IETF Logo Mail Archive

Re: [mpls] Poll to see if we have consensus to adopt draft-farrelll-mpls-opportunistic-encrypt as an MPLS wg document

Eric C Rosen <erosen@juniper.net> Mon, 29 June 2015 19:05 UTC

Return-Path: <erosen@juniper.net>
X-Original-To: mpls@ietfa.amsl.com
Delivered-To: mpls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 98B931A00E0 for <mpls@ietfa.amsl.com>; Mon, 29 Jun 2015 12:05:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j7jDiZvu0X3x for <mpls@ietfa.amsl.com>; Mon, 29 Jun 2015 12:05:48 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1on0789.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::789]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D49CB1A00DD for <mpls@ietf.org>; Mon, 29 Jun 2015 12:05:47 -0700 (PDT)
Authentication-Results: tools.ietf.org; dkim=none (message not signed) header.d=none;
Received: from [172.29.33.80] (66.129.241.14) by BY1PR0501MB1096.namprd05.prod.outlook.com (10.160.103.142) with Microsoft SMTP Server (TLS) id 15.1.201.16; Mon, 29 Jun 2015 19:05:27 +0000
Message-ID: <559196F1.90006@juniper.net>
Date: Mon, 29 Jun 2015 15:05:21 -0400
From: Eric C Rosen <erosen@juniper.net>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Loa Andersson <loa@pi.nu>, "mpls@ietf.org" <mpls@ietf.org>, "draft-farrelll-mpls-opportunistic-encrypt@tools.ietf.org" <draft-farrelll-mpls-opportunistic-encrypt@tools.ietf.org>
References: <55828B69.3070603@pi.nu> <55880C91.507@juniper.net> <559129C8.7000407@cs.tcd.ie>
In-Reply-To: <559129C8.7000407@cs.tcd.ie>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Originating-IP: [66.129.241.14]
X-ClientProxiedBy: BN3PR0401CA0023.namprd04.prod.outlook.com (25.162.159.161) To BY1PR0501MB1096.namprd05.prod.outlook.com (25.160.103.142)
X-Microsoft-Exchange-Diagnostics: 1; BY1PR0501MB1096; 2:0+ijMVeXS+C6H4d3ZTssZBkXPQ664YsLx3ZKHqgf9DpH/8t+AfzH/xTg6Emwjt1G; 3:2MRbB2GIZtuOqzZ4BU7JS+TzbhJwvNmSvAnBVCTErxK4cuNpNSnvGKBAdoULDWw6hjBhctItsnWcnuWxpCasLierqTAgNRgJpyWOvixA7529X1w6tVve/933EpwbVZKeUTBWI3zChuSbKCJ6pAXNgw==; 25:8NHXJBdsWWWcewjUknZWzppnuTeYoa7CNPIrOQ/XdB5GxovioVHrDvG4ZrAfjVQ/4HV1K6jHM881mMzyotHpru4MSAJQqWtL4TD8Bl/M0L2ar0aX/CcvkKVc7OycQ+gh3grWATeI8pvJOngVYQGybgxnOHZDKhZLwHoBlqlLLpCb2QXYB3UbrJ/sjng08LaD8242JDX0gAtuzvHH2AyO6XLxY7bkWJrdLrIFQCYnXTmhIl3xHJnfFb0weVhxkfALTzYt34x4AchgwPCLuiXA1g==
X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY1PR0501MB1096;
X-Microsoft-Exchange-Diagnostics: 1; BY1PR0501MB1096; 20:Wq6t0BI4neNqdme+KgUH8AOve5Alq9f8AO90DyqwTsOno18CFDDCr4q9ZvY1rDK0DRR9u8+a4HoIHZCk2KX7stIcxYOpi1GbUGbu0+3Fd/3jQoC7OyedlZj4WG2chSb2VD8r3DtPAtx2pHBO7mhLnL7bz0CJ4hBP49z+TrBjfKCoj8udHh6n0gW5epzQ9vprY6DkRg0T+UNRa/wlFkkAGlbOz2DMkQmmxiBIxkwHjc/IN1BMBLPRZ1SJ5Zp2aooUnprdJr2+HM4CRyoOdNIkqr0eid6KxfQkc6V+IxW8F3XmnvdaRw+4onqF25Kt4UpMFHnaf0rJlLQHcIIiAMr9nZB0+79DMGX93gp2Y5EKjFvOkyJFEZ46VdUBC7k8dFpaqVItU7YuxhRhlQOSzXfvERw+bkXj0/PKuMTROnCE0N3bUQgOzM+1/Ykor3j4w+7tBuzXvbaM/mDg9qMAa+tJPEm4s0o5JekYkbs5vHt+TPKPOp62cod7SVQN1xW10Ef1; 4:Fxu3wffRu1tP46KwFGWpUj4U1v6p0L5EAE+OlqPlLaCpHtgkJ7hRs5xjzKiZ7SZfj+uGnMMMXiepx/xnkD9rajZ1w05kFLYSuoyKeF+0NbJNwTdtWV1pqWj33vJ0u7ZnJwkHc2maQfayHZ+/Zaaz72fo/Xle0LENM1++mnmUcfT0J0pjHfudEcKA1xraDF1HUqU1bVGBjBtZ1sFuWcrWtZw9/lK6rAQAFs3bWh7aA6dqs/WwcAnYxoM/vU5GYc7H46on4ZITiI5LilQ1qq+qm38hE+3arH2kWqHZwK4tJVc=
