[c-nsp] MPLS down to the CPE

Saku Ytti saku at ytti.fi
Mon Mar 4 12:04:23 EST 2013


On (2013-03-04 16:04 +0100), William Jackson wrote:

> I wanted to find out how many people run MPLS down to the CPE (owned by SP but co-located at customer).
> We are looking for pros/cons of doing so.
> Security is the main concern, we have heard quite a lot about it as the current trend, but in reality is it a practice?

I don't think it's very common, due to security reasons.

Technically RFC4364 OptB would be quite a nice replacement for VRFLite. But
right now no one is implementing the 'uRPF/strict' style label checking the RFC
mandates; I know IOSXR shortly will.
Maybe L2 pseudowires end-to-end from CEs securely probably isn't possible
today.

As labels are not randomized it's actually quite practical to send traffic
to an arbitrary L3 MPLS VPN, especially if you know what vendor they are
running (to know where to start looking).

-- 
  ++ytti
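
Added example, not part of the original post: a Python model of the per-interface check the message calls 'uRPF/strict' style label checking, where a labeled packet arriving from a CE-facing interface is accepted only if its top label was advertised to the peer on that interface. The `LabelGuard` class, the interface names and the label values are hypothetical and constructed for illustration.

```python
import struct

def encode_entry(label, tc=0, bos=1, ttl=64):
    """Pack one MPLS label stack entry: 20-bit label, 3-bit TC, 1-bit S, 8-bit TTL."""
    return struct.pack("!I", (label << 12) | (tc << 9) | (bos << 8) | ttl)

def parse_label_stack(payload):
    """Return the labels, top first; raise ValueError if the stack is cut short."""
    labels, offset = [], 0
    while True:
        if offset + 4 > len(payload):
            raise ValueError("truncated label stack")
        (word,) = struct.unpack_from("!I", payload, offset)
        labels.append(word >> 12)
        offset += 4
        if (word >> 8) & 1:          # bottom-of-stack bit ends the stack
            return labels

class LabelGuard:
    """Hypothetical model: labels advertised to the peer on each interface."""
    def __init__(self):
        self.advertised = {}         # interface name -> set of labels

    def advertise(self, interface, label):
        self.advertised.setdefault(interface, set()).add(label)

    def withdraw(self, interface, label):
        self.advertised.get(interface, set()).discard(label)

    def accept(self, interface, payload):
        """Accept only if the top label was advertised on the ingress interface."""
        try:
            top = parse_label_stack(payload)[0]
        except ValueError as exc:
            return False, str(exc)
        if top not in self.advertised.get(interface, set()):
            return False, f"top label {top} was not advertised on {interface}"
        return True, "ok"

def demo():
    # Constructed sample: two customers, one VPN label each (values are made up).
    guard = LabelGuard()
    guard.advertise("ce-a", 24001)   # label handed to customer A's CPE
    guard.advertise("ce-b", 24002)   # label handed to customer B's CPE
    own = guard.accept("ce-a", encode_entry(24001) + b"ip-payload")
    foreign = guard.accept("ce-a", encode_entry(24002) + b"ip-payload")
    short = guard.accept("ce-a", b"\x00\x01")
    return own, foreign, short

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The lookup is keyed on the ingress interface, so a label that is valid for another customer is still dropped when it arrives on the wrong CE-facing link, regardless of how predictable the label values are.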

