The MPLS-OPS Archive





Fwd: Re: Fwd: RE: Label Distribution Process

  • From: Roger Clark Williams <rogerw@nordlink.com>
  • Date: Mon, 02 Feb 2004 21:49:59 -0500
  • Resent-Date: Mon, 2 Feb 2004 22:33:33 -0500
  • To: MPLS-ops Mailing List <mpls-ops@mplsrc.com>

I understand your question, and I may not have said it carefully enough.
You ask: "Will this not need for this "someone" to be
present in the core of the network/within the service provider network?"


In fact, no. Assume for the moment that the Service Provider did not close 
off the LDP distribution on interfaces that looked out towards the 
customers. The customers connected to that Service Provider would get those 
LDP session initiation invitations. From that, if the customer also started 
LDP, the customer would "hear" the labels that were being distributed. Even 
without LDP running on the customer side, a sniffer would be able to pull 
out the label information. From there the door would be wide open.

Roger Williams



>Date: Mon, 2 Feb 2004 11:33:25 +0000 (GMT)
>From: Spice Sylvia <falsesylvia@yahoo.co.uk>
>Subject: Re: Fwd: RE: [MPLS-OPS]: Label Distribution Process
>To: Roger Clark Williams <rogerw@nordlink.com>,
>   MPLS-ops Mailing List <mpls-ops@mplsrc.com>
>
>Hi Roger,
>
>Thank you for the excellent explanation.
>
>There are some queries I have raised inline,
>
>
>The idea behind label spoofing would be this: Assume
>for a moment that someone's IP address is blocked from
>a destination by an Access List. Assume also this
>unscrupulous someone wants to get to this
>destination over an MPLS network.
>
>
>===> Will this not need for this "someone" to be
>present in the core of the network/within the service
>provider network? Though, I admit it can have an
>IMPACT on Carrier of Carrier scenario.
>
>
>If that person could find the label that is issued by a
>given router for that destination and insert it in a
>frame, and if they could connect to any interface of
>the router that issued the label, they could then send
>the frame and the router would forward the
>frame towards the destination. This is one reason that
>Service Provider label distribution is normally limited
>to network-facing interfaces and not customer-facing
>interfaces.
>
>From: Roger Clark Williams [mailto:rogerw@nordlink.com]
>
>Downstream distribution in general means that the
>router will distribute labels for a certain destination
>in a direction away from that destination, i.e. out
>interfaces that are not the direction to
>the destination. The name seems counter-intuitive, as
>the actual label distribution is, in fact, upstream
>relative to traffic flow. The router sends out a label
>whenever it learns about a destination.
>The distribution tends to be what is called a platform
>specific label. This means that, for a single
>destination, the same label can be distributed on all
>upstream interfaces. When used on a frame heading
>toward the destination (i.e. downstream), the label
>coming in any interface will be recognized by that
>router. The benefit is that, assuming some sort
>of meshed network, there will be multiple labels at
>every router that could be used to forward packets
>toward a destination if the chosen path goes down. The
>reason: Assuming a link state routing protocol such as
>OSPF or IS-IS, the router is learning about
>destinations from multiple sources, and therefore has
>multiple labels from downstream routers.
>
>===> This would be the case with any routing protocol
>in a full mesh/ring or any other topology. Would it
>not?
>
>One drawback is that a spoofed label would still be
>recognized by the router regardless of the interface it
>enters.
>
>==> That's true even today on an IP network. As long as
>routing cannot be made symmetric, this problem will
>crop up at any point of time.
>
>Downstream on demand has a slightly different pattern.
>The router will not distribute a label until asked by
>the upstream router, the router farther away from the
>destination. How would it know to ask? When a
>frame arrives at the ingress router with an IP address
>for the destination, that router has no label for the
>destination. It asks for one from the router closer to
>the destination. That downstream router in turn asks
>the next closer router, and this goes on all the way
>downstream to the egress router.
>
>==> This I believe is also called "data driven LSP
>setup"? Doesn't the impact on LSP setup time etc. cause
>problems? If that was the case to be, even RSVP-TE
>would be a good fit.
>
>Each router is waiting now for a label from the next
>one closer. The egress sends a label upstream. This
>allows the next router in line to release a label
>upstream, and so it goes upstream until the
>ingress router gets a label for the destination. Only
>then can the ingress router forward a frame. This
>method is used in situations in which there is
>a premium on available or supported labels, ATM
>specifically. As well, this distribution tends to be
>interface-specific, with a specific label sent out only
>on the interface on which the original request
>arrived. Though there will be a delay in the initial
>forwarding, one benefit would be security: A labelled
>frame must arrive on a specific interface or it will be
>rejected. Spoofing labels would be more difficult.
>
>==> Which would also mean that the same label could
>not be used on different interfaces. Hence an LSR kind
>of device can have only 2^20 flows passing through it?
>
>Unless I am mistaken, Cisco doesn't use upstream
>distribution, and I am certainly willing to be
>corrected if I am wrong.
>
>==>
>This part has made me confused.
>I read through the part where you described upstream
>label distribution.
>
>Consider a typical Label distribution protocol.
>It tends to look at a way to setup an LSP to a
>destination (assuming on demand case).
>It then uses the routing information it has to contact
>an upstream node and so on to get a label.
>So as long as the routing protocol which is modified
>to act as the label distribution protocol is sending
>out "destination prefixes" or information on how to
>reach a destination, how would one case be different
>from the other?
>In other words, how would the LSP setup by an
>"upstream on demand" be different as far as the path goes?
>


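The thread's central point is that a platform-wide label space accepts a learned label on any interface, including a customer-facing one, while an interface-specific label space (the downstream-on-demand pattern Roger describes) only accepts it where it was handed out. The following toy model, added here and not part of the original thread, encodes a 20-bit shim label (the width behind Sylvia's 2^20 question) and runs the same frame through an LSR under each label space; interface names and label values are constructed.

```python
import struct

LABEL_BITS = 20  # width of the shim header's label field, hence at most 2**20 labels per label space


def build_shim(label: int, exp: int = 0, s: int = 1, ttl: int = 64) -> bytes:
    """Encode a 4-byte MPLS shim header (label | EXP | S | TTL, network byte order)."""
    if not 0 <= label < 2 ** LABEL_BITS:
        raise ValueError("label must fit in 20 bits")
    return struct.pack("!I", (label << 12) | (exp << 9) | (s << 8) | ttl)


def parse_shim(data: bytes) -> dict:
    """Decode the shim header back into its four fields."""
    (word,) = struct.unpack("!I", data[:4])
    return {"label": word >> 12, "exp": (word >> 9) & 0x7,
            "s": (word >> 8) & 0x1, "ttl": word & 0xFF}


class LSR:
    """Toy label switch router with either a platform-wide or a per-interface label space."""

    def __init__(self, per_interface: bool):
        self.per_interface = per_interface
        self.lfib = {}  # lookup key -> (outgoing interface, outgoing label)

    def distribute(self, to_iface: str, label: int, out_iface: str, out_label: int) -> None:
        # Platform-wide: once distributed, the label is recognized on every interface.
        # Per-interface: it is only recognized on the interface it was sent out of.
        key = (to_iface, label) if self.per_interface else label
        self.lfib[key] = (out_iface, out_label)

    def forward(self, in_iface: str, frame: bytes):
        hdr = parse_shim(frame)
        key = (in_iface, hdr["label"]) if self.per_interface else hdr["label"]
        if key not in self.lfib or hdr["ttl"] <= 1:
            return None  # drop: label unknown on this interface, or TTL exhausted
        out_iface, out_label = self.lfib[key]
        return out_iface, build_shim(out_label, hdr["exp"], hdr["s"], hdr["ttl"] - 1)


def spoof_outcome(per_interface: bool) -> str:
    """Label 1001 was distributed only toward the core (constructed name ge-0/0/1);
    a frame carrying that label then arrives on the customer-facing port ge-0/0/9."""
    lsr = LSR(per_interface)
    lsr.distribute("ge-0/0/1", 1001, "ge-0/0/2", 2002)
    return "forwarded" if lsr.forward("ge-0/0/9", build_shim(1001)) else "dropped"
```

With a platform-wide label space the frame on the customer-facing port is forwarded; with a per-interface label space the same frame is dropped, which is the "must arrive on a specific interface" property Roger credits to downstream-on-demand distribution.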
-------
The MPLS-OPS Mailing List
Subscribe/Unsubscribe:  http://www.mplsrc.com/mplsops.shtml
Archive: http://www.mplsrc.com/mpls-ops_archive.shtml