[c-nsp] MPLS down to the CPE
Adam Vitkovsky
adam.vitkovsky at swan.sk
Tue Mar 5 08:07:48 EST 2013
I was concerned about the control plane security.
And I admit I haven't thought about the data-plane security i.e. sniffing or
forging of the PE to PE data type of attacks.
So you are 100% sure that no one can access your wires under no
circumstances in all of your backbone?
I mean this is why banks run their own encryption over our mpls links.
adam
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Saku Ytti
Sent: Tuesday, March 05, 2013 11:28 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] MPLS down to the CPE
On (2013-03-05 11:06 +0100), Benny Amorsen wrote:
> Maybe one day we will get either strict MPLS label checks or L2
> encryption and authentication. At that point the only attacks are to
> the CE itself. I am not holding my breath.
You need lung capacity of just weeks. Next IOS-XR release will implement
RFC4364 page32 last sentence, i.e. uRPF/strict for OptB labels.
--
++ytti
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
More information about the cisco-nsp
mailing list