[c-nsp] u-pe placement

Raymond Burkholder ray at oneunified.net
Fri Feb 22 08:12:57 EST 2013


At
http://etutorials.org/Networking/MPLS+VPN+security/Part+III+Practical+Guidelines+to+MPLS+VPN+Security/Chapter+7.+Security+of+MPLS+Layer+2+VPNs/C6+VPLS+and+VPWS+Security+Overview/
they say:  "We recommend that no service
provider edge (PE) router be located at a customer premise because such an
installation exposes the service provider to unwelcome access. Further, in
order to mitigate against control plane spoofing, examples of protocols that
should never be exposed to untrusted routers include IGP, BGP, LDP, and
RSVP-TE."

Is this common best practice?  Is there indeed quite a bit of risk in
exposing the u-pe at the customer site?  Is this exploited regularly?  Are
there methods of mitigating the risks?

With routers like the 1921 sitting at customer sites, with better than
adequate horsepower to handle mpls, it is very tempting to take the pe out
to the customer site as a u-pe in the form of a 1921 or similar.

Any comments on advantages/disadvantages?

Ray

