Wednesday, October 1, 2008

Cisco IOS MPLS VPN May Leak Information

Devices running Cisco IOS versions 12.0S, 12.2, 12.3 or 12.4 and configured for Multiprotocol Label Switching (MPLS) Virtual Private Networks (VPNs) or VPN Routing and Forwarding Lite (VRF Lite) and using Border Gateway Protocol (BGP) between Customer Edge (CE) and Provider Edge (PE) devices may permit information to propagate between VPNs.

Workarounds are available to help mitigate this vulnerability.

This issue is triggered by a logic error when processing extended communities on the PE device.

This issue cannot be deterministically exploited by an attacker.

Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available.

Workarounds

Customers running versions of Cisco IOS that support filtering of extended communities can prevent the corruption of the route target (RT) by applying an inbound BGP route-map on the PE-CE sessions that deletes any RT extended communities the CE sends. The PE then attaches only the RTs configured for that VRF, so nothing the CE advertises can influence which VRFs import its routes.

The following configuration example, applied in the ipv4 address family of a PE device, removes RT extended communities from routes received from the CE router (the angle-bracket fields are placeholders for the local AS number and the CE neighbor address):

router bgp <AS>
 address-family ipv4 vrf one
  neighbor <CE-IP> remote-as <CE-AS>
  neighbor <CE-IP> activate
  neighbor <CE-IP> route-map FILTER in
 exit-address-family
!
ip extcommunity-list 100 permit _RT.*_
!
route-map FILTER permit 10
 set extcomm-list 100 delete
!
The following configuration example, applied in the ipv6 address family of a PE device, removes RT extended communities from routes received from the CE router (same placeholders as above; the extcommunity-list and route-map are address-family independent and can be shared with the ipv4 configuration):

router bgp <AS>
 address-family ipv6 vrf one
  neighbor <CE-IP> remote-as <CE-AS>
  neighbor <CE-IP> activate
  neighbor <CE-IP> route-map FILTER in
 exit-address-family
!
ip extcommunity-list 100 permit _RT.*_
!
route-map FILTER permit 10
 set extcomm-list 100 delete
!
Note: The capability of filtering extended communities is only available in certain 12.0S and 12.2S based Cisco IOS releases.

The BGP session between the PE and the CE needs to be cleared (for example with clear ip bgp <CE-IP>) to make this configuration change effective. Afterwards, confirm with show ip bgp vpnv4 vrf one that routes learned from the CE carry only the RT values configured for that VRF.
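To make concrete what the route-map above strips and why it matters, here is an added Python model of the filter. It is not Cisco code and not part of the advisory: it decodes RFC 4360 extended communities in the notation IOS prints (RT:65000:100, SoO:...), applies the equivalent of "set extcomm-list 100 delete" with "permit _RT.*_", and then runs a deliberately simplified PE import step in which any RT still attached to a CE-learned route is honoured. The VRF names, AS numbers and the CE-sent communities are constructed for illustration, and the simulation is not a description of the actual logic error, which the advisory does not detail; it only shows that once RTs from the CE are deleted on ingress, a CE can no longer name another customer's RT.

```python
"""Added example: model of the RT-stripping workaround for the MPLS VPN leak.
Not Cisco code. VRFs, ASNs and the CE-sent communities are constructed."""
import struct

# RFC 4360 type (high octet, authority/transitive bits masked) and sub-type values
TYPE_TWO_OCTET_AS = 0x00
TYPE_IPV4 = 0x01
TYPE_FOUR_OCTET_AS = 0x02
SUBTYPE_ROUTE_TARGET = 0x02   # RT  (RFC 4364)
SUBTYPE_ROUTE_ORIGIN = 0x03   # SoO (Site of Origin)


def decode_extcomm(raw):
    """Decode one 8-octet extended community into (kind, value) using IOS
    notation, e.g. ('RT', '65000:100') or ('SoO', '10.0.0.1:7')."""
    if len(raw) != 8:
        raise ValueError("extended community must be 8 octets")
    base_type = raw[0] & 0x3F          # drop IANA-authority and transitive bits
    sub = raw[1]
    if sub == SUBTYPE_ROUTE_TARGET:
        kind = "RT"
    elif sub == SUBTYPE_ROUTE_ORIGIN:
        kind = "SoO"
    else:
        return ("unknown", raw.hex())
    if base_type == TYPE_TWO_OCTET_AS:
        asn, local = struct.unpack("!HI", raw[2:8])
        return (kind, f"{asn}:{local}")
    if base_type == TYPE_IPV4:
        a, b, c, d, local = struct.unpack("!4BH", raw[2:8])
        return (kind, f"{a}.{b}.{c}.{d}:{local}")
    if base_type == TYPE_FOUR_OCTET_AS:
        asn, local = struct.unpack("!IH", raw[2:8])
        return (kind, f"{asn}:{local}")
    return ("unknown", raw.hex())


def encode_2octet(subtype, asn, local):
    """Build a two-octet-AS-specific extended community (type 0x00)."""
    return bytes([TYPE_TWO_OCTET_AS, subtype]) + struct.pack("!HI", asn, local)


def delete_rt(extcomms):
    """Equivalent of 'set extcomm-list 100 delete' where list 100 is
    'permit _RT.*_': every RT is removed, anything else (e.g. SoO) survives."""
    return [ec for ec in extcomms if decode_extcomm(ec)[0] != "RT"]


def rt_values(extcomms):
    return {decode_extcomm(ec)[1] for ec in extcomms if decode_extcomm(ec)[0] == "RT"}


def pe_import(received, vrfs, ingress_vrf, filter_rt):
    """Simplified PE behaviour (an assumption for illustration, not the real
    IOS code path): optionally strip CE-sent RTs, add the ingress VRF's export
    RT, then import into every VRF whose import RTs match. Returns VRF names."""
    attached = (delete_rt(received) if filter_rt else list(received)) + vrfs[ingress_vrf]["export"]
    have = rt_values(attached)
    return {name for name, cfg in vrfs.items() if have & rt_values(cfg["import"])}


# Constructed PE configuration: two customers, each with its own RT.
VRFS = {
    "one": {"export": [encode_2octet(SUBTYPE_ROUTE_TARGET, 65000, 100)],
            "import": [encode_2octet(SUBTYPE_ROUTE_TARGET, 65000, 100)]},
    "two": {"export": [encode_2octet(SUBTYPE_ROUTE_TARGET, 65000, 200)],
            "import": [encode_2octet(SUBTYPE_ROUTE_TARGET, 65000, 200)]},
}

# Constructed update from customer one's CE: it carries a legitimate SoO plus
# an RT that belongs to customer two.
CE_UPDATE = [
    encode_2octet(SUBTYPE_ROUTE_ORIGIN, 65001, 7),
    encode_2octet(SUBTYPE_ROUTE_TARGET, 65000, 200),
]


def leak_check():
    """Return (VRFs importing the route without the filter, with the filter)."""
    return (pe_import(CE_UPDATE, VRFS, "one", filter_rt=False),
            pe_import(CE_UPDATE, VRFS, "one", filter_rt=True))


if __name__ == "__main__":
    unfiltered, filtered = leak_check()
    print("CE sent:", [decode_extcomm(ec) for ec in CE_UPDATE])
    print("imported without route-map FILTER:", sorted(unfiltered))
    print("imported with route-map FILTER:   ", sorted(filtered))
```

Running it shows the route reaching both VRF one and VRF two when the CE's RT is honoured, and only VRF one once the inbound route-map deletes it; the SoO community is left untouched, which is why the advisory's extcommunity-list matches _RT.*_ rather than deleting every extended community.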

5 comments:

alex smith said...

I like the idea of using a VPN service, especially since WiFi is provided with my apartment and I don't want my landlord virtually snooping around. But which of the two is a better service? I like Witopia's price because I could afford to buy an account for each of my computers. How does HotspotVPN justify the higher price?

Also, I can't find any information on either as to the information they keep about my surfing habits, marketing data, etc. Why should I trust either of these companies more than my landlord, a hotel, or Starbucks?

Quintin T. said...

Connecting to a VPN is a very good idea if you want to have a secured connection.
vpn service

Len Sandler said...

Great tutorial, I needed this for my virtual office.
virtual office

virtual office malaysia said...

Thank you for sharing this news, it's better to be safe than sorry.

colocation chicago said...

You have done a good job in configuring the security of the VPN network. Leaking information over the network is a very serious problem.