Shaarli - Les discussions de Shaarli


Original site: Shaarli - Les discussions de Shaarli


Bending the MPLS Security Model - part 4 (Layer 3 interception, injection and MitM)

Wednesday 1 July 2015 at 21:14

Layer 3 MPLS VPNs are exceptionally flexible. Various weird and wonderful topologies can be created by the masterful tweaking of route targets, while the use of BGP to carry routing information means that absolutely bespoke policies can be applied. BGP is also far more scalable than any other protocol and has the brilliant notion of route reflectors, meaning that adding another node into even a very large network requires configuration in just a few locations.

Unfortunately, flexibility and complexity are the enemies of security, and that is certainly true here. Any moderately sized MPLS network will use BGP route reflectors, and every peer needs to be defined in the route reflector's configuration, so not just anyone can connect to them. Unfortunately, once you have a peering (i.e. if you hijack an existing PE anywhere in the network), you really do have the keys to the city.
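
One defensive consequence of the paragraph above, as an added example that is not from the original article: because a route reflector accepts whatever a configured PE sends, it helps to audit the VPNv4 routes it has learned against the route targets each PE is provisioned to export. The record layout, the allowlist and every address and route-target value below are constructed assumptions.

```python
# Added example: audit VPNv4 routes seen at a route reflector against a
# per-PE route-target allowlist. All names, addresses and RT values are
# constructed for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Vpnv4Route:
    peer: str                 # PE loopback the RR learned the route from
    rd: str                   # route distinguisher
    prefix: str
    route_targets: frozenset  # extended communities attached to the route

# Assumed policy: route targets each provisioned PE is allowed to export.
ALLOWED_EXPORT = {
    "10.0.0.1": {"65000:100", "65000:200"},
    "10.0.0.2": {"65000:100"},
    "10.0.0.3": {"65000:300"},
}

def audit(routes, allowed=ALLOWED_EXPORT):
    """Return (route, reason) pairs for routes that violate the policy."""
    findings = []
    for r in routes:
        policy = allowed.get(r.peer)
        if policy is None:
            findings.append((r, "peer is not a provisioned PE"))
            continue
        extra = sorted(r.route_targets - policy)
        if extra:
            findings.append((r, "unexpected route target(s): " + ", ".join(extra)))
        elif not r.route_targets:
            findings.append((r, "no route target attached"))
    return findings

# Constructed sample of routes held by a route reflector.
SAMPLE = [
    Vpnv4Route("10.0.0.1", "65000:1", "192.168.10.0/24", frozenset({"65000:100"})),
    Vpnv4Route("10.0.0.2", "65000:2", "192.168.20.0/24", frozenset({"65000:100"})),
    # Route carries an RT outside the policy for PE 10.0.0.2.
    Vpnv4Route("10.0.0.2", "65000:2", "172.16.0.0/16", frozenset({"65000:300"})),
    # Peer that is not in the provisioning data at all.
    Vpnv4Route("10.0.0.9", "65000:9", "192.168.30.0/24", frozenset({"65000:100"})),
]

if __name__ == "__main__":
    for route, reason in audit(SAMPLE):
        print(f"{route.peer} {route.rd}:{route.prefix} -> {reason}")
```
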