The MPLS-OPS Archive

[Rajiv Asati <rajiva@cisco.com>]

At 03:34 PM 7/28/2002, M. ELK wrote:
> the draft in section 6 state : 
>  
> Quote 
> 6. Maintaining Proper Isolation of VPNs
>
>    To maintain proper isolation of one VPN from another, it is
> important
>    that no router in the backbone accept a labeled packet from
> any
>    adjacent non-backbone device unless the following two
> conditions
>    hold:
>
>       1. the label at the top of the label stack
> was actually
>          distributed by that
> backbone router to that non-backbone
>          device, and
>
>       2. the backbone router can determine that
> use of that label will
>          cause the packet to
> leave the backbone before any labels lower
>          in the stack will be
> inspected, and before the IP header will
>          be inspected.
>    The first condition ensure that any labeled packets received
> from
>    non-backbone routers have a legitimate and properly assigned
> label at
>    the top of the label stack.  The second condition
> ensures that the
>    backbone routers will never look below that top label. 
> Of course,
>    the simplest way to meet these two conditions is just to
> have the
>    backbone devices refuse to accept labeled packets from
> non-backbone
>   Unquote 
>  
> For condition nbr "2", how a Router could check such condition
> . 

Backbone router must only do a one label lookup. No deeper than that.

Cheers,
Rajiv

 
Brgds

---

MSN Photos is the easiest way to share and print your photos: Click Here
------- The MPLS-OPS Mailing List Subscribe/Unsubscribe: http://www.mplsrc.com/mplsops.shtml Archive: http://www.mplsrc.com/mpls-ops_archive.shtml