
"Rajiv Asati (rajiva)" <rajiva@cisco.com> Tue, 02 November 2010 12:02 UTC
Date: Tue, 02 Nov 2010 07:02:56 -0500
Message-ID: <067E6CE33034954AAC05C9EC85E2577C03551A72@XMB-RCD-111.cisco.com>
In-Reply-To: <B26691BEDACE4E5E94CCE75B1EBCE8E4@m55527c>
References: <AANLkTi=uX6aGxbXgdgyzyeijjxuuBJ2uiT4xCUPwbmAT@mail.gmail.com> <FA2A0931F083430E99887FC81734A3C1@kaixinmachPC> <AANLkTinkiF7C7nvHFyO35j2NEfKD=YDfZDVCkGbApMxi@mail.gmail.com> <13205C286662DE4387D9AF3AC30EF456B02161BADD@EMBX01-WF.jnpr.net> <17309A813C1D48629621DC2F29FADD65@m55527c> <067E6CE33034954AAC05C9EC85E2577C034CEA12@XMB-RCD-111.cisco.com> <A6369D0912094088B61CD3974BA483A1@m55527c> <067E6CE33034954AAC05C9EC85E2577C034CF275@XMB-RCD-111.cisco.com> <B26691BEDACE4E5E94CCE75B1EBCE8E4@m55527c>
From: "Rajiv Asati (rajiva)" <rajiva@cisco.com>
To: Mach Chen <mach@huawei.com>, Ronald Bonica <rbonica@juniper.net>, Vishwas Manral <vishwas.ietf@gmail.com>
Cc: mpls@ietf.org, Lamberto Sterling <lamberto.sterling@gmail.com>
Subject: Re: [mpls] [MPLS] HELP: Need your opinion on LDP security
List-Id: Multi-Protocol Label Switching WG <mpls.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/mpls>
Hi Mach,

> In addition, in case of LDP is not enabled on the edge devices, even if the
> LDP implementation can do source address and UDP port check, then the
> spoofing hellos will not be blocked at the edge devices by LDP, unless you

If LDP is not enabled on an interface, then link hello must not be accepted on that interface. Otherwise, it is a violation of RFC 5036 section 3.5.2.1.

It is orthogonal to whether the hellos are spoofed or not.

Cheers,
Rajiv

> -----Original Message-----
> From: Mach Chen [mailto:mach@huawei.com]
> Sent: Friday, October 29, 2010 9:49 PM
> To: Rajiv Asati (rajiva); Ronald Bonica; Vishwas Manral
> Cc: mpls@ietf.org; Lamberto Sterling
> Subject: Re: [mpls] [MPLS] HELP: Need your opinion on LDP security
>
> Hi Rajiv,
>
> Thanks for your prompt response!
>
> Please see inline...
> --------------------------------------------------
> From: "Rajiv Asati (rajiva)" <rajiva@cisco.com>
> Sent: Friday, October 29, 2010 9:44 PM
> To: "Mach Chen" <mach@huawei.com>; "Ronald Bonica" <rbonica@juniper.net>;
> "Vishwas Manral" <vishwas.ietf@gmail.com>
> Cc: <mpls@ietf.org>; "Lamberto Sterling" <lamberto.sterling@gmail.com>
> Subject: RE: [mpls] [MPLS] HELP: Need your opinion on LDP security
>
> > Hi Mach,
> >
> > Pls see inline,
> >
> >> > As far as network boundary/edge is concerned, if LDP is not enabled on
> >> > the outside interfaces, then the implementation should allow any LDP
> >> > packet (IP packet with UDP/TCP port=646) to be ignored. This should not
> >> > require any filtering.
> >> >
> >> Not all the implementations will do such check and drop the LDP packets
> >> (Target hello), and I know there are at least two implementations that do
> >> not do this.
> >
> > Aah!! Such an implementation would be susceptible to a bigger DoS attack,
> > IMO.
> >
> > It is a bad idea to accept and process a packet on a port/socket whose
> > protocol is not enabled yet.
> >
> > In fact, that's a violation of RFC 5036 section 3.5.2.1
> >
> > <excerpt>
> > A Link Hello is acceptable if the interface on which it was
> > received has been configured for label switching.
> >
> > A Targeted Hello from source address A is acceptable if either:
> >
> > - The LSR has been configured to accept Targeted Hellos, or
> > - The LSR has been configured to send Targeted Hellos to A.
> > </excerpt>
>
> Recently, we did experiments in lab and found that the results of most of the
> major implementations are alike on this. Actually, this does not violate the
> rules for Targeted Hello as you excerpted. If an LSR has established a
> Targeted session with A, it should have been configured to accept/send
> Targeted Hellos from/to A, and a spoofed Hello can easily be made up as
> if sent from A.
>
> >> In addition, in case of LDP is enabled on the outside interfaces, then
> >> you can't rely on such mechanism.
> >
> > Ditto. If LDP is enabled (for things such as Inter-AS), then the problem
> > may happen.
>
> Yes, this is one of the scenarios that the draft tries to solve.
>
> In addition, in case of LDP is not enabled on the edge devices, even if the
> LDP implementation can do source address and UDP port check, then the
> spoofing hellos will not be blocked at the edge devices by LDP, unless you
> configure the other necessary filtering rules on the edges.
>
> Best regards,
> Mach
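The two acceptance rules the thread argues about, as an added example in Python that is not code from the thread or from any vendor's LDP implementation. It builds a constructed Hello PDU (RFC 5036 section 3.1 PDU header plus a section 3.5.2 Hello message carrying only the mandatory Common Hello Parameters TLV), parses it back, applies the Link Hello and Targeted Hello rules quoted from section 3.5.2.1, and adds a hypothetical edge_filter ACL of the kind Mach says the operator has to configure separately. The interface names, addresses, LsrConfig fields and function names are assumptions made for the illustration.

```python
"""Model of the LDP Hello acceptance rules of RFC 5036 section 3.5.2.1.

Added example, not code from the thread or any vendor implementation.
Builds a constructed Hello PDU, parses it, and applies the RFC's rules plus
a hypothetical edge ACL, to show why a Link Hello on a non-LDP interface is
dropped by the RFC alone while a spoofed Targeted Hello is not.
"""
import struct
from dataclasses import dataclass

LDP_PORT = 646             # UDP port for Hellos (and TCP port for sessions)
LDP_VERSION = 1
HELLO_MSG_TYPE = 0x0100    # Hello message type, RFC 5036 3.5.2
COMMON_HELLO_TLV = 0x0400  # Common Hello Parameters TLV
T_BIT = 0x8000             # Targeted Hello
R_BIT = 0x4000             # Request Send Targeted Hellos


@dataclass
class Hello:
    lsr_id: str
    label_space: int
    hold_time: int
    targeted: bool
    request_targeted: bool


def build_hello(lsr_id, hold_time, targeted, msg_id=1):
    """Constructed Hello PDU: PDU header (3.1) + Hello message (3.5.2) with
    only the mandatory Common Hello Parameters TLV, label space 0."""
    tlv = struct.pack("!HHHH", COMMON_HELLO_TLV, 4, hold_time,
                      T_BIT if targeted else 0)
    body = struct.pack("!I", msg_id) + tlv
    msg = struct.pack("!HH", HELLO_MSG_TYPE, len(body)) + body
    ldp_id = bytes(int(o) for o in lsr_id.split(".")) + struct.pack("!H", 0)
    pdu_body = ldp_id + msg
    return struct.pack("!HH", LDP_VERSION, len(pdu_body)) + pdu_body


def parse_hello(pdu):
    """Parse a PDU of the shape built above; raises ValueError if malformed."""
    if len(pdu) < 26:
        raise ValueError("PDU too short for a Hello")
    version, pdu_len = struct.unpack_from("!HH", pdu, 0)
    if version != LDP_VERSION or pdu_len != len(pdu) - 4:
        raise ValueError("bad LDP version or PDU length")
    lsr_id = ".".join(str(b) for b in pdu[4:8])
    label_space = struct.unpack_from("!H", pdu, 8)[0]
    msg_type, msg_len = struct.unpack_from("!HH", pdu, 10)
    if msg_type & 0x7FFF != HELLO_MSG_TYPE:      # mask off the U bit
        raise ValueError("not a Hello message")
    if msg_len != len(pdu) - 14:
        raise ValueError("bad message length")
    tlv_type, tlv_len, hold_time, flags = struct.unpack_from("!HHHH", pdu, 18)
    if tlv_type & 0x3FFF != COMMON_HELLO_TLV or tlv_len != 4:  # mask U/F bits
        raise ValueError("missing Common Hello Parameters TLV")
    return Hello(lsr_id, label_space, hold_time,
                 bool(flags & T_BIT), bool(flags & R_BIT))


@dataclass
class LsrConfig:
    ldp_interfaces: frozenset  # interfaces "configured for label switching"
    accept_targeted: bool      # "configured to accept Targeted Hellos"
    targeted_peers: frozenset  # addresses we "send Targeted Hellos to"


def hello_acceptable(cfg, hello, iface, src_addr, dst_port):
    """The two acceptance rules quoted from RFC 5036 3.5.2.1."""
    if dst_port != LDP_PORT:
        return False, "not addressed to the LDP port"
    if not hello.targeted:
        if iface in cfg.ldp_interfaces:
            return True, "Link Hello on an interface configured for label switching"
        return False, "Link Hello on an interface not configured for label switching"
    # Targeted Hello: the RFC rule keys only on the source address, which an
    # attacker can forge; the receiving interface plays no part in the rule.
    if cfg.accept_targeted:
        return True, "Targeted Hello; LSR accepts Targeted Hellos"
    if src_addr in cfg.targeted_peers:
        return True, "Targeted Hello; LSR sends Targeted Hellos to this address"
    return False, "Targeted Hello from an address we do not peer with"


def edge_filter(cfg, iface, dst_port):
    """Hypothetical operator ACL: drop anything for port 646 that arrives on
    an interface not enabled for LDP, before LDP ever sees it."""
    return dst_port != LDP_PORT or iface in cfg.ldp_interfaces


def scenario():
    """Edge LSR with LDP only on core0 and one targeted peer at 10.0.0.2.
    Returns True where the packet is accepted, False where it is dropped."""
    cfg = LsrConfig(frozenset({"core0"}), False, frozenset({"10.0.0.2"}))
    link = parse_hello(build_hello("192.0.2.9", 15, targeted=False))
    spoofed = parse_hello(build_hello("10.0.0.2", 45, targeted=True))
    return {
        "link_on_edge": hello_acceptable(cfg, link, "edge0", "192.0.2.9", LDP_PORT)[0],
        "link_on_core": hello_acceptable(cfg, link, "core0", "192.0.2.9", LDP_PORT)[0],
        "spoofed_targeted_rfc": hello_acceptable(cfg, spoofed, "edge0", "10.0.0.2", LDP_PORT)[0],
        "spoofed_targeted_acl": edge_filter(cfg, "edge0", LDP_PORT),
    }


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name}: {'accepted' if verdict else 'dropped'}")
```

Run as a script, the scenario shows both positions side by side: the Link Hello arriving on edge0 is dropped by the section 3.5.2.1 rule alone, which is Rajiv's point, while the Targeted Hello carrying a forged source of 10.0.0.2 passes that same rule because Targeted Hello acceptance keys on the source address only, and is stopped solely by the separate edge ACL, which is Mach's point. An accepted Hello only creates adjacency state; the TCP MD5 signature option that RFC 5036 specifies for the session does not cover the UDP Hellos, so the ACL on non-LDP edge interfaces is the control that actually keeps forged Hellos out.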