37bde79979
An MPLS network is a single trust domain where the edges must be in control of what labels make their way into the core. The simplest way of ensuring this is for the edge device to always impose the labels, and not allow forwarding of labeled traffic from untrusted neighbours. This is achieved by allowing a per-device configuration of whether MPLS traffic input from that interface should be processed or not. To be secure by default, the default state is changed to MPLS being disabled on all interfaces unless explicitly enabled and no global option is provided to change the default. Whilst this differs from other protocols (e.g. IPv6), network operators are used to explicitly enabling MPLS forwarding on interfaces, and with the number of links to the MPLS core typically fairly low this doesn't present too much of a burden on operators.

Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Robert Shearman <rshearma@brocade.com>
Reviewed-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
30 lines
844 B
Plaintext
/proc/sys/net/mpls/* Variables:

platform_labels - INTEGER
	Number of entries in the platform label table. It is not
	possible to configure forwarding for label values equal to or
	greater than the number of platform labels.

	A dense utilization of the entries in the platform label table
	is possible and expected as the platform labels are locally
	allocated.

	If the number of platform label table entries is set to 0 no
	label will be recognized by the kernel and mpls forwarding
	will be disabled.

	Reducing this value will remove all label routing entries that
	no longer fit in the table.

	Possible values: 0 - 1048575
	Default: 0

conf/<interface>/input - BOOL
	Control whether packets can be input on this interface.

	If disabled, packets will be discarded without further
	processing.

	0 - disabled (default)
	not 0 - enabled
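The following audit script is an added example and is not part of the kernel commit or of the kernel tree. It assumes only the sysctl layout documented above (`platform_labels` and `conf/<interface>/input` under `/proc/sys/net/mpls`); the `SYSCTL_ROOT` variable, the function names and the idea of a space-separated list of "trusted" core-facing interfaces are all assumptions introduced here. It reports any interface on which MPLS input has been enabled that is not in the trusted list, which is the configuration property the commit message says the edge must enforce.

```shell
#!/bin/sh
# Added example, not kernel code. Audits the MPLS sysctls documented above.
# SYSCTL_ROOT (default /proc/sys/net/mpls) may point at a copy of the tree,
# e.g. one constructed under a temporary directory for offline testing.

# Print the names of all interfaces under $1/conf whose "input" sysctl is
# non-zero, i.e. on which the kernel will accept labeled packets.
mpls_input_enabled_ifaces() {
    root="${1:-/proc/sys/net/mpls}"
    for f in "$root"/conf/*/input; do
        [ -r "$f" ] || continue          # no MPLS sysctls present: nothing to list
        v=$(cat "$f")
        if [ "$v" != "0" ]; then
            basename "$(dirname "$f")"
        fi
    done
}

# Return 0 if platform_labels is greater than 0 (the kernel can recognise
# labels at all), 1 if it is 0 or the sysctl does not exist.
mpls_forwarding_possible() {
    root="${1:-/proc/sys/net/mpls}"
    [ -r "$root/platform_labels" ] || return 1
    [ "$(cat "$root/platform_labels")" -gt 0 ]
}

# Audit: $1 is the sysctl root, $2 a space-separated list of interfaces that
# are allowed to accept labeled traffic (the links towards the MPLS core).
# Every other interface with input enabled is reported; returns 1 if any found.
mpls_audit() {
    root="${1:-/proc/sys/net/mpls}"
    allowed=" $2 "
    rc=0
    for ifc in $(mpls_input_enabled_ifaces "$root"); do
        case "$allowed" in
            *" $ifc "*) ;;
            *) echo "WARNING: MPLS input enabled on untrusted interface $ifc"; rc=1 ;;
        esac
    done
    return $rc
}

# Stand-alone use: audit the live tree, treating the script arguments as the
# trusted interfaces. Skipped silently when the mpls sysctls are absent.
if [ -d "${SYSCTL_ROOT:-/proc/sys/net/mpls}" ]; then
    if mpls_forwarding_possible "${SYSCTL_ROOT:-/proc/sys/net/mpls}"; then
        mpls_audit "${SYSCTL_ROOT:-/proc/sys/net/mpls}" "$*" || true
    else
        echo "platform_labels is 0: MPLS forwarding is disabled on this host"
    fi
fi
```

Because the secure default from this commit is `input = 0` on every interface, the expected audit output on a correctly configured edge device is empty: only the interfaces an operator explicitly enabled should ever appear, and each of those should be on the trusted list.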