[c-nsp] [j-nsp] draft-ietf-mpls-ldp-ipv6-16
Saku Ytti
saku at ytti.fi
Sat Feb 21 14:56:48 EST 2015
On (2015-02-21 18:01 +0200), Mark Tinka wrote:
Hey Mark,
> We tell l3vpn customers that we do not hide topology - security by
> obscurity never really helped anyone.
>
> If they don't like it, they can go shop elsewhere.
I wish we were in a market situation where we could choose customers.
> I do recall one of the vendors (can't remember whether it was Juniper or
> Cisco) was looking at a knob that could allow you to enable hiding on a
> per-service and/or per-node basis without getting into an all-or-nothing
> situation.
At ingress it would be fairly easy to use any ACL/FW key to determine whether the IP
TTL is copied to the MPLS TTL or the MPLS TTL is set to 255. Making sure that the
egress PE has the same idea as the ingress PE might be tricky.
Then of course, if there is an MPLS loop in the core and your TTL of 255 is not
sufficient in transit, what do you do? Then you get into a really fuzzy/heuristic
decision where you won't always be able to do what ideally should be done.
Now that we have two decades of experience, we know the demands better and we
could make some improvements to the MPLS frame format, MPLSv2 if you wish. We could
address more efficiently and cleanly some of the problems that now require
imposing two+ labels (one saying special stuff is coming, one for the special stuff itself).
--
++ytti
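Added illustration (not code from the thread or from any vendor): a toy model of the two TTL behaviours Saku describes, "uniform" (IP TTL copied into the label on push and written back on pop) and "pipe" (label TTL set to 255, IP TTL left alone), showing what a customer traceroute sees when the ingress and egress PE agree and when they do not. The PE/P hop names and the three-hop core path are constructed.

```python
"""Toy model of MPLS TTL handling at an ingress PE, core P routers and an
egress PE. Added example; the hop names and 3-hop core are constructed."""
UNIFORM, PIPE = "uniform", "pipe"
CORE = ["P1", "P2", "P3"]  # constructed P routers between the two PEs

def forward(ip_ttl, ingress_mode, egress_mode, core=CORE):
    """Return ('expired', hop_name) or ('delivered', ip_ttl_at_far_end)."""
    ip_ttl -= 1                      # ingress PE is an ordinary IP hop
    if ip_ttl == 0:
        return ("expired", "PE-ingress")
    # label push: copy IP TTL (topology visible) or start at 255 (hidden)
    mpls_ttl = ip_ttl if ingress_mode == UNIFORM else 255
    for hop in core:                 # P routers only touch the label TTL
        mpls_ttl -= 1
        if mpls_ttl == 0:
            return ("expired", hop)  # ICMP time exceeded reveals this P
    mpls_ttl -= 1                    # egress PE decrements, then pops
    if egress_mode == UNIFORM:
        ip_ttl = mpls_ttl            # label TTL written back into the IP header
    else:
        ip_ttl -= 1                  # pipe: only the PE's own hop is counted
    if ip_ttl <= 0:
        return ("expired", "PE-egress")
    return ("delivered", ip_ttl)

def traceroute(ingress_mode, egress_mode, max_ttl=16):
    """Hops a customer traceroute lists before the far end answers."""
    seen = []
    for ttl in range(1, max_ttl + 1):
        state, where = forward(ttl, ingress_mode, egress_mode)
        if state == "delivered":
            seen.append(f"dest(ttl={where})")
            break
        seen.append(where)
    return seen

if __name__ == "__main__":
    for modes in ((UNIFORM, UNIFORM), (PIPE, PIPE), (PIPE, UNIFORM)):
        print(modes, "->", traceroute(*modes))
```

With pipe on ingress but uniform on egress, the label TTL of 255 is written back into the IP header, so the customer sees an inflated TTL and never sees the egress PE at all; that is the "egress PE has the same idea as ingress PE" problem in miniature.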