A computer network is a collection of interconnected computing devices that exchange data and share resources. In a packet-based network, such as the Internet, the computing devices communicate data by dividing the data into small blocks called packets. The packets are individually routed across the network from a source device to a destination device. The destination device extracts the data from the packets and assembles the data into its original form. Dividing the data into packets enables the source device to resend only those individual packets that may be lost during transmission.
Packet-based computer networks increasingly utilize label switching protocols for traffic engineering and other purposes. In a label switching network, label switching routers (LSRs) use Multi-Protocol Label Switching (MPLS) signaling protocols to establish label switched paths (LSPs). The LSRs utilize MPLS protocols to receive MPLS label mappings from downstream LSRs and to advertise MPLS label mappings to upstream LSRs. When an LSR receives an MPLS packet from an upstream router, it swaps the MPLS label according to the information in its forwarding table and forwards the packet to the appropriate downstream LSR.
Conventional LSRs often assume that any given connected upstream LSR can be “trusted” to send MPLS packets only with labels that were actually advertised to that upstream LSR. However, this poses a potential security vulnerability in that an LSR may receive an MPLS packet from a source other than the upstream LSR to which the label mapping was advertised. In other words, a malicious source may “spoof” an upstream LSR by outputting MPLS packets in accordance with the corresponding label mapping for one or more LSPs. If a downstream LSR accepts the spoofed MPLS packets, label-switches them and forwards them to further downstream LSRs, a security breach has occurred. The malicious source has successfully (or possibly inadvertently) injected MPLS packets into an LSP even though that LSP was never signaled upstream to the source.
Detecting and preventing MPLS spoofing can be a difficult task, and conventional detection schemes for packet-based systems may be inadequate. For example, one conventional approach often applied in a packet-based network is simply to verify the source address of a received packet. However, there is typically no source address associated with a packet in the MPLS context.
Consequently, some LSRs attempt to prevent MPLS spoofing by verifying that a packet is received on an interface that has been enabled for MPLS. If MPLS is not enabled for that particular interface, the LSR drops the packet. However, this approach will not prevent security breaches when the spoofed MPLS traffic is received on MPLS-enabled interfaces, as may readily occur for interfaces between different service providers, or where MPLS is enabled on interfaces between service providers and customers.
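The following Python model is an added illustration of the label-switching behaviour and the two ingress checks discussed above; it is not code from the original document or from any particular router implementation. It assumes a toy LSR with a per-label forwarding table, a set of MPLS-enabled interfaces, and a record of which labels were advertised to the neighbour on each interface. All interface names (`ge-0`, `ge-1`, `ge-2`), labels and neighbour roles are constructed. The example shows that a spoofed packet arriving on an MPLS-enabled inter-provider interface passes the “is MPLS enabled on this interface” check, whereas a check against the labels actually advertised on that interface rejects it.

```python
"""Toy label-switching router (LSR) model.

Illustrates why accepting any MPLS packet on an MPLS-enabled interface does
not stop label spoofing, and how checking the incoming label against the
labels advertised to the neighbour on that interface does.
Constructed example: all labels, interfaces and neighbours are made up.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class MplsPacket:
    in_iface: str   # interface the packet arrived on
    label: int      # top MPLS label carried by the packet
    payload: bytes  # encapsulated data (contents irrelevant here)


@dataclass
class Lsr:
    # Interfaces on which MPLS is enabled (the conventional check in the text).
    mpls_enabled: Set[str] = field(default_factory=set)
    # Forwarding table: incoming label -> (outgoing interface, outgoing label).
    fib: Dict[int, Tuple[str, int]] = field(default_factory=dict)
    # Ingress interface -> labels this LSR advertised to the neighbour there.
    advertised: Dict[str, Set[int]] = field(default_factory=dict)

    def advertise(self, in_iface: str, label: int, out_iface: str, out_label: int) -> None:
        """Install a label binding for an LSP and record to whom it was advertised."""
        self.fib[label] = (out_iface, out_label)
        self.advertised.setdefault(in_iface, set()).add(label)

    def accept_interface_check(self, pkt: MplsPacket) -> bool:
        """Conventional policy: accept if MPLS is enabled on the ingress interface."""
        return pkt.in_iface in self.mpls_enabled

    def accept_advertised_check(self, pkt: MplsPacket) -> bool:
        """Stricter policy: accept only labels advertised to the neighbour on that interface."""
        return pkt.label in self.advertised.get(pkt.in_iface, set())

    def forward(self, pkt: MplsPacket,
                policy: Callable[[MplsPacket], bool]) -> Optional[Tuple[str, MplsPacket]]:
        """Apply the ingress policy, then label-swap per the forwarding table.

        Returns (outgoing interface, swapped packet), or None if the packet is dropped.
        """
        if not policy(pkt) or pkt.label not in self.fib:
            return None
        out_iface, out_label = self.fib[pkt.label]
        return out_iface, MplsPacket(out_iface, out_label, pkt.payload)


def build_scenario() -> Tuple[Lsr, MplsPacket, MplsPacket]:
    """Constructed topology: ge-0 faces a trusted upstream LSR, ge-1 is an
    MPLS-enabled peering interface to another provider, ge-2 is downstream."""
    lsr = Lsr(mpls_enabled={"ge-0", "ge-1", "ge-2"})
    # Label 100 was advertised only to the upstream LSR on ge-0 (LSP A -> downstream).
    lsr.advertise(in_iface="ge-0", label=100, out_iface="ge-2", out_label=300)
    # Label 200 was advertised only to the peer provider on ge-1.
    lsr.advertise(in_iface="ge-1", label=200, out_iface="ge-2", out_label=301)

    legit = MplsPacket(in_iface="ge-0", label=100, payload=b"legit data")
    # Spoofed packet: label 100 sent by the peer on ge-1, which never received that mapping.
    spoof = MplsPacket(in_iface="ge-1", label=100, payload=b"injected data")
    return lsr, legit, spoof


def evaluate() -> Dict[str, bool]:
    """Return whether each packet is forwarded under each policy."""
    lsr, legit, spoof = build_scenario()
    return {
        "legit_iface_check": lsr.forward(legit, lsr.accept_interface_check) is not None,
        "spoof_iface_check": lsr.forward(spoof, lsr.accept_interface_check) is not None,
        "legit_advertised_check": lsr.forward(legit, lsr.accept_advertised_check) is not None,
        "spoof_advertised_check": lsr.forward(spoof, lsr.accept_advertised_check) is not None,
    }


if __name__ == "__main__":
    for name, forwarded in evaluate().items():
        print(f"{name}: {'forwarded' if forwarded else 'dropped'}")
```

Run as a script it prints that the spoofed packet is forwarded under the interface-enabled check (the weakness the text describes) and dropped under the advertised-label check, while the legitimate packet is forwarded under both. The key design point is that the stricter policy keys acceptance on the pair (ingress interface, label), mirroring the fact that a label mapping is advertised to a specific upstream neighbour rather than to any device that happens to reach an MPLS-enabled port.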