Friday, May 1, 2009

Routing…the forgotten security trusted model

Higher-layer security has been the buzz for some time, and it is hard to argue with numbers showing web application attacks account for up to 75% of security issues. But what about the new fad everyone has been jumping on board with: MPLS, carrier Ethernet variations, or your carrier cloud implementation? The root of it all is packaged as MPLS, but underneath it is really the BGP protocol. To begin the debate, I would almost draw the analogy of MPLS/BGP to HTTP, as opposed to HTTPS/SSL.

Sure, providers are aware of the possibilities and continue to enhance the protocol with, for example, MPLS FI (Forwarding Infrastructure), but that was found to be exploitable with crafty coding as well.

And, like all other vulnerabilities, it can be discussed further at forums such as Black Hat Europe and ERNW.

The one good thing about all this, though, is that the hacker needs to get into your network first (go figure) before being able to modify the bits and bytes that can turn your routing tables into a mesh/mess.

Simply said, it works like this: BGP is based on established trust, and while MD5 can buy you a level of key security (but come on, it's only MD5, so a supercomputer is not needed to crack it), packets leave with a forwarding label and an egress provider-edge route carrying VPN destination identities; thus intercept them, use command-line tools (mpls_tun) and bang away. You can change label information and reroute packets to authentication servers, malicious DNS, etc. And did you say transparency models? Then next up, let's talk Layer 2 exploits.
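The "MD5" the post leans on is the TCP MD5 signature option of RFC 2385 that protects a BGP session. As an added example, not part of the original post, the Python below shows what the receiving router actually checks: the digest covers the IP pseudo-header, the fixed TCP header, the BGP data and the shared key, so a segment with the wrong key, an altered payload or a spoofed source address fails verification. The addresses, key and KEEPALIVE payload are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

# Constructed values for the example (not from the post): a BGP peering on TCP/179.
SRC_IP, DST_IP = "192.0.2.1", "192.0.2.2"
KEY = b"example-peer-secret"

def tcp_md5_digest(src_ip, dst_ip, segment, key):
    """RFC 2385 digest: IP pseudo-header, fixed 20-byte TCP header (checksum zeroed,
    options dropped), segment data, then the shared key. Options are excluded from
    the hash but counted in the segment length, so the option signs around itself."""
    data_offset = (segment[12] >> 4) * 4            # header length incl. options
    fixed_hdr = bytearray(segment[:20])
    fixed_hdr[16:18] = b"\x00\x00"                  # checksum is filled in after signing
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 6, len(segment)))
    return hashlib.md5(pseudo + bytes(fixed_hdr) + segment[data_offset:] + key).digest()

def find_md5_option(segment):
    """Walk the TCP option list; return the 16-byte digest of option kind 19 (len 18) or None."""
    opts = segment[20:(segment[12] >> 4) * 4]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                               # End-of-options
            return None
        if kind == 1:                               # NOP is a single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:   # truncated or malformed option
            return None
        if kind == 19 and opts[i + 1] == 18 and i + 18 <= len(opts):
            return bytes(opts[i + 2:i + 18])
        i += opts[i + 1]
    return None

def verify_segment(src_ip, dst_ip, segment, key):
    """Receiver-side check: drop unsigned segments and digests that do not match the key."""
    sig = find_md5_option(segment)
    return sig is not None and hmac.compare_digest(sig, tcp_md5_digest(src_ip, dst_ip, segment, key))

def build_signed_segment(src_ip, dst_ip, sport, dport, payload, key):
    """Minimal PSH/ACK segment carrying the MD5 option, padded with two NOPs to 20 option bytes."""
    header = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 10 << 4, 0x18, 65535, 0, 0)
    unsigned = header + bytes([19, 18]) + bytes(16) + b"\x01\x01" + payload
    digest = tcp_md5_digest(src_ip, dst_ip, unsigned, key)   # options are not hashed
    return header + bytes([19, 18]) + digest + b"\x01\x01" + payload
```

Note that the key itself never travels on the wire: the option only proves that both ends hold it, which is why an intruder who has already reached the segment between peers still cannot inject or alter BGP messages without the key.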

On a related note, a carrier-based VPN offering, either EVPN or EBP VPN, is traditionally not encrypted, though your traffic is tunnelled through the provider's network routers. By contrast, an implementation of IVPN or IP-VPN is not only tunnelled but encrypted, often through an appliance or firewall (unlike a traditional Layer 3 router with EVPN).

RFC 3031 MPLS | RFC 4364 BGP/MPLS IP VPN | RFC 2547 BGP/MPLS VPN
