The MPLS-OPS Archive


RFC2547bis security

  • From: "M. ELK" <elkou141061@hotmail.com>
  • Date: Sun, 28 Jul 2002 19:34:24 +0000
  • Resent-Date: Sun, 28 Jul 2002 16:47:34 -0400
  • To: mpls-ops@mplsrc.com

The draft, in section 6, states:
 
Quote
6. Maintaining Proper Isolation of VPNs

   To maintain proper isolation of one VPN from another, it is important
   that no router in the backbone accept a labeled packet from any
   adjacent non-backbone device unless the following two conditions
   hold:

      1. the label at the top of the label stack was actually
         distributed by that backbone router to that non-backbone
         device, and

      2. the backbone router can determine that use of that label will
         cause the packet to leave the backbone before any labels lower
         in the stack will be inspected, and before the IP header will
         be inspected.
   The first condition ensures that any labeled packets received from
   non-backbone routers have a legitimate and properly assigned label at
   the top of the label stack.  The second condition ensures that the
   backbone routers will never look below that top label.  Of course,
   the simplest way to meet these two conditions is just to have the
   backbone devices refuse to accept labeled packets from non-backbone
  Unquote
 
For condition number 2, how could a router check such a condition?
 
Brgds


------- The MPLS-OPS Mailing List Subscribe/Unsubscribe: http://www.mplsrc.com/mplsops.shtml Archive: http://www.mplsrc.com/mpls-ops_archive.shtml
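
The two conditions from the quoted section 6, modelled as a per-interface acceptance check on a router's own label state. This is an added example, not part of the original message or of the draft; the class, the two action names, and the interface and label values are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    FORWARD_NO_LOOKUP = "swap or pop, then send on out_if without reading further"
    LOOKUP_BELOW = "pop, then inspect the next label or the IP header"


@dataclass(frozen=True)
class LabelEntry:
    action: Action
    out_if: str


class BackboneRouter:
    """Simplified model (assumption): all names and values are constructed."""

    def __init__(self, backbone_ifs):
        self.backbone_ifs = set(backbone_ifs)
        self.lfib = {}         # label -> LabelEntry installed by this router
        self.distributed = {}  # non-backbone interface -> labels sent to that peer

    def distribute(self, peer_if, label, entry):
        """Record that this router assigned `label` and advertised it on peer_if."""
        self.lfib[label] = entry
        self.distributed.setdefault(peer_if, set()).add(label)

    def accept(self, in_if, label_stack):
        """Return (accepted, reason); label_stack[0] is the top of the stack."""
        if in_if in self.backbone_ifs or not label_stack:
            return True, "not a labeled packet from a non-backbone device"
        top = label_stack[0]
        # Condition 1: the top label was distributed by us to this very neighbor.
        if top not in self.distributed.get(in_if, set()):
            return False, "condition 1 failed"
        # Condition 2: our own entry for the label sends the packet out of the
        # backbone without reading lower labels or the IP header.
        entry = self.lfib[top]
        if entry.action is not Action.FORWARD_NO_LOOKUP or entry.out_if in self.backbone_ifs:
            return False, "condition 2 failed"
        return True, "both conditions hold"


# Constructed sample state: one backbone link and two labels advertised on "ce-a".
router = BackboneRouter(backbone_ifs={"core0"})
router.distribute("ce-a", 100, LabelEntry(Action.FORWARD_NO_LOOKUP, "ce-b"))
router.distribute("ce-a", 200, LabelEntry(Action.LOOKUP_BELOW, "core0"))
```

In this model an interface on which no labels were ever distributed rejects every labeled packet, since condition 1 can never hold for it.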