Mitigating Spoofing Attacks in MPLS-VPNs Using Label-Hopping
In certain models of inter-provider Multi-Protocol Label Switching (MPLS) based Virtual Private Networks (VPNs) spoofing attack against VPN sites is a key concern. For example, MPLS-based VPN inter-provider model "C" is not favoured, owing to security concerns in the dataplane, even though it can scale with respect to maintenance of routing state. Since, the inner labels associated with VPN sites are not encrypted during transmission, a man-in-the-middle attacker can spoof packets to a specific VPN site. In this paper, the authors propose a label-hopping technique which uses a set of randomized labels and a method for hopping amongst these labels using the payload of the packet.