Control plane traffic filtering for LDP on PE routers

Unanswered Question
Jul 4th, 2008

Hi,

Do I really need to have an ACL for LDP (646) on the PE to allow LDP from valid PEs only as part of control plane traffic filtering, because I don't really think it is possible for a CE to inject LDP traffic on the PE interface??

Regards,

Chintan

Harold Ritter Tue, 07/08/2008 - 04:54

Chintan,

The PE would not establish an LDP session with the CE if the interface to the CE is not configured for it (mpls ip).

Regards,

chintan-shah Tue, 07/08/2008 - 04:58

Hi,

Yes, but if the CE just sends packets to TCP/UDP 646 on the PE, it can still be a DoS attack and may impact PE performance. So is it worth having an ACL for port 646 to allow only the core network loopbacks (PE & P)....

Please suggest.

Regards,

Chintan

Giuseppe Larosa Wed, 07/23/2008 - 13:42

Hello Chintan,

The VRF access link where the CE is connected is part of the VRF and isn't a member of the Global Routing Table anymore.

So any possible attempt to build an LDP session cannot impact the backbone MPLS control plane.

If you want to specify all the acceptable LDP sources in a receive-ACL or in Control Plane Policing as part of a security plan, that will be another matter.

Only in a Carrier Supporting Carrier scenario do you have an MPLS LDP or BGPv4-with-labels session between PE and CE.

Hope to help

Giuseppe
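As an added illustration of the Control Plane Policing approach Giuseppe mentions (this is not config from any poster here): a CoPP policy that rate-limits LDP from the core and drops port 646 traffic from anywhere else. The address ranges (10.255.0.0/24 for PE/P loopbacks, 10.0.0.0/16 for core links) and the policer rates are assumed placeholders.

```ios
! Constructed example. Assumed addressing: core loopbacks 10.255.0.0/24,
! core point-to-point links 10.0.0.0/16. Adjust to your backbone.
ip access-list extended COPP-LDP-TRUSTED
 remark LDP sessions (TCP 646) run between transport addresses, i.e. loopbacks
 permit tcp 10.255.0.0 0.0.0.255 any eq 646
 permit tcp 10.255.0.0 0.0.0.255 eq 646 any
 remark Link hellos (UDP 646 to 224.0.0.2) are sourced from the link address,
 remark not the loopback, so a loopback-only match would break neighbour discovery
 permit udp 10.0.0.0 0.0.255.255 host 224.0.0.2 eq 646
 remark Targeted hellos, if used, are unicast loopback to loopback
 permit udp 10.255.0.0 0.0.0.255 10.255.0.0 0.0.0.255 eq 646
!
ip access-list extended COPP-LDP-UNTRUSTED
 remark Any other port 646 traffic: CE-facing, spoofed, or misconfigured
 permit tcp any any eq 646
 permit tcp any eq 646 any
 permit udp any any eq 646
!
class-map match-all COPP-LDP-TRUSTED
 match access-group name COPP-LDP-TRUSTED
class-map match-all COPP-LDP-UNTRUSTED
 match access-group name COPP-LDP-UNTRUSTED
!
policy-map COPP
 ! Class order matters: the trusted class must be evaluated first
 class COPP-LDP-TRUSTED
  police 512000 conform-action transmit exceed-action drop
 class COPP-LDP-UNTRUSTED
  police 8000 conform-action drop exceed-action drop
 class class-default
  police 64000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
```

Check hit counts with `show policy-map control-plane`; a non-zero count in COPP-LDP-UNTRUSTED is worth investigating even though, as noted above, the VRF-facing link cannot reach the global LDP process.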
