Cisco Support Community
Community Member

InterAS option B security problem

Our customer is looking to protect their MPLS infrastructure from spoofed labels when using Inter-AS VPN Option B peering with other providers.

I refer to the situation where our peer sends us packets with labels that are present in our forwarding table but have not been announced to this peer.

Could you recommend any solution or workaround to solve this problem?

Community Member

Re: InterAS option B security problem

Models B and C allow for more interaction between ASes, but they increase the risk of intrusions and DoS attacks from the other autonomous systems. Model A is the most secure method.

With Options B and C, each AS can send traffic into any VPN of another AS, whether this VPN is shared or not, although it cannot always receive return traffic. This can be used for DoS attacks or simple intrusions.

So there must be TRUST between the two providers, and some sort of security must be implemented between the two ASBRs.

Re: InterAS option B security problem

There needs to be inherent trust between the two service providers about ethical business practices (as security can be breached no matter what if either SP is not trustworthy).

Having said that, if you enable MD5 authentication on your MP-eBGP session, it should work fine, and it is comparable to the security level you get in Option A.

Also, if you receive an incoming label at your ASBR which is not known, the ASBR will drop it there rather than forwarding it on to the PE to reach the CE.

So there shouldn't be much to worry about with Option B.

Can you specifically mention what exact concern the customer has?
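The following is an added example, not code from this thread and not Cisco's implementation: a small Python model of the forwarding decision an Option B ASBR makes on the top label of a packet received from an eBGP peer. It shows the situation raised in the question (a label that exists in the LFIB but was never advertised to the peer that sent it), the point in the second reply that an unknown label is dropped at the ASBR, and the risk described in the first reply (traffic pushed into a VPN, or into the core via a transport label, that the peer was never given). It also shows the per-peer label check that closes the gap. TCP MD5 authenticates the BGP session itself; it does not validate the label on data packets, so that check is a separate data-plane control. The peer names, VRF names, next hops and label values are assumed for illustration.

```python
"""Model of an Inter-AS Option B ASBR's label forwarding, with and without a
per-peer check on the incoming top label.

Constructed example (not code from the thread, and not Cisco's implementation):
peer names, VRF names, next hops and label values are assumed for illustration.
"""

from dataclasses import dataclass, field


@dataclass
class LabelEntry:
    """One label the ASBR has allocated: what it forwards to, and which
    neighbours it was actually advertised to."""
    kind: str            # "vpn" (allocated for a re-advertised VPNv4 route) or "transport" (LDP)
    target: str          # VRF/PE or core next hop, for display only
    advertised_to: set[str] = field(default_factory=set)


class OptionBAsbr:
    def __init__(self, per_peer_label_check: bool):
        # With the check off, any label present in the LFIB is forwarded
        # regardless of which neighbour the packet came from (the situation
        # described in the question).
        self.per_peer_label_check = per_peer_label_check
        self.lfib: dict[int, LabelEntry] = {}

    def allocate(self, label: int, kind: str, target: str) -> None:
        self.lfib[label] = LabelEntry(kind, target)

    def advertise(self, label: int, neighbour: str) -> None:
        self.lfib[label].advertised_to.add(neighbour)

    def forward(self, ingress_neighbour: str, label: int) -> tuple[str, str]:
        """Return (action, reason) for a labelled packet from ingress_neighbour."""
        entry = self.lfib.get(label)
        if entry is None:
            # Unknown label: dropped at the ASBR in either mode (the point
            # made in the second reply).
            return "drop", f"label {label} not in LFIB"
        if self.per_peer_label_check and ingress_neighbour not in entry.advertised_to:
            # Label is real, but this neighbour was never told about it.
            return "drop", f"label {label} never advertised to {ingress_neighbour}"
        return "forward", f"{entry.kind} -> {entry.target}"


def build_asbr(per_peer_label_check: bool) -> OptionBAsbr:
    """Assumed topology: our ASBR peers with PEER_A and PEER_B over MP-eBGP
    and with core router P1 over LDP."""
    asbr = OptionBAsbr(per_peer_label_check)
    asbr.allocate(16001, "vpn", "VRF cust-shared via PE1")     # exported to both peers
    asbr.allocate(16002, "vpn", "VRF cust-a-only via PE1")     # exported to PEER_A only
    asbr.allocate(24, "transport", "LDP LSP to PE2 loopback")  # internal, never to eBGP peers
    asbr.advertise(16001, "PEER_A")
    asbr.advertise(16001, "PEER_B")
    asbr.advertise(16002, "PEER_A")
    asbr.advertise(24, "P1")
    return asbr


# Constructed packets arriving from PEER_B's ASBR; only the top label matters here.
PACKETS_FROM_PEER_B = [16001, 16002, 24, 99999]


def run(per_peer_label_check: bool) -> dict[int, str]:
    """Map each incoming label from PEER_B to the ASBR's action."""
    asbr = build_asbr(per_peer_label_check)
    return {label: asbr.forward("PEER_B", label)[0] for label in PACKETS_FROM_PEER_B}


if __name__ == "__main__":
    for mode in (False, True):
        asbr = build_asbr(mode)
        print(f"per-peer label check {'ON ' if mode else 'OFF'}:")
        for label in PACKETS_FROM_PEER_B:
            action, reason = asbr.forward("PEER_B", label)
            print(f"  label {label:>5}: {action:<7} ({reason})")
```

With the check off, PEER_B can reach VRF cust-a-only with label 16002 and the core LSP to PE2 with label 24, even though neither was advertised to it; only the unknown label 99999 is dropped. With the check on, both spoofed labels are dropped while the legitimately advertised 16001 still forwards. Whether a given platform can enforce this check per neighbour on the data plane is a platform question the thread does not answer; the model only shows what the check has to decide.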
