Re: [mpls] [MPLS] HELP: Need your opinion on LDP security

"Mallette, Edwin" <Edwin.Mallette@bhnis.com> Mon, 25 October 2010 20:34 UTC

From: "Mallette, Edwin" <Edwin.Mallette@bhnis.com>
To: Vero Zheng <verozheng@huawei.com>, mpls <mpls@ietf.org>
Date: Mon, 25 Oct 2010 16:35:58 -0400
Message-ID: <6569379E42CFCB4192ECE021966F9A44704A3CC0B3@CNEMAIL.corp.local>
References: <681777EB1E8E4E71ADF65A2A1A89B3A6@z50128a>
In-Reply-To: <681777EB1E8E4E71ADF65A2A1A89B3A6@z50128a>
Subject: Re: [mpls] [MPLS] HELP: Need your opinion on LDP security
List-Id: Multi-Protocol Label Switching WG <mpls.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/mpls>

Vero,

I cannot think of a case where I would utilize a different key to secure the hellos than the key used to secure the TCP session.  That being said, I also cannot think of a specific reason to preclude this functionality.

Ed

From: mpls-bounces@ietf.org [mailto:mpls-bounces@ietf.org] On Behalf Of Vero Zheng
Sent: Monday, October 25, 2010 12:11 AM
To: mpls
Subject: [mpls] [MPLS] HELP: Need your opinion on LDP security

Hi Folks,

We would like to hear your opinion on LDP security.

Unlike all other LDP messages, the Hello messages are sent using UDP not TCP.
This means that they cannot benefit from the security mechanisms available with TCP.
[RFC5036] does not provide any security mechanisms for use with Hello messages except to note that some configuration may help protect against bogus discovery events.

Do we need to allow the use of different keys from the ones used on the TCP session?

We have submitted a new "LDP Hello Cryptographic Authentication" draft. In this draft, we introduce a new Cryptographic Authentication TLV which is used in the LDP Hello message as an optional parameter.
An LSR can be configured to only accept Hello messages from specific peers when authentication is in use.
The URL for it is: http://tools.ietf.org/id/draft-zheng-mpls-ldp-hello-crypto-auth-00.txt
Looking forward to your comments.

BR,
Mach and Vero
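The following Python sketch is an added example, not code from the thread, the draft or any LDP implementation. It illustrates the mechanism under discussion: an LDP Hello PDU (framed roughly as in RFC 5036) carrying a keyed-HMAC authentication TLV, verified on the receiving LSR with a Hello key that is kept separate from the TCP session key, plus a sequence number against replay and the configured peer allow-list mentioned in the message. The TLV type 0x0FFF, its field layout, the key id 7 and the sample LSR-IDs and keys are assumptions made for this example and do not reflect the draft's actual encoding.

```python
import hashlib
import hmac
import struct

# Framing follows the general shape of an LDP PDU and Hello message (RFC 5036).
# The authentication TLV layout (key id, 64-bit sequence number, HMAC-SHA-256
# digest) is an ASSUMPTION for illustration only, not the draft's TLV.
LDP_VERSION = 1
HELLO_MSG_TYPE = 0x0100            # Hello message type (RFC 5036)
COMMON_HELLO_TLV = 0x0400          # Common Hello Parameters TLV (RFC 5036)
AUTH_TLV_TYPE = 0x0FFF             # hypothetical type for the auth TLV
DIGEST_LEN = hashlib.sha256().digest_size   # 32 bytes


def _tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one LDP TLV: 2-byte type, 2-byte length, value."""
    return struct.pack("!HH", tlv_type, len(value)) + value


def build_hello_pdu(lsr_id: bytes, hold_time: int, key_id: int, seq: int, key: bytes) -> bytes:
    """Build a Hello PDU whose last TLV authenticates the whole PDU.

    The HMAC is computed over the complete PDU with the digest field zeroed, so
    the LSR-ID, hold time, key id and sequence number are all covered."""
    common = _tlv(COMMON_HELLO_TLV, struct.pack("!HH", hold_time, 0))
    auth = _tlv(AUTH_TLV_TYPE, struct.pack("!HQ", key_id, seq) + b"\x00" * DIGEST_LEN)
    msg_body = struct.pack("!I", 0) + common + auth      # Hello message id is 0
    msg = struct.pack("!HH", HELLO_MSG_TYPE, len(msg_body)) + msg_body
    hdr_tail = lsr_id + struct.pack("!H", 0)             # LSR-ID + label space 0
    pdu = struct.pack("!HH", LDP_VERSION, len(hdr_tail) + len(msg)) + hdr_tail + msg
    mac = hmac.new(key, pdu, hashlib.sha256).digest()
    return pdu[:-DIGEST_LEN] + mac                       # fill in the zeroed digest


def verify_hello_pdu(pdu: bytes, hello_keys: dict, allowed_peers: set, last_seq: dict):
    """Receiver-side checks. Returns (accepted, reason).

    hello_keys maps key id -> Hello key (distinct from any TCP session key);
    allowed_peers is the configured set of LSR-IDs we accept Hellos from;
    last_seq records the highest sequence number accepted per peer (replay check)."""
    if len(pdu) < 14:
        return False, "truncated PDU"
    version, pdu_len = struct.unpack("!HH", pdu[:4])
    if version != LDP_VERSION or pdu_len != len(pdu) - 4:
        return False, "bad version or PDU length"
    lsr_id = pdu[4:8]
    if lsr_id not in allowed_peers:
        return False, "peer not in configured allow-list"
    msg_type, msg_len = struct.unpack("!HH", pdu[10:14])
    if msg_type != HELLO_MSG_TYPE or msg_len != len(pdu) - 14:
        return False, "not a well-formed Hello message"
    off, auth = 18, None                      # TLVs start after the 4-byte message id
    while off + 4 <= len(pdu):
        t, length = struct.unpack("!HH", pdu[off:off + 4])
        val = pdu[off + 4:off + 4 + length]
        if len(val) != length:
            return False, "truncated TLV"
        if t == AUTH_TLV_TYPE:
            auth = (off + 4, val)
        off += 4 + length
    if auth is None:
        return False, "unauthenticated Hello rejected"
    val_off, val = auth
    if len(val) != 10 + DIGEST_LEN:
        return False, "malformed auth TLV"
    key_id, seq = struct.unpack("!HQ", val[:10])
    key = hello_keys.get(key_id)
    if key is None:
        return False, "unknown key id"
    if seq <= last_seq.get(lsr_id, -1):
        return False, "replayed or stale sequence number"
    digest_off = val_off + 10
    zeroed = pdu[:digest_off] + b"\x00" * DIGEST_LEN + pdu[digest_off + DIGEST_LEN:]
    expected = hmac.new(key, zeroed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, pdu[digest_off:digest_off + DIGEST_LEN]):
        return False, "HMAC mismatch"
    last_seq[lsr_id] = seq
    return True, "accepted"


if __name__ == "__main__":
    # Constructed sample values: two different keys, one honest peer.
    hello_key = b"hello-key-constructed"
    tcp_session_key = b"tcp-session-key-constructed"   # never accepted for Hellos
    peer = bytes([10, 0, 0, 1])
    keys, allowed, state = {7: hello_key}, {peer}, {}
    good = build_hello_pdu(peer, 15, 7, 1, hello_key)
    print(verify_hello_pdu(good, keys, allowed, state))           # accepted
    print(verify_hello_pdu(good, keys, allowed, state))           # replay rejected
    forged = build_hello_pdu(peer, 15, 7, 2, tcp_session_key)
    print(verify_hello_pdu(forged, keys, allowed, state))         # HMAC mismatch
```

Keeping the Hello key in a separate table from the TCP session key is what makes the "different keys" question concrete: an LSR can rotate or scope the discovery key independently, and a Hello signed with the wrong key is dropped before any session state is created.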
