To effectively launch certain types of attacks, a hacker usually needs some knowledge about the network topology or hardware used. The technique that gathers this type of information is called reconnaissance. Reconnaissance on its own is, in many environments, not a threat, but the intelligence found by employing it is often used later to attack a system or network. So, the threat of reconnaissance attacks is mostly an indirect one: after the network has been scanned, this information is used subsequently for attacks.
Often reconnaissance attacks go undetected for considerable time because they have usually no impact on the network. At best, this type of activity may be seen in some log files, but often it is not found.
It is good current practice to make networks and devices as "stealth" as possible, to make gathering information harder for potential attackers.
In the MPLS context, the core is already, to a large extent, hidden to the outside, as is shown in Chapter 3. So by default, only the PE-peering addresses are visible from the outside. These interfaces should be protected with ACLs so that the PE router does not accept packets targeted to the core or send any response. This hides the core and makes reconnaissance from outside the network very difficult.
VPN-specific infrastructure ACLs, which prevent the PEs from being targeted from the VPN, can be complicated depending on the addressing scheme used for all the CE-PE links in a VPN. Each PE, on the interface to each CE of a VPN, needs a deny statement for all PE addresses reachable from that VPN. See Chapter 5, "Security Recommendations."
There are two exceptions to this overall rule:
MPLS traceroute? There is a feature to allow visibility of MPLS core routers in a traceroute, even though this is not possible by default in such a network. MPLS traceroute first became available in Cisco IOS Release 12.0(9)ST and 12.1(3)T, and is, by default, enabled. The command is mpls ip propagate-ttl.
By default, on a PE, the Time-To-Live (TTL) value is copied from an IP packet header to the MPLS packet header. Each PE and P router decrements the MPLS TTL value. If a packet expires within the core, an ICMP TTL-expired message is sent back to the originator. An MPLS traceroute shows internal PE and P routers and reveals important information about the network topology to a potential attacker.
Disable mpls ip propagate-ttl from the outside of the MPLS core. The keyword "forwarded" can be used when the feature is required from within the MPLS core but when it should not be available from outside the MPLS core.
Unprotected Internet on core routers? Many MPLS backbones provide Internet services and VPN services on the same core. By default, if the Internet runs on the global routing table, the core routers are visible to the Internet and can be seen, for example, with a traceroute. This enables relatively easy mapping of the core network from the outside. The recommendation is to block by default access from the Internet into the core. This topic is detailed in Chapter 5, "Security Recommendations."
Although reconnaissance is not a direct threat, it enables further attacks and should therefore be taken seriously. Also, depending on the way the reconnaissance is carried out, it might consume resources on the core routers, and in the worst case lead to a DoS attack against a core device. For all those reasons, an MPLS core should be operated as a "black box"?that is, without giving any information about itself to outsiders. The most effective way of doing this is by using infrastructure ACLs, described in detail in Chapter 5, "Security Recommendations," which block all access from the outside into the core.