The Internet is usually positioned as the insecure part of any network deployment, so threats are normally seen as coming from the Internet. Although this view is correct, it is incomplete: in other parts of the Internet there are other users who require security, and from their point of view the threat also comes from "the Internet," which now includes your own network. For any given service provider network, MPLS or not, this means that there is also a threat originating in this network toward the Internet.
Some service providers take the view that security is unidirectional and that they have to secure their part of the Internet, including their customers, against the rest of the Internet but not the other way round. There are at least two reasons why this attitude is inappropriate in the global Internet: First, the Internet is a global system and requires all participants to do their share in securing access to it. Second, more practically, an attack from a service provider's customer often affects the service provider network itself or other customers of that service provider. This can be observed when worms spread, with e-mail spam relays, and in many other security incidents.
For all these reasons, it is necessary that operators of networks connecting to the Internet also secure the Internet from their customers, for example by applying source address spoofing prevention as described in RFC 2827 (BCP 38), "Network Ingress Filtering: Defeating Denial of Service Attacks which Employ IP Source Address Spoofing."
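An added illustration of the RFC 2827 check, not taken from the book: a small Python model of per-interface ingress filtering on a provider edge, with constructed customer prefixes and sample packets (all addresses from IETF documentation ranges) that are passed or dropped depending on whether each packet's source belongs to the customer behind the interface it arrived on.

```python
import ipaddress

# Constructed table: customer-facing interfaces on a provider edge router and
# the prefixes assigned to the customer behind each one. An interface missing
# from the table admits no sources at all (fail closed).
INGRESS_PREFIXES = {
    "ge-0/0/1": [ipaddress.ip_network("203.0.113.0/24")],
    "ge-0/0/2": [ipaddress.ip_network("198.51.100.0/25"),
                 ipaddress.ip_network("2001:db8:100::/48")],
}

def allowed_source(interface, src):
    """RFC 2827 / BCP 38 check: a packet entering on a customer interface may
    only carry a source address from that customer's own prefixes."""
    addr = ipaddress.ip_address(src)
    # 'in' is False across address families, so an IPv6 source on an
    # IPv4-only interface is rejected without special casing.
    return any(addr in prefix for prefix in INGRESS_PREFIXES.get(interface, []))

def filter_packets(packets):
    """Apply the check to (interface, src, dst) triples; return the packets
    that would be forwarded and those that would be dropped."""
    forwarded, dropped = [], []
    for iface, src, dst in packets:
        (forwarded if allowed_source(iface, src) else dropped).append((iface, src, dst))
    return forwarded, dropped

def drop_summary(packets):
    """Dropped packets per interface: a rising count on one interface points
    at a misconfigured or compromised customer site behind it."""
    counts = {}
    for iface, _src, _dst in filter_packets(packets)[1]:
        counts[iface] = counts.get(iface, 0) + 1
    return counts

# Constructed traffic sample (documentation addresses only).
SAMPLE_PACKETS = [
    ("ge-0/0/1", "203.0.113.10", "192.0.2.1"),       # customer A, own address: pass
    ("ge-0/0/1", "198.51.100.5", "192.0.2.1"),       # customer A spoofing customer B: drop
    ("ge-0/0/2", "198.51.100.200", "192.0.2.1"),     # customer B, outside its /25: drop
    ("ge-0/0/2", "2001:db8:100::1", "2001:db8::1"),  # customer B, own IPv6 prefix: pass
    ("ge-0/0/2", "192.0.2.77", "192.0.2.1"),         # customer B spoofing an Internet host: drop
    ("ge-0/0/9", "203.0.113.10", "192.0.2.1"),       # unconfigured interface: drop
]

if __name__ == "__main__":
    fwd, drop = filter_packets(SAMPLE_PACKETS)
    print("forwarded:", fwd)
    print("dropped:", drop)
    print("drops per interface:", drop_summary(SAMPLE_PACKETS))
```

On real equipment the same effect is achieved with per-interface ingress ACLs or strict unicast RPF on customer-facing interfaces; the model above only shows the decision logic.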
In the specific context of MPLS VPNs, the threat originates from every VPN customer who has Internet connectivity through this MPLS VPN service. Customers who do not receive Internet connectivity from the MPLS provider may still be the source of security incidents through other paths, such as through other Internet service providers (ISPs). But this is outside the scope of this book.