Re: [mpls] validating incoming frames at an Ethernet interface of an LSR

[Mitchell Erblich <erblichs at earthlink.net>]

Group,

	I didn't think he wanted Refs from expired drafts
	and L1 MIGHT not be an invalid label. (see below)

	But since we are in somewhat of an implementation
	aspect.

	Some systems / OSs support ipchains and/or
	their equivs and thus, it is conceivable some rule
	on an input of R1 could DENY or REJECT a packet
	on the input interface based on a created rule.

	However, I wasn't 100% sure whether the example was
	specifying a local label binding or remote label binding,
	because the latter might not necessarily be a problem.

	But their also is the LDP (Label Distribution Protocol)
	which MIGHT generate the needed NOTIFICATION
	message versus just dropping the packet as suggested
	in the poster's post and the draft.

	So. I wanted to start the poster with the foundation
	of MPLS without first generating 100 questions and
	then giving him a set of rules to determine my answer.

	Mitchell Erblich
	=================
	

		
	

	
On Jun 24, 2009, at 2:28 AM, Jiang Yuan-long wrote:

> Hi Anoop:
>
> This is mentioned in "draft-ietf-l3vpn-ipsec-2547-05", which said:
>  A Service Provider (SP) can protect against spoofed MPLS packets by
>  the simple expedient of not accepting MPLS packets from outside its
>  own boundaries (or more generally by keeping track of which labels
>  are validly received over which interfaces, and discarding packets
>  which arrive with labels that are not valid for their incoming
>  interfaces)...
> But this draft was expired long ago. Hope it helps you.
>
> Cheers
>
> Jiang Yuanlong
>
> ----- Original Message ----- From: "Anoop Ghanwani"  
> <anoop at brocade.com>
> To: <mpls at ietf.org>
> Sent: Wednesday, June 24, 2009 8:49 AM
> Subject: [mpls] validating incoming frames at an Ethernet interface  
> of an LSR
>
>
> > Let's say I have 3 routers R1, R2 & R3 connected
> > by a layer 2 switch.
> >
> > Let's say R1 advertises a label, say L1, for a
> > certain FEC to R2.  Let's assume R1 has a global
> > LIB (i.e. assigns different labels each time one
> > is requested).
> >
> > Now, if R3 sends a frame with L1 addressed to
> > R1's MAC address, would R1 just pick the frame
> > up and forward it, or would it actually notice
> > the problem and drop the frame?
> >
> > I know we're getting into implementation here,
> > but would appreciate if someone can point me to
> > an RFC/draft that discusses this issue.
> >
> > Thanks,
> > Anoop
> > _______________________________________________
> > mpls mailing list
> > mpls at ietf.org
> > https://www.ietf.org/mailman/listinfo/mpls
>
> _______________________________________________
> mpls mailing list
> mpls at ietf.org
> https://www.ietf.org/mailman/listinfo/mpls