In my previous article I discussed MPLS security, specifically “Address Space and Routing Separation”. You may want to read that post, ‘MPLS Security: What makes MPLS networks secure?’, before reading this one. In this article, I will discuss the other aspects of MPLS security.
2. MPLS Core Structure Security & Protection from Unwanted Information Disclosure
Though I don’t consider this a serious vulnerability, it is good practice not to disclose the network topology. This ensures that an attacker has limited information about the network, making it difficult to guess its addressing scheme, which in turn limits the attacker’s ability to attack the network.
The interface between the Internet and the MPLS core runs BGP, so there is no need to reveal any internal details of the network. During communication only the address of the PE router is known to the CE router, and even this can be avoided by using static routing (discussed below). This ensures complete secrecy of the MPLS core architecture and addressing.
However, the VPNs do advertise their routes to the MPLS core; this is necessary for reachability across the cloud. It could be considered a security issue, but it is an inherent limitation of the technology. We should also note that:
- Only the networks are advertised, not the exact interfaces, which provides a level of abstraction.
- Even in traditional ATM and Frame Relay systems, the customer VPN routes are visible from the core.
In VPNs where shared Internet access is used, NAT can be used to further hide the customer’s internal network; only the provider edge router facing the Internet is advertised on the Internet.
So the MPLS core is secure when it comes to revealing the internal network.
3. Protection from Spoofing
In IP spoofing attacks, the attacker forges the source or destination IP address. A similar spoofing attack could be performed in an MPLS network by spoofing labels. However, PE routers are configured to reject any labelled packet received from a CE router, precisely to prevent this kind of spoofing.
IP address spoofing is still possible within an MPLS network. But, as discussed in the earlier sections, the IP address separation between VPNs in the MPLS network is strict and secure, so it is not possible for a packet to travel from one VPN to another by IP spoofing. Spoofing can be used to attack hosts within the same VPN, but it cannot be used to attack a different VPN.
4. Protection from Other Attacks
There still remain some possibilities to attack the MPLS network. The basic ways in which it can be attacked are:
- Attack the PE routers
- Attack the signalling mechanism in the MPLS routing
For an attacker to attack the MPLS network, he needs to know the IP address of the target network resource. As discussed earlier, the internal addresses of the MPLS network are never revealed, so the attacker would have to guess the IP address of the resource he intends to attack. Here again, the address separation of MPLS prevents the attack: incoming packets from the attacker are labelled at the PE and forwarded only within the VPN they arrived from, so an external attacker cannot reach the internal routers.
However, there is one exception: the peer interface of the Provider Edge (PE) router.
Routing between a VPN and the MPLS core can be configured in two ways:
- Static: The PE routers have static routes to the networks behind the CE, and the CE routers are configured with static routes pointing to the PE. The CE’s static routes can point either to an outgoing interface of the CE router or to the IP address of the PE router.
- Dynamic: Routing protocols such as OSPF, RIP or BGP are used to exchange routing information between the PE and CE routers.
Static routing is the more secure option, as the CE router need not know any internal IP address of the MPLS core network, not even that of the PE router. However, static routing is harder to manage from a network configuration point of view.
With dynamic routing the CE knows at least the router ID (RID) and the peer IP address of the PE router, so there is a potential target for attacks. To minimise such attacks, Access Control Lists (ACLs) are configured to control access to the PE router on the PE/CE interface.
This set-up can be misused for DoS, but it is secure from unauthorised access. For high security, routing protocols on PE routers should be configured as follows:
- Use ACLs to ensure that routing communication originates only from the CE router and not from elsewhere.
- Use MD5 authentication for the routing protocols, to prevent packet spoofing from other parts of the customer network.
- Configure all security parameters of the routing protocols wherever possible.
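As an added example (not from the article), this Python script audits a Cisco IOS-style PE configuration for the points above: an inbound ACL on the PE-CE interface that denies BGP from anything other than the CE, and MD5 authentication on the routing session. The config text, the addresses (RFC 5737 ranges), the ACL name and the interface are constructed for the example; the neighbor password is a placeholder.

```python
# Constructed sample PE config (not from the article); RFC 5737 addresses, placeholder secret.
HARDENED_PE_CONFIG = """\
ip access-list extended PE-CE-ROUTING
 permit tcp host 192.0.2.2 host 192.0.2.1 eq bgp
 permit tcp host 192.0.2.2 eq bgp host 192.0.2.1
 deny tcp any host 192.0.2.1 eq bgp log
 permit ip any any
interface GigabitEthernet0/1
 ip vrf forwarding CUST-A
 ip address 192.0.2.1 255.255.255.252
 ip access-group PE-CE-ROUTING in
router bgp 65000
 address-family ipv4 vrf CUST-A
  neighbor 192.0.2.2 remote-as 65001
  neighbor 192.0.2.2 password 7 PLACEHOLDER-SECRET
  neighbor 192.0.2.2 activate
"""
WEAK_PE_CONFIG = "\n".join(  # weak variant: same config minus the ACL binding and MD5 password
    l for l in HARDENED_PE_CONFIG.splitlines() if "access-group" not in l and "password" not in l)

def sections(config):
    """Group an IOS-style config into (top-level line, [indented sub-lines]) blocks."""
    blocks = []
    for line in config.splitlines():
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        elif line.strip():
            blocks.append((line, []))
    return blocks

def audit_pe_config(config):
    """Return findings for the PE-side checks; an empty list means the config passes."""
    acls, vrf_ifaces, bgp = {}, [], []
    for header, body in sections(config):
        if header.startswith("ip access-list extended "):
            acls[header.split()[-1]] = body
        elif header.startswith("interface ") and any("vrf forwarding" in l for l in body):
            vrf_ifaces.append((header.split()[1], body))  # only PE-CE (VRF) interfaces matter
        elif header.startswith("router bgp "):
            bgp = body
    peers = {l.split()[1] for l in bgp if l.startswith("neighbor ") and " remote-as " in l}
    with_md5 = {l.split()[1] for l in bgp if l.startswith("neighbor ") and " password " in l}
    findings = [f"neighbor {p}: no MD5 authentication on the routing session" for p in sorted(peers - with_md5)]
    for name, body in vrf_ifaces:
        bound = [l.split()[2] for l in body if l.startswith("ip access-group ") and l.endswith(" in")]
        if not bound:
            findings.append(f"interface {name}: no inbound ACL restricting routing traffic to the PE")
        elif not any(r.startswith("deny tcp any") and "eq bgp" in r for r in acls.get(bound[0], [])):
            findings.append(f"interface {name}: ACL {bound[0]} does not deny BGP from non-CE sources")
    return findings
```

Running `audit_pe_config` on the weak variant reports the missing MD5 password and the missing inbound ACL; on the hardened variant it reports nothing.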
To conclude, I would say it is not possible (or at least not easy) to intrude from one VPN into another, and the MPLS core too is secure from attacks. However, it is still possible to attack the PE routers with DoS, which can impact the services on the VPN and the network. Hence it is very important to secure the PE and CE routers. DoS attacks can also be traced to their origin if MD5 digests are used in all the routing protocols on the CE/PE routers.