The nature of the MPLS service should be that the PE interface facing you will only be attached to a VRF with your routes, so you will be protecting yourself from yourself. Depending on the provider there could be routing from their global space to your VRF, maybe for CE management. If you are sceptical, or have a good reason (Financial institution) you could ACL off the PE permitting only GRE traffic from the other CE sites. It will essentially come down to your companies internal Security Policy.
Are the CEs provider managed? Are your GRE tunnels created on the CE or one hop further in?
You are going the right path, alot of people assume mpls as security technology, but all you need is someone to screw up the RT and leak your routes or vi-verse, so depends how much you data is important to you,should dictate how much work you want to implement. as the previous person mentioned if you skeptical and want to protect your data from everyone then IPsec is your path. just be careful and make sure your ISP does not fragment your packet as IPsec add extra bytes.
Thanks for the useful advise regarding the fragmentation ... But really what I am looking for the industry's best practice when it comes to the CE-PE relationship, and till now I was not able to find one. If you have some kind of reference , please do let me know.
1. Introduction Internet security is important with the increasing
attacks that are happening every day. Many internet and browsing
security solutions exist, but some are not very easy to use or maybe the
question is how can I enable them? In this referen...
Cisco Software Manager Server API Guide This document describes the
programmatic interfaces, RESTful APIs, which are supported by Cisco
Software Manager Server (CSM Server). Overview CSM Server supports a set
of finite RESTful APIs. The first step to use ...
If you are using Cisco's new linux-based Cisco Software Manager server,
then you probably want to make sure there is a startup service for
it.I'll assume that you've already installed the CSM server on a
systemd-based linux system. The commands given belo...