[c-nsp] Extending MPLS over external providers cloud

Saku Ytti saku+cisco-nsp at ytti.fi
Tue Aug 5 15:53:00 EDT 2008


On (2008-08-05 09:23 -0400), David Curran wrote:

> Is there an actual requirement to run LDP/MPLS over these tunnels or are you
> simply looking to extend a VRF?  If its the latter, Multi-VRF CE (or
> VRF-Lite, whatever) works very well.

My vote is on vrf-lite too. I fear we as an industry poop all over L3 MPLS VPN
by doing stunts like this (I'm guilty too). And in a customer role,
I would never trust an L3 MPLS VPN bought from an operator, but would run my
own VPN over IP tunnels on the cheapest pure Internet DSL available.
You should only talk MPLS (be it 'native', OptB or OptC) to a
router that is physically secured (not a customer's cabinet) and administered
by a fully trusted party (not a competitor with whom you run e.g. OptB).

The main grief with having, say, OptB to an untrusted physical location or one managed
by another organization is the lack of label checking, so they can just inject
any labels into the network and they will be forwarded.
Sure, the label space is large, but take a look at what space the assigned
labels occupy; that space is very small, and pushing a packet into any
VRF from a site connected to your MPLS network is easy. Of course
it's just unidirectional, but we can't ignore that, since then
other people may ignore another 'irrelevant' security issue that is
unidirectional in the other direction, and you'd have a fully
compromised VRF.


Possible remedies would be for CSCO and JNPR to implement OptB as the
RFC states, so that they'd only accept labels from an OptB ASBR that
were previously advertised to it via BGP. Then you'd only need
to trust the ASBR with the VRFs you're sharing with them, which is
much easier to do (they'd be screwing their own customer).
For pure MPLS or OptC there is no remedy; you could randomize
label assignment to make it infeasible to inject traffic into
every VRF, but it doesn't replace the need for trust.

> > From: Aaron Daniels - Lists <lists at daniels.id.au>
> > Date: Tue, 5 Aug 2008 21:44:40 +1000
> > To: <cisco-nsp at puck.nether.net>
> > Subject: [c-nsp] Extending MPLS over external providers cloud
> > 
> > Hello Gurus
> > 
> > Our organisation runs an MPLS core (basic MPLS VPNs), but also has some
> > smaller low bandwidth sites connected using DSL via an ISP. This external
> > VRF terminates within a single VRF of ours.
> > We are now looking at extending several of our VRFs to these remote DSL
> > sites, so as far as I see it, we can either put LDP over a tunnel, or each
> > vrf over a separate tunnel.
> > At first glance I was thinking about LDP over DMVPN, which I will lab up
> > over the next few days.
> > 
> > Has anyone done something like this before? What methods have been tried and
> > tested, etc, etc.
> > All feedback welcome.
> > 
> > Thanks,
> > Aaron Daniels

-- 
  ++ytti
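A toy model of the per-peer label check Saku asks for on an Option B ASBR, added here as an illustration; it is not code from the thread, from any RFC or from a vendor, and the class, VRF names, peer names and labels are all constructed. It contrasts the lax behaviour (any locally allocated label is forwarded) with the strict one (only labels previously advertised to that peer via BGP are forwarded).

```python
"""Toy Inter-AS Option B ASBR (added example, not vendor or thread code).

'lax' forwards any locally allocated VPN label, the behaviour the post
complains about; 'strict' forwards only labels previously advertised to
that very peer via BGP, as the post says the RFC requires.  All VRF
names, peer names and labels are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class OptionBAsbr:
    vrf_labels: dict = field(default_factory=dict)  # label -> VRF it leads into
    advertised: dict = field(default_factory=dict)  # peer -> labels sent in VPNv4 updates
    next_label: int = 16                             # first non-reserved MPLS label

    def allocate(self, vrf: str) -> int:
        """Allocate the next sequential VPN label for a VRF (a small, dense space)."""
        label, self.next_label = self.next_label, self.next_label + 1
        self.vrf_labels[label] = vrf
        return label

    def advertise(self, peer: str, label: int) -> None:
        """Record that this label was sent to the peer in a VPNv4 update."""
        self.advertised.setdefault(peer, set()).add(label)

    def receive(self, peer: str, label: int, mode: str) -> tuple:
        """Ingress decision for a labelled packet from peer: ('forward', vrf) or ('drop', why)."""
        if label not in self.vrf_labels:
            return ("drop", "unassigned label")  # both modes drop unknown labels
        if mode == "strict" and label not in self.advertised.get(peer, set()):
            return ("drop", "label never advertised to this peer")
        return ("forward", self.vrf_labels[label])


def demo() -> dict:
    """Compare lax and strict handling of a label the peer was never given."""
    asbr = OptionBAsbr()
    shared = asbr.allocate("SHARED-VRF")      # VRF we interconnect with the peer
    internal = asbr.allocate("INTERNAL-VRF")  # VRF the peer must never reach
    asbr.advertise("peer-asbr", shared)       # only the shared VRF's label is sent
    return {
        "shared_lax": asbr.receive("peer-asbr", shared, "lax"),
        "shared_strict": asbr.receive("peer-asbr", shared, "strict"),
        "internal_lax": asbr.receive("peer-asbr", internal, "lax"),
        "internal_strict": asbr.receive("peer-asbr", internal, "strict"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:16} -> {result}")
```

In strict mode the packet carrying the internal VRF's label is dropped at the ASBR, so the peer can only reach the VRF whose label it was actually given.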

