Full Disclosure mailing list archives
RE: MPLS Security
From: "Cupps, James" <James.Cupps () sappi com>
Date: Mon, 1 Dec 2003 10:51:41 -0500
Many people thinking of the security of an MPLS network assume that only MPLS members have access to the root IP network that it is running over. It might not be necessary to "Break out". I think that it is likely that in many MPLS implementations there is little or no significant protection from the carrier's standard internet services other than basic routing configurations. Essentially this means you could attack the PE's from either side if you had an internet account on the carrier's network. MPLS uses BGP (IBGP) as a separating mechanism and has no inherent encryption or true authentication. As such the "VPN's" created are not very effective protection mechanisms (I'm sure many carriers would contest this statement but they would be wrong). If someone has access (any type of access) to the root IP network then it is very likely that they would be able to eventually gain at least the ability to sniff the traffic of all organizations using the MPLS network by using normal route hacking techniques such as SRB and ICMP redirects. Most carriers pay a good amount of attention to their security but on a network of thousands of nodes there are bound to be a few weaknesses (as mentioned in your note below). Uncommon but not unheard of. Using the MPLS network to inject themselves into a client network would require them to be able to somehow either alter or confuse one or more CE's of that network. I could see the possibility of a complex Man in the middle attack. Sniff the middle then create an imaginary machine on a "remote" node that calls into the site with custom created IP packets saying that they are from that remote site. Then sniff the replies and react accordingly. Depending on the configuration on the PE and CE's involved it might also require anticipating traffic. In the easiest form it would just require spoofing the ASN's. Any good python or perl guys out there that understand BGP? More likely this type of access would happen because the same organization controls both the CE and the PE's and their systems have been compromised to some extent. In either case it is a possible means of access. This same vulnerability exists in frame relay networks but in my mind there are a few key differences. 1. The number of people that know how to manipulate FR routing is only a small fraction of the number that know how to manipulate IP routing. 2. Remote access to the control mechanisms of a frame relay network is much harder to accidentally configure if you are Bob or Alice and harder to take advantage of if you are Eve. 3. DLCI ranges are inherently tighter presenting a small bang for the hackers buck. Well that is already longer than I wanted to take but hope it sparks some interesting conversation. James Cupps Information Security Officer
-----Original Message----- From: Magnus Eriksson [mailto:magnus () eriksson mu] Sent: Friday, November 28, 2003 3:58 AM To: indianz () indianz ch Cc: full-disclosure () lists netsys com Subject: Re: [Full-disclosure] MPLS Security IndianZ wrote:After deep-searching Google and other search engines I only found 2 articles about MPLS Security (SANS and CISCO). Is that really all (or is this kind of information closed to the public)? Does anybody know more about MPLS Vulnerabilities and what to/how to pentest in a MPLS architecture? Any input about tools, hints and tricksiswelcome...I haven't heard of any vuln. specifically for MPLS. I think your best shot is attacking the PE routers. If you have access to the media which MPLS packet traverses, sniffing traffic is a breeze with any descent sniffer. Breaking out of a MPLS VPN which is configured properly is most likely almost impossibe without access to PE routers. Standard tools to audit Cisco/other vendors routers can be used. Especially Cisco is more likely to have management access open on customer interfaces, since Cisco ACLs are a pain in the ass to apply and maintain. Junipers are alot easier (all router access is forwarded to loopback and only loopback filters will need to be filtered). Ciscos have this feature on later IOS and high-end boxes, but many SP have yet to deploy them. Magnus _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- RE: MPLS Security Cupps, James (Dec 01)
- <Possible follow-ups>
- Re: MPLS Security Nicolas FISCHBACH (Dec 02)