Re: [PEN-TEST] Vulnerabilities within MPLS ??

["Ruscher, Mike" <Mike.Ruscher () CSE-CST GC CA>]

I had previously checked the MPLS documentation at the vendor sites, but as
expected, they rarely discuss vulnerabilities in a public forum.  Each
vendor will have their own implementation of MPLS with varying architectures
and it will be difficult to speak in general terms on MPLS issues.

Thanks to the informed people who have replied so quickly to my post. I am
pursuing the suggestions and once I collect some valuable information, I
will share it with you.

Mike Ruscher
Communications Security Establishment
mgruscher () cse-cst gc ca

> -----Original Message-----
> From: Sheldon Dubrowin [mailto:dubrowin () YAHOO COM]
> Sent: Thursday, January 04, 2001 1:27 PM
> To: PEN-TEST () SECURITYFOCUS COM
> Subject: Re: [PEN-TEST] Vulnerabilities within MPLS ??
>
>
> My understanding of QoS, I did QoS at BBN in a previous life,
> is that it only
> works within a provider's network.  MPLS is a form of QoS (Quality of
> Service).  MPLS will give preference up to a certain point
> (configured in the
> network) to packets with a "better" tag.  Once a packet
> reaches the edge it
> is no longer gauranteed better performance.  One of the
> issues in putting QoS
> into a large network is the fact that either you have to tag
> all the packets
> at the edge or you may end up giving preferential treatment
> to someone who
> isn't paying for it.
>
> Adding a VPN is just having VPN traffic (all/some? probably
> depends on the
> provider) being given preferential treat, or getting out of
> the routers more
> quickly than "regular" traffic.
>
>       Shel
>
> On Wed, Jan 03, 2001 at 04:42:50PM -0500, Ruscher, Mike wrote:
> > > I am searching for information on vulnerabilities in the
> Multi-protocol
> > > Label Switching (MPLS) protocol.  I have been unable to
> gather information
> > > by searching on the common search engines, as the
> majority of the hits are
> > > related to the RFC's.
> > >
> > > I have organized several questions to better understand
> the subject: Are
> > > there any big holes that could lead to a security
> compromise?  What is the
> > > difference between MPLS and MPLS VPN?  I realize that
> plain MPLS does not
> > > provide confidentiality, integrity, and authentication by
> itself unless it
> > > is used along with IPSec.  How is the route negotiated
> between the PE's
> > > (provider edge routers)?  Can the route negotiation be
> compromised in any
> > > manner?  What happens with traffic if one of the PE
> routers goes offline?
> > > I realize that these are difficult questions and the
> answers are likely to
> > > be lengthy. Any information will be greatly appreciated.
> > >
> > > Thanks
> > Mike Ruscher
> > Communications Security Establishment
> > mgruscher () cse-cst gc ca
> > >
>
> --
> --------------------------------------------------------------
> ---------
>   ,-~~-.___.    ._.
>  / |  '     \   | |"""""""""|         Sheldon M. Dubrowin
> (  )         0  | |         |
>  \_/-, ,----'   | |         |                 
>     ====        !_!--v---v--"
>     /  \-'~;      |""""""""|          dubrowin () yahoo com
>    /  __/~| ._-""||        |          www.shelnet.org
>  =(  _____|_|____||________|
> --------------------------------------------------------------
> ---------