LER Forwarding of IPv4 Option Packets


Requirements for LER Forwarding
of IPv4 Option Packets
(draft-dasmith-mpls-ip-options-00.txt)
IETF 72 MPLS WG – Dublin – July 28, 2008
David J. Smith
John Mullooly
Cisco Systems, Inc.
Bill Jaeger
AT&T
Tom Scholl
AT&T Labs
MPLS Architecture (RFC3031)
[Diagram: Source -> LER (ingress) -> LSR -> LSR -> LER (egress) -> Destination (Prefix X)]
1a. Existing routing protocols (e.g. OSPF, IS-IS) establish reachability to destination networks.
1b. Label distribution protocols (e.g. LDP) establish label-to-destination-network (FEC) mappings.
2. Ingress LER receives the IP packet, performs Layer 3 value-added services, and "labels" the packet.
3. LSRs switch packets using label swapping.
4. Edge LSR at egress removes any labels and forwards the packet.
LER Forwarding of IPv4 Option Packets
[Diagram: same topology as the previous slide: Source -> LER (ingress) -> LSR -> LSR -> LER (egress) -> Destination (Prefix X)]
1a. Existing routing protocols (e.g. OSPF, IS-IS) establish reachability to destination networks.
1b. Label distribution protocols (e.g. LDP) establish label-to-destination-network (FEC) mappings.
2. Ingress LER receives the IP packet, performs Layer 3 value-added services, and "routes" IPv4 option packets instead of labeling them.
3. LSRs route the unlabeled IPv4 option packets.
LER Forwarding of IPv4 Option Packets
 Varies depending upon the specific IPv4 option type
 Varies amongst LER implementations*
* Not applicable to MPLS VPN LERs: IPv4 option packets within an MPLS VPN are always MPLS encapsulated.
Security Considerations (1/2)

Crafted IP option packets that bypass MPLS
encapsulation at an ingress LER may:
1. Allow an attacker to DoS downstream LSRs by saturating
their software forwarding paths.
2. Expose the MPLS network topology via traceroute.
3. Allow for IP TTL expiry-based DoS attacks against
downstream LSRs.
4. Allow an attacker to bypass LSP Diff-Serv tunnels and any
associated MPLS CoS field marking policies at ingress
LERs and, thereby, DoS or steal high-priority traffic services
within the MPLS core.
5. Allow an attacker to specify explicit IP forwarding path(s)
across an MPLS network and, thereby, target specific LSRs
with any of the DoS attacks outlined above.
6. Allow an attacker to build RSVP soft-states on downstream
LSRs which could lead to theft of service by unauthorized
parties or to a DoS condition caused by locking up LSR
resources.
Security Considerations (2/2)

Crafted IP packets may also:
7. Trigger imposition of the Router Alert Label, which could lead to
a DoS condition on downstream LSRs.
Proposed LER Requirement (Ingress)
 An ingress LER MUST implement the following policy,
and the policy MUST be enabled by default:
When determining whether to push an MPLS label stack onto
an IP packet, the determination is made without considering any
IP options that may be carried in the IP packet header.
Further, the label values that appear in the label stack are
determined without considering any such IP options.
 How an ingress LER processes IP header options
before MPLS encapsulation is out of scope as it is not
relevant to MPLS.
Proposed LER Requirement (Egress)
 An egress LER SHOULD only process IP options in
those cases where the egress LER forwarding decision
is based on the native IP packet.
When the egress LER forwarding decision is based on a
popped label, the MPLS encapsulated IP header information
including IP options should be ignored with the exception of the
IP TTL per [RFC3443] and the Tunneled Diff-Serv information
per [RFC3270].
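The ingress requirement (push decision and label values chosen without looking at IP options) and the egress requirement (options ignored when forwarding on a popped label) can be made concrete as a small forwarding model. The following is an added example written for this page; it is not code from the draft, from Cisco, or from AT&T. The FIB/LFIB entries, the addresses (taken from the RFC 5737 documentation ranges), and the sample packets are constructed, and the RFC 3443 uniform-model TTL handling is simplified to "decrement the label TTL and copy it into the IP header". `ingress_legacy` models the behaviour the Security Considerations warn about, where any option forces the packet out of the label path; `ingress_required` and `egress_required` model the proposed policy.

```python
import ipaddress
import struct

# Added example, not part of draft-dasmith-mpls-ip-options-00 or any vendor code.
OPT_EOOL, OPT_NOP, OPT_RR, OPT_LSRR, OPT_SSRR, OPT_RA = 0, 1, 7, 131, 137, 148
OPT_NAMES = {OPT_RR: "RR", OPT_LSRR: "LSRR", OPT_SSRR: "SSRR", OPT_RA: "RA"}

# Constructed ingress FIB: destination prefix (FEC) -> label learned via LDP.
FIB = {ipaddress.ip_network("198.51.100.0/24"): 16001,
       ipaddress.ip_network("203.0.113.0/24"): 16002}
# Constructed egress LFIB: popped label -> next hop when the forwarding decision is
# based on the label itself, or "ip-lookup" when it is based on the native IP packet.
LFIB = {16001: "198.51.100.1", 16002: "ip-lookup"}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when run over a valid header."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def build_ipv4(src, dst, ttl=64, tos=0, options=b"", payload=b"") -> bytes:
    """Build a raw IPv4 header (+payload); options are padded to a 32-bit boundary."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, tos, ihl * 4 + len(payload), 0, 0,
                      ttl, 17, 0, ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed) + options
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(pkt: bytes):
    """Return (fields, [(option_type, option_data), ...]); malformed options are rejected."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(pkt):
        raise ValueError("bad IHL")
    fields = {"tos": pkt[1], "ttl": pkt[8],
              "src": str(ipaddress.ip_address(pkt[12:16])),
              "dst": str(ipaddress.ip_address(pkt[16:20]))}
    opts, buf, i = [], pkt[20:ihl], 0
    while i < len(buf):
        t = buf[i]
        if t == OPT_EOOL:
            break
        if t == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(buf) or buf[i + 1] < 2 or i + buf[i + 1] > len(buf):
            raise ValueError("malformed option")  # drop rather than punt to the slow path
        opts.append((t, bytes(buf[i + 2:i + buf[i + 1]])))
        i += buf[i + 1]
    return fields, opts


def lookup_fec(dst: str):
    """Longest-prefix match of the destination against the FIB; None if no FEC."""
    a = ipaddress.ip_address(dst)
    matches = [(n.prefixlen, lbl) for n, lbl in FIB.items() if a in n]
    return max(matches)[1] if matches else None


def ingress_legacy(pkt: bytes):
    """Behaviour the draft warns about: any IP option bypasses label imposition."""
    f, opts = parse_ipv4(pkt)
    names = [OPT_NAMES.get(t, t) for t, _ in opts]
    if opts:
        return "ip-routed", None, names  # leaks into the core as plain IP
    label = lookup_fec(f["dst"])
    return ("labeled", label, names) if label is not None else ("ip-routed", None, names)


def ingress_required(pkt: bytes):
    """Proposed ingress policy: push decision and label values depend only on the FEC."""
    f, opts = parse_ipv4(pkt)
    names = [OPT_NAMES.get(t, t) for t, _ in opts]
    label = lookup_fec(f["dst"])
    return ("labeled", label, names) if label is not None else ("ip-routed", None, names)


def egress_required(popped_label: int, mpls_ttl: int, pkt: bytes):
    """Proposed egress policy: forwarding on the popped label reads only TTL (RFC 3443,
    uniform model simplified to decrement-and-copy) and DS (RFC 3270), never options."""
    f, opts = parse_ipv4(pkt)
    nh = LFIB.get(popped_label)
    if nh is None:
        return {"action": "drop", "reason": "unknown label"}
    if nh == "ip-lookup":  # decision based on the native IP packet: options may be processed
        return {"action": "ip-lookup", "options_processed": [OPT_NAMES.get(t, t) for t, _ in opts]}
    out_ttl = mpls_ttl - 1
    if out_ttl <= 0:
        return {"action": "drop", "reason": "ttl expired"}
    return {"action": "forward", "next_hop": nh, "ip_ttl": out_ttl, "tos": f["tos"],
            "options_processed": []}


# Constructed sample packets: plain, Router Alert (RFC 2113), and loose source route.
RA_OPT = bytes([OPT_RA, 4, 0, 0])
LSRR_OPT = bytes([OPT_LSRR, 7, 4, 192, 0, 2, 1])
PLAIN = build_ipv4("192.0.2.10", "198.51.100.5")
WITH_RA = build_ipv4("192.0.2.10", "198.51.100.5", options=RA_OPT)
WITH_LSRR = build_ipv4("192.0.2.10", "198.51.100.5", ttl=3, options=LSRR_OPT)

if __name__ == "__main__":
    for name, p in [("plain", PLAIN), ("router-alert", WITH_RA), ("lsrr", WITH_LSRR)]:
        print(name, "legacy:", ingress_legacy(p), "required:", ingress_required(p))
    print("egress via label:", egress_required(16001, 10, WITH_RA))
    print("egress via IP lookup:", egress_required(16002, 10, WITH_RA))
```

Running it shows the difference the requirement makes: the legacy model sends both option packets into the core unlabeled, while the required model labels them with the same FEC label as the plain packet, so their options never reach LSR software paths. At egress, only the `ip-lookup` entry (the case where the forwarding decision is based on the native IP packet) exposes the options for processing.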
Conclusion
 Comments are welcome
 We would like this draft to be a WG draft