@jake - re: access to hardware
Part 1:
Both BGP and MPLS messages are transmitted over the same public network backbone that internet packets are. Ergo: forge those control messages=control IP routing.
BGP is more exposed because it runs over TCP, while MPLS is reputedly a "layer 2.5" protocol. However, if you are able to tap into the fiber, you essentially have access down to the physical (layer 1) layer.
Here in Silly Valley, we were reminded a few days ago about just how exposed a carrier's infrastructure often is when someone severed 2 separate fiber rings in the San Jose area (one ATT, one Sprint), bringing down all sorts of communications for about 12 hours.
Part2:
After reading one of the referenced papers, 2 points stand out. A) They are discussing MPLS *VPNs* - which actually are running over layer 3. This implies that *physical* network access is not required, only access to the data stream. (various ways of achieving that)
B) The authors state certain background assumptions, including "Assumes attacker has access to traffic path (in core)". I note that this does not necessarily imply "access to physical hardware", only access to the "traffic path". Once again, there are ways to achieve this that do not require access to a physical router/etc.
Note that many of the vulnerabilities revolve around the use of MD5 for authentication (for BGP, over which some of these MPLS packets are traveling), which of course is now known to be crackable.