The MPLS-OPS Archive
Fwd: RE: Explicit Null Configuration
Mooney, under some circumstances it is possible to spoof a label. Generally, labels are distributed upstream (against the direction of the traffic they will represent), and in the case of platform-specific labels, the same label is sent from a router out multiple interfaces. It is possible that, if the provider has not turned off label forwarding on the edge of the network, an outsider could get those labels and use them to send traffic to some remote subnet. This is why (in Cisco-speak) it is important to disable tag switching on the customer-facing interfaces.

The VPN label would be harder to get at. The labels are distributed by BGP between PEs and, if all is properly set up, would never be sent out a customer-facing interface.

There is an underlying question here as well: Is MPLS secure? It depends on your definition of secure. It is not encrypted, of course, and security is, in concept, provided by the separation of VRFs. Since VRFs are specific to particular interfaces, in order to slip into someone's network you, on the customer side, would have to be sending traffic into an interface that is related to the particular VRF. But if you are plugged into the interface that is related to the specific VRF, you will be on the other guy's network by definition.

Roger Williams

>From: Mooney Sherman <Mooney.Sherman@gov.ab.ca>
>To: 'Roger Clark Williams ' <rogerw@nordlink.com>
>Subject: RE: [MPLS-OPS]: Explicit Null Configuration
>Date: Sun, 22 Feb 2004 00:06:20 -0700
>
>Does this mean that if I know the VPN label and spoof it, this will be
>forwarded? Or does the PE check the MAC/IP of the CE?
>
>-----Original Message-----
>From: Roger Clark Williams
>To: MPLS-ops Mailing List
>Sent: 2/21/2004 6:28 PM
>Subject: Fwd: [MPLS-OPS]: Explicit Null Configuration
>
>Milind, I have a slightly different understanding of this than what your
>question implies.
>
>The Null label means the label gets popped and the packet gets forwarded as
>IP, yes. And in this case the label will have been originated by the
>Penultimate Hop router, not the originating PE. But what if there are two
>labels, the second one being a VPN label? Then what does the Null label
>mean?
>
>I believe it means, in effect, "ignore this label" and deal with what
>follows. In the situation of an MPLS VPN, the outer label is peeled off,
>leaving the inner label. A PE that supports MPLS VPNs receiving such a
>frame will then forward the packet based on the VPN label. This VPN label
>will be peeled off by the PE and the packet forwarded out the appropriate
>interface for that specific VPN.
>
>I hope this helps a bit.
>
>Roger Williams
>
> >From: Milind Deshpande <Milind.Deshpande@relianceinfo.com>
> >Date: Sat, 21 Feb 2004 15:31:37 +0530
> >Subject: [MPLS-OPS]: Explicit Null Configuration
> >To: mpls-ops@mplsrc.com
> >
> >As per the rfc3032 - "A value of 0 represents the "IPv4 Explicit NULL
> >Label". This label value is only legal at the bottom of the label stack.
> >It indicates that the label stack must be popped, and the forwarding of the
> >packet must then be based on the IPv4 header"
> >
> >Q. Does it mean that Explicit Null should ONLY be configured on the edge
> >routers in the MPLS domain (rfc 2547bis network)?
> >
> >Thanks
> >Milind.
> >-------
> >The MPLS-OPS Mailing List
> >Subscribe/Unsubscribe: http://www.mplsrc.com/mplsops.shtml
> >Archive: http://www.mplsrc.com/mpls-ops_archive.shtml
> >-------
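The following is an added example and not part of the thread or any poster's code: a small Python model of the PE behaviour Roger describes, covering the RFC 3032 label-stack encoding (20-bit label, 3-bit EXP, S bit, 8-bit TTL), the explicit-null pop, forwarding on the VPN label, and the per-interface decision to accept labeled frames at all, which is what disabling tag switching on customer-facing interfaces controls. The VPN label bindings, interface names (`core0`, `Gi0/3`, `Gi0/4`) and the stand-in IP payload are constructed for illustration and do not correspond to any real device.

```python
"""Model of PE label handling per RFC 3032: explicit null, VPN label, interface check."""
from __future__ import annotations

import struct
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Reserved label values (RFC 3032, section 2.1).
IPV4_EXPLICIT_NULL = 0
IPV6_EXPLICIT_NULL = 2


@dataclass
class LabelEntry:
    label: int    # 20-bit label
    exp: int      # 3-bit EXP / Traffic Class
    bottom: bool  # S bit: True on the last entry of the stack
    ttl: int      # 8-bit TTL


def encode_label_stack(labels: List[int], ttl: int = 64) -> bytes:
    """Build a wire-format label stack; the last label carries the S bit."""
    out = bytearray()
    for i, label in enumerate(labels):
        if not 0 <= label < (1 << 20):
            raise ValueError(f"label {label} out of range")
        s_bit = 1 if i == len(labels) - 1 else 0
        out += struct.pack("!I", (label << 12) | (s_bit << 8) | ttl)
    return bytes(out)


def parse_label_stack(data: bytes) -> Tuple[List[LabelEntry], bytes]:
    """Read 4-byte entries until the S bit; return the entries and what follows."""
    entries: List[LabelEntry] = []
    offset = 0
    while True:
        if len(data) - offset < 4:
            raise ValueError("truncated label stack (no bottom-of-stack bit)")
        (word,) = struct.unpack_from("!I", data, offset)
        offset += 4
        entry = LabelEntry(word >> 12, (word >> 9) & 0x7, bool((word >> 8) & 0x1), word & 0xFF)
        entries.append(entry)
        if entry.bottom:
            return entries, data[offset:]


@dataclass
class PE:
    # VPN label -> (VRF, egress interface). A real PE learns these from BGP;
    # this table is constructed for the example.
    vpn_labels: Dict[int, Tuple[str, str]]
    # Interfaces that accept labeled frames at all ("mpls ip"/"tag-switching ip").
    # Customer-facing interfaces must not be in this set.
    label_forwarding_ifaces: Set[str]

    def receive(self, iface: str, frame: bytes) -> str:
        """Describe what the PE does with a labeled frame arriving on iface."""
        if iface not in self.label_forwarding_ifaces:
            return f"drop: labeled frame on {iface}, label forwarding disabled"
        stack, payload = parse_label_stack(frame)
        top = stack[0]
        # Explicit null carries no forwarding information: pop it and deal
        # with what follows, either plain IP or a VPN label.
        if top.label in (IPV4_EXPLICIT_NULL, IPV6_EXPLICIT_NULL):
            stack = stack[1:]
            if not stack:
                return f"forward as IP ({len(payload)} byte payload)"
            top = stack[0]
        if not top.bottom:
            return f"drop: label {top.label} is not bottom of stack"
        if top.ttl <= 1:
            return f"drop: label {top.label} TTL expired"
        binding = self.vpn_labels.get(top.label)
        if binding is None:
            return f"drop: no binding for label {top.label}"
        vrf, egress = binding
        return f"forward in VRF {vrf} out {egress} ({len(payload)} byte payload)"


# Constructed PE: core0 legitimately accepts labels; Gi0/3 is a customer port
# on which label forwarding was left enabled, Gi0/4 a customer port where it was not.
SAMPLE_PE = PE(
    vpn_labels={100: ("CUST_A", "Gi0/1"), 101: ("CUST_B", "Gi0/2")},
    label_forwarding_ifaces={"core0", "Gi0/3"},
)
FAKE_IP = b"\x45" + b"\x00" * 19  # constructed stand-in for an IPv4 header


def demo() -> Dict[str, str]:
    """Run the cases discussed in the thread and return each outcome."""
    cases = {
        "null+vpn from core": ("core0", [IPV4_EXPLICIT_NULL, 100]),
        "vpn only, outer popped by PHP": ("core0", [100]),
        "null only": ("core0", [IPV4_EXPLICIT_NULL]),
        "spoofed label, customer port accepting labels": ("Gi0/3", [IPV4_EXPLICIT_NULL, 101]),
        "spoofed label, customer port hardened": ("Gi0/4", [IPV4_EXPLICIT_NULL, 101]),
        "unknown label": ("core0", [IPV4_EXPLICIT_NULL, 999]),
    }
    return {name: SAMPLE_PE.receive(iface, encode_label_stack(labels) + FAKE_IP)
            for name, (iface, labels) in cases.items()}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The two "spoofed label" cases are the point of the first paragraph above: once a labeled frame is accepted on an interface, the PE has no way to tell a guessed VPN label from a legitimate one and simply forwards into whatever VRF the label maps to. The only check that stops it in this model is the interface-level refusal of labeled frames, which is what `no mpls ip` / `no tag-switching ip` on a customer port provides.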
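A practitioner's check for the misconfiguration Roger warns about, also added here and not taken from the thread: scan an IOS-style configuration for interfaces bound to a VRF (i.e. customer-facing) that still carry `mpls ip` or the older `tag-switching ip`, and emit the `no ...` line that removes it. The sample configuration, interface names and VRF names are constructed for the example.

```python
"""Find VRF (customer-facing) interfaces that still accept labeled packets."""
import re
from typing import Dict, List

# Constructed IOS-style configuration for illustration; not from a real device.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet0/0
 description core link to P1
 ip address 10.0.0.1 255.255.255.252
 mpls ip
!
interface GigabitEthernet0/1
 description customer CUST_A, correctly hardened
 ip vrf forwarding CUST_A
 ip address 192.0.2.1 255.255.255.252
!
interface GigabitEthernet0/2
 description customer CUST_B, old-style label forwarding left on
 ip vrf forwarding CUST_B
 ip address 192.0.2.5 255.255.255.252
 tag-switching ip
!
interface GigabitEthernet0/3
 description customer CUST_C, label forwarding left on
 vrf forwarding CUST_C
 ip address 192.0.2.9 255.255.255.252
 mpls ip
!
"""

LABEL_FORWARDING = re.compile(r"^(mpls ip|tag-switching ip)$")
VRF_BINDING = re.compile(r"^(?:ip vrf forwarding|vrf forwarding) (\S+)$")


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Group the indented lines of each 'interface' stanza under its name."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a top-level command ends the stanza
    return interfaces


def find_exposed_vrf_interfaces(config: str) -> List[Dict[str, str]]:
    """Return interfaces bound to a VRF that also enable label forwarding."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        vrf = None
        label_cmd = None
        for line in lines:
            m = VRF_BINDING.match(line)
            if m:
                vrf = m.group(1)
            elif LABEL_FORWARDING.match(line):
                label_cmd = line
        if vrf and label_cmd:
            findings.append({"interface": name, "vrf": vrf,
                             "command": label_cmd, "fix": f"no {label_cmd}"})
    return findings


if __name__ == "__main__":
    for f in find_exposed_vrf_interfaces(SAMPLE_CONFIG):
        print(f"{f['interface']} (VRF {f['vrf']}): '{f['command']}' enabled; apply '{f['fix']}'")
```

Run it against a saved `show running-config` instead of the constructed sample; an empty result means no VRF-bound interface accepts labeled frames. The check is deliberately narrow: it says nothing about the core interfaces, which are supposed to carry labels, and it only recognises the two interface-level commands named in the thread.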