Penetration Testing mailing list archives

Re: [PEN-TEST] Vulnerabilities within MPLS ??


From: Tom Vandepoel <tom.vandepoel () UBIZEN COM>
Date: Thu, 8 Feb 2001 13:16:22 +0100

Simon Jenner wrote:

> MPLS is not only for QoS; it provides layer 2 type services in the layer 3
> environment (QoS, CoS, Traffic engineered paths etc.). If using Ethernet or
> PoS then a label is inserted between layer 2 and layer 3 protocols, if using
> ATM then the label is inserted into the ATM header.  The MPLS label is used
> to forward the packet to the next hop.  MPLS was not designed as a VPN
> protocol, however it does support features that allow VPNs (stacks of
> labels).  The VPNs are primarily created by the ability for the PE (Provider

IMHO the term VPN is being misused by ISPs. VPNs are not only about
traffic separation; this traffic is passing over a public infrastructure
and needs to be protected by strong encryption/authentication.

Traffic separation through MPLS will help, but I wouldn't trust my
internal corporate WAN traffic on it without encapsulating it in IPsec
first.

> edge or Label Edge router (LER)) being able to run Virtual Routers.  VRs
> allow multiple independent routing tables to be held on a single device.
> The security is gained by only being able to use a certain routing table.
>
> As you stated vendor implementations are different and therefore have
> different security strengths.  I have attempted some simple penetration
> tests on a Cisco router running VRs with no luck in breaking it (it was a
> simple test though).


Have you tried injecting spoofed MPLS frames into the network?
Obviously, this would require some coding, but it could be done. Take
your IP packet, wrap around an MPLS header and try to find out if you
can jump 'VPNs'.
You'd have to know which flow labels to slap on, but maybe they're
predictable.

Anyone done any research in this area?

Tom.

--
Tom Vandepoel                 Ubizen
Sr. Security Engineer         We Secure e-Business
Phone   +32 16 28 70 00       http://www.ubizen.com
Fax     +32 16 28 71 00       http://www.securitywatch.com

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
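
A defensive counterpart to the question raised in this message, as an added example that is not part of the original post: a parser for the MPLS label stack that sits between the Ethernet header and the IP packet, used to flag labelled frames arriving on a customer-facing port. It assumes untagged Ethernet and that customer-facing ports should carry only unlabelled IP; the interface names, `CUSTOMER_PORTS` and the sample frames are constructed for illustration.

```python
import struct

MPLS_ETHERTYPES = (0x8847, 0x8848)  # MPLS unicast, MPLS multicast
CUSTOMER_PORTS = {"ge-0/0/1"}       # hypothetical customer-facing interface names

def parse_label_stack(frame: bytes):
    """Return [(label, tc, bottom_of_stack, ttl), ...] for an untagged Ethernet
    frame, or [] when the frame carries no MPLS shim header."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype not in MPLS_ETHERTYPES:
        return []
    stack, offset = [], 14
    while True:
        if len(frame) < offset + 4:
            raise ValueError("label stack ends without bottom-of-stack bit")
        (entry,) = struct.unpack_from("!I", frame, offset)
        offset += 4
        # 32-bit entry: 20-bit label, 3-bit traffic class, 1-bit S, 8-bit TTL
        bottom = bool((entry >> 8) & 0x1)
        stack.append((entry >> 12, (entry >> 9) & 0x7, bottom, entry & 0xFF))
        if bottom:
            return stack

def check_ingress(port: str, frame: bytes):
    """Return an alert string for a labelled or malformed frame received on a
    customer-facing port, else None."""
    if port not in CUSTOMER_PORTS:
        return None
    try:
        stack = parse_label_stack(frame)
    except ValueError as exc:
        return f"{port}: malformed frame ({exc})"
    if not stack:
        return None
    labels = "/".join(str(entry[0]) for entry in stack)
    return f"{port}: labelled frame on customer port, label stack {labels}"

def build_frame(ethertype: int, payload: bytes) -> bytes:
    """Constructed sample frame: zeroed MAC addresses, given EtherType."""
    return bytes(12) + struct.pack("!H", ethertype) + payload

# Constructed samples: two-label stack (outer 100, inner 200 with S=1), plain IPv4
IP_STUB = b"\x45" + bytes(19)
LABELLED = build_frame(0x8847, struct.pack("!II", (100 << 12) | 64,
                                           (200 << 12) | (1 << 8) | 64) + IP_STUB)
PLAIN_IP = build_frame(0x0800, IP_STUB)
```

Calling `check_ingress("ge-0/0/1", LABELLED)` returns an alert naming the stack `100/200`, while the plain IPv4 frame and any frame on a port outside `CUSTOMER_PORTS` return `None`.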