X-Microsoft-Antispam-PRVS: <BY1PR0501MB109649C941FABD656FE51635D4AA0@BY1PR0501MB1096.namprd05.prod.outlook.com>
X-Exchange-Antispam-Report-Test: UriScan:;
X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(601004)(5005006)(3002001); SRVR:BY1PR0501MB1096; BCL:0; PCL:0; RULEID:; SRVR:BY1PR0501MB1096;
X-Forefront-PRVS: 0622A98CD5
X-Forefront-Antispam-Report: SFV:NSPM; SFS:(10019020)(6049001)(6009001)(24454002)(51444003)(377454003)(479174004)(5001770100001)(189998001)(47776003)(66066001)(5001920100001)(65956001)(92566002)(4001350100001)(42186005)(36756003)(2201001)(86362001)(87976001)(76176999)(2950100001)(54356999)(64126003)(50986999)(65816999)(83506001)(50466002)(40100003)(23676002)(46102003)(62966003)(33656002)(77096005)(77156002)(2501003)(5001960100002)(122386002)(230783001); DIR:OUT; SFP:1102; SCL:1; SRVR:BY1PR0501MB1096; H:[172.29.33.80]; FPR:; SPF:None; MLV:sfv; LANG:en;
X-Microsoft-Exchange-Diagnostics: 1;BY1PR0501MB1096;23:xa62ZxJEWvxZLUH1HMb8m7q1heTzsxgVlwUpYD28pZy/oFyW/thpeZsEYhl5HxWPSImu+MO0I3meGe4UwlslZt+yVQVNKGT9GvXZsi6yTbyyLRwWi37vSOsrHHzN6Cg3/MV3z8j3mctLIKIkyR7PLmAG5Wnhsr+87fgqD9K7ZbADLC500hrmXP1bogIHbKnGlL7RibIEP8AzKE+U+scOYS7CTts54FUaSeLwwFYg4PhPHivbASImOZNBdK8jY1WSQPw1IGHH4f29iNYUJpsBgy2WZf3gQMM790u/yPvkj1RBOI4slXvsCSXfcNXH1KT4BmHWnI/IEy/b+/4H0SJgyEwowWo/8IcbntaRQfyqxVPREV/zOcOlQgrMgLiO2cZm+0Vw9jnnHbdOvUWL1Hpfa8UTUW56rp0BcXvlYXiAYGWRLfT3lwSRUd8Jqao7PhjGrwjzqUtXbX8rvoEP+13IqqW4K3i86pN9dzwMDFO/N8qqUiqWZ/w6AUw91ASw3Rb5rlK8Y5PqoPFh0pbRUWSVBQNIgJQEVOYVnwJcQ2SvLJG8K/zfsR9e1PDFLzGAsvcBp9VOTJvftHupIjng82kDuE+AM7pXFo/Etpjwg7bTnqUBRfFHnQYA69qNG/DZpqlV4g/jH6ovFBycb2CKtvWWfCQJlPuwcBXJqhAjdKxQXIJZYHTDJ41Vo+RuRKSNiuaqGJejKAxmo8MQWeL2r3vpEG7dgyO6tlGg6O0nf9N0mVnab14zK9GpQC+69+bUcbtafTlIYyfNVQboXcBIlOpB9XSIShXWbOxWXDDvgwQ6QUGQ9TcpW3EhogbDXAOoklsbiZo2qZdiHPyl/u1imR2xxvTzkQzmmMSTHKsY8M3RJt+BubxCq0pftOjZ484jraEAcMsvZmun11cRlrc0OfjPzPY+UzKySUTCu/zA13Jzwz+Wv1o2gM4pNI1rpkGs5ApUiNRjiTxkcpoVCB2C4beuIAiEa+DK2VIuTFmERAOZvaKmB0rr7x8jyti0oMW5VlJ8
X-Microsoft-Exchange-Diagnostics: 1; BY1PR0501MB1096; 5:8m0aBfD/lDs6WThMdh/xrFfQOYbXYGwtRGVjKhmKW+tTE4MfAqYqmwu9LCfjLP7QO5vwV+L9RcA5Q9QnWyxgg1zlezxuK/DKueDfHbLJ8ZgDFOJa7/Z3H9OR9hJhTeI7ZDzYUzkNmtKDbTnSlz2/vA==; 24:rLbawBW383+WUiHqhDzGqrX0lczv5cA/nKRxt8LT8el1rBYm/gIK7nIW1Wxg05FF0eJRKm0LyMoKuhsLgedrTFXH5LhFFH3dq26qWVii7ZU=; 20:ekW++jT5PloVhDPx4DRco6LsRHJ4KgBUPMiMNwL/UHJsm+h3oeZtlNJyhZezbTq8/GeCyheng0UTHx33j5z6mg==
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 29 Jun 2015 19:05:27.1118 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY1PR0501MB1096
Archived-At: <http://mailarchive.ietf.org/arch/msg/mpls/F_h6UYWrm9qC2XenoDJ5o3eOui0>
Cc: "mpls-chairs@tools.ietf.org" <mpls-chairs@tools.ietf.org>
Subject: Re: [mpls] Poll to see if we have consensus to adopt draft-farrelll-mpls-opportunistic-encrypt as an MPLS wg document
X-BeenThere: mpls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Multi-Protocol Label Switching WG <mpls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mpls>, <mailto:mpls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mpls/>
List-Post: <mailto:mpls@ietf.org>
List-Help: <mailto:mpls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mpls>, <mailto:mpls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Jun 2015 19:05:50 -0000

