OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Tom Vandepoel (tom.vandepoelUBIZEN.COM)
Date: Thu Feb 08 2001 - 06:16:22 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Simon Jenner wrote:
    >
    > MPLS is not only for QoS it provides layer 2 type services in the layer 3
    > environment (QoS, CoS, Traffic engineered paths etc) . If using Ethernet or
    > PoS then a label is inserted between layer 2 and layer 3 protocols, if using
    > ATM then the label is inserted into the ATM header. The MPLS label is used
    > to forward the packet to the next hop. MPLS was not designed as a VPN
    > protocol, however it does support features that allow VPNs (stacks of
    > labels). The VPNs are primarily created by the ability for the PE (Provider

    IMHO the term VPN is being misused by ISP's. VPN's are not only about
    traffic separation; this traffic is passing over a public infrastructure
    and needs to be protected by strong encryption/authentication.

    Traffic separation through MPLS will help, but I wouldn't trust my
    internal corporate WAN traffic on it without encapsulating it in IPsec
    first.

    > edge or Label Edge router (LER)) being able to run Virtual Routers. VR's
    > allow multiple independent routing tables to be held on a single device.
    > The security is gained by only being able to use a certain routing table.
    >
    > As you stated vendor implementations are different and therefore have
    > different security strengths. I have attempted some simple penetration
    > tests on a Cisco router running VRs with no luck in breaking it (it was a
    > simple test though)
    >

    Have you tried injecting spoofed MPLS frames into the network?
    Obviously, this would require some coding, but it could be done. Take
    your IP packet, wrap around an MPLS header and try to find out if you
    can jump 'VPN's.
    You'd have to know which flow labels to slap on, but maybe they're
    predictable.

    Anyone done any research in this area?

    Tom. 

    --
Tom Vandepoel                 Ubizen
Sr. Security Engineer         We Secure e-Business
Phone   +32 16 28 70 00       http://www.ubizen.com
Fax     +32 16 28 71 00       http://www.securitywatch.com