A few days ago (the) Steve Bellowin sent an e-mail to the NANOG mailing list pointing to a FUD-full article describing upcoming release of MPLS hacking tools. Christian Koch quickly pointed out a similar presentation given by the same group @ Schmoocon and numerous respondents correctly stated these are old issues … if you’re interested in BGP and MPLS security, of course. Nicolas Fischbach even provided link to a 7 year old presentation describing numerous BGP/IGP/MPLS risks and attack vectors.
I went through the presentation and it does not describe anything we wouldn’t have known already. The capability to fake platform-wide MPLS labels has been known since the times MPLS (then known as Tag switching) was running mostly in PowerPoint. We’ve thus always recommended that the Service Providers should not run MPLS with their customers.
Carrier’s carrier architecture is a different story; it separates VRF labels from global labels.
The Carrier Ethernet attacks described in the presentation are also pretty obvious. If someone is brave enough to have a bridged solution spanning the globe (lots of people got burnt doing that 15 years ago, but obviously it’s best to learn from your own mistakes), he’s literally asking an intruder breaking into one of the sites to attack other sites with L2 techniques.
By now you might wonder why I’m writing this post. While the “All your packets are belong to us” presentation does not describe new vulnerabilities, it’s still a nice eye-opener for someone who thought SP MPLS infrastructure is absolutely secure (more about that in tomorrow’s post). It’s not and if you’re an enterprise network with high security requirements, you should take your own precautions, including running IPSec over SP MPLS network.