While the RFC 2547 architecture is very secure, real deployments are usually quite complex. Increasing complexity, however, for example in the various Inter-AS scenarios, is usually a challenge for security. Not all security problems can be solved with features on a single router: the overall design of a network must be secure, on all layers.

This chapter discussed various network design options and discussed their implications for security. For example, Internet connectivity can be provided in various ways, with different security levels. DoS attacks are an increasing concern as well, and an MPLS VPN design must take this into consideration. When connecting several service providers' networks to provide VPN capabilities across them, new challenges arise: not all available architectures are suitable for a secure deployment today.

The practical examples in this chapter show that it is important to consider security at the time of designing the network because some design decisions can make an entire network insecure. However, when properly designed and secured, an MPLS VPN network can provide a secure service.