[rrg] Remote ACLs [Proposals which match rrg architectures.htmlpls check the page]
Dino Farinacci
dino at cisco.com
Mon Jan 5 09:41:28 PST 2009
> I guess that one of the problems with using identifiers is how can
> you trust the identifiers in the packet?
> I mean, if you include both the ID and the locator in the packet
> e.g. a tunnel, the source locator has some inherent security
> features, since it is the token that will be used by the routing
> system to send packets back,
Don't assume this.
> so spoofing it will result in the return packet going somewhere else.
> The identifier does not have such a property and spoofing it is trivial.
You could do an EID-to-RLOC map check at access points (i.e. PE
routers). That is just a different form of uRPF.
> I guess that if we want to use identifiers in the ACL and make them
> minimally useful, the device holding the ACL needs to verify the ID
> loc mapping, which seems somehow more complex than current practice.
On the PE box, you may know what customer link has EID-prefixes and do
the ACL there.
Dino
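The two checks Dino describes, modelled as an added example that is not part of the thread and not any vendor's code: a decapsulating PE verifying that the outer source RLOC is one the mapping system lists for the inner source EID (the "different form of uRPF"), and an access PE verifying that a packet's source EID falls inside an EID-prefix provisioned on the customer link it arrived on. The mapping database, link provisioning, addresses and packet records are all constructed for illustration.

```python
"""Added example: EID-to-RLOC mapping check as a uRPF-style filter on a PE.
All data below (mapping entries, link provisioning, packets) is constructed."""
from ipaddress import ip_address, ip_network

# Constructed mapping database: EID-prefix -> set of RLOCs registered for it.
MAP_DB = {
    ip_network("10.1.0.0/16"): {ip_address("192.0.2.1"), ip_address("192.0.2.2")},
    ip_network("10.2.0.0/16"): {ip_address("198.51.100.7")},
}

# Constructed access-PE provisioning: which EID-prefixes sit behind each customer link.
LINK_EIDS = {
    "ge-0/0/1": [ip_network("10.1.0.0/16")],
    "ge-0/0/2": [ip_network("10.2.0.0/16")],
}


def lookup_rlocs(eid):
    """Longest-prefix match of an EID against the mapping database; empty set if none."""
    eid = ip_address(eid)
    best_prefix, best_rlocs = None, set()
    for prefix, rlocs in MAP_DB.items():
        if eid in prefix and (best_prefix is None or prefix.prefixlen > best_prefix.prefixlen):
            best_prefix, best_rlocs = prefix, rlocs
    return best_rlocs


def map_check(outer_src_rloc, inner_src_eid):
    """Decapsulation-side check: the outer source RLOC must be one of the RLOCs
    the mapping system lists for the inner source EID. Returns (accept, reason)."""
    rlocs = lookup_rlocs(inner_src_eid)
    if not rlocs:
        return False, "no mapping for source EID"
    if ip_address(outer_src_rloc) not in rlocs:
        return False, "source RLOC not in mapping for source EID"
    return True, "ok"


def access_check(ingress_link, src_eid):
    """Access-side check (uRPF on the customer link): the source EID must fall
    inside a prefix provisioned on the link the packet arrived on."""
    prefixes = LINK_EIDS.get(ingress_link, [])
    if any(ip_address(src_eid) in p for p in prefixes):
        return True, "ok"
    return False, "source EID not provisioned on ingress link"


def filter_packets(packets):
    """Apply whichever check fits where each packet was seen.
    A packet with 'outer_src' is a decapsulated tunnel packet; one with 'link'
    arrived natively on a customer link. Returns [(id, accepted, reason)]."""
    verdicts = []
    for pkt in packets:
        if "outer_src" in pkt:
            ok, why = map_check(pkt["outer_src"], pkt["inner_src"])
        else:
            ok, why = access_check(pkt["link"], pkt["src"])
        verdicts.append((pkt["id"], ok, why))
    return verdicts


# Constructed sample traffic: one legitimate and one spoofed packet of each kind.
SAMPLE_PACKETS = [
    {"id": 1, "outer_src": "192.0.2.1", "inner_src": "10.1.5.5"},      # valid mapping
    {"id": 2, "outer_src": "203.0.113.9", "inner_src": "10.1.5.5"},    # EID claimed from wrong RLOC
    {"id": 3, "outer_src": "192.0.2.1", "inner_src": "10.9.0.1"},      # EID with no mapping
    {"id": 4, "link": "ge-0/0/1", "src": "10.1.0.3"},                  # EID on its own link
    {"id": 5, "link": "ge-0/0/2", "src": "10.1.0.3"},                  # EID from another customer's link
]

if __name__ == "__main__":
    for pid, ok, why in filter_packets(SAMPLE_PACKETS):
        print(f"packet {pid}: {'ACCEPT' if ok else 'DROP'} ({why})")
```

The decapsulation check only binds an EID to a set of RLOCs, so a host behind a legitimate RLOC can still claim any EID within that site's prefixes; that residual gap is what the second, per-link check on the access PE closes, and it is why the thread places the ACL on the PE box that knows which customer link owns which EID-prefixes.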