On (2014-08-29 22:43 +0000), Vitkovský Adam wrote:

Hi Adam,

> I would recommend Option C + RFC3107.
> That is a couple of MP-eBGP sessions from CE to local RRs and RFC3107 to carry
> loopbacks and their particular labels between PEs and CEs (No LDP).
> BGP sessions will be protected so that the customer cannot inject false prefixes
> or labels should the CE be replaced by a rogue device.

Customer can inject labels to the wire to reach an arbitrary customer. As labels are not allocated randomly, it's quite easy; then you can inject traffic to the customer, but not receive anything from the customer. But some other attack vector could be used to compromise that direction, such as if the provider offers BGP flowspec and is not careful, you could use flowspec to ask for diversion of packets to your VRF (and bridge them back via your OptC hack for transparent sniffing).

How likely this is, is of course very debatable. But if your main product is L3 MPLS VPN, it might be a good idea to keep exposure to a minimum.

OptB with label checking reduces the risk to the 'shared' customer, so the customer can hop between /their/ VRFs, but that is fine, because they can do it anyhow by moving LAN ports.

-- 
++ytti
_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
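The point in the reply above, that accepting any valid VPN label from a CE (Option C style) lets one customer's port reach another customer's VRF, while per-neighbour label verification (Option B with label checking) confines a port to the labels actually advertised to it, can be seen in a small model. The following is an added toy example, not code from the thread, Cisco, or any PE implementation; the class, VRF names, neighbour names and the sequential label allocation are all constructed for illustration.

```python
# Added toy model (not from the cisco-nsp thread): how per-neighbour label
# verification limits which VRF a packet from a given CE port can reach,
# compared with honouring any label present in the PE's label table.
# Names, labels and the allocation scheme are constructed for the example.


class ToyPe:
    """Minimal model of a PE's VPN-label handling.

    label_table : label -> VRF the PE would forward the payload into
    advertised  : neighbour -> set of labels the PE advertised to that neighbour
    next_label  : sequential allocation, mirroring the non-random allocation
                  the post points out (adjacent customers get adjacent labels)
    """

    def __init__(self, first_label=16):
        self.label_table = {}
        self.advertised = {}
        self.next_label = first_label

    def allocate(self, vrf, neighbour):
        """Allocate the next sequential label for `vrf` and record that it
        was advertised to `neighbour`."""
        label = self.next_label
        self.next_label += 1
        self.label_table[label] = vrf
        self.advertised.setdefault(neighbour, set()).add(label)
        return label

    def forward(self, label, ingress_neighbour, verify):
        """Decide what happens to a packet carrying `label` that arrived
        from `ingress_neighbour`.

        verify=False: any label known to the PE is honoured (the Option C
                      style situation, where the CE is trusted to send only
                      its own labels)
        verify=True : the label must be one this PE advertised to that
                      neighbour (Option B with label verification)
        """
        if label not in self.label_table:
            return "drop: unknown label"
        if verify and label not in self.advertised.get(ingress_neighbour, ()):
            return "drop: label not advertised to this neighbour"
        return self.label_table[label]


def build_demo():
    """Two customers, each with one CE facing the PE. Constructed sample."""
    pe = ToyPe()
    label_a = pe.allocate("vrf-A", "ce-a")
    label_b = pe.allocate("vrf-B", "ce-b")
    return pe, label_a, label_b


def compare(pe, label, ingress_neighbour):
    """Outcome of the same packet under both policies, side by side."""
    return {
        "no-verification": pe.forward(label, ingress_neighbour, verify=False),
        "label-verification": pe.forward(label, ingress_neighbour, verify=True),
    }


if __name__ == "__main__":
    pe, label_a, label_b = build_demo()
    # Because allocation is sequential, customer B's label is label_a + 1,
    # which is why the post calls guessing it "quite easy".
    print("label_a, label_b:", label_a, label_b)
    # A label that was never advertised on ce-a reaches vrf-B without
    # verification and is dropped with it.
    print("label_b from ce-a:", compare(pe, label_b, "ce-a"))
    # The customer's own label works under both policies.
    print("label_a from ce-a:", compare(pe, label_a, "ce-a"))
```

Running it shows the two regimes side by side: without verification the foreign label lands in vrf-B, with verification it is dropped, and the customer's own label is forwarded either way. Real PEs also carry a transport label and per-VRF allocation modes, which this model deliberately omits; the check it illustrates is the one the post credits with reducing the exposure to the customer's own VRFs.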
