Analysis of security threats to MPLS virtual private networks

Multiprotocol label switching (MPLS) based virtual private networking is one of the fastest-growing network technologies. It provides corporate and government customers with flexible, inexpensive “autobahns” that seamlessly connect multiple, geographically-dispersed sites, enabling voice, video, data and other high-bandwidth applications. The technology is also attractive to service providers because it enables them to flexibly provision resources for a variety of classes of service and applications with excellent quality of service at low cost. This paper analyzes the principal security threats to MPLS virtual private networks (VPNs). Because BGP is crucial to implementing MPLS VPNs, special attention is directed at the protocol and its multiprotocol extensions. This paper describes three classes of exploits on MPLS VPNs: route modification, traffic injection and denial-of-service attacks. It also discusses mitigation strategies that can be implemented by service providers and MPLS VPN customers.