In discussions about MPLS security, a number of questions typically arise that are outside the scope of the MPLS architecture. This means these issues have nothing to do with the standards and cannot, therefore, be controlled by the architecture. The following list describes these issues and explains why they are outside the scope of the architecture.
Protection against misconfiguration or operational mistakes: The standards describe the architecture. This whole chapter examined MPLS VPNs based on this architecture. This architecture can also be misapplied, leading to security issues. Here's an example: As long as the PE is configured correctly according to the standard, the solution is secure. However, any operator could misconfigure a PE, breaking the security. This is not an architectural issue, but an operational issue. These problems are discussed in Chapter 8, "Secure Operation and Maintenance of an MPLS Core."
VPN data confidentiality, integrity, and origin authentication: There is no guarantee to VPN users that packets do not get read or corrupted when in transit over the MPLS core. MPLS as such does not provide any of the above services. It is important to understand that a service provider has the technical possibility to sniff VPN data, and VPN users can either choose to trust the service provider(s) not to use their data inappropriately, or they can encrypt the traffic over the MPLS core, for example with IPsec, as described in Chapter 6, "How IPsec Complements MPLS."
Attacks from the Internet through an MPLS backbone: If the MPLS backbone provides Internet access to a VPN, attacks from the Internet into this VPN are outside the scope of MPLS. The task of the MPLS core is to forward packets from the Internet to the VPN and vice versa. This includes potential attacks. It is, however, within the scope of MPLS security to make sure that an attack against a given VPN does not affect other VPNs or the core itself. (This is discussed in Chapter 4.) Also outside the scope of the MPLS architecture is any kind of firewalling required for such cases.
Customer network security: Every attack that originates in a customer VPN and terminates in that same VPN is outside the scope of MPLS security. The MPLS VPN architecture forwards packets between VPN sites; it is not concerned with the nature of these packets, which could also be attack packets. This also includes IP spoofing within a VPN.
When discussing the security of MPLS VPN networks, take care to maintain a balanced view of the overall risks to a customer. For example, arguing about the chances of an attacker sniffing a core line is, in relative terms, close to irrelevant if the customer network has unsecured wireless access points; nor is it important to worry about a service provider misconfiguring a PE when attackers have uncontrolled physical access to hosts in an enterprise. Security is a question of balance: there is no point in putting extra-secure locks on the door of your house if the windows are left open.