My teacher explained today that a full mesh VPN topology comes with an additional cost per connection. I then asked him, “Why? Aren’t VPNs used as an alternative to buying multiple leased lines?” He then told me that you’d still want to use a VPN across the leased line.
Thinking about it, I understand that this would add extra security, but how often is it really done? Is there any downside to this?
Back in 2013, it was learned that the government was tapping into leased lines between Google server farms. After that Google decided to encrypt all traffic across leased lines. https://www.theverge.com/2013/10/30/5046958/nsa-secretly-taps-into-google-yahoo-networks-to-collect-information
Depends on the company and the need. Keep in mind that those leased lines through the carrier’s network are “private” insofar as the traffic won’t go to other clients of the carrier. The carrier is likely using some sort of tunneling/overlay/VRF/MPLS (not necessarily encrypted) service over their own network, and possibly another carrier’s network that they have an agreement with (it’s not uncommon to have a local carrier deliver the last mile to a site if the carrier you are contracted with does not have a presence there). So while your data will likely never be seen by another customer, you’re still running over someone else’s lines and equipment (the carrier’s).
If your business requires that data be encrypted for policy or compliance reasons, then you might still want/need to encrypt the traffic even across those leased lines. Keep in mind also that many applications may already be encrypting the data host to host. However, adding site-to-site encryption can also mask who is talking to whom, not just the payload.
Reasons you may not want to do it are the added costs of doing so. On modern equipment, running IPsec or IPsec over GRE is probably not a big deal, but it could depend on the equipment you’re using. Also consider the added management that may be involved. If you have many sites on an MPLS network, you will either need to build all those tunnels between each site or use a VPN technology like DMVPN if you want a full mesh. If going the former, you can start running into the exponential scaling issue, where as you add more sites, you now have that many more tunnels you need to build on every other site. If going the latter, you need equipment that can run such a VPN protocol, which may be more expensive.
You also have MTU to consider. For instance, a GRE tunnel is going to have to have a lower MTU than the path it’s running over (because you’re encapsulating the full packet within another packet). So if you have MTU requirements, this may impact that. This can really depend on the carrier. Standard MTU is 1500, but you can purchase leased lines with a higher MTU. This is certainly something you may have to consider as well.
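The MTU point in the comment above is easier to reason about with the encapsulation overhead written out. The following is an added example, not code from the thread or from any vendor: a small Python calculator that, for a given path MTU and overlay (plain GRE, ESP tunnel or transport mode, GRE inside ESP, optional NAT-T), returns the largest inner IPv4 packet that still fits without fragmentation and the TCP MSS you would clamp to. It assumes IPv4 headers without options, a GRE header without the optional key/sequence fields unless enabled, and three assumed ESP profiles (AES-CBC with HMAC-SHA1-96, AES-CBC with HMAC-SHA256-128, AES-GCM with a 16-byte ICV) whose IV, padding alignment and ICV sizes are taken from the respective RFCs; other ciphers would need their own row.

```python
"""Tunnel MTU / TCP MSS calculator for IPsec (ESP) and GRE overlays.

Added example (not from the original thread). Assumes IPv4 headers without
options; ESP profile parameters are assumptions for the three named suites.
"""
from dataclasses import dataclass
from math import ceil
from typing import Optional

IPV4_HDR = 20
TCP_HDR = 20
UDP_HDR = 8          # NAT-T UDP encapsulation (RFC 3948)
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)

# cipher name -> (IV length, padding alignment, ICV length), all in bytes.
# AES-CBC: 16-byte IV, 16-byte block alignment (RFC 3602); HMAC-SHA1-96 ICV 12
# (RFC 2404), HMAC-SHA256-128 ICV 16 (RFC 4868). AES-GCM: 8-byte IV, 4-byte
# alignment, 16-byte ICV (RFC 4106).
ESP_PROFILES = {
    "aes-cbc-sha1": (16, 16, 12),
    "aes-cbc-sha256": (16, 16, 16),
    "aes-gcm": (8, 4, 16),
}


@dataclass(frozen=True)
class Overlay:
    cipher: Optional[str] = None  # None -> no IPsec at all
    mode: str = "tunnel"          # ESP "tunnel" or "transport"
    gre: bool = False             # GRE encapsulation of the inner packet
    gre_key: bool = False         # GRE key field present (+4 bytes)
    gre_seq: bool = False         # GRE sequence field present (+4 bytes)
    nat_t: bool = False           # ESP-in-UDP

    def gre_header(self) -> int:
        if not self.gre:
            return 0
        return 4 + (4 if self.gre_key else 0) + (4 if self.gre_seq else 0)


def encapsulated_size(inner_len: int, ov: Overlay) -> int:
    """Bytes on the wire for an inner IPv4 packet of inner_len bytes."""
    size = inner_len
    if ov.gre:
        size += IPV4_HDR + ov.gre_header()  # GRE delivery header + GRE header
    if ov.cipher is None:
        return size
    iv, align, icv = ESP_PROFILES[ov.cipher]
    if ov.mode == "tunnel":
        protected = size                   # whole packet goes inside ESP
    elif ov.mode == "transport":
        protected = size - IPV4_HDR        # existing IP header is reused
    else:
        raise ValueError(f"unknown ESP mode {ov.mode!r}")
    # Payload + trailer is padded up to the cipher's alignment.
    padded = ceil((protected + ESP_TRAILER) / align) * align
    return IPV4_HDR + (UDP_HDR if ov.nat_t else 0) + ESP_HDR + iv + padded + icv


def max_inner_packet(path_mtu: int, ov: Overlay) -> int:
    """Largest inner IPv4 packet that fits path_mtu without fragmentation."""
    if ov.cipher is None:
        return path_mtu - (IPV4_HDR + ov.gre_header() if ov.gre else 0)
    if ov.mode not in ("tunnel", "transport"):
        raise ValueError(f"unknown ESP mode {ov.mode!r}")
    iv, align, icv = ESP_PROFILES[ov.cipher]
    fixed = IPV4_HDR + (UDP_HDR if ov.nat_t else 0) + ESP_HDR + iv + icv
    padded_max = ((path_mtu - fixed) // align) * align   # round down to alignment
    protected_max = padded_max - ESP_TRAILER
    # Subtract whatever sits between the inner packet and the ESP payload start.
    pre = (IPV4_HDR + ov.gre_header()) if ov.gre else 0
    if ov.mode == "transport":
        pre -= IPV4_HDR            # transport mode does not add a second IP header
    return protected_max - pre


def tcp_mss(path_mtu: int, ov: Overlay) -> int:
    """MSS to clamp so a full TCP segment never exceeds the tunnel MTU."""
    return max_inner_packet(path_mtu, ov) - IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    cases = {
        "plain GRE": Overlay(gre=True),
        "ESP tunnel, AES-GCM": Overlay(cipher="aes-gcm"),
        "ESP tunnel, AES-GCM, NAT-T": Overlay(cipher="aes-gcm", nat_t=True),
        "GRE over ESP transport, AES-CBC/SHA1": Overlay(
            cipher="aes-cbc-sha1", mode="transport", gre=True),
        "GRE over ESP tunnel, AES-CBC/SHA256": Overlay(
            cipher="aes-cbc-sha256", mode="tunnel", gre=True),
    }
    for mtu in (1500, 9000):
        for name, ov in cases.items():
            print(f"{mtu:5d}  {name:40s} tunnel MTU {max_inner_packet(mtu, ov):5d}"
                  f"  MSS {tcp_mss(mtu, ov):5d}")
```

The rounding is the part people get wrong by hand: with a block cipher the ESP payload plus trailer is padded to the block size, so the usable inner size is not simply "MTU minus headers", and the GRE-over-IPsec transport-mode figure (1434 at a 1500-byte path MTU with AES-CBC/SHA1) is why a 1400-byte tunnel MTU and 1360-byte MSS clamp are the conservative numbers usually quoted.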
In my experience it’s pretty rare unless he is referring to SD-WAN which typically runs VPNs over the top of the various underlay connections.
Contrary to what the other two commenters said, I’ve only ever used private MPLS and also dark fiber with encryption. IPsec tunnels over private MPLS and MACsec over fiber. This is for unclassified data.
Edit: Downsides - crypto throughput is expensive, and also MTU and MSS fuckery.
It does depend on your organization, as your data on the leased lines is clear text; since it goes over a 3rd-party vendor’s equipment, they can compromise the data that is flowing through their network. So the organizations that will do this will have either proprietary information or other sensitive information, such as financials or personal information, that might need to be transferred in an encrypted form.
Though the only area that I know of where this is commonplace is within certain areas of the government, such as the military, law enforcement, foreign embassies and such, and this is mainly because they often transmit information that is highly sensitive, either to national security or to an individual’s security.
The downside is mentioned below but want to reiterate - cost of equipment, cost of additional bandwidth and cost of managing (which is payroll costs).
As a service provider, I cringed any time a customer would mention they were going to use VPN across their new MPLS network we were installing. All I could do was cross my fingers the network admins knew what they were doing. Usually they did not.
Worst were small banks back in the T1 days. They’d scream the network was slow during business hours. Well with a single T1 at a branch, yes you are maxing out the bandwidth. Turn off the encryption to see if that overhead going away helps any. It would but they’d scream they can’t keep it that way and pass audits. Meanwhile, they were running Win98 on their ATMs. SMH.
That’s less of an issue with fiber bandwidth more of a commodity now. (Well not the Win98 part.)
Now, like everything else in networking, SD-WAN is changing this too. MPLS is declining in usage due to SD-WAN being more cost effective and having inherent resiliency. SD-WAN uses VPN connections to a hub site or a mesh design, typically over public internet connections. Encrypting data that will subsequently be encrypted again creates occasional issues.
And as someone pointed out, standard MTU size is 1500 bytes. But every service provider I have worked for or with can go with exceptions. Just plan and communicate that ahead of time so it can be approved and provisioned prior to turning up service.
Most places I’ve worked with never use VPNs across a private leased line. Data could be intercepted with the right tools, but in reality, unless you’re transferring top secret military documents, I don’t see Russian spies trying to tap into a leased fiber line. VPNs are used if a leased line is too expensive or not available.
If you don’t own and control 100% of the path and equipment, encrypt it. In some cases, encrypt it even if you do.
There are a lot of decent answers, which all boil down to “can you guarantee the security of the entire run and/or any nodes it passes through?”
If the answer is no, then encrypt.
Even if it’s a literal point-to-point connection, technically unless you can walk eyes-on the entire run to ensure there are no 3rd party taps then you can’t guarantee it’s not being snooped.
No-one really uses ‘leased lines’ as a WAN technology any more. People either use MPLS or IPsec VPNs over the Internet. It’s increasingly common to encrypt using IPsec over MPLS too, so the provider can’t see your data.
In either case there’s no real cost (besides configuration complexity) to implement a full mesh at low scale, but if you have a large WAN with (say) 1,000 sites, then the branch site routers are unlikely to be able to handle a full mesh because of the number of tunnels. This is where technologies such as DMVPN and AD-VPN come in, to build a partial mesh on the fly as sites communicate with one another.
Government: “Why buy the cow when you can get the milk for free”
Google: “Encrypt the traffic so we can SELL the information”