
MPLS Security: Is MPLS Secure?

Multi-Protocol Label Switching is a traffic routing mechanism within telecom networks. It allows each customer’s data to be kept separate from other data streams through the use of specific labels that direct packets along pre-determined paths through the network. But is MPLS secure?

The generally accepted answer is yes. MPLS security does have potential vulnerabilities, but they are largely theoretical – with the exception of flaws due to misconfiguration.
MPLS Privacy vs. MPLS Security
Some argue that rather than being truly secure, MPLS is private. There is no inherent encryption within MPLS. It is, simply, a traffic routing mechanism that creates the feel of private lines by directing packets based on predetermined labeled paths within the network – but it still allows shared network elements. The Provider Edge (PE) network element, for example, may be shared between multiple customers.
MPLS security is founded on the premise that the network core is secure, according to network professional Ivan Pepelnjak, chief technology advisor for NIL Data Communications Ltd. Most service providers concentrate on providing security from “outside” attacks, meaning the Internet or connected VPNs. This is a common baseline for designing protection, compared to an “inside” attack, because “if an attacker has logical or physical access to the core network … any network can be attacked with access from the inside,” according to a Cisco Systems white paper on MPLS security. (1)
“Let’s put it this way: first, you have to remember that if someone breaks into your network core, then nothing is secure,” Pepelnjak said. “Most of the service provider networks are designed with the assumption that the core is secure, and no one can get in there.”
However, if an intruder managed to gain access to the core network, the lack of inherent encryption would mean the intruder could collect data and analyze it. What might come out of that analysis depends on how well the customers have protected themselves.
“Some customers might not care. Some customers might care for regulatory reasons, and so they could implement some simple form of encryption,” Pepelnjak said. “Some people are really concerned, because if you are a high-value target, you want to protect yourself. But in most cases, the problem is on the side of the customer, and the solution is on the side of the customer.”
Enterprises who rely on MPLS can choose to encrypt their data before it leaves their site, which would solve the issue of the lack of encryption abilities within the MPLS network itself.
According to a Black Hat presentation by Enno Rey of security firm ERNW, other attacks on MPLS networks could include attempts to insert pre-labeled traffic from a Customer Edge (CE) device or from the Internet. However, PE devices are supposed to reject labeled packets from CE devices as untrusted – the PE device is where MPLS labels are applied to packets. Testers were also unable to inject labeled traffic from the Internet, although Rey noted that the attack is possible under certain conditions.
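As an added illustration (not from the article, Cisco or ERNW), the following Python checker parses the MPLS shim header described above and flags frames that arrive already labeled on a link where labels are never expected, such as the CE-facing side of a PE; the MAC addresses and sample frames are constructed, and 802.1Q-tagged frames are assumed not to be present.

```python
import struct

# EtherTypes for MPLS unicast and multicast (RFC 3032).
ETHERTYPE_MPLS = (0x8847, 0x8848)


def parse_label_stack(payload: bytes):
    """Parse 4-byte MPLS shim headers until the bottom-of-stack (S) bit is set.

    Shim layout: label (20 bits) | TC (3 bits) | S (1 bit) | TTL (8 bits).
    Returns (labels, remaining_payload).
    """
    labels, offset = [], 0
    while True:
        if len(payload) < offset + 4:
            raise ValueError("truncated MPLS label stack")
        (word,) = struct.unpack("!I", payload[offset:offset + 4])
        labels.append({"label": word >> 12, "tc": (word >> 9) & 0x7, "ttl": word & 0xFF})
        offset += 4
        if (word >> 8) & 0x1:  # S bit set: bottom of stack reached
            return labels, payload[offset:]


def mpls_labels(frame: bytes):
    """Return the label stack if the Ethernet II frame carries MPLS, else None.
    Assumes untagged framing (assumption: 802.1Q tags are not unwrapped)."""
    if len(frame) < 14:
        raise ValueError("short Ethernet frame")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype not in ETHERTYPE_MPLS:
        return None
    labels, _ = parse_label_stack(frame[14:])
    return labels


def audit_ce_facing_frames(frames):
    """Flag (index, label stack) for frames that arrived pre-labeled on a CE-facing link.
    Any hit means the PE accepts labels from the customer side or something is injecting them."""
    return [(i, labels) for i, f in enumerate(frames) if (labels := mpls_labels(f))]


def shim(label: int, bos: int, tc: int = 0, ttl: int = 64) -> bytes:
    return struct.pack("!I", (label << 12) | (tc << 9) | (bos << 8) | ttl)


def ethernet(ethertype: int, payload: bytes) -> bytes:
    # Constructed, locally administered MAC addresses.
    return bytes.fromhex("020000000001020000000002") + struct.pack("!H", ethertype) + payload


# Constructed sample capture: one plain IPv4 frame and one frame carrying a two-label stack.
SAMPLE_FRAMES = [
    ethernet(0x0800, b"\x45" + b"\x00" * 19),
    ethernet(0x8847, shim(100, bos=0) + shim(16, bos=1) + b"\x45" + b"\x00" * 19),
]

if __name__ == "__main__":
    for idx, labels in audit_ce_facing_frames(SAMPLE_FRAMES):
        print(f"frame {idx}: labeled traffic on CE-facing link, stack={labels}")
```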
Cisco’s white paper noted that in order to maintain good security for an MPLS system, “the internal structure of the MPLS core network (provider edge (PE) and provider (P) elements) should not be visible to outside networks (Internet or any connected VPN). Although a breach of this requirement does not lead to a security problem, many [service providers] feel this is advantageous if the internal addressing and network structure remains hidden to the outside world. A strong argument is that denial-of-service attacks against a core router, for example, are much easier to carry out if an attacker knows the address. Where addresses are not known, they can be guessed, but with this limited visibility, attacks become more difficult.”
Rey’s presentation outlined the fact that many pieces would need to fall into place for an MPLS security breach to take place.
“There are a lot of if’s,” Pepelnjak acknowledged. “This is purely hypothetical. But there have been other pure hypotheticals, and they were purely hypothetical until someone pulled it off.
“This thing is pretty well designed, and pretty well implemented,” Pepelnjak went on to say. “So the claims that it is as secure as frame relay are true – with the obvious gotcha that if you misconfigure something, you have a problem.”
 
Additional sources:
1. Security of the MPLS Architecture. http://www.cisco.com/en/US/products/ps6822/products_white_paper09186a00800a85c5.shtml#wp28489
