Hi Saku,

> Saku Ytti
> Sent: Tuesday, September 02, 2014 4:09 PM
> If I understood that correctly, you propose that in OptC we verify the top label;
> we distributed it, so we should be able to verify it is one of ours.
> However, I don't think this brings us any security, because the 2nd label may be
> another PE box, so the attack is just going to have to take a round trip via one of
> the allowed egress PE boxes before going to the target PE?
> 
> For OptB, I think the verification should be that the stack is 1 label deep, and we've just
> ourselves advertised the label, so there should be no room for spoofing.
> 
> 
I see now.
You are right, this only works if the single label in the stack is the VPN label
allocated by us.
And the only profile that matches this is OptB.

It would be great though if the local PE or ASBR could receive the VPN label
that was advertised to the foreign CEs or PEs so that it could use it during
the label-stack check. This way the PE or ASBR would be able to verify a stack
that is two labels deep.

Some knob or AF in BGP that would tell the ASBR: hey, we know you don't have any
VPNs configured, but just keep the VPN labels (for all the Inter-AS prefixes)
so that you can reference them while doing label stack verification.

This could also work for L2VPNs where BGP is used to advertise the L2VPN label
(EVPN) or the PW label (standard L2VPN).

adam

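The label-stack checks discussed in this exchange, as an added worked example that is not code from either poster or from any vendor: an ASBR model that decodes an incoming MPLS label stack and applies the OptB rule (exactly one label, and it must be a VPN label we allocated ourselves) and the OptC rule (top label must be a transport label we distributed; the second label can only be checked when the hypothetical "keep foreign VPN labels" knob from the message above is on). The table layout, the knob name `retain_foreign_vpn_labels`, and the sample label values are all my assumptions for illustration.

```python
import struct
from dataclasses import dataclass, field


def parse_label_stack(data: bytes) -> list:
    """Decode MPLS shim headers (RFC 3032 layout: 20-bit label, 3-bit TC,
    1-bit bottom-of-stack S, 8-bit TTL), top of stack first.
    Stops at the entry with S=1; raises on a truncated stack."""
    labels, off = [], 0
    while True:
        if off + 4 > len(data):
            raise ValueError("truncated label stack (no bottom-of-stack bit seen)")
        (entry,) = struct.unpack("!I", data[off:off + 4])
        labels.append(entry >> 12)          # label occupies the top 20 bits
        off += 4
        if entry & 0x100:                   # S bit set: bottom of stack
            return labels


def build_label_stack(labels, ttl: int = 64) -> bytes:
    """Encode a list of labels (top first) as shim headers; sets S on the last entry.
    Used here only to construct sample packets for the check below."""
    out = bytearray()
    for i, label in enumerate(labels):
        s_bit = 1 if i == len(labels) - 1 else 0
        out += struct.pack("!I", (label << 12) | (s_bit << 8) | ttl)
    return bytes(out)


@dataclass
class Asbr:
    """Assumed label tables on an Inter-AS ASBR (my modelling choice, not from the thread)."""
    profile: str                                              # "OptB" or "OptC"
    local_vpn_labels: set = field(default_factory=set)        # VPN labels we allocated (OptB)
    local_transport_labels: set = field(default_factory=set)  # PE-loopback labels we distributed (OptC top)
    retained_vpn_labels: set = field(default_factory=set)     # foreign VPN labels kept via the proposed knob
    retain_foreign_vpn_labels: bool = False                   # hypothetical BGP knob/AF from the message

    def verify(self, stack) -> tuple:
        """Return (accept, reason) for a decoded label stack arriving from the foreign AS."""
        if self.profile == "OptB":
            if len(stack) != 1:
                return False, "OptB: stack must be exactly one label deep"
            if stack[0] not in self.local_vpn_labels:
                return False, "OptB: label %d was not advertised by us" % stack[0]
            return True, "OptB: VPN label is one we allocated"

        if self.profile == "OptC":
            if len(stack) != 2:
                return False, "OptC: expected transport label + VPN label"
            top, vpn = stack
            if top not in self.local_transport_labels:
                return False, "OptC: top label %d is not one we distributed" % top
            if not self.retain_foreign_vpn_labels:
                # Saku's point: without the foreign VPN labels we cannot check the 2nd label.
                return True, "OptC: top label ok; second label unverifiable without the knob"
            if vpn not in self.retained_vpn_labels:
                return False, "OptC: VPN label %d not among retained Inter-AS labels" % vpn
            return True, "OptC: both labels match what BGP told us"

        return False, "unknown profile %r" % self.profile


if __name__ == "__main__":
    # Constructed sample values; no relation to any real deployment.
    asbr_b = Asbr("OptB", local_vpn_labels={100000, 100001})
    for pkt in (build_label_stack([100000]), build_label_stack([16, 100000]), build_label_stack([999])):
        print("OptB", parse_label_stack(pkt), asbr_b.verify(parse_label_stack(pkt)))

    asbr_c = Asbr("OptC", local_transport_labels={16, 17}, retained_vpn_labels={200000})
    print("OptC, no knob ", asbr_c.verify([16, 300000]))
    asbr_c.retain_foreign_vpn_labels = True
    print("OptC, with knob", asbr_c.verify([16, 300000]), asbr_c.verify([16, 200000]))
```

The OptC branch makes the weakness from the first message explicit: with only its own transport labels to consult, the ASBR accepts any second label, and the check only becomes meaningful once the retained VPN-label table exists.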

_______________________________________________
cisco-nsp mailing list  [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/