As part of my work, I'm trying to figure out the security concerns of MPLS and here are my brain droppings on the same.
My network guys insist that MPLS is private and therefore secure, but is it really? It is true that MPLS networks are generally considered private and are not required to be encrypted. But this relies heavily on the provider's configuration and implementation of the MPLS network. If the provider's MPLS network has any exposure to the Internet, whether through an LSR or any other device, it has to be deemed "untrusted". MPLS relies on label switching and is just another specialized form of IP network, so how "private" the MPLS network is depends entirely on how "private" it has been engineered to be. Although private addressing is used on the MPLS network, that addressing is private to the carrier, not necessarily to the customer. And the mere use of private addressing is no guarantee that this traffic never comes into contact with the Internet or Internet traffic. It seems to be fairly common practice for carrier core routers to use VRFs to forward both MPLS VPN traffic and Internet traffic on the same equipment. As a matter of fact, it is fairly common practice to route ATM and Frame Relay networks over MPLS backbones.
Taking this into consideration, it would be prudent for a security engineer to look into the MPLS configs more closely, work with the carriers to understand how they implement MPLS, and see whether you can get a look at their LSR configs. It's only a matter of time before someone figures out a way to attack MPLS successfully via the public Internet, and then everyone will rush to respond. Ensuring encryption of your MPLS circuits will go a long way toward keeping your company from showing up on the front page.
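To make the "labels are not encryption" point concrete, here is an added example (my own illustration, not part of the original post and not any carrier's code). It builds two constructed MPLS-encapsulated frames and parses them the way a device in the carrier core could: a two-label stack (transport label 16005 and VPN label 24 are made-up values) over an IPv4/UDP packet carrying a cleartext application string, and the same stack over an IPv4/ESP packet. The ESP payload is an opaque byte string standing in for ciphertext, not real IPsec output, and the IPv4 checksum is left at zero since nothing transmits these frames. Everything that is readable from the first frame, including the private 10.x addresses and the application data, is visible to any box on the label-switched path; on the second only the SPI and sequence number are.

```python
import struct

# ---- builders for the constructed sample frames (values are made up) ----

def mpls_shim(label, bos, ttl=64, tc=0):
    """One 4-byte MPLS shim header (RFC 3032): 20-bit label, 3-bit TC, S bit, TTL."""
    return struct.pack("!I", (label << 12) | (tc << 9) | (bos << 8) | ttl)

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum deliberately left 0 for this offline sample."""
    return struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
        bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))

APP_DATA = b"ACCOUNT=12345 BALANCE=999.00"          # constructed cleartext payload
UDP = struct.pack("!HHHH", 5000, 5001, 8 + len(APP_DATA), 0)
PLAIN_FRAME = (mpls_shim(16005, 0) + mpls_shim(24, 1)
               + ipv4_header("10.1.1.10", "10.2.2.20", 17, len(UDP) + len(APP_DATA))
               + UDP + APP_DATA)

OPAQUE = bytes(range(0x90, 0xB0))                     # stands in for ESP ciphertext
ESP_HDR = struct.pack("!II", 0x1000, 7)               # SPI, sequence number (constructed)
ESP_FRAME = (mpls_shim(16005, 0) + mpls_shim(24, 1)
             + ipv4_header("192.0.2.1", "198.51.100.1", 50, len(ESP_HDR) + len(OPAQUE))
             + ESP_HDR + OPAQUE)

# ---- what a label-switching device (or anyone tapping the core) can parse ----

def parse_mpls_stack(frame):
    """Walk shim headers until the bottom-of-stack bit; return (labels, payload offset)."""
    labels, offset = [], 0
    while True:
        if len(frame) < offset + 4:
            raise ValueError("truncated MPLS header")
        (word,) = struct.unpack("!I", frame[offset:offset + 4])
        labels.append({"label": word >> 12, "tc": (word >> 9) & 0x7,
                       "bos": (word >> 8) & 0x1, "ttl": word & 0xFF})
        offset += 4
        if labels[-1]["bos"]:
            return labels, offset

def parse_ipv4(pkt):
    """Return addresses, protocol and the L4 payload of an IPv4 packet."""
    if pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0xF) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return {"proto": pkt[9],
            "src": ".".join(str(b) for b in pkt[12:16]),
            "dst": ".".join(str(b) for b in pkt[16:20]),
            "payload": pkt[ihl:total_len]}

def what_the_core_can_read(frame):
    """Summarise every field recoverable from a labelled frame without any key."""
    labels, off = parse_mpls_stack(frame)
    ip = parse_ipv4(frame[off:])
    out = {"labels": [l["label"] for l in labels],
           "src": ip["src"], "dst": ip["dst"], "proto": ip["proto"], "app_data": None}
    if ip["proto"] == 17:                             # UDP: ports and data are cleartext
        sport, dport, ulen, _ = struct.unpack("!HHHH", ip["payload"][:8])
        out["ports"] = (sport, dport)
        out["app_data"] = ip["payload"][8:ulen]
    elif ip["proto"] == 50:                           # ESP: only SPI/seq are visible
        spi, seq = struct.unpack("!II", ip["payload"][:8])
        out["esp"] = {"spi": spi, "seq": seq}
    return out

if __name__ == "__main__":
    for name, frame in (("plain over MPLS", PLAIN_FRAME), ("ESP over MPLS", ESP_FRAME)):
        print(name, what_the_core_can_read(frame))
```

The VRF on a shared core router keeps routes apart; it does nothing to the bytes after the label stack, which is why the first frame's application data falls out of a twenty-line parser. Whether the carrier's core is "private" or sits next to Internet traffic, the only field set that stays unreadable is the one your own IPsec endpoints encrypted.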