[c-nsp] MPLS to Customer (Option B) / Multiple VRFs on CPEs

Vitkovský Adam adam.vitkovsky at swan.sk
Tue Sep 2 03:54:34 EDT 2014


Hi Saku,

I see, as the Cisco mpls label sec checks only the top-most label, we have to make sure the top-most label is indeed the VPN label, which applies only to the opt.B with direct link peering and explicit null sig. scenario, and possibly it could work in Option C where the PE (acting as ASBR & Inter-AS-RR) BGP-peers with the CE via a direct link so that there is just the VPN label in the label stack.
Or am I getting it wrong?

adam
> -----Original Message-----
> From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
> Saku Ytti
> Sent: Saturday, August 30, 2014 11:09 AM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] MPLS to Customer (Option B) / Multiple VRFs on CPEs
> 
> On (2014-08-29 22:43 +0000), Vitkovský Adam wrote:
> 
> Hi Adam,
> 
> > I would recommend Option C + RFC3107.
> > That is couple of MP-eBGP sessions from CE to local RRs and RFC3107 to
> carry loopbacks and their particular labels between PEs and CEs (No LDP).
> > BGP sessions will be protected so that the customer cannot inject false
> prefixes or labels should the CE be replaced by a rogue device.
> 
> Customer can inject labels to the wire to reach an arbitrary customer. As labels are
> not allocated randomly, it's quite easy; then you can inject traffic to the customer,
> but not receive anything from the customer. But some other attack vector could
> be used to compromise that direction, such as if the provider offers BGP flowspec
> and is not careful, you could use flowspec to ask for diversion of packets to your
> VRF (and bridge them back via your OptC hack for transparent
> sniffing).
> 
> How likely this is, is of course very debatable. But if your main product is
> L3 MPLS VPN, it might be a good idea to keep exposure to a minimum.
> OptB with label checking reduces the risk to the 'shared' customer, so the customer can
> hop between /their/ VRFs, but that is fine, because they can do it anyhow by
> moving LAN ports.
> 
> --
>   ++ytti
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
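The behaviour discussed in this exchange, modelled as an added example that is not part of the thread and not Cisco's implementation: a PE keeps, per label-switched neighbor, the set of labels it actually advertised to that neighbor, and with label checking enabled it drops any incoming packet whose top label is not in that set. The neighbor names (CE-A, CE-B), VRF names and label values are constructed; the model deliberately inspects only the top label, so it also shows why the check protects the direct-peering Option B case but not a stack where a transport label sits above the VPN label.

```python
"""Constructed model of per-neighbor MPLS label validation on a CE-facing PE."""
from dataclasses import dataclass, field

TRANSPORT = "transport"   # marker for RFC 3107 style transport labels (Option C)


@dataclass
class LabeledPacket:
    """A labeled packet arriving on a customer-facing interface (constructed)."""
    ingress_neighbor: str   # hypothetical neighbor name, e.g. "CE-A"
    labels: list            # MPLS label stack, top label first
    payload: str


@dataclass
class PE:
    """Minimal PE/ASBR model: label allocation plus optional per-neighbor checking."""
    label_to_owner: dict = field(default_factory=dict)   # label -> VRF or TRANSPORT
    advertised: dict = field(default_factory=dict)       # neighbor -> labels sent to it
    label_check: dict = field(default_factory=dict)      # neighbor -> checking on/off
    log: list = field(default_factory=list)

    def advertise(self, owner, label, neighbor):
        """Allocate a label for a VRF (or as a transport label) and record its recipient."""
        self.label_to_owner[label] = owner
        self.advertised.setdefault(neighbor, set()).add(label)

    def forward(self, pkt):
        """Return the VRF the packet is delivered into, or None if it is dropped."""
        nbr, stack = pkt.ingress_neighbor, list(pkt.labels)
        if not stack:
            self.log.append(f"DROP nbr={nbr}: unlabeled packet")
            return None
        top = stack[0]
        # Label checking, as in the Option B case discussed: only the TOP label is
        # compared against what this neighbor was given; inner labels are never inspected.
        if self.label_check.get(nbr, False) and top not in self.advertised.get(nbr, set()):
            self.log.append(f"DROP nbr={nbr} top_label={top}: not advertised to this neighbor")
            return None
        # Walk the stack: transport labels are popped, the first VPN label selects the VRF.
        for label in stack:
            owner = self.label_to_owner.get(label)
            if owner is None:
                self.log.append(f"DROP nbr={nbr} label={label}: unknown label")
                return None
            if owner == TRANSPORT:
                continue
            return owner
        self.log.append(f"DROP nbr={nbr}: stack contained only transport labels")
        return None


def build_pe(enable_check):
    """Two customers on one PE; CE-A also holds a transport label (constructed values)."""
    pe = PE()
    pe.advertise("CUST-A", 100, "CE-A")       # VPN label for customer A
    pe.advertise("CUST-B", 200, "CE-B")       # VPN label for customer B
    pe.advertise(TRANSPORT, 16, "CE-A")       # transport label toward a remote PE loopback
    pe.label_check["CE-A"] = enable_check
    pe.label_check["CE-B"] = enable_check
    return pe


def run_scenarios(enable_check):
    """Send three packets from CE-A and report which VRF each lands in."""
    pe = build_pe(enable_check)
    results = {
        # customer uses its own label: always delivered to CUST-A
        "own_label": pe.forward(LabeledPacket("CE-A", [100], "legit")),
        # customer uses another customer's VPN label as the top label
        "foreign_label": pe.forward(LabeledPacket("CE-A", [200], "spoofed")),
        # transport label on top, foreign VPN label underneath (Option C style stack)
        "transport_then_foreign": pe.forward(LabeledPacket("CE-A", [16, 200], "spoofed-under-transport")),
    }
    return results, pe.log


if __name__ == "__main__":
    for flag in (False, True):
        res, log = run_scenarios(flag)
        print(f"label_check={flag}: {res}")
        for line in log:
            print("   ", line)
```

With checking off, all three packets reach a VRF, including customer B's. With checking on, the bare foreign label is dropped and logged, but the two-label stack still reaches CUST-B because its top label (the transport label) was legitimately advertised to CE-A. That is the condition behind the question above: the check only buys protection in deployments where the VPN label is the top-most label on the customer-facing link.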