In principle, where a tunnel or VPN technology sits in the OSI stack determines its degree of transparency, its exposure to attacks, its likelihood of compromise, and the means by which it achieves secrecy or privacy (see Table 11-1).
Table 11-1  Tunnel and VPN technologies by OSI layer

Layer 1     Dedicated physical circuits (copper, dark/lit fiber), (D)WDM[*], multiplexing (TDM)[**], SDH/SONET[***] circuits
Layer 2     ATM/Frame Relay/VLANs/L2TP/Layer 2 over MPLS (pseudo-wires), BGP/MPLS VPNs
Layer 3     IPSec crypto tunnel, BGP/MPLS VPNs
Layer 4     TCP/UDP user-space tunnel
> Layer 4

[*] (D)WDM = (dense) wavelength-division multiplexing
[**] TDM = time-division multiplexing
[***] SDH/SONET = Synchronous Digital Hierarchy/Synchronous Optical Network
The transmission technology itself also has consequences; wireless networks are the clearest case, because anyone within range can eavesdrop on a conversation. Fiber or high-security ducts (waveguides), by contrast, cannot easily be compromised without notice, and sniffing becomes harder as bandwidth grows. Above Layer 3, the degree of hostility increases considerably, because official IP addresses and transport-layer ports are internationally routed and therefore reachable from anywhere. Below Layer 3, an attacker needs physical access to ATM, Frame Relay, or MPLS edge routers, or to Ethernet switch access ports, before a real threat exists. Attacks against telco equipment essentially target either a link or a network element (SDH, ATM, Frame Relay), and they are rarely heard of.
It is highly recommended that you read draft-behringer-mpls-security-06.txt, "Analysis of the Security of the MPLS Architecture" (http://www.ietf.org/internet-drafts/draft-behringer-mpls-security-06.txt), to get an idea about how MPLS VPN security compares to trusted Layer 2 VPNs such as ATM or Frame Relay.
Reasons for considering or deploying tunnels include the following:
Broadcast and multicast relay requirements
IPv6 over IPv4 transport (connecting isolated IPv6 realms)
Transport of private addresses (RFC 1918)
Transport of non-IP network layer protocols (Internetwork Packet Exchange [IPX])
Dynamic routing protocols
Mobile IP applications
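The following is an added example, not code from the book, showing the second reason in the list above (IPv6 over IPv4 transport) as a Layer 3 tunnel in miniature: an IPv6 packet is wrapped in an outer IPv4 header with protocol 41, and the receiving end validates the outer header before handing the inner packet up. It also makes the exposure point of Table 11-1 concrete: everything in the outer header is visible on the wire to anyone along the routed path, and because the outer address is globally reachable, the decapsulator must check that the packet really came from the configured remote endpoint. The addresses (192.0.2.0/24, 198.51.100.0/24, 2001:db8::/32) are constructed documentation values, and the sample packet is built inline.

```python
import struct
import ipaddress

IPPROTO_IPIP = 4    # IPv4 inside IPv4 (RFC 2003)
IPPROTO_IPV6 = 41   # IPv6 inside IPv4 (RFC 4213, Linux "sit")
# outer protocol number -> IP version expected in the inner packet
TUNNEL_PROTOS = {IPPROTO_IPIP: 4, IPPROTO_IPV6: 6}


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 for a header whose checksum field is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options), DF set, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + payload_len, 0, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def encapsulate(outer_src: str, outer_dst: str, inner: bytes) -> bytes:
    """Wrap an inner IPv4 or IPv6 packet in an outer IPv4 header (IP-in-IP style tunnel)."""
    version = inner[0] >> 4
    proto = {4: IPPROTO_IPIP, 6: IPPROTO_IPV6}.get(version)
    if proto is None:
        raise ValueError("inner packet is neither IPv4 nor IPv6")
    return build_ipv4_header(outer_src, outer_dst, proto, len(inner)) + inner


def decapsulate(packet: bytes, expected_src: str) -> bytes:
    """Validate the outer header and return the inner packet.

    expected_src is the configured remote tunnel endpoint; RFC 4213 requires the
    decapsulator to drop packets whose outer source is not that endpoint, since any
    host on the Internet can otherwise inject traffic into the tunnel.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    hlen = (packet[0] & 0x0F) * 4
    if hlen < 20 or len(packet) < hlen:
        raise ValueError("bad IHL")
    if ipv4_checksum(packet[:hlen]) != 0:
        raise ValueError("outer header checksum mismatch")
    total_len = struct.unpack("!H", packet[2:4])[0]
    if total_len < hlen or total_len > len(packet):
        raise ValueError("bad total length")
    proto = packet[9]
    if proto not in TUNNEL_PROTOS:
        raise ValueError("outer protocol %d is not a tunnel protocol" % proto)
    if ipaddress.IPv4Address(packet[12:16]) != ipaddress.IPv4Address(expected_src):
        raise ValueError("outer source is not the configured tunnel peer")
    inner = packet[hlen:total_len]
    if not inner or inner[0] >> 4 != TUNNEL_PROTOS[proto]:
        raise ValueError("inner packet version does not match outer protocol")
    return inner


def visible_on_wire(packet: bytes) -> dict:
    """What any on-path observer learns from the outer header of an unencrypted tunnel."""
    return {
        "src": str(ipaddress.IPv4Address(packet[12:16])),
        "dst": str(ipaddress.IPv4Address(packet[16:20])),
        "proto": packet[9],
        "length": struct.unpack("!H", packet[2:4])[0],
    }


def sample_ipv6_packet() -> bytes:
    """Constructed inner packet: IPv6 header, next header 59 (no next header), 8-byte payload."""
    payload = b"\x00" * 8
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), 59, 64,
                      ipaddress.IPv6Address("2001:db8::1").packed,
                      ipaddress.IPv6Address("2001:db8::2").packed)
    return hdr + payload


if __name__ == "__main__":
    inner = sample_ipv6_packet()
    pkt = encapsulate("192.0.2.1", "198.51.100.1", inner)
    print(visible_on_wire(pkt))
    print("round trip ok:", decapsulate(pkt, expected_src="192.0.2.1") == inner)
```

Note that nothing in this framing is secret: the addresses of both endpoints and the fact that a tunnel exists are visible on every router in between, which is why a Layer 3 tunnel that needs confidentiality is built on IPSec rather than plain IP-in-IP.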