RE: [Full-Disclosure] MPLS Security

From: Cupps, James (
Date: 12/01/03

  • Next message: Ron DuFresne: "Re: [Full-Disclosure] automated vulnerability testing"
    Date: Mon, 1 Dec 2003 10:51:41 -0500

    Many people thinking of the security of an MPLS network assume that only
    MPLS members have access to the root IP network that it is running over. It
    might not be necessary to "Break out". I think that it is likely that in
    many MPLS implementations there is little or no significant protection from
    the carrier's standard internet services other than basic routing
    configurations. Essentially this means you could attack the PE's from either
    side if you had an internet account on the carrier's network.

    MPLS uses BGP (IBGP) as a separating mechanism and has no inherent
    encryption or true authentication. As such the "VPN's" created are not very
    effective protection mechanisms (I'm sure many carriers would contest this
    statement but they would be wrong). If someone has access (any type of
    access) to the root IP network then it is very likely that they would be
    able to eventually gain at least the ability to sniff the traffic of all
    organizations using the MPLS network by using normal route hacking
    techniques such as SRB and ICMP redirects. Most carriers pay a good amount
    of attention to their security but on a network of thousands of nodes there
    are bound to be a few weaknesses (as mentioned in your note below). Uncommon
    but not unheard of.

    Using the MPLS network to inject themselves into a client network would
    require them to be able to somehow either alter or confuse one or more CE's
    of that network. I could see the possibility of a complex Man in the middle
    attack. Sniff the middle then create an imaginary machine on a "remote" node
    that calls into the site with custom created IP packets saying that they are
    from that remote site. Then sniff the replies and react accordingly.
    Depending on the configuration on the PE and CE's involved it might also
    require anticipating traffic. In the easiest form it would just require
    spoofing the ASN's. Any good python or perl guys out there that understand

    More likely this type of access would happen because the same organization
    controls both the CE and the PE's and their systems have been compromised to
    some extent.

    In either case it is a possible means of access. This same vulnerability
    exists in frame relay networks but in my mind there are a few key

    1. The number of people that know how to manipulate FR routing is only a
    small fraction of the number that know how to manipulate IP routing.
    2. Remote access to the control mechanisms of a frame relay network is much
    harder to accidentally configure if you are Bob or Alice and harder to take
    advantage of if you are Eve.
    3. DLCI ranges are inherently tighter presenting a small bang for the
    hackers buck.

    Well that is already longer than I wanted to take but hope it sparks some
    interesting conversation.

    James Cupps
    Information Security Officer

    > -----Original Message-----
    > From: Magnus Eriksson []
    > Sent: Friday, November 28, 2003 3:58 AM
    > To:
    > Cc:
    > Subject: Re: [Full-Disclosure] MPLS Security
    > IndianZ wrote:
    > > After deep-searching Google and other search engines I only found 2
    > > articles about MPLS Security (SANS and CISCO). Is that really all (or is
    > > this kind of information closed to the public)?
    > >
    > > Does anybody know more about MPLS Vulnerabilities and what to/how to
    > > pentest in a MPLS architecture? Any input about tools, hints and tricks
    > is
    > > welcome...
    > I haven't heard of any vuln. specifically for MPLS.
    > I think your best shot is attacking the PE routers. If you have access
    > to the media which MPLS packet traverses, sniffing traffic is a breeze
    > with any descent sniffer.
    > Breaking out of a MPLS VPN which is configured properly is most likely
    > almost impossibe without access to PE routers.
    > Standard tools to audit Cisco/other vendors routers can be used.
    > Especially Cisco is more likely to have management access open on
    > customer interfaces, since Cisco ACLs are a pain in the ass to apply and
    > maintain. Junipers are alot easier (all router access is forwarded to
    > loopback and only loopback filters will need to be filtered). Ciscos
    > have this feature on later IOS and high-end boxes, but many SP have yet
    > to deploy them.
    > Magnus
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter:

    Full-Disclosure - We believe in it.

  • Next message: Ron DuFresne: "Re: [Full-Disclosure] automated vulnerability testing"

    Relevant Pages

    • Re: Help in understanding an MPLS network (MPLS newbie)
      ... the more confused I am about the network I have. ... all connected to a Bellsouth MPLS ... back to the main site through VPN tunnels. ... vendor for most, but not all, of these local connections. ...
    • QoS and Traffic shaping across MPLS?
      ... I am trying to setup CoS, QoS and queuing across our MPLS network ... Your only concern is to apply appropriate queuing out of the ...
    • Re: QoS and Traffic shaping across MPLS?
      ... > I am trying to setup CoS, QoS and queuing across our MPLS network ... We don't run any MPLS natively; ... > to do QoS for VoIP through my network and I'm scratching my head as to ... > of applying the same traffic-shaping syntax to my own Cisco routers, ...
    • RE: MPLS IDS question
      ... The MPLS tunnel gets terminated at the CE router. ... If you put an NIDS/NIPS between your network and the CE then you don't need ... The NeVO passive vulnerability sensor continuously finds vulnerabilities, ...
    • Re: MPLS vs VLAN and 802.1q tags for QOS
      ... Now we have ethernet on the access side. ... MPLS everywhere and dont have to worry anything else. ... Because MPLS establishes paths among layer 3 boxes, routers, and not inside a layer 2 network. ...