RE: [Full-Disclosure] MPLS Security
From: Cupps, James (James.Cupps_at_sappi.com)
To: firstname.lastname@example.org Date: Mon, 1 Dec 2003 10:51:41 -0500
Many people thinking of the security of an MPLS network assume that only
MPLS members have access to the root IP network that it is running over. It
might not be necessary to "Break out". I think that it is likely that in
many MPLS implementations there is little or no significant protection from
the carrier's standard internet services other than basic routing
configurations. Essentially this means you could attack the PE's from either
side if you had an internet account on the carrier's network.
MPLS uses BGP (IBGP) as a separating mechanism and has no inherent
encryption or true authentication. As such the "VPN's" created are not very
effective protection mechanisms (I'm sure many carriers would contest this
statement but they would be wrong). If someone has access (any type of
access) to the root IP network then it is very likely that they would be
able to eventually gain at least the ability to sniff the traffic of all
organizations using the MPLS network by using normal route hacking
techniques such as SRB and ICMP redirects. Most carriers pay a good amount
of attention to their security but on a network of thousands of nodes there
are bound to be a few weaknesses (as mentioned in your note below). Uncommon
but not unheard of.
Using the MPLS network to inject themselves into a client network would
require them to be able to somehow either alter or confuse one or more CE's
of that network. I could see the possibility of a complex Man in the middle
attack. Sniff the middle then create an imaginary machine on a "remote" node
that calls into the site with custom created IP packets saying that they are
from that remote site. Then sniff the replies and react accordingly.
Depending on the configuration on the PE and CE's involved it might also
require anticipating traffic. In the easiest form it would just require
spoofing the ASN's. Any good python or perl guys out there that understand
More likely this type of access would happen because the same organization
controls both the CE and the PE's and their systems have been compromised to
In either case it is a possible means of access. This same vulnerability
exists in frame relay networks but in my mind there are a few key
1. The number of people that know how to manipulate FR routing is only a
small fraction of the number that know how to manipulate IP routing.
2. Remote access to the control mechanisms of a frame relay network is much
harder to accidentally configure if you are Bob or Alice and harder to take
advantage of if you are Eve.
3. DLCI ranges are inherently tighter presenting a small bang for the
Well that is already longer than I wanted to take but hope it sparks some
Information Security Officer
> -----Original Message-----
> From: Magnus Eriksson [mailto:email@example.com]
> Sent: Friday, November 28, 2003 3:58 AM
> To: firstname.lastname@example.org
> Cc: email@example.com
> Subject: Re: [Full-Disclosure] MPLS Security
> IndianZ wrote:
> > After deep-searching Google and other search engines I only found 2
> > articles about MPLS Security (SANS and CISCO). Is that really all (or is
> > this kind of information closed to the public)?
> > Does anybody know more about MPLS Vulnerabilities and what to/how to
> > pentest in a MPLS architecture? Any input about tools, hints and tricks
> > welcome...
> I haven't heard of any vuln. specifically for MPLS.
> I think your best shot is attacking the PE routers. If you have access
> to the media which MPLS packet traverses, sniffing traffic is a breeze
> with any descent sniffer.
> Breaking out of a MPLS VPN which is configured properly is most likely
> almost impossibe without access to PE routers.
> Standard tools to audit Cisco/other vendors routers can be used.
> Especially Cisco is more likely to have management access open on
> customer interfaces, since Cisco ACLs are a pain in the ass to apply and
> maintain. Junipers are alot easier (all router access is forwarded to
> loopback and only loopback filters will need to be filtered). Ciscos
> have this feature on later IOS and high-end boxes, but many SP have yet
> to deploy them.
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
Full-Disclosure - We believe in it.