Years ago when vendors were pushing the MPLS story to Service Providers, an “independent analyst” wrote a report claiming that MPLS-based VPNs offer security equivalent to Frame Relay networks (to find those reports, ask Google about “MPLS security equivalent to Frame Relay”). This might be true from the functional perspective (and it’s absolutely true that using IP does not make MPLS-based VPNs inherently insecure), but anyone believing these reports might become mightily upset when learning about BGP and MPLS security issues.
Before going any further, please note that exploiting the MPLS architecture as described in All your packets are belong to us presentation requires access to the core SP network, which means that the network (or network management station) has already been successfully penetrated.
A perfectly implemented MPLS VPN network running on equipment with no vulnerabilities is indeed at least as secure as a Frame Relay network … but it’s much easier to implement a secure Frame Relay network (well, it’s very hard not to, unless you’re clumsy enough to configure a customer port as NNI port) than deploying all security measures on PE routers. There are also a few other details that make the life of the MPLS VPN security gurus a bit harder:
- The only protocol running between a Frame Relay edge switch and a CE router is LMI. LMI is so simple it’s almost impossible to make it vulnerable. Protocols running between PE- and CE-routers are more complex.
- A Frame Relay switch cannot accept a layer-3 packet from the customer equipment. Any IP host can send packets address to the PE-router.
- Network management protocols in Frame Relay network are different from what the customers are using. MPLS VPN network uses the same management protocols as the customer’s equipment using the same layer-3 transport.
- IP requires multiple auxiliary protocols (ARP, ICMP …) to work correctly. Any one of these protocols can be used to cause a denial-of-service attack against a PE-router, sometimes even from an end-host. The only harm you could do to a Frame Relay switch is to send too many LMI packets from the CE-router.
Last but definitely not least, some Service Providers offer MPLS VPN services on the same equipment that offers Internet access through the global IP routing table. The PE-routers in these networks are significantly more exposed than the dedicated PE-routers.
Faced with all this, what can an end-user do? There are a few simple actions you can take:
- When transporting sensitive data across an MPLS VPN network, don’t rely on a third party (SP) to protect it. Use IPSec.
- When you’re concerned about reliability and/or uptime, use multiple service providers.
- Don’t believe that you can get exactly the same level of security when using a service that offers 100-times the bandwidth for one tenth of the price of the alternative.