The MPLS-OPS Archive

Re: Fwd: RE: Label Distribution Process
Hi Roger,

Thank you for the excellent explanation. There are some queries I have raised inline.

The idea behind label spoofing would be this: Assume for a moment that someone's IP address is blocked from a destination by an Access List. Assume also this unscrupulous someone wants to get to this destination over an MPLS network.

===> Will this not need this "someone" to be present in the core of the network/within the service provider network? Though, I admit it can have an IMPACT on the Carrier of Carriers scenario.

If that person could find the label that is issued by a given router for that destination and insert it in a frame, and if they could connect to any interface of the router that issued the label, they could then send the frame and the router would forward the frame towards the destination. This is one reason that Service Provider label distribution is normally limited to network-facing interfaces and not customer-facing interfaces.

From: Roger Clark Williams [mailto:rogerw@nordlink.com]

Downstream distribution in general means that the router will distribute labels for a certain destination in a direction away from that destination, i.e. out interfaces that are not the direction to the destination. The name seems counter-intuitive, as the actual label distribution is, in fact, upstream relative to traffic flow. The router sends out a label whenever it learns about a destination. The distribution tends to be what is called a platform-specific label. This means that, for a single destination, the same label can be distributed on all upstream interfaces. When used on a frame heading toward the destination (i.e. downstream), the label coming in any interface will be recognized by that router. The benefit is that, assuming some sort of meshed network, there will be multiple labels at every router that could be used to forward packets toward a destination if the chosen path goes down.

The reason: Assuming a link state routing protocol such as OSPF or IS-IS, the router is learning about destinations from multiple sources, and therefore has multiple labels from downstream routers.

===> This would be the case with any routing protocol in a full mesh/ring or any other topology, would it not?

One drawback is that a spoofed label would still be recognized by the router regardless of the interface it enters.

==> That's true even today on an IP network. As long as routing cannot be made symmetric, this problem will crop up at any point of time.

Downstream on demand has a slightly different pattern. The router will not distribute a label until asked by the upstream router, the router farther away from the destination. How would it know to ask? When a frame arrives at the ingress router with an IP address for the destination, that router has no label for the destination. It asks for one from the router closer to the destination. That downstream router in turn asks the next closer router, and this goes on all the way downstream to the egress router.

==> This I believe is also called "data driven LSP setup"? Doesn't the impact on LSP setup time etc. cause problems? If that was the case to be, even RSVP-TE would be a good fit.

Each router is waiting now for a label from the next one closer. The egress sends a label upstream. This allows the next router in line to release a label upstream, and so it goes upstream until the ingress router gets a label for the destination. Only then can the ingress router forward a frame. This method is used in situations in which there is a premium on available or supported labels, ATM specifically. As well, this distribution tends to be interface-specific, with a specific label sent out only on the interface on which the original request arrived. Though there will be a delay in the initial forwarding, one benefit would be security: A labelled frame must arrive on a specific interface or it will be rejected. Spoofing labels would be more difficult.

==> Which would also mean that the same label could not be used on different interfaces. Hence an LSR kind of device can have only 2^20 flows passing through it?

Unless I am mistaken, Cisco doesn't use upstream distribution, and I am certainly willing to be corrected if I am wrong.

==> This part has made me confused. I read through the part where you described upstream label distribution. Consider a typical label distribution protocol. It tends to look at a way to set up an LSP to a destination (assuming the on-demand case). It then uses the routing information it has to contact an upstream node and so on to get a label. So as long as the routing protocol which is modified to act as the label distribution protocol is sending out "destination prefixes" or information on how to reach a destination, how would one case be different from the other? In other words, how would the LSP set up by an "upstream on demand" be different as far as the path goes?
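As an added illustration of the contrast drawn in this exchange (this is example code written for this archive page, not code from the thread or from any vendor implementation), here is a small Python model of an LSR's label lookup. One LSR uses a platform-wide label space, as in the downstream unsolicited description, where the same label is valid on every core interface; the other binds each label to the single interface the request came in on, as in the downstream on demand description. Both refuse labelled frames on customer-facing interfaces, which is the "network-facing interfaces only" practice mentioned in the thread. Interface names, labels and the 10.0.0.0/24-style destination are constructed for the example.

```python
"""Toy model of an LSR's label lookup under the two label-space styles the
thread contrasts: a platform-wide label space (downstream unsolicited; one
label is valid on every core interface) and an interface-specific label
space (downstream on demand; a label is valid only on the interface the
request arrived on).  All interface names, labels and prefixes are
constructed for this example."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Tuple, Union

MAX_LABEL = (1 << 20) - 1   # the MPLS label field is 20 bits wide


class Role(Enum):
    CORE = "core"           # network-facing: labels are distributed here
    CUSTOMER = "customer"   # customer-facing: no label distribution


@dataclass
class LFIBEntry:
    out_if: str
    out_label: int


@dataclass
class LSR:
    name: str
    interfaces: Dict[str, Role]
    per_interface: bool     # True = interface-specific label space
    lfib: Dict[Union[int, Tuple[str, int]], LFIBEntry] = field(default_factory=dict)

    def distribute(self, in_if: str, in_label: int, out_if: str, out_label: int) -> None:
        """Record a label this LSR handed to the neighbour on `in_if`.
        Platform label space: keyed by label alone, so the same label is
        accepted on any core interface.  Interface-specific label space:
        keyed by (interface, label)."""
        if not 16 <= in_label <= MAX_LABEL:      # 0-15 are reserved labels
            raise ValueError("label outside the 20-bit label space")
        if self.interfaces[in_if] is not Role.CORE:
            raise ValueError("labels are only distributed on core interfaces")
        key = (in_if, in_label) if self.per_interface else in_label
        self.lfib[key] = LFIBEntry(out_if, out_label)

    def forward(self, in_if: str, label: int):
        """Return ('forward', out_if, out_label) or ('drop', reason)."""
        # Never accept a labelled frame on an interface where no labels were
        # distributed (customer-facing ports).
        if self.interfaces.get(in_if) is not Role.CORE:
            return ("drop", "labelled frame on non-core interface")
        key = (in_if, label) if self.per_interface else label
        entry = self.lfib.get(key)
        if entry is None:
            return ("drop", "no LFIB entry for this label on this interface")
        return ("forward", entry.out_if, entry.out_label)


# Constructed topology: three core-facing ports and one customer-facing port.
IFACES = {"ge-0/0/0": Role.CORE, "ge-0/0/1": Role.CORE,
          "ge-0/0/2": Role.CORE, "ge-0/0/3": Role.CUSTOMER}


def build_platform_lsr() -> LSR:
    """Downstream unsolicited: label 100 for the destination is sent to every
    upstream core neighbour, so it is valid on ge-0/0/0 and ge-0/0/1 alike."""
    lsr = LSR("P1", IFACES, per_interface=False)
    lsr.distribute("ge-0/0/0", 100, "ge-0/0/2", 300)
    lsr.distribute("ge-0/0/1", 100, "ge-0/0/2", 300)
    return lsr


def build_on_demand_lsr() -> LSR:
    """Downstream on demand: only the neighbour on ge-0/0/0 asked, so label
    100 is bound to that interface alone."""
    lsr = LSR("P2", IFACES, per_interface=True)
    lsr.distribute("ge-0/0/0", 100, "ge-0/0/2", 300)
    return lsr


def spoof_outcomes() -> Dict[str, tuple]:
    """What happens to a frame carrying label 100 arriving on each interface
    of both LSRs; the interesting case is the interface the label was never
    distributed on."""
    platform, on_demand = build_platform_lsr(), build_on_demand_lsr()
    return {
        "platform/ge-0/0/0": platform.forward("ge-0/0/0", 100),
        "platform/ge-0/0/1": platform.forward("ge-0/0/1", 100),
        "platform/ge-0/0/3": platform.forward("ge-0/0/3", 100),
        "on_demand/ge-0/0/0": on_demand.forward("ge-0/0/0", 100),
        "on_demand/ge-0/0/1": on_demand.forward("ge-0/0/1", 100),
    }


if __name__ == "__main__":
    for case, outcome in spoof_outcomes().items():
        print(f"{case:20} -> {outcome}")
```

Running the block shows the two properties side by side: with the platform label space, label 100 is forwarded whichever core interface it enters, while with the interface-specific space the same label entering ge-0/0/1 is dropped because no binding exists for that interface. In both modes the frame on the customer-facing port is dropped before any lookup, which is the cheaper control and the one that does not depend on the label distribution mode at all. MAX_LABEL makes the 2^20 figure from the thread explicit: it bounds distinct labels, per platform or per interface depending on the mode, not flows.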