Re: [mpls] Poll to see if we have consensus to adopt draft-farrelll-mpls-opportunistic-encrypt as an MPLS wg document
Eric C Rosen <erosen@juniper.net> Mon, 29 June 2015 19:05 UTC
Return-Path: <erosen@juniper.net>
X-Original-To: mpls@ietfa.amsl.com
Delivered-To: mpls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 98B931A00E0 for <mpls@ietfa.amsl.com>; Mon, 29 Jun 2015 12:05:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j7jDiZvu0X3x for <mpls@ietfa.amsl.com>; Mon, 29 Jun 2015 12:05:48 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1on0789.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::789]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D49CB1A00DD for <mpls@ietf.org>; Mon, 29 Jun 2015 12:05:47 -0700 (PDT)
Authentication-Results: tools.ietf.org; dkim=none (message not signed) header.d=none;
Received: from [172.29.33.80] (66.129.241.14) by BY1PR0501MB1096.namprd05.prod.outlook.com (10.160.103.142) with Microsoft SMTP Server (TLS) id 15.1.201.16; Mon, 29 Jun 2015 19:05:27 +0000
Message-ID: <559196F1.90006@juniper.net>
Date: Mon, 29 Jun 2015 15:05:21 -0400
From: Eric C Rosen <erosen@juniper.net>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Loa Andersson <loa@pi.nu>, "mpls@ietf.org" <mpls@ietf.org>, "draft-farrelll-mpls-opportunistic-encrypt@tools.ietf.org" <draft-farrelll-mpls-opportunistic-encrypt@tools.ietf.org>
References: <55828B69.3070603@pi.nu> <55880C91.507@juniper.net> <559129C8.7000407@cs.tcd.ie>
In-Reply-To: <559129C8.7000407@cs.tcd.ie>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Originating-IP: [66.129.241.14]
X-ClientProxiedBy: BN3PR0401CA0023.namprd04.prod.outlook.com (25.162.159.161) To BY1PR0501MB1096.namprd05.prod.outlook.com (25.160.103.142)
X-Microsoft-Exchange-Diagnostics: 1; BY1PR0501MB1096; 2:0+ijMVeXS+C6H4d3ZTssZBkXPQ664YsLx3ZKHqgf9DpH/8t+AfzH/xTg6Emwjt1G; 3:2MRbB2GIZtuOqzZ4BU7JS+TzbhJwvNmSvAnBVCTErxK4cuNpNSnvGKBAdoULDWw6hjBhctItsnWcnuWxpCasLierqTAgNRgJpyWOvixA7529X1w6tVve/933EpwbVZKeUTBWI3zChuSbKCJ6pAXNgw==; 25:8NHXJBdsWWWcewjUknZWzppnuTeYoa7CNPIrOQ/XdB5GxovioVHrDvG4ZrAfjVQ/4HV1K6jHM881mMzyotHpru4MSAJQqWtL4TD8Bl/M0L2ar0aX/CcvkKVc7OycQ+gh3grWATeI8pvJOngVYQGybgxnOHZDKhZLwHoBlqlLLpCb2QXYB3UbrJ/sjng08LaD8242JDX0gAtuzvHH2AyO6XLxY7bkWJrdLrIFQCYnXTmhIl3xHJnfFb0weVhxkfALTzYt34x4AchgwPCLuiXA1g==
X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY1PR0501MB1096;
X-Microsoft-Exchange-Diagnostics: 1; BY1PR0501MB1096; 20:Wq6t0BI4neNqdme+KgUH8AOve5Alq9f8AO90DyqwTsOno18CFDDCr4q9ZvY1rDK0DRR9u8+a4HoIHZCk2KX7stIcxYOpi1GbUGbu0+3Fd/3jQoC7OyedlZj4WG2chSb2VD8r3DtPAtx2pHBO7mhLnL7bz0CJ4hBP49z+TrBjfKCoj8udHh6n0gW5epzQ9vprY6DkRg0T+UNRa/wlFkkAGlbOz2DMkQmmxiBIxkwHjc/IN1BMBLPRZ1SJ5Zp2aooUnprdJr2+HM4CRyoOdNIkqr0eid6KxfQkc6V+IxW8F3XmnvdaRw+4onqF25Kt4UpMFHnaf0rJlLQHcIIiAMr9nZB0+79DMGX93gp2Y5EKjFvOkyJFEZ46VdUBC7k8dFpaqVItU7YuxhRhlQOSzXfvERw+bkXj0/PKuMTROnCE0N3bUQgOzM+1/Ykor3j4w+7tBuzXvbaM/mDg9qMAa+tJPEm4s0o5JekYkbs5vHt+TPKPOp62cod7SVQN1xW10Ef1; 4:Fxu3wffRu1tP46KwFGWpUj4U1v6p0L5EAE+OlqPlLaCpHtgkJ7hRs5xjzKiZ7SZfj+uGnMMMXiepx/xnkD9rajZ1w05kFLYSuoyKeF+0NbJNwTdtWV1pqWj33vJ0u7ZnJwkHc2maQfayHZ+/Zaaz72fo/Xle0LENM1++mnmUcfT0J0pjHfudEcKA1xraDF1HUqU1bVGBjBtZ1sFuWcrWtZw9/lK6rAQAFs3bWh7aA6dqs/WwcAnYxoM/vU5GYc7H46on4ZITiI5LilQ1qq+qm38hE+3arH2kWqHZwK4tJVc=
