[c-nsp] MPLS to Customer (Option B) / Multiple VRFs on CPEs

Saku Ytti saku at ytti.fi
Sat Aug 30 05:09:08 EDT 2014


On (2014-08-29 22:43 +0000), Vitkovský Adam wrote:

Hi Adam,

> I would recommend Option C + RFC3107. 
> That is couple of MP-eBGP sessions from CE to local RRs and RFC3107 to carry loopbacks and their particular labels between PEs and CEs (No LDP). 
> BGP sessions will be protected so that the customer cannot inject false prefixes or labels should the CE be replaced by a rogue device. 

Customer can inject labels to the wire to reach an arbitrary customer. As labels are
not allocated randomly, it's quite easy; then you can inject traffic to the
customer, but not receive anything from the customer. But some other attack vector
could be used to compromise that direction, such as if the provider offers BGP
flowspec and is not careful, you could use flowspec to ask for diversion of
packets to your VRF (and bridge them back via your OptC hack for transparent
sniffing).

How likely this is, is of course very debatable. But if your main product is
L3 MPLS VPN, it might be a good idea to keep exposure to a minimum.
OptB with label checking reduces the risk to the 'shared' customer, so a customer can
hop between /their/ VRFs, but that is fine, because they can do it anyhow by
moving LAN ports.

-- 
  ++ytti
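The following is an added illustration, not code from the thread or from any vendor: a small Python model of the label-checking argument above. Labels are handed out sequentially (the predictable allocation the reply refers to), so a label one customer legitimately holds is a short step from another customer's label. The `forward()` function shows the difference between honouring any known label on a customer-facing port (the Option C exposure described) and accepting only labels allocated for VRFs of the customer that port belongs to (the Option B style check). Customer names, VRF names, prefixes and the label range start are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class LabelTable:
    """Per-router MPLS label table with sequential allocation
    (mirrors the non-random allocation the thread points out)."""
    next_label: int = 16  # assumed start of the dynamic label range (constructed)
    owner: Dict[int, Tuple[str, str, str]] = field(default_factory=dict)

    def allocate(self, customer: str, vrf: str, prefix: str) -> int:
        label = self.next_label
        self.next_label += 1
        self.owner[label] = (customer, vrf, prefix)
        return label


def forward(table: LabelTable, ingress_customer: str, label: int,
            label_check: bool) -> Optional[Tuple[str, str]]:
    """Decide where a labelled packet arriving on `ingress_customer`'s port goes.

    label_check=False: any label known to the table is honoured (the exposure
    the reply describes for Option C).
    label_check=True:  the label must have been allocated for a VRF belonging
    to the customer whose port the packet came in on; anything else is dropped.
    Returns (vrf, prefix) on delivery, or None when the packet is dropped.
    """
    entry = table.owner.get(label)
    if entry is None:
        return None  # unknown label: dropped either way
    owner_customer, vrf, prefix = entry
    if label_check and owner_customer != ingress_customer:
        return None  # label belongs to another customer: dropped by the check
    return (vrf, prefix)


def demo() -> Dict[str, Optional[Tuple[str, str]]]:
    """Constructed scenario: customer A has VRFs red and blue, customer B has one VRF."""
    table = LabelTable()
    a_red = table.allocate("A", "A-red", "10.1.0.0/24")
    a_blue = table.allocate("A", "A-blue", "10.2.0.0/24")
    b_main = table.allocate("B", "B-main", "10.9.0.0/24")

    # Because allocation is sequential, a label near A's own label (a_red + 2)
    # is exactly the one allocated to customer B.
    nearby = a_red + 2
    assert nearby == b_main

    return {
        # no check: A's packet carrying B's label is delivered into B's VRF
        "unchecked_nearby": forward(table, "A", nearby, label_check=False),
        # with the check: same packet is dropped
        "checked_nearby": forward(table, "A", nearby, label_check=True),
        # with the check: A may still reach its own other VRF (hopping between
        # /their/ VRFs, which the reply considers acceptable)
        "checked_own_vrf": forward(table, "A", a_blue, label_check=True),
        # a label nobody allocated is dropped regardless
        "unknown_label": forward(table, "A", 999, label_check=True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:17s} -> {result}")
```

The check is deliberately keyed on the ingress port's customer rather than on the label value itself: it does not matter how guessable labels are once a port can only use labels allocated to its own VRFs.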
