The MPLS-OPS Archive
Re: RE: Label Distribution Process
From: "Shailendra Gupta" <shailendra.gupta@estelcom.com>
Date: Mon, 2 Feb 2004 13:34:58 +0530
Resent-Date: Mon, 2 Feb 2004 03:48:30 -0500
To: "MPLS-ops Mailing List" <mpls-ops@mplsrc.com>, "Roger Clark Williams" <rogerw@nordlink.com>
----- Original Message -----
Sent: Monday, February 02, 2004 1:34 PM
Subject: Re: RE: [MPLS-OPS]: Label Distribution Process
Dear Roger,

Thanks for the clarification. Indeed, "per platform" has this problem, which may be minimized through Secured RR & Ext BGP-Peering. Please post/advise how we can invoke "per interface" space for non-ATM/Frame Relay core connectivity.

Shailendra
----- Original Message -----
Sent: Saturday, January 31, 2004 8:00 PM
Subject: Fwd: RE: [MPLS-OPS]: Label Distribution Process
Kartik, as far as I know, a Cisco ATM interface will
automatically run LDP in the downstream-on-demand mode. For more information
on this, see http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a0080134a96.html.
The idea behind label spoofing would be this: Assume for a moment
that someone's IP address is blocked from a destination by an Access List.
Assume also this unscrupulous someone wants to get to this destination over
an MPLS network. If that person could find the label that is issued by a
given router for that destination and insert it in a frame, and if they
could connect to any interface of the router that issued the label, they
could then send the frame and the router would forward the frame towards the
destination. This is one reason that Service Provider label distribution is
normally limited to network-facing interfaces and not customer-facing
interfaces.
I hope this is helpful.
Roger Williams
From: "kartik" <kartik.kashyap@estelcom.com>
To: "Roger Clark Williams" <rogerw@nordlink.com>, "MPLS-ops Mailing List" <mpls-ops@mplsrc.com>
Subject: RE: [MPLS-OPS]: Label Distribution Process
Date: Sat, 31 Jan 2004 09:58:52 +0530
Dear Roger,

It was a good post. I would like to understand:
- What is label spoofing? How does it happen?
- How can we use downstream on demand on Cisco routers?

Regards,
Kartik
-----Original Message-----
From: Roger Clark Williams [mailto:rogerw@nordlink.com]
Sent: Friday, January 30, 2004 11:37 PM
To: MPLS-ops Mailing List
Subject: Fwd: [MPLS-OPS]: Label Distribution Process
Shailendra, it can get confusing. And I may
have it confused as well, but I will say what I believe to be true.
Upstream and downstream, even though the terms are used relative
to labels, are always in reference to the direction of traffic flow, not
direction of label distribution. Also remember that labels are
unidirectional, so though we talk about a single traffic direction in the
example, in fact the same thing happens the other direction for traffic
flowing the opposite way.
Downstream distribution in general
means that the router will distribute labels for a certain destination in
a direction away from that destination, i.e. out interfaces that are not
the direction to the destination. The name seems counter-intuitive, as the
actual label distribution is, in fact, upstream relative to traffic flow.
The router sends out a label whenever it learns about a destination. The
distribution tends to be what is called a platform specific label. This
means that, for a single destination, the same label can be distributed on
all upstream interfaces. When used on a frame heading toward the
destination (i.e. downstream), the label coming in any interface will be
recognized by that router. The benefit is that, assuming some sort of
meshed network, there will be multiple labels at every router that could
be used to forward packets toward a destination if the chosen path goes
down. The reason: Assuming a link state routing protocol such as OSPF or
IS-IS, the router is learning about destinations from multiple sources,
and therefore has multiple labels from downstream routers. One drawback is
that a spoofed label would still be recognized by the router regardless of
the interface it enters.
Downstream on demand has a slightly
different pattern. The router will not distribute a label until asked by
the upstream router, the router farther away from the destination. How
would it know to ask? When a frame arrives at the ingress router with an
IP address for the destination, that router has no label for the
destination. It asks for one from the router closer to the destination.
That downstream router in turn asks the next closer router, and this goes
on all the way downstream to the egress router. Each router is waiting now
for a label from the next one closer. The egress sends a label upstream.
This allows the next router in line to release a label upstream, and so it
goes upstream until the ingress router gets a label for the destination.
Only then can the ingress router forward a frame. This method is used in
situations in which there is a premium on available or supported labels,
ATM specifically. As well, this distribution tends to be
interface-specific, with a specific label sent out only on the interface
on which the original request arrived. Though there will be a delay in the
initial forwarding, one benefit would be security: A labelled frame must
arrive on a specific interface or it will be rejected. Spoofing labels
would be more difficult.
Unless I am mistaken, Cisco doesn't use
upstream distribution, and I am certainly willing to be corrected if I am
wrong. If Juniper does we can wait for that word from a Juniper person.
But it brings up an interesting point. Each manufacturer will claim to be
following the LDP standard, and in fact they are - to a degree. If one
does support upstream distribution and the other doesn't, then even though
they are both following the standard as far as they go, the two will not
communicate. It is always worth asking the salesperson - carefully - what
the platform actually supports.
I hope this helps.
Roger Williams
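As an added illustration, not part of Roger's post or of any vendor's LDP implementation: a toy Python model of the two behaviours he describes, a per-platform label space filled by downstream unsolicited distribution versus a per-interface label space filled by downstream on demand. Interface names, label values and the prefix are constructed; the point it shows is that the per-platform router honours a label on whichever interface it arrives, while the per-interface router only honours it on the interface the label was issued for.

```python
from dataclasses import dataclass, field

@dataclass
class LSR:
    """Toy label switch router (constructed for illustration, not real LDP).
    label_space "platform": one label per FEC, honoured on every interface.
    label_space "interface": a label is valid only on the interface it was
    advertised out of, which is what makes a spoofed label harder to use."""
    name: str
    label_space: str
    next_label: int = 100
    lfib: dict = field(default_factory=dict)  # (in_if or None, label) -> (out_if, out_label)

    def bind(self, fec, out_if, out_label, upstream_ifs):
        """Allocate local label(s) for fec toward upstream_ifs; return {interface: label}."""
        bindings = {}
        for in_if in upstream_ifs:
            if self.label_space == "platform" and bindings:
                bindings[in_if] = next(iter(bindings.values()))  # reuse the single label
                continue
            label, self.next_label = self.next_label, self.next_label + 1
            key = (None, label) if self.label_space == "platform" else (in_if, label)
            self.lfib[key] = (out_if, out_label)
            bindings[in_if] = label
        return bindings

    def forward(self, in_if, label):
        """LFIB lookup for a labelled frame; None means the frame is dropped."""
        return self.lfib.get((None, label)) or self.lfib.get((in_if, label))


def distribute(lsr, fec, out_if, out_label, upstream_ifs, mode, requests=()):
    """Downstream unsolicited: bind for every upstream interface as soon as the
    FEC is learned. Downstream on demand: bind only where a label request arrived."""
    targets = list(upstream_ifs) if mode == "unsolicited" else [i for i in upstream_ifs if i in requests]
    return lsr.bind(fec, out_if, out_label, targets)


FEC = "10.0.0.0/24"  # constructed destination prefix

def demo():
    p = LSR("P1", "platform")  # per-platform space, labels pushed to core and customer ports alike
    plat = distribute(p, FEC, "core1", 300, ["core0", "cust0"], "unsolicited")
    i = LSR("P1", "interface")  # per-interface space, only the requesting core port gets a label
    intf = distribute(i, FEC, "core1", 300, ["core0", "cust0"], "on-demand", requests=["core0"])
    return {
        "platform_bindings": plat,
        "platform_label_on_cust0": p.forward("cust0", plat["core0"]),   # forwarded regardless of port
        "interface_bindings": intf,
        "interface_label_on_core0": i.forward("core0", intf["core0"]),  # forwarded
        "interface_label_on_cust0": i.forward("cust0", intf["core0"]),  # rejected: wrong interface
    }
```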
From: "Shailendra Gupta" <shailendra.gupta@estelcom.com>
To: <mpls-ops@mplsrc.com>
Date: Fri, 30 Jan 2004 12:52:45 +0530
Subject: [MPLS-OPS]: Label Distribution Process
Dear Friends,

Kindly help to clarify the following label distribution mechanisms, their associated benefits, and Cisco/Juniper default support:
1. Downstream Distribution
2. Downstream on Demand Distribution
3. Upstream on Demand Distribution

Peter Tomsu & Gerhard Wieser [Prentice Hall] have very briefly described the same, and I have some confusion on this subject. Please share your views & supply any available link on the same.

Thanks in advance.
Shailendra

------- The MPLS-OPS Mailing List
Subscribe/Unsubscribe: http://www.mplsrc.com/mplsops.shtml
Archive: http://www.mplsrc.com/mpls-ops_archive.shtml