Re: [Anima] MACsec as an alternative to L3-tunnels
Toerless Eckert <tte@cs.fau.de> Mon, 29 July 2019 22:09 UTC
Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0E2F3120090 for <anima@ietfa.amsl.com>; Mon, 29 Jul 2019 15:09:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.951
X-Spam-Level:
X-Spam-Status: No, score=-3.951 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5_2k5LRjO9Zd for <anima@ietfa.amsl.com>; Mon, 29 Jul 2019 15:09:27 -0700 (PDT)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:40]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D169112004E for <anima@ietf.org>; Mon, 29 Jul 2019 15:09:26 -0700 (PDT)
Received: from faui48f.informatik.uni-erlangen.de (faui48f.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:52]) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTP id D88EA548002; Tue, 30 Jul 2019 00:09:21 +0200 (CEST)
Received: by faui48f.informatik.uni-erlangen.de (Postfix, from userid 10463) id BDB4F440041; Tue, 30 Jul 2019 00:09:21 +0200 (CEST)
Date: Tue, 30 Jul 2019 00:09:21 +0200
From: Toerless Eckert <tte@cs.fau.de>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: anima@ietf.org
Message-ID: <20190729220921.j4y5oqtoj4hkfekg@faui48f.informatik.uni-erlangen.de>
References: <DM6PR11MB3385255D58A133B186AA547EDBC60@DM6PR11MB3385.namprd11.prod.outlook.com> <20190724214603.llrersvrcgb4hy7p@faui48f.informatik.uni-erlangen.de> <20190724220015.sfzqxcozq4khc6ut@faui48f.informatik.uni-erlangen.de> <6709.1564009422@dooku.sandelman.ca> <20190725143632.5fktdhifgmtyx2gk@faui48f.informatik.uni-erlangen.de> <27695.1564184021@dooku.sandelman.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <27695.1564184021@dooku.sandelman.ca>
User-Agent: NeoMutt/20170113 (1.7.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/uzpfLP_RhqzPdiqJ4qpjUpDSfdA>
Subject: Re: [Anima] MACsec as an alternative to L3-tunnels
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Jul 2019 22:09:28 -0000
On Fri, Jul 26, 2019 at 07:33:41PM -0400, Michael Richardson wrote: > > Toerless Eckert <tte@cs.fau.de> wrote: > > First of all, there is obviously an ability to filter out packets > > NOT to encrypt. Otherwise you would have a lot of problems negotiating > > the encryption keys. To the best of knowledge, what MUST be supported > > in ethernet chips is such filtering based on ethertype because thats > > whats being used also in 802.1x, the basic security architecture. See > > ACP draft section A.10.2 > > Yes, but the key management packets can be packets that are "special" > at the MACsec level. My point was that the "special at MACsec level" propoerty that can expected to be supported by MACsec capacle MIC chips is ethertype and hopefully VLAN tag. But i don't think nothing else. > > Secondly, i was told (and this is where i have not tried to validate), > > that MacSec should equally be able to utilize multiple keypairs, > > probably mapped by VLAN or ethertype. But the question of course is > > whether you want/can expect that MACsec MIC chips have that feature. > > The people in the line behind me did not agree. Hmm... Don't remember if anyone else stated that there can be one one keypair. As i said in the other mail, both a single and a douple keypair solution are possible to build, i just think it would be nicer if ACP can be separately encrypted from data-plane, but as long as ACP is responsible to manage the encryption key, it can equally encrypt both ACP and data-plane. Its just that right now, ACP is not optimized for fast reconvergence, so a data-plane could converge faster and then it might still need to wait for ACP. But thats solely a matter of routing protocol and aliveness parameters of ACP/data-plane. Cheers toerless
- [Anima] FWD: ACME for devices side meeting Toerless Eckert
- [Anima] BRSKI<->ACME use case (was: Re: FWD: ACME… Toerless Eckert
- [Anima] MACsec as an alternative to L3-tunnels Michael Richardson
- Re: [Anima] MACsec as an alternative to L3-tunnels Toerless Eckert
- Re: [Anima] MACsec as an alternative to L3-tunnels Michael Richardson
- Re: [Anima] MACsec as an alternative to L3-tunnels Toerless Eckert
- Re: [Anima] MACsec as an alternative to L3-tunnels Michael Richardson
- Re: [Anima] MACsec as an alternative to L3-tunnels Toerless Eckert
- Re: [Anima] MACsec as an alternative to L3-tunnels Brian E Carpenter