On (2014-09-02 07:54 +0000), Vitkovský Adam wrote:

Hi Adam,

> I see. As the Cisco MPLS label security check looks only at the top-most label, we have to
> make sure the top-most label is indeed the VPN label, which applies only to the
> Option B with direct-link peering and explicit-null signalling scenario, and possibly
> it could work in Option C where the PE (acting as ASBR & Inter-AS RR) BGP-peers
> with the CE via a direct link, so that there is just the VPN label in the label
> stack.

If I understood that correctly, you propose that in OptC we verify the top label:
we distributed it, so we should be able to verify it is one of ours.  However,
I don't think this brings us any security?  Because the 2nd label may be
another PE box, so the attack is just going to have to take a round trip via one of
the allowed egress PE boxes before going to the target PE?

For OptB, I think the verification should be: the stack is 1 label deep, and we've
just ourselves advertised the label, so there should be no room for spoofing.

-- 
  ++ytti
_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
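The two verification policies discussed in the message above, modelled as an added example (this is not code from the thread, from Cisco, or from any router feature; the label values, the ASBR state and the packets are constructed for illustration). A "top-label-only" policy accepts any frame whose outermost label was advertised by the local ASBR, which is what the quoted description of the Cisco check amounts to; ytti's proposed Option B rule additionally requires the stack to be exactly one label deep and that single label to be one of the locally advertised VPN labels. The third constructed packet shows why the first policy is weak in Option C: a transport label the ASBR legitimately advertised for one of its PEs sits on top of an arbitrary VPN label that is never inspected.

```python
"""Model of label-stack verification at an Inter-AS ASBR (added example, not router code)."""
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class LabeledPacket:
    """Label stack of a frame arriving on the inter-AS link; labels[0] is the top-most label."""
    labels: Tuple[int, ...]


@dataclass
class Asbr:
    """The part of local ASBR state the check needs: labels this box itself handed to the peer."""
    advertised_vpn_labels: Set[int]        # Option B: VPN labels we re-advertised with ourselves as next hop
    advertised_transport_labels: Set[int]  # Option C: labelled-unicast (BGP-LU) labels for our PE loopbacks

    def advertised(self) -> Set[int]:
        return self.advertised_vpn_labels | self.advertised_transport_labels


def top_label_only_check(asbr: Asbr, pkt: LabeledPacket) -> bool:
    """Accept if the outermost label is one we advertised; anything beneath it is not looked at."""
    return bool(pkt.labels) and pkt.labels[0] in asbr.advertised()


def option_b_check(asbr: Asbr, pkt: LabeledPacket) -> bool:
    """Option B rule from the message: exactly one label, and it is a VPN label we ourselves advertised."""
    return len(pkt.labels) == 1 and pkt.labels[0] in asbr.advertised_vpn_labels


def evaluate(asbr: Asbr, packets: Dict[str, LabeledPacket]) -> Dict[str, Tuple[bool, bool]]:
    """Run both policies over a set of packets; returns name -> (top_label_only, option_b)."""
    return {name: (top_label_only_check(asbr, p), option_b_check(asbr, p))
            for name, p in packets.items()}


# Constructed ASBR state: hypothetical label values chosen for the example.
ASBR = Asbr(advertised_vpn_labels={100001, 100002},
            advertised_transport_labels={24001, 24002})

# Constructed packets arriving from the peer AS.
PACKETS = {
    "legit_optb":  LabeledPacket((100001,)),        # one VPN label, and it is one of ours
    "spoof_depth1": LabeledPacket((555555,)),       # one label, but we never advertised it
    "spoof_optc":  LabeledPacket((24001, 777777)),  # our transport label on top, arbitrary VPN label beneath
    "empty":       LabeledPacket(()),               # no label stack at all
}

if __name__ == "__main__":
    for name, (top_only, opt_b) in evaluate(ASBR, PACKETS).items():
        print(f"{name:13s} top-label-only={top_only!s:5s} option-b={opt_b}")
```

The "spoof_optc" row is the interesting one: the top-label-only policy passes it because label 24001 was genuinely advertised by this ASBR, yet the inner label 777777 is whatever the sender chose, which is the gap ytti points out for Option C. The Option B rule rejects it on stack depth alone.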
