Hi,
the title basically says all.
If you have an MPLS network, do you trust your network provider enough or do you not trust anyone and encrypt everything anyway?
One of my customers has an encrypted MPLS network. This is provided by the network provider. But at each site the customer has some (very) strong physical encryption devices. The context: very sensitive data and no trust.
As long as you have the processing power, there's no reason not to.
Just out of curiosity, why are you still using MPLS? Haven't seen it in active use in years at this point...
So, putting a VPN on top of MPLS more or less defeats the purpose of having MPLS. If that is your goal here, SD-WAN with cheap internet circuits and controlled least-cost routing is the way to go. While under contract, layer SD-WAN above the MPLS so you maintain the mesh, and where you don't need the leased line's low latency, pull the contracts out and replace them with DIAs as the terms expire. But you will lose your CoS fine-tuning abilities.
Today I consider MPLS to be a legacy way of doing things. We all want the security, and MPLS does not really offer the same contractual agreement with SLA when you throw VPNs on top. You have a VPN that is acting up and not honoring inside and outside DiffServ markings correctly? Good luck getting your MPLS ISP to support you...
Bank auditors will ding financial institutions that don’t encrypt traffic going over an MPLS network (or any other WAN medium).
From the SP Perspective, it’s trivial to snoop on customer WAN traffic with fiber taps or an ERSPAN session configured on a router.
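The tap/ERSPAN point above is easy to see with a packet decoder: MPLS labels give the provider forwarding isolation, not confidentiality, so anyone sitting on the core sees the label stack, the IP header and the full application payload. The script below is an added example, not code from the thread or from any vendor: it pops an RFC 3032 label stack, parses the inner IPv4 packet, and shows what a snooper recovers from (a) a plain TCP segment and (b) the same segment wrapped in ESP transport mode (the "IPsec without tunneling" case mentioned later in the thread). The frames are constructed inline; the ESP body is produced by a labelled toy keystream that stands in for a real ESP cipher such as AES-GCM, so this is a demonstration of what is visible on the wire, not an IPsec implementation.

```python
"""Pop an MPLS label stack and see what a provider-side tap recovers.

Added example. Sample frames are constructed inline. The ESP body comes from
a TOY keystream (HMAC-SHA256 in counter mode) standing in for the real ESP
cipher; do not reuse it as a cryptographic construction.
"""
import hashlib
import hmac
import struct

ETHERTYPE_MPLS = 0x8847
IPPROTO_TCP = 6
IPPROTO_ESP = 50

# Constructed sample: a basic-auth login crossing the WAN in the clear.
SECRET = b"POST /login HTTP/1.1\r\nAuthorization: Basic YWRtaW46aHVudGVyMg==\r\n\r\n"
SRC, DST = bytes([10, 1, 0, 10]), bytes([10, 2, 0, 20])
DEMO_KEY = b"constructed-demo-key"           # placeholder, not a real SA key


def mpls_header(label: int, tc: int, bottom: bool, ttl: int) -> bytes:
    """RFC 3032 label stack entry: 20-bit label, 3-bit TC, 1-bit S, 8-bit TTL."""
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bottom) << 8) | ttl)


def ipv4_header(src: bytes, dst: bytes, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left zero since nothing forwards it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src, dst)


def tcp_segment(sport: int, dport: int, data: bytes) -> bytes:
    """Minimal 20-byte TCP header (PSH|ACK) followed by application data."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + data


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """TOY stand-in for the ESP cipher: XOR with an HMAC-SHA256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, struct.pack("!I", i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def esp_transport(spi: int, seq: int, key: bytes, inner: bytes) -> bytes:
    """ESP transport mode (RFC 4303 framing): SPI, sequence number, opaque body.
    Transport mode keeps the original IP header and protects only the TCP segment."""
    return struct.pack("!II", spi, seq) + toy_encrypt(key, inner)


def ethernet(payload: bytes) -> bytes:
    """Ethernet II frame with constructed MACs and the unicast MPLS ethertype."""
    return b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_MPLS) + payload


def labelled(packet: bytes) -> bytes:
    """Two-label stack as a provider core would carry it: transport label + VPN label."""
    return ethernet(mpls_header(16001, 0, False, 64) + mpls_header(24, 0, True, 64) + packet)


def plaintext_frame() -> bytes:
    seg = tcp_segment(40000, 80, SECRET)
    return labelled(ipv4_header(SRC, DST, IPPROTO_TCP, len(seg)) + seg)


def esp_frame() -> bytes:
    seg = tcp_segment(40000, 80, SECRET)
    esp = esp_transport(0x1234ABCD, 7, DEMO_KEY, seg)
    return labelled(ipv4_header(SRC, DST, IPPROTO_ESP, len(esp)) + esp)


def snoop(frame: bytes) -> dict:
    """What a tap or ERSPAN session on the provider side recovers from one frame."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_MPLS:
        raise ValueError("not an MPLS frame")
    off, labels = 14, []
    while True:                               # walk the stack to the S=1 entry
        (word,) = struct.unpack("!I", frame[off:off + 4])
        off += 4
        labels.append(word >> 12)
        if word & 0x100:
            break
    ihl = (frame[off] & 0x0F) * 4
    proto = frame[off + 9]
    info = {
        "labels": labels,
        "src": ".".join(map(str, frame[off + 12:off + 16])),
        "dst": ".".join(map(str, frame[off + 16:off + 20])),
        "proto": proto,
    }
    body = frame[off + ihl:]
    if proto == IPPROTO_TCP:
        info["dport"] = struct.unpack("!H", body[2:4])[0]
        info["payload"] = body[20:]           # fully readable: labels are not secrecy
    elif proto == IPPROTO_ESP:
        info["spi"], info["seq"] = struct.unpack("!II", body[:8])
        info["payload"] = None                # only SPI and sequence number are visible
    return info


if __name__ == "__main__":
    for build in (plaintext_frame, esp_frame):
        print(build.__name__, snoop(build()))
```

Note what the ESP variant still leaks: label stack, endpoint addresses, packet sizes and timing, and the SPI. That is enough for traffic analysis but not for reading the login. Tunnel mode would additionally hide the inner addresses behind the gateway pair, at the cost of another IP header per packet.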
No, but I believe we should.
I don’t trust anything I don’t have complete control over. Even if I do have complete control over everything, you never know when something could be compromised. Encrypt everything all the time.
VoIP no, everything else yes
Frankly... I promote zero trust, so each connection is encrypted where possible regardless of network.
I don't trust our own network or a VPN... well, not entirely. Where possible and reasonable, each connection is its own thing. Why risk lateral movement?
I encrypt all my traffic to the MPLS endpoints via site-to-site IPsec.
We bought a company years ago that had an MPLS network. It was not encrypted, nor was the provider exactly a competent one, so trusting that it was properly segmented was a stretch. We quickly set up IPsec tunnels to ensure the traffic was encrypted. The way the routers and MPLS were set up, their phone traffic still went directly over the MPLS and was prioritized by QoS.
We ripped out that MPLS for an SDWAN deployment as soon as the contract was up. 10x the bandwidth for 1/10th the price using carriers who actually knew what the hell they were doing. We got better latency between locations over that SDWAN from a mishmash of carriers than we got with the MPLS…if that’s any indication of how crap their MPLS provider was…
Why MPLS when you can SD-WAN?
If I have to encrypt it anyway, I might as well switch to internet connections.
Friendly reminder that you don’t need tunneling to use IPsec.
Usually we deliver VPLS over MPLS.
That’s not encrypted though.
I would encrypt with WireGuard between sites. But leave VoIP traffic out of it.
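Leaving VoIP out of a site-to-site WireGuard tunnel is less obvious than it sounds, because a peer's AllowedIPs is a positive match list (it both filters inbound source addresses and, under wg-quick, installs routes) and has no "except" syntax. The usual way is to list the remote site's address space minus the VoIP subnet, so the VoIP prefix falls through to the existing MPLS route. The script below is an added example, not the poster's configuration or anything from the WireGuard project: it computes that carve-out with the standard-library `ipaddress` module and renders a `[Peer]` section. The prefixes, endpoint and public key are constructed placeholders.

```python
"""Compute WireGuard AllowedIPs that exclude a VoIP subnet from the tunnel.

Added example. AllowedIPs cannot express "10.20.0.0/16 except 10.20.50.0/24",
so we split the prefix around the hole. All addresses and keys are placeholders.
"""
import ipaddress
from typing import Iterable, List


def carve_out(prefixes: Iterable[str], exclusions: Iterable[str]) -> List[str]:
    """Return the minimal prefix list covering `prefixes` with `exclusions` removed."""
    keep = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    for ex in (ipaddress.ip_network(e, strict=True) for e in exclusions):
        nxt = []
        for net in keep:
            if ex.version != net.version or not (ex.subnet_of(net) or net.subnet_of(ex)):
                nxt.append(net)                       # disjoint: unchanged
            elif net.subnet_of(ex):
                continue                              # fully inside the hole: drop
            else:
                nxt.extend(net.address_exclude(ex))   # split the prefix around the hole
        keep = nxt
    out: List[str] = []
    for version in (4, 6):                            # collapse_addresses needs one family
        out += [str(n) for n in ipaddress.collapse_addresses(n for n in keep if n.version == version)]
    return out


def takes_tunnel(allowed: Iterable[str], host: str) -> bool:
    """True if `host` would be routed into the tunnel given this AllowedIPs list."""
    ip = ipaddress.ip_address(host)
    return any(ip in ipaddress.ip_network(a) for a in allowed)


def peer_section(pubkey: str, endpoint: str, allowed: List[str]) -> str:
    """Render the [Peer] block for a wg-quick config."""
    return "\n".join([
        "[Peer]",
        f"PublicKey = {pubkey}",
        f"Endpoint = {endpoint}",
        f"AllowedIPs = {', '.join(allowed)}",
        "PersistentKeepalive = 25",
    ])


# Constructed site plan: remote site is 10.20.0.0/16 plus a /24 at a second
# building; its phone VLAN 10.20.50.0/24 stays on the MPLS path.
REMOTE_PREFIXES = ["10.20.0.0/16", "10.21.7.0/24"]
VOIP_PREFIXES = ["10.20.50.0/24"]


def build_peer() -> str:
    allowed = carve_out(REMOTE_PREFIXES, VOIP_PREFIXES)
    return peer_section("REMOTE_SITE_PUBLIC_KEY_PLACEHOLDER=", "203.0.113.10:51820", allowed)


if __name__ == "__main__":
    print(build_peer())
```

Two caveats a practitioner will hit: the same carve-out must be applied on the far side so the return path is symmetric, and if VoIP is identified by DSCP marking rather than by subnet, AllowedIPs cannot help and you need policy routing (`ip rule` on fwmark) instead. Also remember that WireGuard's AllowedIPs matches the inner source address on receive, so a phone subnet you exclude here will be dropped if it ever does arrive through the tunnel.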
We do but we plan to get rid of the MPLS layer. We’d rather have multiple internet lines including mobile data backup and run the tunnel through the best available line.
MPLS (as it is implemented) has no benefits worth the extra cost for us.
If the traffic isn’t already using something like SSL, then yes.
The last MPLS connection I had from the provider for multiple sites was obviously a private network, because each endpoint gateway was something like 172.16.2.1 and 1.1 and a traceroute between the two had no hops, but we still set up a VPN tunnel between the sites with firewall rules.
QoS wasn't an issue, nor was VoIP, but this was ten years ago and the links were only 100 Mbit.