For Multiprotocol Label Switching (MPLS) networks, which are mostly used to connect different physical locations such as data centers and branch offices, the applicable PCI DSS requirements depend on whether the network is considered public or private.
PCI SSC, participating organizations, and card brands have stated that an MPLS network can be a private network, depending on its configuration. That is, cardholder data transmitted over a private MPLS network does not need to be encrypted.
Unlike earlier telecommunications technologies such as Frame Relay and ATM, MPLS is compatible with the Internet Protocol (IP). When packets enter an MPLS-based network, Label Edge Routers (LERs) assign each of them a label (identifier).
These labels are derived from the routing table entry and from fields such as the IP header (source IP address), Layer 4 port information, and differentiated services markings.
Once this classification is complete and matched, packets are assigned to the corresponding Label Switched Paths (LSPs), and Label Switch Routers (LSRs) place the outgoing label in the packet.
MPLS uses IP header information to route traffic correctly. Essentially, MPLS is no different from Layer 3 IP switching/routing with VLANs, just on a much larger scale.
Because MPLS is protocol-aware, it allows AT&T, Verizon, IT, and similar carriers to automatically reroute packets to avoid network congestion, outages, and other issues that can affect network performance.
Carriers can reroute packets within their own networks and, if needed, onto other carriers' MPLS networks. Rerouting happens automatically, depending on how your MPLS network is defined.
IEEE 802.1Q can be used to help secure MPLS networks. 802.1Q defines how VLAN traffic is tagged so that traffic from different VLANs can be kept separate on the same physical link.
Contracts for MPLS service typically contain clauses stating that the MPLS network will be private, i.e., one customer cannot access another customer's network. However, if an operator reroutes your MPLS traffic onto another carrier's MPLS network for any reason, there is probably no guarantee that your traffic will remain private.
Now that we understand what MPLS is and how it works, what impact does it have on an organization's PCI compliance? The answer depends on whether the MPLS network is public or private.
PCI SSC published FAQ #1045 on the use of MPLS in May 2014. The Council's response regarding MPLS is as follows:
When MPLS transmits cardholder data, is it considered a private or public network?
It depends on the particular provider and configuration whether an MPLS network can be considered a private network. Before concluding that the MPLS network can be presumed to be private, the implementation will need to be checked to determine whether the MPLS network provides access to the Internet or other untrusted networks.
If the MPLS network includes publicly available IP addresses or otherwise provides access to the Internet, it may need to be considered an "untrusted" or public network.
There is no need to encrypt transfers of cardholder data over this network in compliance with PCI DSS Requirement 4.1 if the MPLS network is determined to be private. However, if there are Internet exposure points or a shared link, the MPLS network can be considered untrusted or public, and PCI DSS Requirement 4.1 will apply.
PCI DSS still covers MPLS networks that have been validated to be private. As with all in-scope private networks, the MPLS network and its associated devices must meet the applicable PCI DSS requirements.
Just because the MPLS network is "private" does not mean it is outside the PCI DSS scope. According to PCI DSS Requirement 4.1, you do not need to encrypt traffic passing over a "private" network. But all other PCI controls still apply!
So even if you are using a public MPLS provider and decide not to encrypt data before it reaches the provider's equipment, the entire network will be in the PCI DSS scope.
The provider's systems used to manage this network will also be in scope, since all traffic passing through it, potentially including your unencrypted card numbers, could be intercepted.
It is rare for a telecommunications company to commit to PCI DSS compliance, given the scale and cost involved, so it is wise to seriously consider encrypting sensitive data before it leaves your domain.
Is MPLS encrypted?
In short, MPLS has no native encryption. MPLS is a traffic routing mechanism that creates the feel of a private line by forwarding packets within the network along predetermined labeled paths, but it still relies on shared network elements. For example, a Provider Edge (PE) router can be shared among multiple customers.
MPLS security is based on the idea that the network core is secure. Most service provider networks are designed on the assumption that the core is secure and that no one can get into it. Most service providers focus on securing against "outside" attacks, meaning attacks from the Internet or from connected VPNs.
However, if an attacker gained access to the core network, the intruder could collect and analyze traffic because of the lack of native encryption. What can be learned from that analysis depends on how well customers protect themselves.
Again, MPLS itself does not provide encryption, but an MPLS network is a virtual private network separated from the public Internet. MPLS can therefore be considered a reasonably secure mode of transport, but organizations that rely on MPLS may still choose to encrypt their data before it leaves their site, compensating for the lack of encryption capabilities within the MPLS network itself.
What are the Security Risks and Impact of Using MPLS on PCI Compliance?
Carriers run multiple customers' MPLS networks on large Layer 3 switches with many VLANs. Traffic from multiple customers can be aggregated on a single VLAN or kept on individual VLANs.
Either way, VLAN access controls need to be understood, properly managed, and maintained, just like those on your own network. Under the network segmentation rules, appropriate controls must be in place to ensure that VLANs, and access to them, are truly separate.
- The operator, and anyone with access to the operator's network, can read packets in the MPLS network.
- Depending on the MPLS architecture, there is a risk that the carrier misconfigures the MPLS network and causes packets to take an unintended route.
- IP spoofing and similar attacks can be used against the 802.1Q protocol, so it is not an absolute assurance that your traffic will remain secure on the operator's network.
Remember, public or shared MPLS networks carry not just your data streams but many customers' data streams, which the carrier must manage and segregate. Under PCI, the carrier's controls in this area should also be evaluated for compliance.
Since the carrier is only an extension of the customer network, the carrier must be made aware of PCI or other sensitive network traffic to take appropriate measures to secure the data flow.
The carrier can secure the data stream by separating it from other customers’ traffic and not rerouting it to another carrier’s network. If the carrier is aware of PCI data traffic, it is also responsible for complying with PCI DSS requirements to ensure that the traffic remains confidential and secure.
Many organizations encrypt their network traffic in response to the risks presented by MPLS. However, encryption works against the purpose of MPLS: once the data stream has been encrypted, MPLS can no longer read the IP headers. An IEEE working group is currently developing a new encryption standard that keeps IP packet headers readable while encrypting the packet payload, allowing MPLS to route packets without accessing the data they carry.
As a result, MPLS may or may not be private. It all depends on how the carrier implements this or how you deal with the carrier. As a customer, you should discuss your network security and privacy needs with your carrier in detail so that they can meet your needs and understand their potential liabilities.
Generally, MPLS networks are considered "private" networks and do not require encryption. However, whether a given MPLS network is private depends on the particular provider and configuration. If public IP addresses are used, or the Internet is reachable via the MPLS network, LSRs, or other devices, these should be carefully scrutinized, as they are likely to be considered "untrusted."
Before concluding that the MPLS network is private, you should review the implementation and determine whether the IP addresses are public and whether the MPLS network is open to the Internet.
If you cannot obtain assurance that the IP addresses are not public, the entire network must be in the PCI scope. The encrypted-transmission requirement is intended to apply to transmissions to external third parties over open, public networks outside the internal network. It does not apply to transmissions over an internal network protected by externally facing firewalls, because such a network is not considered public.
The parameters that you can use to determine an MPLS network’s privacy are:
- How is the MPLS network structured?
- Does an LSR make direct contact with the Internet?
The first question, how the MPLS network is configured, is a difficult one for many network administrators and carriers. MPLS is just a private IP network, and how the network is designed determines how private it is.
IP addressing should not be relied upon as the only criterion for whether an MPLS network is private. Even if the addressing in the MPLS network is RFC 1918 compliant, if its subnet differs from that of the network connected to it, the network must still be examined to verify that it is private.
If the MPLS network uses an ARIN-registered address block belonging to the carrier, the privacy of the network is questionable. Such a network is specific to the operator but is anything but private as far as the operator's customers' traffic is concerned.
On the second question: the use of private addressing in the MPLS network does not mean that it has no contact with the Internet or Internet traffic. It is impossible to determine whether it comes into contact with the Internet unless you have visibility into the entire network and its network rules.
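The two questions above, applied to a constructed description of an MPLS deployment, as an added example that is not part of the original article. The MplsSite fields, the assess() function and the SAMPLE_SITES data are assumptions made for the illustration; the addressing check tests RFC 1918 space explicitly rather than via ipaddress.is_private, which also matches link-local and documentation ranges.

```python
# Added example: assess whether an MPLS deployment can be treated as "private"
# for PCI DSS Requirement 4.1, using the article's two questions.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network

# RFC 1918 address space, checked explicitly (is_private matches more ranges).
RFC1918 = [IPv4Network("10.0.0.0/8"), IPv4Network("172.16.0.0/12"),
           IPv4Network("192.168.0.0/16")]


def is_rfc1918(prefix: str) -> bool:
    """True if the IPv4 prefix (or host address) lies entirely inside RFC 1918 space."""
    net = ip_network(prefix, strict=False)
    # IPv6 is treated as non-RFC 1918 here; a real review would check ULA space too.
    return net.version == 4 and any(net.subnet_of(block) for block in RFC1918)


@dataclass
class MplsSite:  # hypothetical description of one site's MPLS attachment
    name: str
    prefixes: list            # addresses the carrier assigned on the MPLS side
    lsr_internet_reachable: bool   # question 2: does an LSR/PE touch the Internet?
    rerouted_via_other_carrier: bool  # traffic handed off to another carrier's MPLS?


def assess(sites: list) -> dict:
    """Apply the article's criteria; any finding means Requirement 4.1 applies."""
    findings = []
    for site in sites:
        public = [p for p in site.prefixes if not is_rfc1918(p)]
        if public:
            findings.append(f"{site.name}: non-RFC 1918 addressing {public}")
        if site.lsr_internet_reachable:
            findings.append(f"{site.name}: LSR has a path to the Internet")
        if site.rerouted_via_other_carrier:
            findings.append(f"{site.name}: traffic may transit another carrier")
    private = not findings
    # Even a private MPLS network stays in PCI DSS scope; only 4.1 is waived.
    return {"private": private, "req_4_1_applies": not private,
            "in_pci_scope": True, "findings": findings}


# Constructed sample data (not real sites or addresses).
SAMPLE_SITES = [
    MplsSite("datacenter", ["10.10.0.0/16"], False, False),
    MplsSite("branch-7", ["198.51.100.0/24"], True, False),
]

if __name__ == "__main__":
    for line in assess(SAMPLE_SITES)["findings"]:
        print(line)
```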
Of course, to answer all of these questions the carrier must be willing to show you the MPLS network configuration and share other information about its MPLS networks. It is not always easy, however, to have such a candid conversation about an operator's network.
MPLS is an IP-only wide area network, and because it uses IP, it is exposed to the same kinds of vulnerabilities as any IP network. Moreover, carriers route most ATM and Frame Relay networks over MPLS backbones as well. So not using MPLS does not mean you are immune to the risks of MPLS.