Full Disclosure mailing list archives

Re: MPLS Security


From: "Paulo Pereira" <pjp () paulo-pereira net>
Date: Fri, 28 Nov 2003 15:04:42 +0300


----- Original Message -----
From: "Enno Rey" <erey () ernw de>
To: <full-disclosure () lists netsys com>
Sent: Friday, November 28, 2003 13:51
Subject: Re: [Full-disclosure] MPLS Security


Hi,

On Fri, Nov 28, 2003 at 09:57:31AM +0100, Magnus Eriksson wrote:
> IndianZ wrote:
>
> > After deep-searching Google and other search engines I only found 2
> > articles about MPLS Security (SANS and CISCO). Is that really all (or is
> > this kind of information closed to the public)?
> >
> > Does anybody know more about MPLS Vulnerabilities and what to/how to
> > pentest in an MPLS architecture? Any input about tools, hints and tricks is
> > welcome...
>
> I haven't heard of any vuln. specifically for MPLS.

Some months ago I put up an MPLS risk analysis table during a project.
I can't publish it yet (as there are sensitive customer data in it) but
will do so in the near future (anonymized).
These are the URLs I used in the reference; by them you should be able to get
a rough overview of the 'security aspects' of MPLS.

thanks,

--
Enno Rey

ERNW Enno Rey Netzwerke GmbH - Zaehringerstr. 46 - 69115 Heidelberg
Tel. +49 6221 480390 - Fax 6221 419008 - Mobil +49 173 6745902
www.ernw.de - PGP E5CB 9505 EA06 6380 6F12  DE3E 624E 1334 326B B70C


----------
[1] NSA Guide:
http://nsa1.conxion.com/cisco/guides/cis-2.pdf
[2] Secure IOS Template:
http://www.cymru.com/Documents/secure-ios-template.html
[3] Cisco document "Improving Security on Cisco Routers":
http://www.cisco.com/warp/public/707/21.html
[4] Cisco document "Security of the MPLS Architecture":
ftp://ftp-eng.cisco.com/cons/isp/security/MPLS-Security/mxinf-ds.pdf
[5] Juniper document "JUNOS Router Security":
http://www.juniper.net/solutions/literature/app_note/350013.pdf
[6] BT document "Carrier requirements of core IP routers 2002":
http://www.btexact.com/docimages/42267/42267.pdf
[7] Cisco Networkers Session SEC-370 (2001) "Understanding MPLS/VPN Security Issues":
ftp://ftp-eng.cisco.com/cons/isp/security/MPLS-Security/SEC-370-mpls-security.pdf
[8] Cisco document "LS MPLS/VPN Security Considerations":
ftp://ftp-eng.cisco.com/cons/isp/security/MPLS-Security/MPLS-Sec-V1.pdf
[9] MPLS LDP Inbound Label Binding Filtering:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1829/products_feature_guide09186a00801b23a2.html
[10] VRF maximum routes:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1830/products_feature_guide09186a0080087b1f.html
[11] Cisco document "Key Management of Routing Protocols":
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipr_c/ipcprt2/1cfindep.htm#1001635
[12] Cisco document "BGP maximum-prefix":
http://www.cisco.com/en/US/tech/tk365/tk80/technologies_configuration_example09186a008010a28a.shtml
[13] Cisco ISP Essentials:
www.cisco.com/public/cons/isp/documents/IOSEssentialsPDF.zip
[14] http://www.netw3.com/documents/Protecting_Network_Infrastructure.htm
[15] http://www.blackhat.com/presentations/bh-europe-01/fischbach/bh-europe-01-fischbach.ppt


Hi,

There are two parts of MPLS that can be potentially vulnerable: on one side
there is the forwarding plane and on the other side there is the control
plane.

On the forwarding plane you should be looking for things like what happens
if a router receives a labeled packet on an interface configured as a CE
link. Does it forward it according to the Label Information Base or will it
be dropped? If it uses the LIB then you can potentially hop between VPNs.

With regards to the control plane, you should look at the security of LDP, BGP
(for VPNs) and RSVP (for TE).

For example, is LDP enabled on CE interfaces? If it is, can you establish an LDP
session and inject labels?

This is my idea of the kinds of things that need to be checked when
assessing MPLS implementations.

Paulo Pereira

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
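
An added example, not part of the original post or thread: a Python audit for the control-plane question raised above (is LDP enabled on CE interfaces?). It assumes Cisco IOS-style configuration text and that a CE-facing interface is one carrying `ip vrf forwarding`; the sample configuration and the function names are constructed for illustration.

```python
import re

# Constructed sample PE config (not from the thread): one core link, two CE links.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 description core link to P1
 mpls ip
!
interface GigabitEthernet0/1
 description CE link customer A
 ip vrf forwarding CUST-A
!
interface GigabitEthernet0/2
 description CE link customer B
 ip vrf forwarding CUST-B
 mpls ip
 mpls label protocol ldp
!
"""

# Assumption: "ip vrf forwarding" (or "vrf forwarding") marks a CE-facing link.
VRF_RE = re.compile(r"^(?:ip )?vrf forwarding (\S+)$")
# Interface commands that turn on label switching / LDP ("tag-switching" is the older form).
LABEL_RE = re.compile(r"^(?:mpls|tag-switching) (?:ip|label protocol \S+)$")

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from IOS-style config text."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current and raw.startswith(" "):
            interfaces[current].append(raw.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return interfaces

def audit_ce_interfaces(config):
    """List (interface, vrf, offending commands) for VRF links with MPLS/LDP enabled."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        vrfs = [m.group(1) for c in cmds if (m := VRF_RE.match(c))]
        labels = [c for c in cmds if LABEL_RE.match(c)]  # "no mpls ip" does not match
        if vrfs and labels:
            findings.append((name, vrfs[0], labels))
    return findings

if __name__ == "__main__":
    print(*audit_ce_interfaces(SAMPLE_CONFIG), sep="\n")
```

A finding here only shows that the configuration permits label exchange on a customer link; whether the router accepts labeled packets or an LDP session there still has to be confirmed on the device.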

