iMPLS benefit
W. Mark Townsley
townsley at cisco.com
Sat Mar 6 11:33:04 UTC 2004
David Meyer wrote:
> On Fri, Mar 05, 2004 at 10:02:10AM -0800, Yakov Rekhter wrote:
>
>>>Dave,
>>>
>>>
>>>>Hey Suki,
>>>>
>>>>On Thu, Mar 04, 2004 at 02:14:20PM -0800, sonet twister wrote:
>>>>
>>>>>>Hello,
>>>>>>
>>>>>>i heard there is a way to run MPLS for layer3 VPN(2547)
>>>>>>service without needing to run label switching in the
>>>>>>core(LDP/TDP/RSVP) but straight IP (aka iMPLS).
>>>>
>>>> ftp://ftp.ietf.org/internet-drafts/draft-townsley-l2tpv3-mpls-01.txt
>>>>
>>>> See also Mark's talk from the last NANOG
>>>>
>>>> http://nanog.org/mtg-0402/townsley.html
>>>
>>>That requires to run L2TP. An alternative is to run GRE (or even plain
>>>IP). The latter (GRE) is implemented by quite a few vendors (and is
>>>known to be interoperable among multiple vendors).
The only multi-vendor interoperable mode of GRE that I am aware of requires
manual provisioning of point-to-point GRE tunnels between MPLS networks and to
each and every IP-only reachable PE.
The BGP extension defined in the draft below allows "iMPLS" for 2547 VPN support
without requiring any manually provisioned tunnels (and works for "mGRE" or
L2TPv3).
http://www.watersprings.org/pub/id/draft-nalawade-kapoor-tunnel-safi-01.txt
Note that "mGRE" (multipoint GRE) is *not* the same as the point-to-point GRE
method that Yakov is referring to. Same header, different usage.
Enabling MPLS over any type of IP tunnel changes the security characteristics of
your 2547 deployment, in particular with respect to packet spoofing attacks. The
L2TPv3 encapsulation used with the extension defined above provides
anti-spoofing protection for blind attacks (e.g., the kind that a script kiddie
could launch fairly easily) with miniscule operational overhead vs. GRE which
relies on IPsec.
- Mark
>>>
>>>The spec is draft-ietf-l3vpn-gre-ip-2547-01.txt.
>
>
> Yep, you are correct. Sorry not to cite that one too.
>
> Dave
>
More information about the NANOG
mailing list