The MPLS-OPS Archive

Re: Flooding in MPLS

  • From: Ajay Simha <asimha@cisco.com>
  • Date: Sat, 11 Jan 2003 10:39:09 -0500
  • Cc: mpls-ops@mplsrc.com, "Thomas D. Nadeau" <tnadeau@cisco.com>
  • Resent-Date: Sat, 11 Jan 2003 12:08:06 -0500
  • To: Mehwish Ahmed <mehwishkhurshid@yahoo.com>
  • User-Agent: Mutt/1.4i

On Sat Jan 11 10:33:41 2003, Ajay Simha wrote:
> On Fri Jan 10 20:22:24 2003, Mehwish Ahmed wrote:
> > 
> >    How can we address flooding attacks in MPLS?
> >    
> >    An attacker cannot be prevented from finding a way to flood the router
> >    with bogus routing messages. Flooding the PE router from a CE cannot
> >    break security as far as the MPLS mechanisms are concerned.
> 
> Why is this a concern? If this happens more than once the SP gets rid of this customer - period. :)
> 
> Also, no SP I know would want to run an IGP instance (other than vrf) towards the CE. You also
> have knobs like max routes per vrf (at least on Cisco) to offer some protection.

And one more thing: there are notifications in SNMP (traps) that I found:

mplsNumVrfRouteMidThresExceeded
mplsNumVrfRouteMaxThresExceeded

which you can use as a trigger to act on these misbehaving customers.

-ajay
> 
> -ajay

-------
The MPLS-OPS Mailing List
Subscribe/Unsubscribe:  http://www.mplsrc.com/mplsops.shtml
Archive: http://www.mplsrc.com/mpls-ops_archive.shtml
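
One way to use the two traps named in the message above as a trigger, shown as an added example that is not part of the original thread: it reads trap records, tracks each PE/VRF pair, and escalates when the max-route threshold is hit repeatedly. The one-line-per-trap input format, the 24-hour window, the repeat limit and the action names are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MID = "mplsNumVrfRouteMidThresExceeded"   # trap names as quoted in the message
MAX = "mplsNumVrfRouteMaxThresExceeded"
WINDOW = timedelta(hours=24)   # assumed policy: look-back window for repeats
REPEAT_LIMIT = 2               # assumed policy: max-threshold hits before escalation

# Constructed sample input in a hypothetical one-line-per-trap format
# (timestamp, PE, trap name, key=value fields); not real trap receiver output.
SAMPLE = """\
2003-01-11T09:00:05 pe1 mplsNumVrfRouteMidThresExceeded vrf=cust-a routes=801
2003-01-11T09:02:10 pe1 mplsNumVrfRouteMaxThresExceeded vrf=cust-a routes=1000
2003-01-11T09:30:00 pe2 mplsNumVrfRouteMidThresExceeded vrf=cust-b routes=410
2003-01-11T15:45:30 pe1 mplsNumVrfRouteMaxThresExceeded vrf=cust-a routes=1000
garbage line that should be skipped
2003-01-13T08:00:00 pe2 mplsNumVrfRouteMaxThresExceeded vrf=cust-b routes=500
"""

def parse(line):
    """Return (time, pe, trap, vrf), or None for a line that does not match."""
    parts = line.split()
    fields = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
    if len(parts) < 4 or parts[2] not in (MID, MAX) or "vrf" not in fields:
        return None
    try:
        return datetime.fromisoformat(parts[0]), parts[1], parts[2], fields["vrf"]
    except ValueError:   # malformed timestamp
        return None

def triage(text):
    """Map each (pe, vrf) to the highest action its traps justify."""
    rank = {"warn": 1, "limit-hit": 2, "escalate": 3}
    max_hits, actions = defaultdict(list), {}
    for when, pe, trap, vrf in filter(None, map(parse, text.splitlines())):
        key, action = (pe, vrf), "warn"
        if trap == MAX:
            # keep only earlier hits inside the look-back window, then add this one
            hits = [t for t in max_hits[key] if when - t <= WINDOW] + [when]
            max_hits[key] = hits
            action = "escalate" if len(hits) >= REPEAT_LIMIT else "limit-hit"
        if rank[action] > rank.get(actions.get(key), 0):
            actions[key] = action
    return actions

if __name__ == "__main__":
    print(triage(SAMPLE))
```
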