[c-nsp] MPLS to Customer (Option B) / Multiple VRFs on CPEs

Saku Ytti saku at ytti.fi
Tue Sep 2 10:09:09 EDT 2014

On (2014-09-02 07:54 +0000), Vitkovský Adam wrote:

Hi Adam,

> I see, as the Cisco mpls label sec checks only the top-most label we have to make sure the topmost label is indeed the VPN label which applies only to opt.B with direct link peering and explicit null sig. scenario and possibly it could work in Option C where the PE (acting as ASBR&Inter-AS-RR) BGP-peers with CE via a direct link so that there is just the VPN label in the label stack. 

If I understood that correctly, you propose that in OptC we verify the top label;
we distributed it, so we should be able to verify it is one of ours.  However,
I don't think this brings us any security? Because the 2nd label may be
another PE box, so the attack is just going to have to take a round-trip via one of
the allowed egress PE boxes, before going to the target PE?

For OptB, I think verification should be that the stack is 1 label deep, and we've just
ourselves advertised the label, so there should be no room for spoofing.
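
The two checks compared in this thread, as an added example that is not part of the original post and is not vendor code: a top-label-only check next to the OptB check (stack exactly one label deep, and that label is one we advertised). The label values, the `ADVERTISED` set and the function names are constructed assumptions; the entry layout is the RFC 3032 label stack encoding.

```python
import struct

# Constructed assumption: labels this PE advertised to the CE on this link.
ADVERTISED = {24001, 24002}

def lse(label, s, tc=0, ttl=64):
    """Encode one RFC 3032 label stack entry: label(20) TC(3) S(1) TTL(8)."""
    return struct.pack("!I", (label << 12) | (tc << 9) | (s << 8) | ttl)

def parse_label_stack(data):
    """Decode entries up to and including the bottom-of-stack (S=1) entry."""
    stack = []
    for off in range(0, len(data) - 3, 4):
        (word,) = struct.unpack_from("!I", data, off)
        stack.append({"label": word >> 12, "s": (word >> 8) & 1})
        if stack[-1]["s"]:
            return stack
    raise ValueError("no bottom-of-stack entry found")

def check_top_only(stack, advertised):
    """Top-label check: says nothing about the labels underneath."""
    return stack[0]["label"] in advertised

def check_optb(stack, advertised):
    """OptB check from the thread: depth 1 and a label we advertised."""
    return len(stack) == 1 and stack[0]["label"] in advertised

# Constructed sample stacks as they would arrive from the CE.
SAMPLES = {
    "single advertised label": lse(24001, s=1),
    "advertised label over an unknown inner label": lse(24001, s=0) + lse(30077, s=1),
    "single label we never advertised": lse(30077, s=1),
}

def evaluate():
    """Return {name: (top_only_result, optb_result)} for each sample."""
    out = {}
    for name, raw in SAMPLES.items():
        stack = parse_label_stack(raw)
        out[name] = (check_top_only(stack, ADVERTISED), check_optb(stack, ADVERTISED))
    return out

if __name__ == "__main__":
    for name, (top, optb) in evaluate().items():
        print(f"{name}: top-only={top} optb={optb}")
```

The second sample is the case that separates the two checks: the top label is valid, so the top-only check accepts it, while the depth requirement rejects it.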


