I-D Action: draft-mjsraman-l2vpn-vpls-tictoc-label-hop-01.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.


	Title           : Securing Model-C Inter-Provider VPLS L2 VPNs with Label Hopping and TicToc
	Author(s)       : Shankar Raman
                          Balaji Venkat Venkataswami
                          Gaurav Raina
                          Bhargav Bhikkaji
	Filename        : draft-mjsraman-l2vpn-vpls-tictoc-label-hop-01.txt
	Pages           : 19
	Date            : 2012-08-17

Abstract:
   In certain models of inter-provider Multi-Protocol Label Switching
   (MPLS) based Virtual Private Networks (VPNs) spoofing attack against
   VPN sites is a key concern. For example, MPLS-based VPN inter-
   provider model "C" for VPLS is not favoured, owing to security
   concerns in the dataplane, even though it can scale with respect to
   maintenance of routing state. Since the inner labels associated with
   VPN sites are not encrypted during transmission, a man-in-the-middle
   attacker can spoof packets to a specific VPLS site. In this paper, we
   propose a label-hopping technique which uses a set of randomized
   labels and a method for hopping amongst these labels using the time
   instant the packet leaves the port from a sending Provider Edge
   Router. To prevent the attacker from identifying the labels in
   polynomial time, we also use an additional label. The proposed
   technique can be applied to other variants of inter-provider MPLS
   based VPNs where Multi-Protocol exterior-BGP (MP-eBGP) multi-hop is
   used. As we address a key security concern, we can make a case for
   the deployment of MPLS based VPLS inter-provider model "C".
   Specifically we use the TicToc based Precision Time Protocol LSP to
   provide the timing for determining the time instant at which the
   packet is sent from the remote end Provider Edge Router and for
   calculating when it must have left that peer at the Provider Edge
   Router at the near end / receiving end.
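As an added illustration, not code from the draft, here is a toy model of the time-slotted label hopping the abstract describes: two PEs share a randomized label set and a key, the sender derives the VPN label (plus an extra keyed label) from the PTP departure time, and the receiver accepts a label pair only within a small clock-skew window. The slot size, the HMAC-based selection rule and the way the extra label is derived are assumptions of this example.

```python
import hashlib
import hmac
import secrets

MPLS_MAX = (1 << 20) - 1   # MPLS label field is 20 bits
SLOT_NS = 1_000_000        # one hop slot per millisecond (assumed)


def make_label_set(count, rng=secrets):
    """Constructed shared set of distinct random labels (>= 16, past the reserved range)."""
    labels = set()
    while len(labels) < count:
        labels.add(16 + rng.randbelow(MPLS_MAX - 15))
    return sorted(labels)


def hop_label(labels, secret, t_ns):
    """Sender PE: choose the VPN label for the slot containing departure time t_ns,
    plus an extra keyed label so the hop sequence cannot be read off observed labels."""
    slot = t_ns // SLOT_NS
    digest = hmac.new(secret, slot.to_bytes(8, "big"), hashlib.sha256).digest()
    idx = int.from_bytes(digest[:4], "big") % len(labels)
    extra = 16 + (int.from_bytes(digest[4:8], "big") % (MPLS_MAX - 15))
    return labels[idx], extra


def accept(labels, secret, vpn_label, extra, rx_t_ns, skew_slots=1):
    """Receiver PE: accept only if the pair matches the expected pair for the
    current slot or a neighbouring one (bounded PTP skew and path delay)."""
    slot = rx_t_ns // SLOT_NS
    for s in range(max(0, slot - skew_slots), slot + skew_slots + 1):
        if hop_label(labels, secret, s * SLOT_NS) == (vpn_label, extra):
            return True
    return False


def demo():
    """Legitimate delivery is accepted; a replay of the same pair 10 slots later is not."""
    labels = make_label_set(8)
    secret = secrets.token_bytes(32)
    t = 1_700_000_000_000_000_000            # constructed departure time (ns)
    vpn_label, extra = hop_label(labels, secret, t)
    legit = accept(labels, secret, vpn_label, extra, t + 300_000)
    replayed = accept(labels, secret, vpn_label, extra, t + 10 * SLOT_NS)
    return legit, replayed
```

The window in `accept` is the part a deployment has to size from real PTP error budgets: too narrow and legitimate packets are dropped, too wide and a captured pair stays usable for longer.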


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-mjsraman-l2vpn-vpls-tictoc-label-hop

There's also a htmlized version available at:
http://tools.ietf.org/html/draft-mjsraman-l2vpn-vpls-tictoc-label-hop-01

A diff from the previous version is available at:
http://www.ietf.org/rfcdiff?url2=draft-mjsraman-l2vpn-vpls-tictoc-label-hop-01


Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

_______________________________________________
I-D-Announce mailing list
I-D-Announce@ietf.org
https://www.ietf.org/mailman/listinfo/i-d-announce
Internet-Draft directories: http://www.ietf.org/shadow.html
or ftp://ftp.ietf.org/ietf/1shadow-sites.txt