X-Microsoft-Antispam-PRVS: <BY1PR0501MB109649C941FABD656FE51635D4AA0@BY1PR0501MB1096.namprd05.prod.outlook.com>
X-Exchange-Antispam-Report-Test: UriScan:;
X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(601004)(5005006)(3002001); SRVR:BY1PR0501MB1096; BCL:0; PCL:0; RULEID:; SRVR:BY1PR0501MB1096;
X-Forefront-PRVS: 0622A98CD5
X-Forefront-Antispam-Report: SFV:NSPM; SFS:(10019020)(6049001)(6009001)(24454002)(51444003)(377454003)(479174004)(5001770100001)(189998001)(47776003)(66066001)(5001920100001)(65956001)(92566002)(4001350100001)(42186005)(36756003)(2201001)(86362001)(87976001)(76176999)(2950100001)(54356999)(64126003)(50986999)(65816999)(83506001)(50466002)(40100003)(23676002)(46102003)(62966003)(33656002)(77096005)(77156002)(2501003)(5001960100002)(122386002)(230783001); DIR:OUT; SFP:1102; SCL:1; SRVR:BY1PR0501MB1096; H:[172.29.33.80]; FPR:; SPF:None; MLV:sfv; LANG:en;
X-Microsoft-Exchange-Diagnostics: 1;BY1PR0501MB1096;23:xa62ZxJEWvxZLUH1HMb8m7q1heTzsxgVlwUpYD28pZy/oFyW/thpeZsEYhl5HxWPSImu+MO0I3meGe4UwlslZt+yVQVNKGT9GvXZsi6yTbyyLRwWi37vSOsrHHzN6Cg3/MV3z8j3mctLIKIkyR7PLmAG5Wnhsr+87fgqD9K7ZbADLC500hrmXP1bogIHbKnGlL7RibIEP8AzKE+U+scOYS7CTts54FUaSeLwwFYg4PhPHivbASImOZNBdK8jY1WSQPw1IGHH4f29iNYUJpsBgy2WZf3gQMM790u/yPvkj1RBOI4slXvsCSXfcNXH1KT4BmHWnI/IEy/b+/4H0SJgyEwowWo/8IcbntaRQfyqxVPREV/zOcOlQgrMgLiO2cZm+0Vw9jnnHbdOvUWL1Hpfa8UTUW56rp0BcXvlYXiAYGWRLfT3lwSRUd8Jqao7PhjGrwjzqUtXbX8rvoEP+13IqqW4K3i86pN9dzwMDFO/N8qqUiqWZ/w6AUw91ASw3Rb5rlK8Y5PqoPFh0pbRUWSVBQNIgJQEVOYVnwJcQ2SvLJG8K/zfsR9e1PDFLzGAsvcBp9VOTJvftHupIjng82kDuE+AM7pXFo/Etpjwg7bTnqUBRfFHnQYA69qNG/DZpqlV4g/jH6ovFBycb2CKtvWWfCQJlPuwcBXJqhAjdKxQXIJZYHTDJ41Vo+RuRKSNiuaqGJejKAxmo8MQWeL2r3vpEG7dgyO6tlGg6O0nf9N0mVnab14zK9GpQC+69+bUcbtafTlIYyfNVQboXcBIlOpB9XSIShXWbOxWXDDvgwQ6QUGQ9TcpW3EhogbDXAOoklsbiZo2qZdiHPyl/u1imR2xxvTzkQzmmMSTHKsY8M3RJt+BubxCq0pftOjZ484jraEAcMsvZmun11cRlrc0OfjPzPY+UzKySUTCu/zA13Jzwz+Wv1o2gM4pNI1rpkGs5ApUiNRjiTxkcpoVCB2C4beuIAiEa+DK2VIuTFmERAOZvaKmB0rr7x8jyti0oMW5VlJ8
X-Microsoft-Exchange-Diagnostics: 1; BY1PR0501MB1096; 5:8m0aBfD/lDs6WThMdh/xrFfQOYbXYGwtRGVjKhmKW+tTE4MfAqYqmwu9LCfjLP7QO5vwV+L9RcA5Q9QnWyxgg1zlezxuK/DKueDfHbLJ8ZgDFOJa7/Z3H9OR9hJhTeI7ZDzYUzkNmtKDbTnSlz2/vA==; 24:rLbawBW383+WUiHqhDzGqrX0lczv5cA/nKRxt8LT8el1rBYm/gIK7nIW1Wxg05FF0eJRKm0LyMoKuhsLgedrTFXH5LhFFH3dq26qWVii7ZU=; 20:ekW++jT5PloVhDPx4DRco6LsRHJ4KgBUPMiMNwL/UHJsm+h3oeZtlNJyhZezbTq8/GeCyheng0UTHx33j5z6mg==
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 29 Jun 2015 19:05:27.1118 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY1PR0501MB1096
Archived-At: <http://mailarchive.ietf.org/arch/msg/mpls/F_h6UYWrm9qC2XenoDJ5o3eOui0>
Cc: "mpls-chairs@tools.ietf.org" <mpls-chairs@tools.ietf.org>
Subject: Re: [mpls] Poll to see if we have consensus to adopt draft-farrelll-mpls-opportunistic-encrypt as an MPLS wg document
X-BeenThere: mpls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Multi-Protocol Label Switching WG <mpls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mpls>, <mailto:mpls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mpls/>
