MPLS & VPLS Security


MPLS and VPLS networks are generally assumed to be secure. But unless you use encryption, there is always some potential for security issues: your traffic shares the provider edge (PE) device with other customers. Enno Rey, a respected network security consultant based in Germany, has run significant testing on this subject and presented it at conferences.

As you know, MPLS depends on network identifier bits and forwarding labels to provide your private virtual network. If someone were able to discover your route distinguisher bits and your virtual routing and forwarding (VRF) labels, they could, in theory, penetrate your network. But this would have to be done from the network core, which is not readily accessible, so the penetration would require a rogue network employee. The same kind of penetration could be carried out on a Frame Relay or ATM network as well.

According to independent testing by Miercom, Cisco MPLS VPNs are secure: “It is impossible to insert ‘spoofed’ labels into a Cisco MPLS network to gain access to a VPN or the MPLS core.” But realistically, nothing is impossible.

In his testing, Enno Rey found the following:

  1. When Customer A tried to insert packets into Customer B’s VPN, the labeled packets were not accepted by the backbone routers, because they came from an untrusted source. This was proven with Cisco routers.
  2. Injecting labeled traffic from the Internet requires knowledge of the IP addresses and labels of the private network, and the attacker also needs access to the provider edge router, which is difficult to obtain. Even then, the packets would be discarded as coming from an untrusted source. Again, this was attempted in testing without a successful penetration.
  3. Attack by modification of MP-iBGP sessions to establish an “incorrect VPN” is possible, but requires access to the core and the right tools. The attacker would need to intercept the initial MP-BGP exchange, or withdraw VPN routes (a BGP update with other NLRI) and insert new ones. This would be very difficult to accomplish.
  4. The easiest form of attack would be to modify labels in the core to insert packets into the VPN: packets from one network can be sniffed and relabeled to belong to another. But this requires access to the core and to the core router.
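As an added illustration of the untrusted-source rule in findings 1 and 2 (this is example code written here, not from the original post or from Rey's testing), the decoder below parses the MPLS label stack of an Ethernet frame and applies the PE ingress decision: labeled frames are honoured only on core-facing interfaces and discarded when they arrive from a customer or Internet-facing port. The label values and the sample frame are constructed for the example.

```python
import struct

ETHERTYPE_MPLS_UNICAST = 0x8847  # RFC 3032 ethertype for MPLS unicast


def label_entry(label: int, tc: int, bos: bool, ttl: int) -> bytes:
    """Encode one 32-bit label stack entry: 20-bit label, 3-bit TC, 1-bit S, 8-bit TTL."""
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bos) << 8) | ttl)


def parse_mpls_label_stack(frame: bytes):
    """Return [(label, tc, bottom_of_stack, ttl), ...] for an MPLS unicast frame,
    None for a non-MPLS frame; raise ValueError if the stack never terminates."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_MPLS_UNICAST:
        return None
    entries, offset = [], 14
    while offset + 4 <= len(frame):
        word = struct.unpack("!I", frame[offset:offset + 4])[0]
        bos = bool((word >> 8) & 0x1)
        entries.append((word >> 12, (word >> 9) & 0x7, bos, word & 0xFF))
        offset += 4
        if bos:
            return entries
    raise ValueError("label stack has no bottom-of-stack entry")


def ingress_decision(frame: bytes, core_facing: bool) -> str:
    """Ingress rule for a PE: labeled frames are accepted only on core-facing
    (trusted) interfaces; labeled frames arriving from a CE or the Internet are
    dropped, so a spoofed VPN label cannot steer traffic into another VRF."""
    try:
        stack = parse_mpls_label_stack(frame)
    except ValueError:
        return "drop-malformed"
    if stack is None:
        return "unlabeled"  # ordinary customer IP traffic, handled by VRF lookup
    if not core_facing:
        return "drop-untrusted-source"
    return "accept"


# Constructed sample: transport label 1000, then VPN label 200000 at the bottom of the stack
SAMPLE_FRAME = (bytes.fromhex("020000000001" "020000000002")
                + struct.pack("!H", ETHERTYPE_MPLS_UNICAST)
                + label_entry(1000, 0, False, 64) + label_entry(200000, 0, True, 64)
                + b"\x45" + bytes(19))  # minimal IPv4-looking payload

if __name__ == "__main__":
    print(parse_mpls_label_stack(SAMPLE_FRAME))
    print(ingress_decision(SAMPLE_FRAME, core_facing=True))   # accept
    print(ingress_decision(SAMPLE_FRAME, core_facing=False))  # drop-untrusted-source
```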

While label modification and VPN crossing are possible, it is a one-way street: the attacker can inject packets but sees no return traffic, so only stateless attacks (such as SNMP-based ones) or UDP-based worms could be used, and these attacks would go undetected. But such attacks would need to be carried out by a carrier employee, since they require access to the core. So an MPLS network is as secure as Frame Relay or ATM. The difference: the world has changed since the legacy days.

What is the biggest risk to an MPLS network? Employee infiltration. This is where your internal network policies count.

You can learn more about Enno Rey and his network security firm at http://www.ernw.de/content/e15/e26/index_eng.html
