Let’s start by saying it plainly: contrary to the scare stories circulated by some, claiming that MPLS traffic has been exposed by the providers who operate it, there is no validated public evidence that such a breach has ever occurred, beyond a handful of alleged configuration errors.
MPLS sits between L2 and L3: it inserts a fixed-size 32-bit label (or a stack of them) in front of the IP packet, and every router on the path forwards on that label rather than on the IP header. That is what makes it fast, and it also means MPLS adds no encryption step of its own; it carries whatever the customer hands it, including traffic that is already encrypted, without re-encrypting it. Most enterprise and personal application traffic on the Internet today is encrypted (HTTPS, QUIC, SSH, TLS, etc.). That said, there are exceptions:
1. Legacy Web Traffic
Arguably, this kind of traffic simply should not be allowed on the public Internet today.
- HTTP (port 80): While most major websites now force HTTPS, there are still smaller sites, IoT dashboards, and legacy systems that serve content over unencrypted HTTP.
- Redirect leaks: The first request a device makes (e.g., the captive-portal check in hotels and airports) is often plain HTTP, precisely so that the portal can intercept and redirect it.
2. Email Protocols
- SMTP, POP3, IMAP: Many servers and clients still use plaintext or opportunistic TLS (STARTTLS). An on-path attacker can strip the STARTTLS offer and the session silently continues in the clear unless the sender enforces TLS (e.g., via MTA-STS or DANE).
- Email metadata: Even when every hop is encrypted, the headers (sender, recipient, subject, routing) are decrypted and readable at each relaying mail server; end-to-end encryption (PGP, S/MIME) protects the body but still leaves those headers exposed.
3. DNS (Domain Name System)
- Traditional DNS (UDP/53, TCP/53) is still widely unencrypted.
- While DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) adoption is growing, the bulk of queries still cross the wire in plaintext, visible to every on-path observer; and the resolver itself sees the query in the clear regardless of transport.
4. VoIP & Messaging
- SIP signaling (UDP/TCP 5060) is often unencrypted; SIP over TLS (port 5061) exists but is far from universally deployed.
- RTP media streams (voice/video) are still commonly unencrypted unless SRTP is explicitly configured and its keys are exchanged over protected signaling.
- Some legacy SMS-over-IP and chat protocols still transmit in plaintext.
5. IoT and Embedded Devices
- Many IoT devices use unencrypted HTTP APIs, MQTT without TLS (port 1883 rather than 8883), or proprietary protocols that lack encryption altogether.
- Smart home gadgets, cameras, and industrial control systems often default to plaintext for convenience and low cost.
6. Industrial & OT Protocols
These protocols were designed for closed, isolated networks and generally assume one.
- SCADA/ICS protocols such as Modbus, DNP3, BACnet, Profinet, S7, etc. are traditionally unencrypted.
- Increasingly being wrapped in VPNs or TLS tunnels, but still widely seen in plaintext on OT networks.
7. Other Legacy Applications
Who is running any of these unencrypted?
- FTP (plaintext credentials and data).
- Telnet (plaintext remote access).
- NNTP/IRC (still around in hobbyist circles, often unencrypted).
- SNMP v1/v2c (community strings sent in cleartext; only SNMPv3 offers authentication and privacy).
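The list above is what a tap on an unencrypted core would actually see. As an added example (not code from the original post), the following Python classifies captured flows by what is on the wire rather than by port alone: it recognises a TLS ClientHello, plain HTTP and SIP request lines, and pulls the community string out of an SNMPv1/v2c message (item 7). All sample flows, ports and payloads are constructed for the example, and the table of ports is an assumption about standard assignments, not a complete list.

```python
# Constructed samples (made up for this example): (destination port, first bytes on the wire)
TLS_CLIENT_HELLO = bytes.fromhex("160301002c010000280303") + bytes(40)  # record + handshake hdr
HTTP_GET = b"GET /admin HTTP/1.1\r\nHost: camera.lan\r\n\r\n"
SMTP_BANNER = b"220 mail.example ESMTP\r\n"
IMAP_BANNER = b"* OK IMAP4rev1 ready\r\n"
SNMP_V2C_GET = bytes.fromhex(
    "3018" "020101" "04067075626c6963"        # SEQUENCE { version=1 (v2c), community "public",
    "a00b020101020100020100" "3000")          #   GetRequest { req-id 1, 0, 0, varbinds {} } }
SNMP_V3_HDR = bytes.fromhex("3005020103" "3000")  # version=3: no community string follows
SIP_INVITE = b"INVITE sip:bob@example.com SIP/2.0\r\n"
MODBUS_READ = bytes.fromhex("000100000006" "01030000000a")  # MBAP header + Read Holding Registers

IMPLICIT_TLS_PORTS = {443: "https", 465: "smtps", 993: "imaps", 995: "pop3s",
                      853: "dot", 8883: "mqtts", 5061: "sips"}
OPPORTUNISTIC_PORTS = {25: "smtp", 110: "pop3", 143: "imap", 587: "submission"}  # STARTTLS may or may not happen
PLAINTEXT_PORTS = {21: "ftp", 23: "telnet", 53: "dns", 80: "http", 502: "modbus",
                   1883: "mqtt", 5060: "sip"}


def looks_like_tls(payload: bytes) -> bool:
    """TLS record header: type 0x16 (handshake), major version 3, handshake type 1 (ClientHello)."""
    return len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01


def snmp_community(payload: bytes):
    """Return (version, community) from an SNMPv1/v2c message, or None (e.g. for SNMPv3).
    Minimal BER walk over SEQUENCE { INTEGER version, OCTET STRING community, ... }."""
    def tlv(buf, pos):
        tag, length, hdr = buf[pos], buf[pos + 1], 2
        if length & 0x80:                      # long-form length
            n = length & 0x7F
            length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
            hdr += n
        return tag, buf[pos + hdr:pos + hdr + length], pos + hdr + length
    try:
        tag, body, _ = tlv(payload, 0)
        if tag != 0x30:
            return None
        tag, ver, nxt = tlv(body, 0)
        version = int.from_bytes(ver, "big")
        if tag != 0x02 or version not in (0, 1):   # 0 = v1, 1 = v2c, 3 = v3 (no community)
            return None
        tag, comm, _ = tlv(body, nxt)
        if tag != 0x04:
            return None
        return ("v1", "v2c")[version], comm.decode("ascii", "replace")
    except IndexError:
        return None


def classify_flow(dport: int, payload: bytes) -> str:
    """Payload evidence beats the port table: services run on non-standard ports all the time."""
    if looks_like_tls(payload):
        return "encrypted(tls)"
    first_line = payload.split(b"\r\n", 1)[0]
    if first_line.endswith((b" HTTP/1.1", b" HTTP/1.0")) or first_line.startswith(b"HTTP/1."):
        return "plaintext(http)"
    if first_line.endswith(b" SIP/2.0") or first_line.startswith(b"SIP/2.0 "):
        return "plaintext(sip)"
    community = snmp_community(payload)
    if community:
        return f"plaintext(snmp-{community[0]} community={community[1]!r})"
    if dport in (161, 162):
        return "snmp(v3 or unparsed)"
    if dport in IMPLICIT_TLS_PORTS:
        return f"non-tls-on-tls-port({IMPLICIT_TLS_PORTS[dport]})"  # worth a closer look
    if dport in OPPORTUNISTIC_PORTS:
        return f"opportunistic({OPPORTUNISTIC_PORTS[dport]})"
    if dport in PLAINTEXT_PORTS:
        return f"plaintext({PLAINTEXT_PORTS[dport]})"
    return "unknown"


SAMPLE_FLOWS = [(443, TLS_CLIENT_HELLO), (8443, HTTP_GET), (25, SMTP_BANNER),
                (161, SNMP_V2C_GET), (161, SNMP_V3_HDR), (5060, SIP_INVITE),
                (502, MODBUS_READ), (993, IMAP_BANNER)]


def scan(flows):
    return [(dport, classify_flow(dport, payload)) for dport, payload in flows]


if __name__ == "__main__":
    for dport, verdict in scan(SAMPLE_FLOWS):
        print(f"{dport:>5}  {verdict}")
```

Note the two SMTP-style verdicts: a flow on port 25 is only "opportunistic" because a STARTTLS upgrade may or may not follow; confirming a downgrade needs the next few records of the same stream, which a per-packet classifier cannot see.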
MPLS and Security by Design
- MPLS was never designed with an encryption mechanism of its own, but nothing about it precludes carrying encrypted traffic.
- Its security model is usually called "trusted core": if you trust your provider's backbone, you trust the MPLS VPN.
- MPLS VPNs (RFC 4364) isolate traffic using labels and per-customer VRFs, but they do not encrypt it the way IPsec or TLS do.
- Because of this, MPLS is often described as “private, not encrypted.”
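To make "private, not encrypted" concrete, here is an added example (not from the original post) that decodes a constructed two-label L3VPN frame: the outer transport label, the inner VPN label that selects the VRF on the egress PE, and then the customer's IPv4/TCP packet, whose payload is a plaintext HTTP login. Anyone with a tap on the core sees exactly what this parser returns. The MAC addresses, labels, IP addresses and credentials in the sample are made up, and the IP/TCP checksums are left at zero since nothing here validates them.

```python
import struct
from dataclasses import dataclass

ETHERTYPE_MPLS_UNICAST = 0x8847  # IANA EtherType for MPLS unicast


@dataclass
class LabelEntry:
    """One 32-bit MPLS label stack entry (RFC 3032 layout)."""
    label: int  # 20 bits: the value LSRs switch on
    tc: int     # 3 bits: traffic class (formerly EXP)
    bos: bool   # 1 bit: bottom of stack
    ttl: int    # 8 bits


def encode_label(label: int, tc: int, bos: bool, ttl: int) -> bytes:
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bos) << 8) | ttl)


def decode_label(word: bytes) -> LabelEntry:
    (v,) = struct.unpack("!I", word)
    return LabelEntry(label=v >> 12, tc=(v >> 9) & 0x7, bos=bool((v >> 8) & 1), ttl=v & 0xFF)


def parse_mpls_frame(frame: bytes) -> dict:
    """Walk Ethernet -> MPLS label stack -> IPv4 -> TCP/UDP and return the pieces."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_MPLS_UNICAST:
        raise ValueError(f"not an MPLS unicast frame: ethertype 0x{ethertype:04x}")
    off, labels = 14, []
    while True:  # pop entries until the bottom-of-stack bit is set
        entry = decode_label(frame[off:off + 4])
        off += 4
        labels.append(entry)
        if entry.bos:
            break
    # There is no "next protocol" field after the stack; a real LSR knows the
    # payload type from the label's FEC. Here we sniff the IP version nibble.
    if frame[off] >> 4 != 4:
        raise ValueError("only IPv4 payloads are handled in this example")
    ihl = (frame[off] & 0x0F) * 4
    (total_len,) = struct.unpack("!H", frame[off + 2:off + 4])
    proto = frame[off + 9]
    ip_src = ".".join(map(str, frame[off + 12:off + 16]))
    ip_dst = ".".join(map(str, frame[off + 16:off + 20]))
    l4 = off + ihl
    sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    if proto == 6:        # TCP: data offset lives in the high nibble of byte 12
        hdr_len = (frame[l4 + 12] >> 4) * 4
    elif proto == 17:     # UDP: fixed 8-byte header
        hdr_len = 8
    else:
        hdr_len = 0
    payload = frame[l4 + hdr_len:off + total_len]
    return {"labels": labels, "ip_src": ip_src, "ip_dst": ip_dst,
            "proto": proto, "sport": sport, "dport": dport, "payload": payload}


def build_sample_frame() -> bytes:
    """Constructed sample: a two-label L3VPN packet carrying a plaintext HTTP login.
    MACs, addresses, labels and credentials are made up; checksums are left at zero."""
    payload = (b"GET /login?user=alice&pass=hunter2 HTTP/1.1\r\n"
               b"Host: intranet.example\r\n\r\n")
    tcp = struct.pack("!HHIIBBHHH", 51514, 80, 1000, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                     bytes([10, 1, 1, 10]), bytes([10, 2, 2, 20]))
    # outer transport label (to the egress PE) + inner VPN label (selects the VRF)
    stack = encode_label(18, 0, False, 64) + encode_label(24, 0, True, 64)
    eth = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
           + struct.pack("!H", ETHERTYPE_MPLS_UNICAST))
    return eth + stack + ip + tcp + payload


if __name__ == "__main__":
    info = parse_mpls_frame(build_sample_frame())
    for e in info["labels"]:
        print(f"label={e.label} tc={e.tc} bos={e.bos} ttl={e.ttl}")
    print(f"{info['ip_src']}:{info['sport']} -> {info['ip_dst']}:{info['dport']}")
    print(info["payload"].decode())  # readable by anyone tapping the core
```

The label stack is the only thing the core routers look at; everything after the bottom-of-stack entry is opaque to them, but it is not hidden from them. Swap the HTTP payload for a TLS record and the parser still returns the labels and addresses, which is the metadata a "trusted core" still exposes.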
Are There Any Documented Incidents and What are the Risks?
While there have not been many publicly confirmed, large-scale breaches of MPLS networks (unlike Internet-facing systems), there have been security concerns and reported compromises:
- Insider Threats at Carriers
- Because MPLS relies on the provider core being secure, a malicious insider with access to PE routers or their VRF configuration could intercept or redirect customer traffic.
- There have been isolated reports of provider employees misconfiguring or manipulating MPLS VPNs to gain access (though providers rarely publicize these events).
- Misconfiguration Leaks
- Several documented cases exist where MPLS VPN misconfiguration (especially route-target import/export errors in BGP/MPLS VPNs) leaked routes, and with them traffic, between customers.
- Example: Researchers in 2017 presented findings at Black Hat showing how misconfigured MPLS L3VPNs allowed “VPN hopping” between customers.
- State-Level Interception
- Snowden disclosures (2013) suggested that intelligence agencies were able to tap MPLS provider backbones to intercept customer MPLS VPN traffic.
- Because MPLS VPN traffic is not encrypted, once the core is compromised every flow that is not encrypted at a higher layer is visible.
- Carrier Outages and Hijacks
- BGP route leaks and hijacks have caused outages on the public Internet (e.g., the Pakistan Telecom/YouTube incident of 2008), though that incident was not MPLS-specific.
- MPLS itself was not "breached" in such cases, but the same control plane (MP-BGP) carries the VPNv4 routes that keep customers apart, so BGP control-plane weaknesses or a misconfigured PE can expose VPN customers as well.
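The misconfiguration and control-plane items above come down to route targets: a VRF that imports an RT another customer exports will receive that customer's routes. As an added example (not the post's own code and not a vendor tool), here is a small audit that parses an IOS-style VRF configuration and flags cross-VRF imports, with an allow-list for VRFs that are meant to be shared (extranet or shared-services). The configuration, VRF names and RT values are constructed for the example, and the checker only understands the `vrf definition` / `ip vrf` and `route-target` lines shown.

```python
import re
from collections import defaultdict

# Constructed IOS-style snippet (made up): CUST_B mistakenly imports CUST_A's export RT,
# while CUST_C's import of SHARED_SVC is an intentional shared-services design.
SAMPLE_CONFIG = """\
vrf definition CUST_A
 rd 65000:100
 address-family ipv4
  route-target export 65000:100
  route-target import 65000:100
 exit-address-family
!
vrf definition CUST_B
 rd 65000:200
 address-family ipv4
  route-target export 65000:200
  route-target import 65000:200
  route-target import 65000:100
 exit-address-family
!
vrf definition SHARED_SVC
 rd 65000:900
 address-family ipv4
  route-target both 65000:900
 exit-address-family
!
vrf definition CUST_C
 rd 65000:300
 address-family ipv4
  route-target both 65000:300
  route-target import 65000:900
 exit-address-family
!
"""

VRF_LINE = re.compile(r"^(?:vrf definition|ip vrf)\s+(\S+)")        # top level only, so
RT_LINE = re.compile(r"^\s*route-target\s+(import|export|both)\s+(\S+)")  # 'ip vrf forwarding' on
                                                                       # interfaces is ignored

def parse_vrfs(config: str) -> dict:
    """Return {vrf_name: {"import": set(rt), "export": set(rt)}} from an IOS-style config."""
    vrfs, current = {}, None
    for line in config.splitlines():
        if line.strip() == "!":            # section separator ends the current VRF block
            current = None
            continue
        m = VRF_LINE.match(line)
        if m:
            current = m.group(1)
            vrfs.setdefault(current, {"import": set(), "export": set()})
            continue
        m = RT_LINE.match(line)
        if m and current is not None:
            kind, rt = m.groups()
            if kind in ("import", "both"):
                vrfs[current]["import"].add(rt)
            if kind in ("export", "both"):
                vrfs[current]["export"].add(rt)
    return vrfs


def find_cross_vrf_imports(vrfs: dict, shared=frozenset()) -> list:
    """List (importing_vrf, rt, exporting_vrf) where a VRF imports an RT that a
    different, non-shared VRF exports: the classic route leak between customers."""
    exporters = defaultdict(set)
    for name, rts in vrfs.items():
        for rt in rts["export"]:
            exporters[rt].add(name)
    findings = []
    for name, rts in vrfs.items():
        for rt in sorted(rts["import"]):
            for other in sorted(exporters.get(rt, ())):
                if other != name and other not in shared:
                    findings.append((name, rt, other))
    return findings


if __name__ == "__main__":
    vrfs = parse_vrfs(SAMPLE_CONFIG)
    for importer, rt, exporter in find_cross_vrf_imports(vrfs, shared={"SHARED_SVC"}):
        print(f"LEAK: {importer} imports {rt}, which is exported by {exporter}")
```

This only sees one PE's configuration. The same leak can be introduced by an RT typed into a VRF on any other PE in the backbone, so the check has to run over every PE's config and be compared against the intended RT plan, and legitimate extranets must be declared explicitly rather than inferred.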
MPLS is probably the fastest and most widely deployed L2/L3 core networking technology that is secure without being encrypted, because of its inherent traffic isolation and operational maturity.
That said, in today's threat landscape, "secure without encryption" is no longer considered enough. That is why enterprises overlay MPLS with IPsec or MACsec at the network and link layers, and rely on TLS, HTTPS and QUIC at the application layer, whenever end-to-end confidentiality is required.
What are your thoughts?
