[c-nsp] RFC2547bis, 10) Option B

Saku Ytti saku+cisco-nsp at ytti.fi
Sun Mar 26 05:51:29 EST 2006


On (2006-03-26 11:27 +0200), Oliver Boehmer (oboehmer) wrote:

> > ###
> > An ASBR should never accept a labeled packet from an EBGP peer unless
> > it has actually distributed the top label to that peer.
> > ###
> 
> IOS has not (yet?) implemented this check for InterAS, it is implemented
> for CsC, though.
> Please check RFC4381, 4.2 for a discussion about this, essentially any
> InterAS setup requires a trust relationship for this model to work
> securely.

 Will do. However, trust may not be all that black and white; I may be ready
to accept that a neighbor can inject hostile labels for all the VRFs we share
between.

 One application that comes to mind is where both ASBRs are owned and
operated by the same instance, one ASBR being the PE and the other the CE for
a customer of the operator. Option B would be used just to multiplex the VRFs
without eating virtual circuits or using VRF-Select.
 In this application it may be a very acceptable risk when the VRFs are
just e.g. different BUs of a single customer, so the different BUs
of the customer may be able to inject data to other BUs by replacing the CE
with some device capable of doing this. But still not posing risk to other
customers.
 It may be that the above application is becoming appealing when smaller and
smaller boxes (e.g. 1800 series) support MPLS officially.

 But thanks, you and Piotr Marecki saved me some labbing. Regarding
Piotr's question about IOS-XR, I'm not sure if it's valid, as RFC4364
is not supported yet by IOS-XR. But if Cisco can disclose if this
label checking is planned for IOS-XR it would be nice to hear.
 
 (ps. apparently still errors in my .muttrc hooks:)

-- 
  ++ytti
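
The top-label check quoted from the RFC at the start of this message, modelled as an added example (not part of the original post and not router code). It assumes one platform-wide label space on the ASBR; the peer names, labels and VRF names are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Asbr:
    """Toy model of an Option B ASBR with one platform-wide label space."""
    lfib: dict = field(default_factory=dict)        # label -> VRF it maps to
    advertised: dict = field(default_factory=dict)  # peer -> labels sent to it
    check_top_label: bool = True

    def advertise(self, peer, label, target):
        """Install a label and record which EBGP peer it was distributed to."""
        self.lfib[label] = target
        self.advertised.setdefault(peer, set()).add(label)

    def receive(self, peer, top_label):
        """Return the forwarding target, or None if the packet is dropped."""
        if top_label not in self.lfib:
            return None  # unknown label: dropped in either mode
        sent_to_peer = self.advertised.get(peer, set())
        if self.check_top_label and top_label not in sent_to_peer:
            return None  # valid label, but never distributed to this peer
        return self.lfib[top_label]

def build(check):
    """Constructed topology: one CE sharing two BU VRFs, one unrelated peer."""
    asbr = Asbr(check_top_label=check)
    asbr.advertise("ce-customer-a", 100, "vrf:custA-BU1")
    asbr.advertise("ce-customer-a", 101, "vrf:custA-BU2")
    asbr.advertise("asbr-customer-b", 200, "vrf:custB")
    return asbr

def blast_radius(asbr, peer):
    """VRFs that accept traffic from `peer` across every installed label."""
    reached = {asbr.receive(peer, label) for label in asbr.lfib}
    return sorted(reached - {None})

if __name__ == "__main__":
    for check in (False, True):
        print("check =", check, blast_radius(build(check), "ce-customer-a"))
```

With the check enabled, the VRFs shared with a peer remain reachable from that peer, which is the residual exposure between BUs described in the message.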

