
IETF 72 MPLS WG – Dublin – July 28, 2008




  1. Requirements for LER Forwarding of IPv4 Option Packets (draft-dasmith-mpls-ip-options-00.txt) IETF 72 MPLS WG – Dublin –July 28, 2008 David J. Smith John Mullooly Cisco Systems, Inc. Bill Jaeger AT&T Tom Scholl AT&T Labs

  2. MPLS Architecture (RFC3031)
  [Diagram: Source – LER – LSR – LSR – LER – Destination (Prefix X)]
  1a. Existing Routing Protocols (e.g. OSPF, IS-IS) Establish Reachability to Destination Networks
  1b. Label Distribution Protocols (e.g. LDP) Establish Label to Destination Network (FEC) Mappings
  2. Ingress LER Receives IP Packet, Performs Layer 3 Value-Added Services, and “Labels” Packets
  3. LSR Switches Packets Using Label Swapping
  4. Edge LSR at Egress Removes Any Labels and Forwards Packet

  3. LER Forwarding of IPv4 Option Packets
  [Diagram: Source – LER – LSR – LSR – LER – Destination (Prefix X); option packets take the IP-routed path]
  1a. Existing Routing Protocols (e.g. OSPF, IS-IS) Establish Reachability to Destination Networks
  1b. Label Distribution Protocols (e.g. LDP) Establish Label to Destination Network (FEC) Mappings
  2. Ingress LER Receives IP Packet, Performs Layer 3 Value-Added Services, and “Routes” IPv4 Option Packets
  3. LSR Routes IPv4 Option Packets

  4. LER Forwarding of IPv4 Option Packets
  • Varies depending upon the specific IPv4 option type
  • Varies amongst LER implementations*
  * Not applicable to MPLS VPN LERs: IPv4 option packets within an MPLS VPN are always MPLS encapsulated.

  5. Security Considerations (1/2)
  • Crafted IP option packets that bypass MPLS encapsulation at an ingress LER may:
  • Allow an attacker to DoS downstream LSRs by saturating their software forwarding paths.
  • Expose the MPLS network topology via traceroute.
  • Allow for IP TTL expiry-based DoS attacks against downstream LSRs.
  • Allow an attacker to bypass LSP Diff-Serv tunnels and any associated MPLS CoS field marking policies at ingress LERs and, thereby, DoS or steal high-priority traffic services within the MPLS core.
  • Allow an attacker to specify explicit IP forwarding path(s) across an MPLS network (e.g. via source routing options) and, thereby, target specific LSRs with any of the DoS attacks outlined above.
  • Allow an attacker to build RSVP soft-states on downstream LSRs, which could lead to theft of service by unauthorized parties or to a DoS condition caused by locking up LSR resources.

  6. Security Considerations (2/2)
  • Crafted IP packets that trigger imposition of the Router Alert Label, which could lead to a DoS condition on downstream LSRs.

  7. Proposed LER Requirement (Ingress)
  • An ingress LER MUST implement the following policy, and the policy MUST be enabled by default:
  • When determining whether to push an MPLS label stack onto an IP packet, the determination is made without considering any IP options that may be carried in the IP packet header.
  • Further, the label values that appear in the label stack are determined without considering any such IP options.
  • How an ingress LER processes IP header options before MPLS encapsulation is out of scope, as it is not relevant to MPLS.

  8. Proposed LER Requirement (Egress)
  • An egress LER SHOULD only process IP options in those cases where the egress LER forwarding decision is based on the native IP packet.
  • When the egress LER forwarding decision is based on a popped label, the MPLS-encapsulated IP header information, including IP options, should be ignored, with the exception of the IP TTL per [RFC3443] and the Tunneled Diff-Serv information per [RFC3270].
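The following is an added worked example, not code from the draft or its authors, contrasting the slide-3 behaviour (an ingress LER that routes any packet carrying IPv4 options) with the slide-7 and slide-8 requirements (the push decision and label values depend only on the destination lookup; an egress LER forwarding on a popped label never consults the options). The FIB, LFIB, labels, addresses and sample packets are all constructed for illustration; option type codes are from RFC 791 and RFC 2113, the header checksum is left at zero, and the RFC 3443 TTL and RFC 3270 Diff-Serv handling at egress are deliberately omitted.

```python
import ipaddress
import struct

# IPv4 option type codes from RFC 791 and RFC 2113 (Router Alert).
OPT_EOL, OPT_NOP, OPT_RR, OPT_LSRR, OPT_SSRR, OPT_RA = 0, 1, 7, 131, 137, 148

# Hypothetical ingress FIB: (prefix, outgoing label). None means the prefix is
# reached natively over IP with no LSP, so no label is pushed.
FIB = [
    (ipaddress.ip_network("10.0.0.0/8"), 100),
    (ipaddress.ip_network("10.1.0.0/16"), 200),
    (ipaddress.ip_network("192.0.2.0/24"), None),
]

# Hypothetical egress LFIB: popped label -> next hop the packet is sent to natively.
LFIB = {300: "198.51.100.1"}


def build_ipv4(src, dst, options=b"", payload=b"", ttl=64, proto=17):
    """Construct an IPv4 header; options are padded to a 32-bit boundary and IHL adjusted.
    The header checksum is left at zero because nothing here validates it."""
    options += b"\x00" * ((-len(options)) % 4)
    ihl = 5 + len(options) // 4
    hdr = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl, 0, ihl * 4 + len(payload), 0, 0, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return hdr + options + payload


def parse_options(pkt):
    """Walk the options area and return [(type, data)], rejecting malformed lengths."""
    ihl = (pkt[0] & 0x0F) * 4
    opts, out, i = pkt[20:ihl], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed IPv4 option at offset %d" % i)
        out.append((kind, bytes(opts[i + 2:i + opts[i + 1]])))
        i += opts[i + 1]
    return out


def lookup_fec(dst):
    """Longest-prefix match on the destination address only; returns the label (or None)."""
    best = None
    for net, label in FIB:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, label)
    return best[1] if best else None


def ingress_required(pkt):
    """Slide-7 policy: push decision and label values depend only on the destination lookup."""
    label = lookup_fec(ipaddress.IPv4Address(pkt[16:20]))
    return ("push", label) if label is not None else ("ip-routed", None)


def ingress_legacy(pkt):
    """Slide-3 behaviour: an LER that 'routes' any packet carrying options instead of labeling it,
    so a crafted option packet escapes the LSP and reaches the LSRs' IP path."""
    if (pkt[0] & 0x0F) > 5:          # IHL > 5 means options are present
        return ("ip-routed", None)
    return ingress_required(pkt)


def egress_on_popped_label(pkt, popped_label):
    """Slide-8 policy: when forwarding on a popped label the IP options are never consulted.
    RFC 3443 TTL and RFC 3270 Diff-Serv handling are omitted for brevity."""
    return LFIB[popped_label]


# Constructed sample packets (documentation address ranges): the same flow with no options,
# with a Router Alert option, and with a loose source route naming one intermediate hop.
PLAIN = build_ipv4("203.0.113.5", "10.1.2.3")
ROUTER_ALERT = build_ipv4("203.0.113.5", "10.1.2.3", options=bytes([OPT_RA, 4, 0, 0]))
LSRR = build_ipv4("203.0.113.5", "10.1.2.3",
                  options=bytes([OPT_LSRR, 7, 4]) + ipaddress.IPv4Address("10.0.0.9").packed)

if __name__ == "__main__":
    for name, pkt in [("plain", PLAIN), ("router-alert", ROUTER_ALERT), ("lsrr", LSRR)]:
        print(name, parse_options(pkt), "legacy:", ingress_legacy(pkt),
              "required:", ingress_required(pkt))
```

Under the legacy behaviour the Router Alert and source-routed packets come back as ip-routed, which is exactly the bypass the security-considerations slides describe; under the required policy all three get the same label as the plain packet, and the egress lookup never touches the options area at all.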

  9. Conclusion • Comments are welcome • We would like this draft to be a WG draft
