The MPLS WG Archive

Subject: MPLS vs IP encap in RFC2547
Hi Marc,

> maybe I'm missing something but from what you say I can't see the
> "spoof probability is higher for MPLS than for IP encapsulation". Looks
> more like a "not much difference" for me.

My argument was based on the fact that in an IP/MPLS network, VPN packets could potentially be forwarded using MPLS-in-IP/GRE or MPLS label stacking. Therefore at first pass I assumed the spoofing probability was P(MPLS-in-IP/GRE spoof attack) + P(MPLS label stacked spoof attack). However, having thought about it further, even if MPLS-in-IP/GRE was supported by default across an IP/MPLS network, it would be easy to stop MPLS-in-IP spoofing attacks by using IP protocol number filtering.

I now agree with existing IETF drafts that say VPN packet spoofing is easier to protect against in an MPLS PSN than it is in an IP PSN. However, this is based on the fact that 1) MPLS packets received at the edge can be dropped (or their labels checked against distributed labels if the interface supports MPLS), and 2) MPLS-in-IP/GRE packets (if supported) can be dropped by simply filtering on the IP protocol number. As far as I know, the current IETF drafts only mention 1, and not 2. I guess how important 2 is depends on whether router implementations support MPLS-in-IP/GRE by default and therefore IP protocol number filtering is required, or if MPLS-in-IP/GRE support is a feature that providers can simply turn on or off.

> The overall complexity of the MPLS control plane is larger than for
> native IP due to additional protocols like LDP and RSVP. The challenge
> to protect these protocols is similar to a native IP network and the
> protection mechanisms are identical, e.g. MD5 hashing, infrastructure
> ACL and so on. With more protocols in place it is probably easier to
> disturb the MPLS service.

Agreed, IP only needs routing protocols whereas MPLS requires routing and signalling protocols, which adds extra complexity. However, using protocols like L2TP in an IP network also increases complexity.

> I disagree with your statement that in an IP/MPLS network both options
> are available, forwarding based on IP and on MPLS and thus the overall
> risk is the sum of both.

Yes, I agree that my original statement was incorrect, as I had not taken into account how easy it would be to block MPLS-in-IP packets in an IP/MPLS network.

> To spoof into an MPLS VPN from the forwarding plane you need labelled traffic …

… or support for MPLS-in-IP/GRE traffic.

Thanks for your comments,
Richard
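The two edge checks Richard lists (check 1: drop labelled packets on the edge interface unless their top label was actually distributed to that neighbour; check 2: drop MPLS-in-IP/GRE by filtering on the IP protocol number), as an added example that is not code from this thread or from any router vendor. It assumes the IANA protocol numbers 137 (MPLS-in-IP, RFC 4023) and 47 (GRE), the GRE protocol types 0x8847/0x8848 for MPLS, and a constructed label set standing in for the labels a PE really advertised.

```python
import struct

IPPROTO_GRE = 47                    # GRE, RFC 2784
IPPROTO_MPLS_IN_IP = 137            # MPLS-in-IP, RFC 4023
GRE_MPLS_TYPES = {0x8847, 0x8848}   # GRE protocol type: MPLS unicast / multicast


def ipv4_verdict(pkt: bytes) -> str:
    """Check 2: an IPv4 packet arriving on an edge interface is dropped if it carries
    MPLS, either directly (protocol 137) or inside GRE (protocol 47 with an MPLS
    protocol type). Returns 'accept' or a 'drop: ...' reason."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "drop: not IPv4"
    ihl = (pkt[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto = pkt[9]                     # IPv4 protocol field
    if proto == IPPROTO_MPLS_IN_IP:
        return "drop: MPLS-in-IP"
    if proto == IPPROTO_GRE:
        if len(pkt) < ihl + 4:         # need flags/version + protocol type
            return "drop: truncated GRE"
        gre_type = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
        if gre_type in GRE_MPLS_TYPES:
            return "drop: MPLS-in-GRE"
    return "accept"


def mpls_verdict(label_stack: bytes, distributed_labels: set) -> str:
    """Check 1: a labelled packet on an MPLS-enabled edge interface is accepted only
    if its top label is one this PE distributed to that neighbour."""
    if len(label_stack) < 4:
        return "drop: short label stack"
    top_label = struct.unpack("!I", label_stack[:4])[0] >> 12   # 20-bit label field
    return "accept" if top_label in distributed_labels else "drop: unknown label"


def make_ipv4(proto: int, payload: bytes) -> bytes:
    """Constructed sample: minimal 20-byte IPv4 header (checksum left zero) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + payload


def make_label(label: int, ttl: int = 64) -> bytes:
    """Constructed sample: one MPLS label entry (label, exp=0, bottom-of-stack=1, ttl)."""
    return struct.pack("!I", (label << 12) | (1 << 8) | ttl)


if __name__ == "__main__":
    print("MPLS-in-IP  ->", ipv4_verdict(make_ipv4(IPPROTO_MPLS_IN_IP, make_label(100))))
    print("MPLS-in-GRE ->", ipv4_verdict(make_ipv4(IPPROTO_GRE, b"\x00\x00\x88\x47" + make_label(100))))
    print("IP-in-GRE   ->", ipv4_verdict(make_ipv4(IPPROTO_GRE, b"\x00\x00\x08\x00")))
    print("label 100   ->", mpls_verdict(make_label(100), {100, 200}))
```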