Re: [mpls] [MPLS] HELP: Need your opinion on LDP security
"Mallette, Edwin" <Edwin.Mallette@bhnis.com> Mon, 25 October 2010 20:34 UTC
From: "Mallette, Edwin" <Edwin.Mallette@bhnis.com>
To: Vero Zheng <verozheng@huawei.com>, mpls <mpls@ietf.org>
Date: Mon, 25 Oct 2010 16:35:58 -0400
Vero,

I cannot think of a case where I would utilize a different key to secure the hellos than the key used to secure the TCP session. That being said, I also cannot think of a specific reason to preclude this functionality.

Ed

From: mpls-bounces@ietf.org [mailto:mpls-bounces@ietf.org] On Behalf Of Vero Zheng
Sent: Monday, October 25, 2010 12:11 AM
To: mpls
Subject: [mpls] [MPLS] HELP: Need your opinion on LDP security

Hi Folks,

We would like to hear your opinion on LDP security.

Unlike all other LDP messages, the Hello messages are sent using UDP not TCP. This means that they cannot benefit from the security mechanisms available with TCP. [RFC5036] does not provide any security mechanisms for use with Hello messages except to note that some configuration may help protect against bogus discovery events.

Do we need to allow the use of different keys from the ones used on the TCP session?

We have submitted a new "LDP Hello Cryptographic Authentication" draft. In this draft, we introduce a new Cryptographic Authentication TLV which is used in LDP Hello message as an optional parameter. An LSR can be configured to only accept Hello messages from specific peers when authentication is in use.

The URL for it is: http://tools.ietf.org/id/draft-zheng-mpls-ldp-hello-crypto-auth-00.txt

Looking forward to your comments.

BR,
Mach and Vero