Encryption of MPLS

Encryption of MPLS networks

How companies make their MPLS secure

MPLS is considered a closed system, but the attack surface increases with cloud connections and external access. The encryption of MPLS data is therefore becoming increasingly relevant. The decisive factor is at which point in the network the encryption takes place and which type of transport is used.

In a nutshell:

The right encryption solution protects connections, applications and data from physical access, manipulation and DDoS attacks.

The question: How secure is your MPLS network against unauthorized access and data loss?

Encryption in MPLS networks is a sensitive issue and is becoming increasingly important. The otherwise closed MPLS networks have more and more points of contact with the Internet, be it through external employees, cloud connections or others. We briefly present various encryption mechanisms here.

Basically, an MPLS network is secure. Why? It is a self-contained network operated by a provider and usually has only one point of contact with the public Internet, typically either in the data center or at the company headquarters. However, even closed networks can become insecure through physical access to computers or nodes. Encrypting MPLS traffic creates more security here.

MPLS processes and transports a variety of different data, including IP packets and Ethernet frames. Ethernet encryptors should support MPLS, but depending on the location of the encryptor, different support may be required.

Ethernet via MPLS / VPLS

If Ethernet frames are transported via MPLS, the encryptor must leave the Ethernet header and the MPLS header unencrypted, as MPLS forwarding relies on this header information. Here, the requirements for MPLS are met in both transport and tunnel mode. Direct support is not necessary, only transparency. Two transport variants of Ethernet via MPLS can be used:

  • The original frame is encapsulated by MPLS and the MPLS tag is placed in front of the payload (for connecting different Layer 2 networks)
  • The MPLS tag is placed between the Ethernet header and the payload (only for a continuous Ethernet network)

MPLS Interconnect

When encrypting the connection of local MPLS clouds via a WAN, the secure switch (encryptor) must adapt to the frame format. Two frame variants are possible:

  • Ethernet frame with MPLS tag
  • Ethernet frame with MPLS tag, in which the “original” frame is encapsulated and transmitted as payload

Between MPLS clouds

If you want to encrypt the connection between two local MPLS clouds via a provider MPLS cloud, it is necessary that the encryptor only encrypts the payload consisting of the encapsulated original frame. The exact requirements for the encryptor vary depending on the scenario and topology. An optimal solution for multipoint topologies is difficult to achieve.
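The following Python script is an added example; it is not part of the original article or of Mr. Jaggi's publication. It builds both Ethernet-over-MPLS transport variants from constructed sample values (the MAC addresses, key, nonce and payload are all made up), splits each frame into the bytes an encryptor must leave in the clear (outer Ethernet header plus MPLS label stack) and the payload it protects, and shows that a label swap by a provider LSR in transit does not break decryption, while any change to the protected payload is detected. This covers the frame layouts of the Ethernet-via-MPLS and MPLS-interconnect sections above as well as the "between MPLS clouds" case, where the protected payload is the complete encapsulated original frame. The SHA-256 counter keystream and HMAC tag are a labelled stand-in for a real encryptor's cipher suite, and the functions (`split_frame`, `protect_frame`, `simulate_lsr_hop`, and so on) are hypothetical names chosen for this example.

```python
"""Added example (not from the article): which bytes of an Ethernet-over-MPLS frame
a Layer-2 encryptor leaves in the clear, for both transport variants."""
import hashlib
import hmac
import struct

ETHERTYPE_MPLS_UNICAST = 0x8847
NONCE_LEN, TAG_LEN = 12, 16

def mpls_label(label, tc=0, s=0, ttl=64):
    """One 32-bit label stack entry: 20-bit label, 3-bit TC, bottom-of-stack bit, TTL."""
    return struct.pack("!I", (label << 12) | (tc << 9) | (s << 8) | ttl)

def parse_label_stack(buf):
    """Decode entries until the bottom-of-stack bit is set; returns (entries, byte_len)."""
    entries, off = [], 0
    while True:
        if off + 4 > len(buf):
            raise ValueError("truncated MPLS label stack")
        (word,) = struct.unpack_from("!I", buf, off)
        entries.append({"label": word >> 12, "tc": (word >> 9) & 7,
                        "s": (word >> 8) & 1, "ttl": word & 0xFF})
        off += 4
        if word & 0x100:
            return entries, off

def split_frame(frame):
    """Return (cleartext_header, payload). Ethernet header and label stack stay readable
    because LSRs swap labels and decrement TTL in transit; everything after the
    bottom-of-stack entry is protected (encapsulation variant: the whole original
    frame, its own header included). Assumes an untagged outer frame (no 802.1Q)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_MPLS_UNICAST:
        raise ValueError("not an MPLS frame (ethertype 0x%04x)" % ethertype)
    _, stack_len = parse_label_stack(frame[14:])
    return frame[:14 + stack_len], frame[14 + stack_len:]

def _keystream(key, nonce, length):
    """SHA-256 counter-mode keystream: a demonstration stand-in, not a real cipher."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack("!I", ctr)).digest()
        ctr += 1
    return out[:length]

def protect_frame(frame, key, nonce):
    """Encrypt the payload, keep forwarding headers in the clear, append a tag over
    nonce + ciphertext. The label stack is deliberately outside the tag because
    provider LSRs rewrite it; covering it would fail verification after one hop."""
    header, payload = split_frame(frame)
    ct = bytes(p ^ k for p, k in zip(payload, _keystream(key, nonce, len(payload))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return header + nonce + ct + tag

def unprotect_frame(protected, key):
    """Verify the tag, then decrypt; raises if the protected payload was modified."""
    header, rest = split_frame(protected)
    if len(rest) < NONCE_LEN + TAG_LEN:
        raise ValueError("protected payload too short")
    nonce, ct, tag = rest[:NONCE_LEN], rest[NONCE_LEN:-TAG_LEN], rest[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: payload modified in transit")
    return header + bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def simulate_lsr_hop(protected, new_label):
    """What a provider LSR does without any key: swap the bottom label, decrement TTL."""
    header, rest = split_frame(protected)
    (entry,), _ = parse_label_stack(header[-4:])
    return header[:-4] + mpls_label(new_label, entry["tc"], 1, entry["ttl"] - 1) + rest

def eth_header(dst, src, ethertype):
    return dst + src + struct.pack("!H", ethertype)

def encapsulated_variant(outer_dst, outer_src, label, original_frame):
    """Variant 1 (different Layer 2 networks): original frame encapsulated, label in front."""
    return eth_header(outer_dst, outer_src, ETHERTYPE_MPLS_UNICAST) + mpls_label(label, s=1) + original_frame

def inline_variant(dst, src, label, payload):
    """Variant 2 (continuous Ethernet network): label between Ethernet header and payload."""
    return eth_header(dst, src, ETHERTYPE_MPLS_UNICAST) + mpls_label(label, s=1) + payload

# Constructed sample values, not taken from the article
KEY = b"constructed-demo-key-not-for-real-use"
NONCE = bytes(range(NONCE_LEN))
PE_A, PE_B = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
HOST_1, HOST_2 = bytes.fromhex("0200000000aa"), bytes.fromhex("0200000000bb")
IP_PAYLOAD = b"\x45\x00constructed IP payload"
ORIGINAL = eth_header(HOST_1, HOST_2, 0x0800) + IP_PAYLOAD

if __name__ == "__main__":
    for name, frame in (("encapsulated", encapsulated_variant(PE_A, PE_B, 1001, ORIGINAL)),
                        ("inline", inline_variant(HOST_1, HOST_2, 1001, IP_PAYLOAD))):
        clear, payload = split_frame(frame)
        restored = unprotect_frame(simulate_lsr_hop(protect_frame(frame, KEY, NONCE), 2002), KEY)
        print(name, len(clear), "bytes clear,", len(payload), "protected; intact:", restored[len(clear):] == payload)
```

Two design points follow directly from the frame layouts. First, the integrity tag cannot cover the label stack or the outer Ethernet header, because a provider LSR swaps the label and decrements the TTL on every hop; the encryptor therefore authenticates only what it encrypts, which is exactly the "adapt to the frame format" requirement. Second, because the nonce travels with each frame and the keystream depends on it, a deployment must guarantee that a nonce never repeats under the same key, which is one of the properties a real encryptor's key management has to provide.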

IPSec as MPLS encryption

Securing with IPsec is also possible. However, this only makes sense for a pure IP network. For a Carrier Ethernet network solution it does not offer sufficient security, as there is no encryption below Layer 3.

Do you need advice on your MPLS network? Get in touch with us! Our experts will be happy to help you.

With kind permission of Mr. Christoph Jaggi. You can find the original publication here.
