Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

All your packets are belong to us

Information on the talk can be found on the HAR2009 Wiki. The talk was limited by the time slot. Some information on the MPLS Layer 2 VPN was rushed, so there is limited information. I’d suggest checking out the slides once they’re posted (not currently listed in the program).

The main focus of the talk will be on:

  • BGP
  • MPLS
  • Carrier Ethernet


BGP

  • Works over and relies on TCP/IP
  • Harder to spoof as it uses TCP (not a UDP fire-and-forget packet)
  • No multicasting

The BGP trust model is based on manual configuration (or scripts). This is referred to as “Intra Operator Trust”. Because updates are applied by hand, it is prone to human error (see the AS7007 incident and YouTube/Pakistan).

“Once you’re a member of the ‘global BGP community’ you might perform all sorts of nasty stuff” (Pilosov / Kapela, 2008)

BGP security isn’t built into the protocol itself; it relies on the security measures of TCP. This includes the “generic MD5 signature option” (RFC 2385). Currently there is a working group looking at the TCP Authentication Option. MD5 keys aren’t always used in large installs because of the management overhead they add.
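To make the RFC 2385 mechanism concrete, here is an added example (not from the talk, and not one of the tools it lists) that computes and verifies the TCP MD5 signature option over a constructed BGP segment. RFC 2385 defines the digest as MD5 over the IPv4 pseudo-header, the 20-byte TCP header with the checksum zeroed (options excluded), the segment data, and finally the shared key. The addresses, ports, payload and key are constructed for illustration; the verifier is written from the receiving speaker’s point of view.

```python
"""Compute and verify the TCP MD5 signature option (RFC 2385) used to protect
BGP sessions.  Added example: addresses, ports, payload and key below are
constructed for illustration and are not from the talk."""
import hashlib
import hmac
import socket
import struct

TCPOPT_MD5SIG = 19        # option kind assigned by RFC 2385
TCPOPT_MD5SIG_LEN = 18    # kind + length + 16-byte digest


def _pseudo_header(src_ip: str, dst_ip: str, segment_len: int) -> bytes:
    """IPv4 pseudo-header: src, dst, zero byte, protocol 6, TCP length."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, segment_len))


def tcp_md5_digest(src_ip: str, dst_ip: str, segment: bytes, key: bytes) -> bytes:
    """MD5 over pseudo-header + 20-byte TCP header (checksum zeroed, options
    excluded) + segment data + key, in that order."""
    data_offset = (segment[12] >> 4) * 4            # header length incl. options
    header = segment[:16] + b"\x00\x00" + segment[18:20]
    payload = segment[data_offset:]
    msg = _pseudo_header(src_ip, dst_ip, len(segment)) + header + payload + key
    return hashlib.md5(msg).digest()


def tcp_options(segment: bytes):
    """Yield (kind, value) for each option carried in the TCP header."""
    data_offset = (segment[12] >> 4) * 4
    opts, i = segment[20:data_offset], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                 # end of option list
            return
        if kind == 1:                 # NOP padding, no length byte
            i += 1
            continue
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed TCP option")
        yield kind, opts[i + 2:i + length]
        i += length


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, key) -> bytes:
    """Sender side: assemble a TCP segment carrying the MD5 option.
    The checksum is left zero here; a real stack fills it in after signing."""
    opt_len = TCPOPT_MD5SIG_LEN + 2               # + 2 NOPs to a 4-byte boundary
    data_offset = (20 + opt_len) // 4
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         data_offset << 4, flags, 65535, 0, 0)
    # The digest does not cover the options, so a zeroed placeholder is fine
    # for computing it; only the total segment length has to be right.
    placeholder = struct.pack("!BB", TCPOPT_MD5SIG, TCPOPT_MD5SIG_LEN) + b"\x00" * 16 + b"\x01\x01"
    digest = tcp_md5_digest(src_ip, dst_ip, header + placeholder + payload, key)
    option = struct.pack("!BB", TCPOPT_MD5SIG, TCPOPT_MD5SIG_LEN) + digest + b"\x01\x01"
    return header + option + payload


def verify_segment(src_ip: str, dst_ip: str, segment: bytes, key: bytes) -> bool:
    """Receiver side: recompute the digest and compare it in constant time."""
    received = dict(tcp_options(segment)).get(TCPOPT_MD5SIG)
    if received is None or len(received) != 16:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, segment, key)
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    KEY = b"constructed-example-key"                # constructed, per-neighbour secret
    seg = build_segment("192.0.2.1", "192.0.2.2", 179, 40000, 1000, 2000, 0x18,
                        b"BGP payload (constructed)", KEY)
    print("valid with right key:", verify_segment("192.0.2.1", "192.0.2.2", seg, KEY))
    print("valid with wrong key:", verify_segment("192.0.2.1", "192.0.2.2", seg, b"other"))
    print("valid from other src:", verify_segment("192.0.2.9", "192.0.2.2", seg, KEY))
```

Two things the code makes visible: the pseudo-header puts both IP addresses under the digest, so a segment replayed from a different address fails verification, and the key is simply appended to the hashed data rather than used in an HMAC, one of the reasons a replacement (the TCP Authentication Option mentioned above) was pursued. Every neighbour needs its own key agreed out of band, which is the management burden the talk cites for uneven deployment.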

Tools (including live demos)

  • bgp_cli
  • bgp_md5crack


MPLS

MPLS is defined in RFC 3031 and is used in provider backbones to label traffic. Packets can carry multiple labels.

Both MPLS Layer 3 VPNs (RFC4364) and MPLS Layer 2 VPNs (RFC) will be discussed as they can be found in most large organizations.

MPLS Layer 3 VPNs

  • Comparable to Frame Relay/ATM in some respects
  • Highly “virtual” technology

During transport 2 labels are used.

  • First: Identifies the ‘egress PE’ / Route
  • Second: Identifies the customer/particular VPN

Due to the infrastructure, it is possible for multiple customers to use the same IP address space.

Once an attacker is inside the MPLS network, they can do almost anything they want. The design of the technology prevents attacks from outside the network; inside the network there are no additional security restrictions.

POC attack tool for MPLS redirection – mps_redirect

The command-line tool rewrites the VPN labels of packets to redirect all traffic for the victim network to the attacker’s network.

MPLS labels are transmitted in clear text across the network. By sitting in the data path it’s possible to rewrite the MPLS labels and communicate between VPNs.

This attack allows systems to be spoofed at the MPLS level. Examples are replacing your DNS or LDAP server with attacker-controlled versions.
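As an added example (not the talk’s tooling, and not the mps_redirect tool above), the Python below parses the two-label L3VPN stack described earlier (transport label first, VPN label second, using the RFC 3032 entry layout), shows how two customers who both use 10.1.1.0/24 are told apart only by the VPN label, and performs the consistency check a PE or a tap that knows the provisioning can use to flag a frame whose VPN label resolves to a different VRF than the one its ingress port belongs to, which is what the relabeling just described produces on the wire. All label values, PE names and customer names are constructed.

```python
"""Parse an MPLS label stack and check the VPN label against the expected VRF.
Added illustration: the label values, PE names, customer names and addresses
are constructed for this example and are not from the talk or any real network."""
import struct
from dataclasses import dataclass


@dataclass
class LabelEntry:
    label: int   # 20-bit label value
    tc: int      # 3-bit traffic class field (formerly EXP)
    bos: bool    # bottom-of-stack bit, set only on the last entry
    ttl: int     # 8-bit time to live


def encode_entry(label: int, tc: int, bos: bool, ttl: int) -> bytes:
    """Build one 32-bit label stack entry (RFC 3032 layout)."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label must fit in 20 bits")
    word = (label << 12) | ((tc & 0x7) << 9) | (int(bos) << 8) | (ttl & 0xFF)
    return struct.pack("!I", word)


def parse_label_stack(frame: bytes):
    """Return (entries, offset), where offset is where the inner packet begins."""
    entries, offset = [], 0
    while True:
        if offset + 4 > len(frame):
            raise ValueError("truncated label stack")
        (word,) = struct.unpack("!I", frame[offset:offset + 4])
        entry = LabelEntry(word >> 12, (word >> 9) & 0x7,
                           bool((word >> 8) & 1), word & 0xFF)
        entries.append(entry)
        offset += 4
        if entry.bos:
            return entries, offset


def inner_ipv4_addrs(ip: bytes):
    """Source and destination from the inner IPv4 header (first 20 bytes)."""
    if len(ip) < 20 or (ip[0] >> 4) != 4:
        raise ValueError("inner packet is not IPv4")
    return ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))


# Constructed control-plane state, i.e. what the egress PE advertised.
TRANSPORT_LABELS = {16: "PE2"}                          # outer label -> egress PE
VPN_LABELS = {1001: "customer-A", 1002: "customer-B"}   # inner label -> VRF


def classify(frame: bytes):
    """Resolve a two-label L3VPN frame to (egress PE, VRF, inner src, inner dst)."""
    entries, off = parse_label_stack(frame)
    if len(entries) != 2:
        raise ValueError("expected a two-label L3VPN stack")
    egress = TRANSPORT_LABELS.get(entries[0].label, "unknown-PE")
    vrf = VPN_LABELS.get(entries[1].label, "unknown-VRF")
    src, dst = inner_ipv4_addrs(frame[off:])
    return egress, vrf, src, dst


def check_vpn_label(frame: bytes, expected_vrf: str) -> bool:
    """True if the inner label resolves to the VRF the ingress port belongs to.
    A mismatch is the on-the-wire symptom of a rewritten VPN label."""
    return classify(frame)[1] == expected_vrf


def ipv4_header(src: str, dst: str) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left zero) for a constructed sample."""
    s = bytes(int(x) for x in src.split("."))
    d = bytes(int(x) for x in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0, s, d)


def sample_frame(vpn_label: int) -> bytes:
    """Constructed frame: transport label 16, then the given VPN label, then IPv4."""
    return (encode_entry(16, 0, False, 64)
            + encode_entry(vpn_label, 0, True, 64)
            + ipv4_header("10.1.1.5", "10.1.1.10"))


if __name__ == "__main__":
    # Both customers use 10.1.1.0/24; only the VPN label tells them apart.
    for lbl in (1001, 1002):
        print(lbl, classify(sample_frame(lbl)))
    # A frame on customer-A's attachment whose inner label says customer-B.
    print("label consistent:", check_vpn_label(sample_frame(1002), "customer-A"))
```

Because nothing in the stack is authenticated, the check can only compare what it sees against provisioning data it already trusts; it detects a label that does not belong on that path, not who changed it, which is why the mitigation below (encryption at a trust border) is the stronger control.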

POC attack tool for MPLS injection – mps_tun

Creates a TUN interface that allows the attacker to inject packets into the VPN tunnel (use your favourite attack tools through the TUN interface).

60-80% of providers would allow complete control over an MPLS end-point. This would enable an attacker to perform these attacks.

Mitigation: authenticate everything, and implement “borders of trust” that encrypt/decrypt all inbound traffic at the site level.

MPLS Layer 2 VPNs

These networks expose the VPNs to existing layer 2 threats, such as ARP spoofing across the VPNs. Most Yersinia-style attacks will also work in the MPLS cloud.

The presenters are running a workshop (full MPLS lab setup) at FuWaR village at 14:30 today

Update: Some of the tools and the presentation can be downloaded from the ERNW.DE website; the presentation from BlackHat Europe appears to be the most recent on the site.
