An MPLS VPN service offering allows a service provider to use its Layer 3 backbone as a common infrastructure that customers can share, supporting the paradigm of “Build Once and Sell Many.” To offer such a service, the service provider must rely on the inherent security capabilities that have been built into MPLS since its inception. These capabilities were explained in Volume 1 of MPLS and VPN Architectures; however, it is appropriate to revisit some of them so that we can evaluate MPLS from a security perspective. These inherent security capabilities can be categorized as follows:
Address space and routing separation
No visibility of the core network
Resistance to label spoofing ...