[c-nsp] MPLS down to the CPE

[Benny Amorsen]

Adam Vitkovsky <adam.vitkovsky at swan.sk> writes:

> How plausible is that customer will replace your device with theirs without
> you noticing it + they crack all the passwords so they can run ISIS, LDP and
> BGP sessions with you. 

They don't need to do that. Just put a switch between the CE and the
upstream. Then inject MPLS packets from a different port on the switch.

Maybe one day we will get either strict MPLS label checks or L2
encryption and authentication. At that point the only attacks are to the
CE itself. I am not holding my breath.


/Benny