| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: pjp at paulo-pereira.net (Paulo Pereira) Subject: MPLS Security ----- Original Message ----- From: "Enno Rey" <erey@...w.de> To: <full-disclosure@...ts.netsys.com> Sent: Friday, November 28, 2003 13:51 Subject: Re: [Full-Disclosure] MPLS Security > Hi, > > On Fri, Nov 28, 2003 at 09:57:31AM +0100, Magnus Eriksson wrote: > > IndianZ wrote: > > > > >After deep-searching Google and other search engines I only found 2 > > >articles about MPLS Security (SANS and CISCO). Is that really all (or is > > >this kind of information closed to the public)? > > > > > >Does anybody know more about MPLS Vulnerabilities and what to/how to > > >pentest in a MPLS architecture? Any input about tools, hints and tricks is > > >welcome... > > I haven't heard of any vuln. specifically for MPLS. > > some months ago I put up an MPLS risk analysis table during a project. > I can't publish it yet (as there are sensitive customer data in it) but will do so in the near future (anonymized). > These are the URLs I used in the reference; by them you should be able get a rough overview of the 'security aspects' of MPLS. > > thanks, > > -- > Enno Rey > > ERNW Enno Rey Netzwerke GmbH - Zaehringerstr. 46 - 69115 Heidelberg > Tel. +49 6221 480390 - Fax 6221 419008 - Mobil +49 173 6745902 > www.ernw.de - PGP E5CB 9505 EA06 6380 6F12 DE3E 624E 1334 326B B70C > > > ---------- > [1] NSA Guide: http://nsa1.conxion.com/cisco/guides/cis-2.pdf > [2]: Secure IOS Template: http://www.cymru.com/Documents/secure-ios-template.html > [3]: Cisco Dokument ?Improving Security on Cisco Routers?: http://www.cisco.com/warp/public/707/21.html > [4]: Cisco Dokument ?Security of the MPLS Architecture?: ftp://ftp-eng.cisco.com/cons/isp/security/MPLS-Security/mxinf-ds.pdf > [5] Juniper Dokument ?JUNOS Router Security?: http://www.juniper.net/solutions/literature/app_note/350013.pdf > [6] BT Dokument ?Carrier requirements of core IP routers 2002?: http://www.btexact.com/docimages/42267/42267.pdf > [7] Cisco Networkers Session SEC-370 (2001) ?Understanding MPLS/VPN Security Issues?: ftp://ftp-eng.cisco.com/cons/isp/security/MPLS-Security/SEC-370-mpls-securit y.pdf > [8] Cisco Dokument ?LS MPLS/VPN Security Considerations?: ftp://ftp-eng.cisco.com/cons/isp/security/MPLS-Security/MPLS-Sec-V1.pdf > [9] MPLS LDP Inbound Label Binding Filtering: http://www.cisco.com/en/US/products/sw/iosswrel/ps1829/products_feature_guid e09186a00801b23a2.html > [10] VRF maximum routes: http://www.cisco.com/en/US/products/sw/iosswrel/ps1830/products_feature_guid e09186a0080087b1f.html > [11] Cisco Dokument ?Key Management von Routing-Protokollen?: > http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipr _c/ipcprt2/1cfindep.htm#1001635 > [12] Cisco Dokument ?BGP maximum-prefix?: http://www.cisco.com/en/US/tech/tk365/tk80/technologies_configuration_exampl e09186a008010a28a.shtml > [13] Cisco ISP Essentials: www.cisco.com/public/cons/isp/documents/IOSEssentialsPDF.zip > [14] http://www.netw3.com/documents/Protecting_Network_Infrastructure.htm > [15] http://www.blackhat.com/presentations/bh-europe-01/fischbach/bh-europe-01-fi schbach.ppt > Hi, There are two parts of MPLS than can be potentially vulnerable, on one side there is the forwarding plane and on the other side there is the control plane. On the forwarding plane you should be looking for things like what happens if a router receives a labeled packet in a interface configured as a CE link. Does it forward it according to the Label Information Base or it will be dropped? If it uses the LIB then you can potentially hop between VPNs. With regards to control plane, you should look at the security of LDP, BGP (for VPNs) and RSVP (for TE). Example, is LDP enabled on CE interfaces, if it is, can you establish a LDP session and inject labels? This is my idea of the kinds of things that need to be checked when accessing MPLS implementations. Paulo Pereira
Powered by blists - more mailing lists