List-Post: <mailto:mpls@ietf.org>
List-Help: <mailto:mpls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mpls>, <mailto:mpls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Jun 2015 19:05:50 -0000
On 6/29/2015 7:19 AM, Stephen Farrell wrote: > What we're doing here I think is documenting a security > mechanism for this layer for use in cases when this layer turns out > to be what someone wants to use. That sounds like a solution in search of a problem. My point is that between the applicability restrictions (no MP2P) and the excessive granularity (security state per label), it's hard to see that this is a reasonable approach. Even if you brought it to PALS and renamed it to be "pseudowire security", the need to have security state per pseudowire seems like a problem. >> The draft would really benefit from having some worked out examples of >> how MPLS security would work in various VPN deployment scenarios, > Again, I think that the above would be done building on top of this > scheme, but not as part of this scheme. But I admit that I don't myself > understand those deployment scenarios enough to be certain of that. First design the hammer, then figure out later whether we need to pound any nails? I'd have thought that before the WG adopts the draft, there should be some clue as to how the proposed MPLS security mechanism would be applied to most of the uses of MPLS. When asked about how it might work in various common deployment scenarios, I don't think it's appropriate to say "first we need to design the mechanisms, later on we'll figure out how to use them to actually solve problems". > Why would layer 2 [security] be simpler? If you mean because it already exists > and can be used that's fine, but I'd be interested if there were some > way in which MACsec were substantively simpler. No impact to MPLS, fixed and unchanging granularity (per-link rather than per-LSP), reduced state (no constantly changing nonce per label, no key per label) simplified data flow (security processing cleanly separated from network layer processing), not to mention simplified key distribution. I'm having trouble seeing what hop-by-hop MPLS security adds except more complexity.
- [mpls] Poll to see if we have consensus to adopt … Loa Andersson
- Re: [mpls] Poll to see if we have consensus to ad… Alexander Vainshtein
- Re: [mpls] Poll to see if we have consensus to ad… Adrian Farrel
- Re: [mpls] Poll to see if we have consensus to ad… Andrew G. Malis
- Re: [mpls] Poll to see if we have consensus to ad… Stephen Farrell
- Re: [mpls] Poll to see if we have consensus to ad… Gregory Mirsky
- Re: [mpls] Poll to see if we have consensus to ad… Eric C Rosen
- Re: [mpls] Poll to see if we have consensus to ad… Stephen Farrell
- Re: [mpls] Poll to see if we have consensus to ad… Eric C Rosen
- Re: [mpls] Poll to see if we have consensus to ad… Stephen Farrell
- Re: [mpls] Poll to see if we have consensus to ad… Adrian Farrel
- Re: [mpls] Poll to see if we have consensus to ad… Eric C Rosen
- Re: [mpls] Poll to see if we have consensus to ad… Stephen Farrell
- Re: [mpls] Poll to see if we have consensus to ad… Loa Andersson