Cisco Support Community
MPLS

Can anyone tell me some of the vulnerabilities of running MPLS between remote locations without using the site to site VPN?

Accepted Solutions
Hall of Fame Super Blue

Re: MPLS

Bart

It really comes down to how much you trust the provider of the MPLS network. Just as with frame-relay/ATM you are relying on the provider to

1) not make a mistake in the configuration so that your traffic becomes visible to other companies

2) not look at your traffic. Any provider has the ability to do this, but if they did they would soon find they weren't getting much business :-).

It also depends on the security level of the company you work for. A lot of enterprises will accept MPLS without encryption but then again if you work for the Ministry of Defence or the equivalent in your country you might well decide the data you are dealing with is sensitive enough to need encryption.

Always bear in mind that MPLS/ATM/frame-relay, even dedicated P2P links are vulnerable to a provider.

Jon

Blue

Re: MPLS

Hi:

Well, what you are doing is basically outsourcing your L3 domain to a provider. It gives you less leverage over the routing environment, i.e. path selection, failover and redundancy.

Given today's robust service provider networks and the ubiquity of enterprise customers who rely on MPLS, I wouldn't be too concerned about these issues.

Security, however, is an issue that is [sort of] hotly discussed and debated in network security circles. Proponents of MPLS VPNs swear by its impenetrable and incorruptible routing architecture due to its ability to leverage IPv4 routing extensions which allow them to isolate routing instances across the MPLS backbone.

On the other hand, the skeptics cite the fact that MPLS VPNs are an extension of L3 domains and consist of IP addresses, which leave them vulnerable to typical DoS attacks and spoofing. Moreover, legacy site-to-site VPNs use IPSec encryption, which affords maximum security that MPLS alone can never match.

Some time back I read this pretty good article from Cisco.

Check it out.

Please rate all helpful posts.

http://www.cisco.com/en/US/tech/tk436/tk428/technologies_white_paper09186a00800a85c5.shtml#wp31759

HTH

Victor
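
Jon's point 1 (a provider configuration mistake making one customer's traffic visible to another) and Victor's point about MPLS VPNs isolating routing instances across the backbone both come down to the same mechanism: route targets decide which VRF imports which VPNv4 routes, and the customer has no say in how the provider types them. The Python model below is an added example, not code from this thread or from Cisco. The AS number 65000, the route distinguishers, route targets, PE names and prefixes are all made up, and it uses one RD per customer as a simplification. It builds two PEs each hosting a VRF for customer A and customer B, distributes the VPNv4 routes the way a route reflector would, and then audits every VRF for routes carrying another customer's RD, which is exactly what a fat-fingered `route-target import` produces.

```python
"""Toy model of BGP/MPLS VPN (RFC 4364) route distribution.

Added example, not code from the thread or from Cisco. The AS number
65000, the route distinguishers, route targets, PE names and prefixes
are all constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VpnRoute:
    rd: str                 # route distinguisher stamped on export
    prefix: str             # customer IPv4 prefix
    rts: frozenset          # route-target extended communities
    origin_pe: str          # PE that advertised the route


@dataclass
class Vrf:
    customer: str
    rd: str
    export_rts: frozenset
    import_rts: frozenset
    local_prefixes: list
    rib: dict = field(default_factory=dict)   # prefix -> VpnRoute


def export_routes(pe: str, vrf: Vrf) -> list:
    """PE turns each VRF-local prefix into a VPNv4 route tagged with the export RTs."""
    return [VpnRoute(vrf.rd, p, vrf.export_rts, pe) for p in vrf.local_prefixes]


def import_routes(vrf: Vrf, vpnv4_table: list) -> None:
    """A VRF accepts any VPNv4 route sharing at least one RT with its import list."""
    for route in vpnv4_table:
        if route.rts & vrf.import_rts:
            vrf.rib[route.prefix] = route


def build_network(b_site2_import: frozenset) -> dict:
    """Two PEs, each hosting one VRF for customer A and one for customer B.

    One RD per customer is a simplification; the RT values are made up.
    """
    rt_a, rt_b = frozenset({"65000:100"}), frozenset({"65000:200"})
    return {
        "PE1:A": Vrf("A", "65000:100", rt_a, rt_a, ["10.1.1.0/24"]),
        "PE1:B": Vrf("B", "65000:200", rt_b, rt_b, ["10.2.1.0/24"]),
        "PE2:A": Vrf("A", "65000:100", rt_a, rt_a, ["10.1.2.0/24"]),
        # the import list of this VRF is the knob the provider can get wrong
        "PE2:B": Vrf("B", "65000:200", rt_b, b_site2_import, ["10.2.2.0/24"]),
    }


def distribute(vrfs: dict) -> dict:
    """Emulate the route reflector: every PE exports, then every VRF imports."""
    vpnv4 = []
    for key, vrf in vrfs.items():
        vpnv4.extend(export_routes(key.split(":")[0], vrf))
    for vrf in vrfs.values():
        vrf.rib.clear()
        import_routes(vrf, vpnv4)
    return vrfs


def audit(vrfs: dict) -> dict:
    """Per VRF, the prefixes learned under an RD that is not the customer's own."""
    own_rd = {"A": "65000:100", "B": "65000:200"}
    return {
        key: sorted(r.prefix for r in vrf.rib.values() if r.rd != own_rd[vrf.customer])
        for key, vrf in vrfs.items()
    }


if __name__ == "__main__":
    correct = audit(distribute(build_network(frozenset({"65000:200"}))))
    typo = audit(distribute(build_network(frozenset({"65000:200", "65000:100"}))))
    print("correct config:", correct)
    print("fat-fingered import on PE2 VRF B:", typo)
```

With the correct import list the audit is empty for every VRF. With 65000:100 added to customer B's import list on PE2, B's site-2 VRF learns both of A's prefixes. The leak in the model is one-way, since A never imports B's routes, but one direction is enough for hosts at B's site 2 to send packets into A's network even though nothing comes back. On a real PE the equivalent check is to compare the RDs shown by `show ip bgp vpnv4 vrf <name>` against the customer's own, and only the provider can run it; that is the trust question Jon raises.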

4 REPLIES
New Member

Re: MPLS

Thanks, Jon, for the fast response. Lately whenever I hear of MPLS, there is talk of encryption, so I was wondering if there are any companies that are running MPLS without the encryption. Thanks

Super Bronze

Re: MPLS

I work with a large client that uses at least two independent international MPLS WANs without using encryption. (I.e. so there's at least one company that does.)

BTW, with them, the question does arise from time to time about using VPN encryption across the MPLS cloud. I try to remind them there are more likely other security risks that might need to be addressed first. Further, security has costs, which need to be compared to the probable risk of loss.

When you compare cost with risk of loss, general VPN encryption across MPLS often isn't justified. If there's just some data that's very sensitive, send it as an encrypted file (which also helps protect it across the LAN).

Today with wireless everywhere, your security risk might be higher with someone attaching their own AP to your LAN rather than a security breach within a provider's MPLS cloud.
