MPLS/VPN Security Threats and Defensive Techniques (provider provision) Speaker ： JET 3,1’2004

Introduction From BTexact Technologies

What is Threats ? Observation, modification, or deletion of PPVPN user data Replay of MPLS/VPN user data Injection of non-authentic data into a MPLS/VPN Traffic pattern analysis on MPLS/VPN traffic Disruption of MPLS/VPN connectivity Degradation of MPLS/VPN service quality

Threats sources The MPLSVPN service provider or persons working for it Other persons who obtain physical access to a service provider site Persons within the organization which is the MPLS/VPN user with respect to a particular MPLS/VPN Persons within an organization that is a separate MPLS/VPN user of the same service provider Others i.e. attackers from the Internet at large.

Security Threats - Data Plane MPLS/VPN Spoofing and Replay Unauthorized Observation/Modification/Deletion DoS Traffic Pattern Analysis Impersonation

Insertion of Non-Authentic Data Traffic: Spoofing and Replay Spoofing : insertion into the VPN of packets that do not belong there Replay : copies of once-legitimate packets that have been recorded and replayed

Denial of Service Attacks on the MPLS/VPN Monopolize network resources and thus prevent other PPVPNs from accessing those resources Inserting an overwhelming quantity of non- authentic data Overwhelming the service provider's general (MPLS/VPN-independent) infrastructure with traffic Interfering with its operation

Unauthorized Observation/Modification/Deletion of Data Traffic “Sniffing" VPN packets Examining their contents Modifying the contents of packets in flight Causing packets in flight to be discarded Would typically occur on links in a compromised node

Traffic Pattern Analysis “Sniffing" VPN packets and examining aspects or meta-aspects of them Even are encrypted gain useful information the amount and timing of traffic packet sizes source and destination addresses etc.

Impersonation Disguises itself to appear as a legitimate entity

Security Threats - Control Plane SP’s Equipment Cross-connection of Traffic Between MPLS-VPNs DoS Routing Protocols Route Separation MPLS/VPN Address Space Separation

Denial of Service Attacks on the Network Infrastructure Against the mechanisms the service provider uses to provide MPLS/VPNs MPLS, LDP/BGP, IPsec, etc., Against the general infrastructure of the service provider Core routers Deny the otherwise-legitimate activities of another MPLS/VPN user

Attacks on the Service Provider Equipment Via Management Interfaces Reconfigure the equipment extract information (statistics, topology, etc.) Malicious entering of the systems Inadvertently as a consequence of inadequate inter-VPN isolation in a MPLS/VPN user self-management interface

Cross-connection of Traffic Between MPLS/VPNs This refers to the event where expected isolation between separate PPVPNs is breached This includes cases such as A site being connected into the "wrong" VPN Two or more VPNs being improperly merged together A point-to-point VPN connecting the wrong two points Any packet or frame being improperly delivered outside the VPN it is sent in Likelihood of being the result of service provider or equipment vendor error

Attacks Against MPLS/VPN Routing Protocols Routing protocols that are run by the service provider - LDP / BGP In layer 3 VPNs with dynamic routing this would typically relate to the distribution of per- VPN routes as well as backbone routes In layer 2 VPNs this would typically relate only to the distribution of backbone routes

Attacks on Route Separation keeping the per-VPN topology and reachability information for each PPVPN separate from, and unavailable to, any other PPVPN Reveal topology Addressing information about a MPLS/VPN Cause black hole routing or unintended cross-connection between MPLS/VPNs

Attacks on Address Space Separation In Layer 3 VPNs, the IP address spaces of different VPNs need to be kept separate In Layer 2 VPNs, the MAC address and VLAN spaces of different VPNs need to be kept separate Result in cross-connection between VPNs.

Defensive Techniques Cryptographic techniques Authentication Access Control techniques Use of Isolated Infrastructure Use of Aggregated Infrastructure Service Provider Quality Control Processes Deployment of Testable MPLS/VPN Service

Defense Philosophy Security threats can be addressed Provider's specific service offerings MPLS/VPN user should assess the value which these techniques add to the user's VPN requirements Nothing is ever 100% secure - most likely to occur and/or that have the most dire consequences To make the cost of a successful attack greater than what the adversary will be willing to expend

Cryptographic techniques Privacy traffic separation encryption Authentication Integrality Drawback Computational burden Complexity of the device configuration Incremental labor cost Packet lengths are typically increased traffic load fragmentation Other Devices

IPsec in MPLS/VPNs PE to PE (can’t be employed ) PE to CE - weaker links (pass the Internet) CE-to-CE (only use tunnel mode) Service Level Agreement (SLA) rather than analyzing the specific encryption techniques \

Encryption for device configuration and management Secure Shell (SSH) offers protection for TELNET [STD-8] or terminal-like connections to allow device configuration SNMP v3 [STD62] also provides encrypted and authenticated protection for SNMP- managed devices Transport Layer Security (TLS) (also known as Secure Sockets Layer or SSL) [RFC-2246]

Authentication Prevent Denial -of-Service attacks Malicious misconfiguration Cryptographic techniques – Cryptographic techniques shared secret keys one-time keys generated by accessory devices or software user-ID and password pairs public-private key systems do not protect against some types of denial of service attacks

Authentication issues VPN Member Authentication Management System Authentication auto- discovery Peer-to-peer Authentication

Access Control techniques packet-by-packet packet-flow-by-packet-flow Filtering Firewalls

Filtering Common for routers Filter Characteristics Stateless (In most cases ) Stateful (commonly done in firewalls ) Actions based on Filter Results Discard Set CoS Count packets and/or bytes Rate Limit - MPLS EXP field Forward and Copy

Firewalls passing between different trusted zones SP to SP, PE to CE passing between trusted zone and an untrusted zone Services threshold-driven denial-of-service attack protection virus scanning acting as a TCP connection proxy Advantage understanding of the topologies understanding of the threat model

Firewalls (conf) Within the MPLS/VPN framework, traffic typically is not allowed to pass between the various user VPNs Extranets - provide the services required for secure extranet implementation Protect the user VPNs and core network from the public Internet

vpn 2 My LAB Environment isp A isp B P router Linux MPLS Daemon vpn 1 HOST Linux For API WinXP For Microcode CE router Linux PE router Linux MPLS Daemon ixp1200 Frmo EE ixp1200

Next Presentation (3,8 ’ 2004) IXP1200 Linux How To MPLS for Linux Development