Got a lot to learn my boi.
MPLS requires dedicated hardware on both ends, with service from telecoms. Some companies use fiber or cable, which cannot use MPLS, so there you go. Employing VPN tunneling is the second-best option for companies in joint relationships. If two companies use MPLS and break up, someone is going to have to pay the severance fee.
MPLS is most often used between home office and branch offices in decent locations where it is available. Or if they are desperate enough, multiple T1s meet their speed requirements.
We had MPLS in China and encrypted it because, well, China.
I think it was mostly done due to cost. I have seen a lot of schools just plugging their layer-2 switches directly into the provider’s layer-3 CPE, which ends up being super cheap for them. It makes me panic thinking about trying to troubleshoot issues without access to site’s layer-3 infrastructure, but maybe that’s just because I’ve never tried it.
I’ve always encrypted traffic over MPLS because (a) I know how to configure it, (b) I’m already tunneling because I want to control the routing, and (c) it’s effectively free at the line speeds I was running. In only one case did I consider not encrypting because we relocated our most data-heavy users across the street from head office and that cost us a lot of money to get routers that supported IPsec at an acceptable rate, but management had backed themselves into a corner so the money was cheap compared to accepting the mistake and moving a different group instead.
Orgs I’ve worked at and deployed setups for still encrypted, for reasons.
But I can see the other side of the argument others have commented on, involving trust, etc.
However, depending on the org, that trust can sometimes not be enough, or the data is of a specific nature or at a level that shouldn’t be unencrypted regardless.
You’re buying a private network… Your provider is responsible if it’s not. That’s why.
-
You’ve got a contract with your MPLS provider. If they somehow mess up your path isolation, you can take it out of their hide.
-
If you’re still going with MPLS over a site-to-site VPN despite the difference in cost, there’s a pretty good chance you’re spanning layer 2 and/or have a need for jumbo frames where carriers just won’t support a high enough MTU to avoid fragmentation. Either way, not in a great position to start stuffing even more things into headers.
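The MTU point above is easy to get wrong by guesswork, so here is an added example (not code from anyone in this thread) that works out how many bytes an IPsec ESP tunnel adds on top of an inner packet, and therefore the largest packet that can cross a circuit of a given MTU without fragmentation. Header sizes come from RFC 4303 (ESP) and RFC 4106 (AES-GCM in ESP); the GRE-over-IPsec case assumes a basic 4-byte GRE header with no key or sequence fields, and the two cipher suites are illustrative choices.

```python
"""
ESP tunnel-mode overhead calculator.

Added example, not code from any commenter in this thread.  Header sizes
follow RFC 4303 (ESP) and RFC 4106 (AES-GCM in ESP).  Assumption: the GRE
case uses a plain 4-byte GRE header with no key or sequence fields.
"""
from dataclasses import dataclass

IPV4_HDR = 20      # outer IPv4 header added in tunnel mode
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
NAT_T_UDP = 8      # UDP encapsulation when NAT traversal is negotiated
GRE_OVER_IPV4 = IPV4_HDR + 4  # assumption: basic GRE header, no options


@dataclass(frozen=True)
class EspCipher:
    name: str
    iv_len: int      # per-packet IV carried in the ESP payload
    icv_len: int     # integrity check value appended after the trailer
    align: int       # alignment required for payload + trailer


# Two common suites.  ESP itself requires 4-byte alignment; CBC additionally
# needs the 16-byte block size, so the stricter requirement applies.
AES_GCM_128 = EspCipher("aes128gcm16", iv_len=8, icv_len=16, align=4)
AES_CBC_SHA256 = EspCipher("aes128-sha256", iv_len=16, icv_len=16, align=16)


def esp_padding(inner_len: int, cipher: EspCipher) -> int:
    """Padding bytes so that payload + trailer ends on the alignment boundary."""
    return (-(inner_len + ESP_TRAILER)) % cipher.align


def esp_tunnel_size(inner_len: int, cipher: EspCipher, *,
                    nat_t: bool = False, gre: bool = False) -> int:
    """On-the-wire size of an inner IPv4 packet after ESP tunnel encapsulation."""
    if gre:
        # GRE-over-IPsec: the GRE packet is what gets encrypted, so its
        # headers count as inner payload and are padded along with it.
        inner_len += GRE_OVER_IPV4
    size = IPV4_HDR + ESP_HDR + cipher.iv_len
    size += inner_len + esp_padding(inner_len, cipher) + ESP_TRAILER + cipher.icv_len
    if nat_t:
        size += NAT_T_UDP
    return size


def max_inner_mtu(link_mtu: int, cipher: EspCipher, *,
                  nat_t: bool = False, gre: bool = False) -> int:
    """Largest inner packet that still fits in link_mtu without fragmentation."""
    inner = link_mtu
    while inner > 0 and esp_tunnel_size(inner, cipher, nat_t=nat_t, gre=gre) > link_mtu:
        inner -= 1
    return inner


def fits(inner_len: int, link_mtu: int, cipher: EspCipher, **kw) -> bool:
    """True if an inner packet of inner_len bytes crosses the link unfragmented."""
    return esp_tunnel_size(inner_len, cipher, **kw) <= link_mtu


if __name__ == "__main__":
    # A standard 1500-byte circuit versus a jumbo-frame circuit, per suite.
    for link in (1500, 9000):
        for c in (AES_GCM_128, AES_CBC_SHA256):
            print(f"link MTU {link:5d}  {c.name:14s}"
                  f"  max inner {max_inner_mtu(link, c)}"
                  f"  with GRE {max_inner_mtu(link, c, gre=True)}"
                  f"  with NAT-T {max_inner_mtu(link, c, nat_t=True)}")
```

Run it and the 1500-byte row shows why an untouched 1500-byte inner packet never fits: even the cheapest suite (AES-GCM, no NAT-T, no GRE) needs 1556 bytes on the wire, and the carrier has to fragment or drop it. That is the usual reason tunnel interfaces get an MTU around 1400 plus TCP MSS clamping; on a circuit that already cannot offer enough headroom for jumbo frames, the calculator makes the shortfall concrete before you commit to the design.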
Larger organizations should encrypt all communications. Googlers say “F*** you” to NSA, company encrypts internal network - Ars Technica
You’re right, it’s stupid, and it’s sloppy.
This, basically; your threat actor is different.
On the Internet your concern is everyone.
On private it’s generally your MPLS provider (who really doesn’t care about your private data and doesn’t have many ways to make money by doing so), and the government, which in Australia at least needs a wiretap request via police before anything happens.
This. MPLS for most companies replaced T1 / T3 circuits and frame relay services that weren’t encrypted. The argument at the time was that if you trusted your carrier with your non-encrypted traffic using older services, you could trust it with MPLS. IIRC, the usual approach when requiring encryption was to use IPsec.
Just to clarify something, it is not potentially, it is 100%. I work in an SP, and it isn’t just because the SP wants to do it, it is because it has to do it.
That and the names used at the time. These types of connections were referred to as “private line” versus the “public internet.” I remember some people actually thought MPLS stood for Metro Private Line Service. Some companies marketed it as that. https://www.lumen.com/en-us/networking/private-line-metro.html
You can MACsec nicely with EoMPLS. But from the comments here I can see most people have sold their souls to SD-WAN.
Also, even on-net traffic should be encrypted at the application layer. As you mentioned, with endpoint authentication, whether by IPsec or MPLS/trusting service provider circuits, encrypting payloads is less important.
To add to this, anything I care about on the MPLS is encrypted anyway. RDP? PCoIP? Outlook? Web servers? That shit is all encrypted now.
That’s a good point, I didn’t consider that.
“VPN”? You mean encryption. Encrypting over MPLS is not insane and is highly recommended in my eyes. I’d say 90% of my customers encrypt over MPLS, but due to cost and performance they are often tempted to go unencrypted if they can get away with it… rarely, though.
Confidentiality, Integrity & Availability are important to all customers. Every customer has some crown jewels that would cost them money or their competitive edge if they leaked out. How much $$$ a customer is willing to invest to near-enforce/guarantee that is up to the company… but risk is risk… and sleeping at night is important for everyone in the organisational food chain. MPLS vs Internet are still both an untrusted/semi-trusted segment, as 3rd parties have access to the packets and can screw something up without audit, without transparency, and without any accountability. MPLS within many countries is just a route on a VPN (VRF) traversing the same ISP router, so unclassified and untrained engineers from all sorts of countries and backgrounds have the ability to interrupt the Confidentiality, Integrity & Availability of your business.
Routing screwups happen to the best of us, and VPN (VRF) leaking happens in all Telcos that I know of, even if it’s just Telco management tools, shared RADIUS server leaking, shared APN services, and other Telco leaks within your MPLS VPN… MPLS is NOT a security mechanism - In my books it’s the security equivalent to an Open SSID with MAC Whitelisting by a 3rd party… (similar anyway)
Nowadays, WAN technologies are starting to auto-encrypt. There is no excuse not to encrypt over every and any circuit that isn’t dark, and even dark fibre encryption I would encourage, due to easy, non-disruptive and cheap tap technology.
Honestly all traffic crossing your internal network should be encrypted anyway, especially if it contains data that isn’t public. Basic tenet of Zero Trust is that you assume the attacker is on your network.
VoIP traffic is generally unencrypted UDP traffic anyway, so that’s not really a change between SD-WAN and MPLS.