Truth About MPLS Security

MYTH: MPLS is Private

“We use a private network” is often stated as the reason for not protecting data as it travels over 3rd party networks.

But is MPLS really private?

MPLS is technically a VPN or a Virtual Private Network, meaning it’s not actually private - it only mimics privacy by logically separating data with labels.

More importantly - even if MPLS were private, is privacy the equivalent of security?

The answer is no.

FACT: MPLS is a Shared Service

There is nothing private about it.

The labels generated by MPLS logically segment user traffic but they are used only for forwarding purposes. Traffic from thousands of different customers and users (including traffic from other carriers and the Internet) traverse a common set of backbone routers in rapid succession.

Each router in an MPLS network performs “label swapping.” The new label is used by the next router for forwarding purposes. At any given moment traffic from competitors and other provider networks flows across a common infrastructure.

Customer Edge (CE) routers are assigned to individual customers, but Provider Edge (PE) and Provider backbone (P) routers are shared.
In other words, only the router in your office is “private” - the very next router your traffic hits (and all the routers after it) are shared by multiple users.

MYTH: MPLS is Secure

There is a common misconception that MPLS provides some level of security.
The truth is that MPLS offers:
• No protection against misconfigurations: human and machine errors, as well as OS bugs, can result in MPLS traffic being misrouted.
• No protection from attacks within the core: MPLS is vulnerable to all the traditional WAN attack vectors.
• No protection from, or detection of, sniffing/snooping: it is impossible to detect if someone is siphoning or replicating data; there is no “alarm” that goes off if data is being stolen.
• No data security: the data is left in the clear and can be accessed, replicated, or used by anyone who gains access to it.

FACT: MPLS has no Inherent Security

The illustration above shows the components of an MPLS header. Note the absence of any security measures within the header itself.
• The Label Value provides forwarding information used by the routers.
• Traffic Class (TC) bits are used to provide services such as traffic prioritization.
• The Stacking bit (S) allows multiple labels to be used.
• TTL is a “time to live” marker to allow packets to expire.

None of these mechanisms provide security.

Also note that the original IP packet is unchanged, which means with MPLS your data traverses a shared network in the clear.
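As an added illustration (not part of the original paper), the following Python decodes the four label-stack fields described above, emulates one hop of label swapping, and then reads the encapsulated IPv4 packet straight out of the frame. The frame, addresses and payload are constructed inline.

```python
import struct

def parse_label_stack(frame):
    """Walk the MPLS label stack at the start of `frame`.
    Each 32-bit entry is Label(20) | TC(3) | S(1) | TTL(8); S=1 marks the bottom of the stack.
    Returns (entries, offset of the encapsulated IP packet)."""
    entries, off = [], 0
    while True:
        (word,) = struct.unpack_from("!I", frame, off)
        entries.append({"label": word >> 12, "tc": (word >> 9) & 0x7,
                        "s": (word >> 8) & 0x1, "ttl": word & 0xFF})
        off += 4
        if entries[-1]["s"]:
            return entries, off

def encode_entry(label, tc, s, ttl):
    return struct.pack("!I", (label << 12) | (tc << 9) | (s << 8) | ttl)

def label_swap(frame, new_label):
    """Emulate what a P/PE router does: rewrite the top label and decrement its TTL.
    Everything after the top entry, including the IP packet, is forwarded byte-for-byte."""
    top = parse_label_stack(frame)[0][0]
    return encode_entry(new_label, top["tc"], top["s"], top["ttl"] - 1) + frame[4:]

def inner_ipv4(frame):
    """Read the encapsulated IPv4 packet out of the frame: no field in the label
    stack conceals the addresses or the payload from anyone holding the bytes."""
    _, off = parse_label_stack(frame)
    ip = frame[off:]
    ihl = (ip[0] & 0x0F) * 4
    to_str = lambda b: ".".join(str(x) for x in b)
    return to_str(ip[12:16]), to_str(ip[16:20]), ip[ihl:]

def build_ipv4(src, dst, payload):
    # Constructed minimal IPv4/UDP header (no options, checksum left at 0 for the demo).
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                      bytes(src), bytes(dst))
    return hdr + payload

# Constructed sample frame: one label (0x12345, TC 5, bottom-of-stack, TTL 64) over cleartext IP.
PAYLOAD = b"payroll report Q3 (constructed cleartext)"
FRAME = encode_entry(0x12345, 5, 1, 64) + build_ipv4((10, 0, 0, 1), (10, 0, 0, 2), PAYLOAD)

if __name__ == "__main__":
    entries, _ = parse_label_stack(FRAME)
    print("ingress label stack:", entries)
    swapped = label_swap(FRAME, 0xFFF)          # the next hop forwards on the new label
    print("inner IP untouched:", swapped[4:] == FRAME[4:])
    print("readable on the shared core:", inner_ipv4(swapped))
```

The same decode works on a multi-label stack (the loop stops at the first entry with S=1), which is the general case the header description covers.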

MYTH: Encryption Breaks MPLS

IPsec VPNs are typically used to protect data on MPLS networks. While they do provide excellent security, they also mask many of the features service providers offer, including:
• Class of Service
• Netflow/J-Flow
• Network Address Translation (NAT)
• Policy based routing
Other traditional issues with IPsec tunnels include:
• Forces any-to-any networks to become point-to-point connections
• Requires complex configurations, which are expensive to operate and manage
• Is not VoIP or Video compatible (due to increased latency)
• Slows/breaks Multicast
• Breaks load balancing
• Often requires router/OS upgrades
• Hides application information required for troubleshooting

FACT: Group Encryption is Transparent to MPLS

Group Encryption allows security administrators to create encryption policies that match the existing network topology and application flows - without creating tunnels.

By maintaining the original headers, Group Encryption allows you to retain all of the benefits (including layer 4 services) of MPLS, while providing the highest level of data protection.


MYTH: Encryption Kills Performance

Latency has traditionally been one of the major drawbacks of encryption.

Even with an accelerator card in place there can be as much as an 80% drop in performance on a WAN link while encrypting. No amount of cryptographic acceleration can help because encryption is not the only cause of latency. Other contributors are massive policy maps and the associated look-ups that get created when an any-to-any network is relegated into point-to-point relationships.

Latency can also be caused by the repeated passing of packets through the router backplane.

FACT: You Can Encrypt MPLS Without Impacting Quality or Performance

Group Encryption does not impact network performance

Because Group Encryption does not impact the underlying infrastructure or impose point-to-point connections, any topology can be secured without modifications.
• Full mesh networks can be encrypted while preserving Layer-4 services
• VoIP can be encrypted without impacting call quality
• Dual carrier networks can be secured without impacting SLAs
• Load balanced networks can be secured without impacting high availability

Encrypt latency-sensitive applications such as voice and video

Because the complexity of tunnels and the latency-inducing policy look-ups are avoided, voice and video can be secured without hampering quality.

MYTH: Encryption is Expensive

Encryption is not expensive - encryption with traditional IPsec tunnels is expensive!

It can take as many as 15 minutes to set up a VPN tunnel.

That may not sound like much but consider this:
• A 50 node network would take 36,750 minutes to configure all the IPsec tunnels. That’s 600 hours of work just to set it up.
• All of those tunnels create policy maps that can significantly choke router throughput.
• A typical 1Gbps link can cost $3k a month and you could get as little as 240Mbps throughput, even with a standard accelerator card. You could be wasting thousands of dollars per month per site.
• If you have to add or drop a site, it’s another 300 hours of work every time!
All of this complexity also creates additional vulnerabilities in the network.

FACT: Group Encryption Has a Low Total Cost of Ownership (TCO)

With tunnel-less Group Encryption, policies are created using drag and drop functionality. You can secure a large full mesh network with a single policy that takes only minutes to set up and manage, even for very large networks.

Policy and encryption key refreshes can be set up to take place at regular intervals or with the click of a button. Performance is maintained because the massive policy look ups that choke router performance are avoided. In some cases, WAN acceleration can be avoided because there is nothing impeding performance.