North American Network Operators Group
Re: iMPLS benefit
David Meyer wrote:
The only multi-vendor interoperable mode of GRE that I am aware of requires manual provisioning of point-to-point GRE tunnels between MPLS networks and to each and every IP-only reachable PE.
On Fri, Mar 05, 2004 at 10:02:10AM -0800, Yakov Rekhter wrote:
Dave,
Hey Suki,
On Thu, Mar 04, 2004 at 02:14:20PM -0800, sonet twister wrote:
Hello,
The BGP extension defined in the draft below allows "iMPLS" for 2547 VPN support without requiring any manually provisioned tunnels (and works for "mGRE" or L2TPv3).
Note that "mGRE" (multipoint GRE) is *not* the same as the point-to-point GRE method that Yakov is referring to. Same header, different usage.
Enabling MPLS over any type of IP tunnel changes the security characteristics of your 2547 deployment, in particular with respect to packet spoofing attacks. The L2TPv3 encapsulation used with the extension defined above provides anti-spoofing protection for blind attacks (e.g., the kind that a script kiddie could launch fairly easily) with minuscule operational overhead vs. GRE which relies on IPsec.
The spec is draft-ietf-l3vpn-gre-ip-2547-01.txt.
Yep, you are correct. Sorry not to cite that one too.
Dave
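An added example, not part of the original message or of any vendor's code: a sketch of the check a decapsulating PE can make on MPLS-over-L2TPv3 packets to get the blind anti-spoofing property described above. It assumes the mechanism is the L2TPv3 session cookie (RFC 3931) in the MPLS-over-L2TPv3 header layout of Session ID, 64-bit Cookie, then label stack (RFC 4817); the session table, cookie value and function names are constructed for illustration.

```python
import hmac
import struct

# Constructed session table for the decapsulating PE:
# session ID -> expected 64-bit cookie. Both values are made up.
SESSIONS = {0x0000BEEF: bytes.fromhex("8f3a1c5d9e027b46")}
COOKIE_LEN = 8  # RFC 3931 allows a 32- or 64-bit cookie; 64 bits assumed here


def decapsulate(payload: bytes):
    """Validate the L2TPv3-over-IP session header and read the top MPLS label.

    `payload` is the IP payload (protocol 115): Session ID, Cookie, label stack.
    Returns (label, bottom_of_stack, rest), or None when the packet is dropped.
    """
    if len(payload) < 4 + COOKIE_LEN + 4:
        return None  # too short for header plus one label stack entry
    (session_id,) = struct.unpack_from("!I", payload, 0)
    expected = SESSIONS.get(session_id)
    if expected is None:
        return None  # unknown session (ID 0 is reserved for control messages)
    cookie = payload[4:4 + COOKIE_LEN]
    # Compare before any label lookup, so a packet with a guessed VPN label
    # but the wrong cookie never reaches a VRF.
    if not hmac.compare_digest(cookie, expected):
        return None
    (entry,) = struct.unpack_from("!I", payload, 4 + COOKIE_LEN)
    label = entry >> 12              # 20-bit label
    bottom = bool((entry >> 8) & 1)  # S bit
    return label, bottom, payload[4 + COOKIE_LEN + 4:]


def build(session_id: int, cookie: bytes, label: int, inner: bytes) -> bytes:
    """Build a constructed test packet carrying one label (S=1, TTL=64)."""
    entry = (label << 12) | (1 << 8) | 64
    return struct.pack("!I", session_id) + cookie + struct.pack("!I", entry) + inner


def blind_guess_probability(bits: int = 64) -> float:
    """Chance that a single blindly spoofed packet carries the right cookie."""
    return 2.0 ** -bits
```

The cookie only stops an off-path sender who cannot observe traffic; anyone who can read packets between the PEs sees it in the clear, which is the case IPsec addresses.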