• Robert Shearman's avatar
    mpls: Per-device enabling of packet input · 37bde799
    Robert Shearman authored
    An MPLS network is a single trust domain where the edges must be in
    control of what labels make their way into the core. The simplest way
    of ensuring this is for the edge device to always impose the labels,
    and not allow forward labeled traffic from untrusted neighbours. This
    is achieved by allowing a per-device configuration of whether MPLS
    traffic input from that interface should be processed or not.
    
    To be secure by default, the default state is changed to MPLS being
    disabled on all interfaces unless explicitly enabled and no global
    option is provided to change the default. Whilst this differs from
    other protocols (e.g. IPv6), network operators are used to explicitly
    enabling MPLS forwarding on interfaces, and with the number of links
    to the MPLS core typically fairly low this doesn't present too much of
    a burden on operators.
    
    Cc: "Eric W. Biederman" <ebiederm@xmission.com>
    Signed-off-by: default avatarRobert Shearman <rshearma@brocade.com>
    Reviewed-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    37bde799
af_mpls.c 26.3 KB