10-24-2007 08:18 AM
Our customer is looking to protect their MPLS infrastructure from spoofed labels when using inter-AS VPN option B peering with other providers.
I refer to the situation where our peer sends us packets with labels that are present in our forwarding table but have not been announced to this peer.
Could you recommend any solution or workaround to solve this problem?
10-24-2007 10:05 AM
Models B and C allow for more interaction between ASes, but this increases the risk of intrusions and DoS attacks from the other autonomous systems. Model A is the most secure method.
With options B and C, each AS can send traffic into any VPN of another AS, whether this VPN is shared or not, although it cannot always receive return traffic. This can be used for DoS attacks or simple intrusions.
So there must be TRUST between the two providers, and some sort of security must be implemented between the two ASBRs.
10-24-2007 10:42 AM
This assumes there is inherent trust between the 2 service providers about ethical business practices (as security can be breached no matter what if either of the SPs is not trustworthy).
Having said that, if you enable MD5 authentication on your MP-eBGP session, it should work fine and is comparable to the security level you get in option A.
Also, if you receive an incoming label at your ASBR which is not known, the ASBR will drop it there rather than forwarding it on to the PE to reach the CE.
So there shouldn't be much to worry about with option B.
Can you specifically mention what exact concern the customer has?
HTH-Cheers,
Swaroop
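A small model of the gap between the question and the last reply, added here as an illustration and not taken from the thread or from any vendor implementation: an ASBR that only drops labels absent from its LFIB will still forward a label it advertised to a different peer or uses for its own core, whereas a per-peer check against the labels actually announced over that MP-eBGP session rejects both. Peer names, label values and LFIB contents are constructed sample data.

```python
from collections import Counter

# Constructed sample LFIB of an Option B ASBR: incoming label -> forwarding action.
# 16 and 17 are VPNv4 labels advertised to eBGP peers; 18 is a core-only transport label.
LFIB = {
    16: "swap 300, next hop PE1 (VPN red)",
    17: "swap 301, next hop PE2 (VPN blue)",
    18: "swap 40, next hop P1 (core transport)",
}

# Labels actually announced over each MP-eBGP session (constructed sample data).
ADVERTISED = {
    "AS200": {16},
    "AS300": {17},
}


def lfib_only_check(peer, label):
    """Behaviour the reply above describes: drop only labels the LFIB does not know."""
    return "forward" if label in LFIB else "drop-unknown"


def per_peer_check(peer, label):
    """Stricter check: accept a label from a peer only if it was advertised to that peer."""
    if label not in LFIB:
        return "drop-unknown"
    if label not in ADVERTISED.get(peer, set()):
        return "drop-not-advertised-to-peer"
    return "forward"


def evaluate(packets, check):
    """Apply a check to (peer, label) pairs; return the decisions and a drop counter.

    The counter is the detection signal: repeated drop-not-advertised-to-peer
    results from one ASBR peer are worth alerting on.
    """
    decisions = [(peer, label, check(peer, label)) for peer, label in packets]
    drops = Counter(d for _, _, d in decisions if d != "forward")
    return decisions, drops


# Constructed traffic from peer AS200: its own label, AS300's label, a core label, junk.
SAMPLE_PACKETS = [("AS200", 16), ("AS200", 17), ("AS200", 18), ("AS200", 99)]

if __name__ == "__main__":
    for name, check in (("LFIB-only", lfib_only_check), ("per-peer", per_peer_check)):
        decisions, drops = evaluate(SAMPLE_PACKETS, check)
        print(name, [d for _, _, d in decisions], dict(drops))
```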