The MPLS Privacy Debate Continues

Wednesday, December 21, 2011

PCI Guru


At this year’s PCI Community Meeting the issue of whether or not MPLS is private came up again. 

I was in one of the Open Forums when the topic of MPLS, and whether it is private, came up. This is not a new issue; it has come up before, and I have discussed it in two previous postings.

The reason it came up was that a former network engineer wanted to understand from the PCI SSC technical representatives how they justify MPLS being private.  What ensued was an excellent discussion regarding the architecture of MPLS and the PCI SSC’s rationale for considering it private. 

For those of you not familiar with MPLS: in a nutshell, it is just a larger IP network that a carrier uses to route its customers' traffic.

What the network engineer brought up was that an MPLS network is no different from any other IP network, with the same spanning tree and other architectural issues, which hardly make MPLS private. They also pointed out that even Frame Relay and other older telephony circuits are now being carried over MPLS by the carriers.

Given that at some point MPLS traffic has to co-mingle with other customers' network traffic, how can the PCI SSC maintain its claim that MPLS is private? The answer provided was a bit disconcerting to some in the room, but for those of us who understand the engineering issues of MPLS, it was expected.

The group present was told that MPLS is considered private because the carriers consider it private and sell it as a private network service. A lot of people in the room gasped, and the next question asked was, "Isn't that a lot like saying trust me?" As the PCI SSC representative went on to explain, there really is no other way to work with MPLS.

Is it possible to breach data in an MPLS network? Yes. Can it be easily accomplished? Not really. The attacker would need access to a carrier's core switch and a port or two in promiscuous mode to gather all of the packets flowing through that switch.

As a result, organizations need to accept the risk presented by MPLS. The unfortunate fact is that most organizations do not even know there is a risk, however slight it might be.

At the end of this discussion, the PCI SSC person recommended that, if an organization is concerned about the privacy of MPLS, then they should encrypt their data over the MPLS network.

So, there you are.  If you think MPLS is not private, then encrypt your data.  Hopefully this issue is resolved.
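To make the engineering point concrete, here is an added example (not from the original post) that parses the MPLS label stack of a constructed frame: each shim header carries only a label, traffic class, bottom-of-stack flag and TTL, so whatever sits behind the labels is exactly as readable on a core switch as it was when it left the customer site. The `payload_is_encrypted` check is a simple way to act on the advice to encrypt: an IPv4 protocol number of 50 (IPsec ESP) means the customer payload is ciphertext; anything else means it is in the clear. The frames, label values and addresses are constructed for the example.

```python
import struct

ESP = 50  # IPv4 protocol number for IPsec ESP


def parse_mpls_frame(frame: bytes):
    """Parse an MPLS label stack (RFC 3032 shim headers) followed by IPv4.

    Returns (labels, ip_proto, payload); labels is a list of
    (label, traffic_class, bottom_of_stack, ttl) tuples.  The shim has no
    confidentiality field: MPLS separates traffic by label, it does not hide it.
    """
    labels, off = [], 0
    while True:
        if off + 4 > len(frame):
            raise ValueError("truncated MPLS label stack")
        (word,) = struct.unpack_from("!I", frame, off)
        label, tc = word >> 12, (word >> 9) & 0x7
        bottom, ttl = bool((word >> 8) & 0x1), word & 0xFF
        labels.append((label, tc, bottom, ttl))
        off += 4
        if bottom:
            break
    if off + 20 > len(frame) or frame[off] >> 4 != 4:
        raise ValueError("expected an IPv4 packet after the label stack")
    ihl = (frame[off] & 0x0F) * 4          # IPv4 header length in bytes
    proto = frame[off + 9]                 # IPv4 protocol field
    return labels, proto, frame[off + ihl:]


def payload_is_encrypted(frame: bytes) -> bool:
    """True only if the customer packet inside the MPLS frame is IPsec ESP."""
    _, proto, _ = parse_mpls_frame(frame)
    return proto == ESP


def build_mpls_frame(labels, proto, payload, ttl=64):
    """Build a constructed test frame: label stack + minimal IPv4 header + payload."""
    stack = b"".join(
        struct.pack("!I", (lab << 12) | ((i == len(labels) - 1) << 8) | ttl)
        for i, lab in enumerate(labels))
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])  # constructed addresses
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                     0, 0, ttl, proto, 0, src, dst)
    return stack + ip + payload


# Constructed samples: transport label 16 on top, VPN label 17 at the bottom of stack.
CLEAR_FRAME = build_mpls_frame([16, 17], 6, b"constructed TCP bytes: GET /orders HTTP/1.1")
ESP_FRAME = build_mpls_frame([16, 17], ESP, bytes.fromhex("0000100100000001") + bytes(16))

if __name__ == "__main__":
    for name, frame in (("clear", CLEAR_FRAME), ("esp", ESP_FRAME)):
        labels, proto, payload = parse_mpls_frame(frame)
        print(name, labels, "proto", proto, "encrypted", payload_is_encrypted(frame), payload[:24])
```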

Cross-posted from PCI Guru

Yinal Ozkan: This is a paradoxical case to measure the security literacy of the large enterprise shops:
If you ask if they are okay with sharing the network infrastructure with 3rd parties, and allowing their "data in transit" to traverse shared networks in clear, they will respond with no; if you ask "Do you use MPLS?" the answer is yes.

To have more fun, ask them about data at rest and cloud infrastructure providers.

I think this is a good indicator that large enterprises will move to shared services when the price and the service are right. Security is just another excuse at the moment.