On (2008-08-05 09:23 -0400), David Curran wrote:

> Is there an actual requirement to run LDP/MPLS over these tunnels or are you
> simply looking to extend a VRF? If it's the latter, Multi-VRF CE (or
> VRF-Lite, whatever) works very well.

My vote on vrf-lite too. I fear we as an industry poop all over L3 MPLS VPN by
doing stunts like this (I'm guilty too). And in a customer role, I would never
trust an L3 MPLS VPN bought from an operator, but would run my own VPN over IP
tunnels on the cheapest pure Internet DSL available.

You should only talk MPLS (be it 'native', OptB or OptC) to a router that is
physically secured (not a customer's cabinet) and administered by a fully
trusted party (not a competitor with whom you run e.g. OptB).

Main grief with having, say, OptB to an untrusted physical location or one
managed by another organization is the lack of label checking, so they can just
inject any labels into the network and they will be forwarded. Sure, the label
space is large, but take a look at what space assigned labels hold, and that
space is very small, and pushing a packet to any VRF from a site connected to
your MPLS network is easy. Of course it's just unidirectional, but we can't
ignore that, since then other people may ignore another 'irrelevant' security
issue that is unidirectional, for the other direction, and you'd have a fully
compromised VRF.

Possible remedies would be for CSCO and JNPR to implement OptB as the RFC
states, so that they'd only accept labels from an OptB ASBR that were
previously advertised to it via BGP. Then you'd only need to trust the ASBR
with the VRFs you're sharing with them, which is much easier to do (they'd be
screwing their own customer). For pure MPLS or OptC there is no remedy; you
could randomize label assignment to make it infeasible to inject traffic into
every VRF, but it doesn't replace the need for trust.

> > From: Aaron Daniels - Lists <[EMAIL PROTECTED]>
> > Date: Tue, 5 Aug 2008 21:44:40 +1000
> > To: <cisco-nsp@puck.nether.net>
> > Subject: [c-nsp] Extending MPLS over external providers cloud
> >
> > Hello Gurus
> >
> > Our organisation runs an MPLS core (basic, MPLS VPNs), but also has some
> > smaller low bandwidth sites connected using DSL via an ISP. This external
> > VRF terminates within a single VRF of ours.
> > We are now looking at extending several of our VRFs to these remote DSL
> > sites, so as far as I see it, we can either put LDP over a tunnel, or each
> > vrf over a separate tunnel.
> > At first glance I was thinking about LDP over DMVPN, which I will lab up
> > over the next few days.
> >
> > Has anyone done something like this before? What methods have been tried and
> > tested, etc, etc.
> > All feedback welcome.
> >
> > Thanks,
> > Aaron Daniels
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

--
++ytti
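The label-injection problem and the two remedies ytti mentions (accept only labels previously advertised to that peer, or randomize label allocation) can be modelled in a few dozen lines. The following is an added example written for this page, not code from the thread, from Cisco, Juniper or any RFC; the ASBR, the peer "competitor", the VRF names and the label values are all constructed for illustration, and the per-peer check is a model of the behaviour the post says the RFC calls for, not a vendor configuration.

```python
"""Toy model of an Inter-AS Option B ASBR and the label-injection problem
described in the thread.  Added example, not code from the post or from any
vendor.  VRF names, peers and label values are constructed for illustration."""
import random

LABEL_MIN = 16                 # labels 0-15 are reserved
LABEL_MAX = (1 << 20) - 1      # 20-bit label field


class OptionBAsbr:
    """An ASBR that exchanges labeled VPN-IPv4 routes with an external peer."""

    def __init__(self, randomize_labels=False, check_advertised=False, seed=1):
        self.randomize_labels = randomize_labels
        self.check_advertised = check_advertised
        self._rng = random.Random(seed)
        self._next_label = LABEL_MIN
        self.label_to_vrf = {}     # local VPN label -> VRF it delivers into
        self.advertised = {}       # peer -> set of labels sent to that peer via MP-BGP

    def add_vrf(self, vrf):
        """Allocate a VPN label for a VRF.  Sequential allocation mirrors what
        the post complains about: assigned labels sit in a tiny, dense range."""
        if self.randomize_labels:
            label = self._rng.randint(LABEL_MIN, LABEL_MAX)
            while label in self.label_to_vrf:
                label = self._rng.randint(LABEL_MIN, LABEL_MAX)
        else:
            label = self._next_label
            self._next_label += 1
        self.label_to_vrf[label] = vrf
        return label

    def advertise(self, peer, vrf):
        """Share one VRF's route (with its label) with an external peer."""
        label = next(l for l, v in self.label_to_vrf.items() if v == vrf)
        self.advertised.setdefault(peer, set()).add(label)

    def receive(self, peer, label):
        """A labeled packet arrives from `peer`.  Returns the VRF it is delivered
        into, or None if dropped.  Without the per-peer check, any label that
        happens to be assigned locally is forwarded, whoever sent it."""
        if self.check_advertised and label not in self.advertised.get(peer, set()):
            return None
        return self.label_to_vrf.get(label)


def build_asbr(randomize_labels=False, check_advertised=False):
    """Constructed scenario: one VRF is legitimately shared with the peer
    'competitor'; three other VRFs are this operator's own customers."""
    asbr = OptionBAsbr(randomize_labels, check_advertised)
    for vrf in ("shared-with-competitor", "cust-a", "cust-b", "cust-c"):
        asbr.add_vrf(vrf)
    asbr.advertise("competitor", "shared-with-competitor")
    return asbr


def vrfs_reachable_by_injection(asbr, peer, tries):
    """Attacker at `peer` sprays labels 16, 17, ... and records which VRFs the
    packets land in: the unidirectional injection the post describes."""
    reached = set()
    for label in range(LABEL_MIN, LABEL_MIN + tries):
        vrf = asbr.receive(peer, label)
        if vrf is not None:
            reached.add(vrf)
    return reached


def labels_to_scan(asbr):
    """How far a sequential scan must go to have tried every assigned label."""
    return max(asbr.label_to_vrf) - LABEL_MIN + 1


if __name__ == "__main__":
    naive = build_asbr()
    print("no check, sequential labels:",
          sorted(vrfs_reachable_by_injection(naive, "competitor", 100)))
    checked = build_asbr(check_advertised=True)
    print("per-peer label check:",
          sorted(vrfs_reachable_by_injection(checked, "competitor", 100)))
    randomized = build_asbr(randomize_labels=True)
    print("randomized labels, scan length needed:", labels_to_scan(randomized))
```

With sequential allocation and no check, a hundred probe packets from the competitor's ASBR land in every VRF on the box, including customers it was never meant to see. The per-peer check reduces that to the one VRF actually shared with it. Randomizing labels only raises the attacker's cost (the scan has to cover most of the 20-bit space), which is why the post treats it as a mitigation and not a substitute for trusting the peer.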