On 6/29/2015 7:19 AM, Stephen Farrell wrote:
> What we're doing here I think is documenting a security
> mechanism for this layer for use in cases when this layer turns out
> to be what someone wants to use.

That sounds like a solution in search of a problem.

My point is that between the applicability restrictions (no MP2P) and 
the excessive granularity (security state per label), it's hard to see 
that this is a reasonable approach.  Even if you brought it to PALS and 
renamed it to be "pseudowire security", the need to have security state 
per pseudowire seems like a problem.

>> The draft would really benefit from having some worked out examples of
>> how MPLS security would work in various VPN deployment scenarios,

> Again, I think that the above would be done building on top of this
> scheme, but not as part of this scheme. But I admit that I don't myself
> understand those deployment scenarios enough to be certain of that.

First design the hammer, then figure out later whether we need to pound 
any nails?

I'd have thought that before the WG adopts the draft, there should be 
some clue as to how the proposed MPLS security mechanism would be 
applied to most of the uses of MPLS.  When asked about how it might work 
in various common deployment scenarios, I don't think it's appropriate 
to say "first we need to design the mechanisms, later on we'll figure 
out how to use them to actually solve problems".

> Why would layer 2 [security] be simpler? If you mean because it already exists
> and can be used that's fine, but I'd be interested if there were some
> way in which MACsec were substantively simpler.

No impact to MPLS, fixed and unchanging granularity (per-link rather 
than per-LSP), reduced state (no constantly changing nonce per label, no 
key per label) simplified data flow (security processing cleanly 
separated from network layer processing), not to mention simplified key 
distribution.  I'm having trouble seeing what hop-by-hop MPLS security 
adds except more complexity.

v2.23.0 | Report a Bug | By Email