72 Chapter 3: MPLS Security Analysis
In CsC Layer 2, as in the Inter-AS architecture, security is paramount for any critical
interface. Therefore, we repeat this warning:
NOTE Never connect PEs and CEs over a shared Layer 2 infrastructure such as an Internet
Exchange Point (IXP). Use a private connection, or at least a private VLAN.
The Carrier’s Carrier architecture provides a secure way to operate multilevel VPNs,
assuming correct implementation and operation. It is the backbone carrier that assigns and
polices policy for the customer carrier, as the customer carrier does for its customers. On
both levels the “customer” has no way to break the VPN separation of the level above.
On both levels the lower level needs to trust the upper level to correctly implement and
operate the network. For the end customer, this trust is transitive: the customer needs to trust
the customer carrier, and implicitly also the backbone carrier.
Security Issues Not Addressed
by the MPLS Architecture
In discussions about MPLS security, a number of questions typically arise that are
outside the scope of the MPLS architecture. This means these issues have nothing to
do with the standards and cannot, therefore, be controlled by the architecture. The
following list describes these issues and explains why they are outside the scope of
the architecture.
Protection against misconfiguration or operational mistakes—The standards
describe the architecture. This whole chapter examined MPLS VPNs based on this
architecture. This architecture can also be misapplied, leading to security issues. Here’s
an example: As long as the PE is configured correctly according to the standard,
the solution is secure. However, any operator could misconfigure a PE, breaking the
security. This is not an architectural issue, but an operational issue. These problems are
discussed in Chapter 8, “Secure Operation and Maintenance of an MPLS Core.
VPN data confidentiality, integrity, and origin authentication—There is no
guarantee to VPN users that packets do not get read or corrupted when in transit over
the MPLS core. MPLS as such does not provide any of the above services. It is
important to understand that a service provider has the technical possibility to sniff
VPN data, and VPN users can either choose to trust the service provider(s) not to use
their data inappropriately, or they can encrypt the traffic over the MPLS core, for
example with IPsec, as described in Chapter 6, “How IPsec Complements MPLS.
Attacks from the Internet through an MPLS backbone—If the MPLS backbone
provides an Internet access to a VPN, attacks from the Internet into this VPN are

Get MPLS VPN Security now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.