MPLS security

jlazzaro

Golden Member
May 6, 2004
i've been having some heated debates regarding MPLS security with a few friends...

my stance: it's no different from any other FR/ATM transport. VRF separates customer traffic, 2 labels encapsulate/tunnel traffic, and it's a private network with private addresses so no risk of public connectivity.

their stance: it's still in clear text, so if someone has access to the carrier infrastructure they could read the packets. also, we are depending on the carrier to separate customer traffic; what if they have a misconfiguration on their end?

for those who have built MPLS infrastructures, was encryption even a topic of discussion? other than truly secure/type 1 data, is there any reason to do so? i think paranoia is starting to take over ;x
 

spidey07

No Lifer
Aug 4, 2000
Never even considered. Doesn't need to be. You're exactly right, it's like any frame network just moved up a layer. Frame relay/ATM you had the same thing, a misconfiguration could allow your traffic to go where it wasn't intended and you have to be really specific to allow the VRFs to mingle.

Now I assume you're talking about encryption from customer end points? Not full blown encryption of the entire MPLS and every single VRF?
 

cmetz

Platinum Member
Nov 13, 2001
There are two issues being intertwined.

The first is: what kind of transport is MPLS. It's basically son-of-ATM, where the parts of ATM that anyone cared about were in turn born from Frame Relay. So it is basically the same thing as ATM and FR from your perspective. It should not send your traffic where it's not supposed to, but can be misconfigured or attacked in the carrier network.

The second is: what level of security do you need when traversing a private network outside your physical security boundaries. Many folks require that all of their data that goes over outside lines be encrypted, be they a point-to-point circuit like a T1 or a virtual circuit on SONET/MPLS/ATM/FR, or a multipoint like MPLS/ATM/FR. Many folks use dynamic routing with authentication, PPP authentication, or the like to prevent circuits from turning up if the endpoint isn't a trusted endpoint. And many folks consider "private" lines from a telco to be good enough and don't do anything at all, and just trust that the telco will keep it private.

Your site and its security requirements will determine what is and isn't okay. It's a cost/benefit decision.

I have never actually seen telcos send traffic where it isn't supposed to go. That doesn't mean it's not a valid security threat, but I do think they really try to keep private circuits from crossing; certainly they seem to try harder at that than at keeping them working. I have seen telcos cross-connect T1s to the wrong place though.
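The "VRFs mingling" misconfiguration that spidey07 and cmetz both mention comes down to route-target (RT) import/export lists on the provider edge. The following is an added example, not code from any poster or from a router vendor: a toy Python model of RT-based VRF separation with an audit function that flags imports crossing customer boundaries. The customer names, VRF names, prefixes and RT values are constructed for illustration.

```python
"""Toy model of route-target (RT) based VRF separation in an MPLS L3VPN.

Added example for this thread; not from any poster, vendor or standard.
Customers, VRF names, prefixes and RT values below are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network
from typing import Dict, List, Set, Tuple


@dataclass
class Vrf:
    name: str
    customer: str                 # owner according to the carrier's provisioning records
    export_rt: Set[str]           # RTs stamped on routes this VRF announces into MP-BGP
    import_rt: Set[str]           # RTs this VRF accepts from the VPNv4 table
    local_prefixes: List[str] = field(default_factory=list)


@dataclass(frozen=True)
class Vpnv4Route:
    prefix: IPv4Network
    rts: frozenset                # extended-community RTs carried with the route
    origin_vrf: str


def export_routes(vrfs: Dict[str, Vrf]) -> List[Vpnv4Route]:
    """Every VRF announces its local prefixes tagged with its export RTs."""
    return [
        Vpnv4Route(IPv4Network(p), frozenset(v.export_rt), v.name)
        for v in vrfs.values() for p in v.local_prefixes
    ]


def build_tables(vrfs: Dict[str, Vrf]) -> Dict[str, Dict[str, str]]:
    """A VRF imports a VPNv4 route iff one of the route's RTs is in its import set.
    Returns {vrf_name: {prefix: origin_vrf}}. With disjoint RTs the tables never mix."""
    tables: Dict[str, Dict[str, str]] = {v.name: {} for v in vrfs.values()}
    for route in export_routes(vrfs):
        for v in vrfs.values():
            if route.rts & v.import_rt:
                tables[v.name][str(route.prefix)] = route.origin_vrf
    return tables


def audit_cross_customer_imports(
    vrfs: Dict[str, Vrf],
    approved_extranets: Set[Tuple[str, str]] = frozenset(),
) -> List[Tuple[str, str, str]]:
    """Flag every (importing_vrf, exporting_vrf, rt) where the two VRFs belong to
    different customers and the pair is not an approved extranet. This is the
    check a carrier (or a customer reviewing its provider's configs) would run
    to catch a provisioning typo before it leaks routes between customers."""
    findings: List[Tuple[str, str, str]] = []
    for importer in vrfs.values():
        for exporter in vrfs.values():
            if importer.customer == exporter.customer:
                continue
            if (importer.name, exporter.name) in approved_extranets:
                continue
            for rt in sorted(importer.import_rt & exporter.export_rt):
                findings.append((importer.name, exporter.name, rt))
    return findings


def demo(mistyped_import: bool) -> Tuple[Dict[str, Dict[str, str]], List[Tuple[str, str, str]]]:
    """Constructed two-customer PE. With mistyped_import=True, GLOBEX's import
    list also carries ACME's RT (a one-digit provisioning mistake)."""
    globex_import = {"65000:200", "65000:100"} if mistyped_import else {"65000:200"}
    vrfs = {
        "ACME": Vrf("ACME", "Acme Corp", {"65000:100"}, {"65000:100"},
                    ["10.1.0.0/16", "10.2.0.0/16"]),
        "GLOBEX": Vrf("GLOBEX", "Globex Inc", {"65000:200"}, globex_import,
                      ["172.16.0.0/16", "192.168.50.0/24"]),
    }
    return build_tables(vrfs), audit_cross_customer_imports(vrfs)


if __name__ == "__main__":
    for typo in (False, True):
        tables, findings = demo(typo)
        print("with typo" if typo else "clean", tables, findings)
```

Note that the leak is one-directional: with the typo, GLOBEX's table gains ACME's prefixes, while ACME's table stays clean because ACME never imports GLOBEX's RT. That asymmetry is why a review of only your own VRF's routing table would not reveal that another customer can reach you; the audit has to look at the provider-side import lists.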
 

freegeeks

Diamond Member
May 7, 2001
I worked for a telco and we offered a managed router service where ipsec on top of whatever layer 2 service was an option. There may not be a technical need but there is a business need to offer something like that.
 

Cooky

Golden Member
Apr 2, 2002
IMHO, MPLS by nature provides your own private network, and should be treated as very secure.

Some instances may call for encryption, such as PCI compliance.
Our security team told us wherever credit card & SSN traverse, we have to encrypt it, even if it's MPLS.

It also has something to do w/ how much you trust your carrier...if you're a global company who relies on carriers in foreign countries to back haul your MPLS network, do you feel comfortable that your trade secrets are going through their network in clear text?
I haven't looked into exactly how carrier-supporting-carrier within MPLS is done to determine if that's even a threat, but just a thought.

We had a similar debate within our organization.
Security team keeps bugging us about using telnet vs ssh.
Our initial response was it's not a big deal on a switched network.
They said what if one of us turned rogue, and set up a SPAN port to sniff sensitive data.
We said the company just has to pay us more to make sure that doesn't happen...