Re: [mpls] Poll to see if we have consensus to adopt draft-farrelll-mpls-opportunistic-encrypt as an MPLS wg document

Eric C Rosen <erosen@juniper.net> Mon, 22 June 2015 13:24 UTC

Message-ID: <55880C91.507@juniper.net>
Date: Mon, 22 Jun 2015 09:24:33 -0400
To: Loa Andersson <loa@pi.nu>, "mpls@ietf.org" <mpls@ietf.org>, "draft-farrelll-mpls-opportunistic-encrypt@tools.ietf.org" <draft-farrelll-mpls-opportunistic-encrypt@tools.ietf.org>
References: <55828B69.3070603@pi.nu>
In-Reply-To: <55828B69.3070603@pi.nu>
Archived-At: <http://mailarchive.ietf.org/arch/msg/mpls/Npt4nrNJHSM7YSC9rXMmFafK16k>
Cc: "mpls-chairs@tools.ietf.org" <mpls-chairs@tools.ietf.org>

I don't think we can tell yet whether this draft really provides a good 
basis for future work.  As such, it seems premature for the WG to adopt 
it.  I think there are several major issues that should be confronted first.

The draft seems heavily focused on P2P LSPs.  That wouldn't be a problem 
if it were about pseudowire security.  But it's a big problem if the 
draft is supposed to apply to MPLS generally.  There's a lot of MPLS out 
there that uses LDP or BGP (or even IGP) to bind labels to address 
prefixes, thereby creating MP2P LSPs.  If that's not going to be 
handled, I don't see how the draft can claim to be providing an MPLS 
security scheme.

Of course, it could be that MPLS is not the right layer for security; 
I'm not sure that any one security scheme is going to be suitable for 
all uses of MPLS.

The idea of applying security on a per-LSP basis doesn't really seem 
right either.  In VPN, with per-address-prefix labeling, there could be 
hundreds of thousands of LSPs.  I can see someone claiming that security 
needs to be provided on a VRF-to-VRF basis rather than on a PE-to-PE 
basis, but having security on a per-address-prefix basis seems like way 
too much granularity.  I can't really tell from the draft how it would 
be intended to apply to VPN, so I don't really know what the authors 
have in mind for securing VPNs.

The draft would really benefit from having some worked-out examples of 
how MPLS security would work in various VPN deployment scenarios, 
including the following (and combinations thereof):

- Multi-AS VPN with "option b" interconnect

- Multi-AS VPN with "option c" interconnect

- VPN with per-address-prefix labels assigned by BGP

- VPN with per-VRF labels assigned by BGP

The multi-AS VPN cases are particularly interesting, because they make 
use (in different ways) of nested LSPs.  Someone who wants privacy for 
his VPN traffic will want security applied to the inner LSP (the one 
that goes from the ingress PE to the egress PE), not just to the outer 
LSPs (the ones that go from ingress PE to ASBR, etc.), but it's not clear 
whether any of the techniques in the draft can be used that way.

There are also cases where labels get assigned to anycast addresses.  I 
wonder how the security scheme would be applied to those cases.

There are other issues in the draft as well, such as whether 
MPLS-specific hop-by-hop security is really useful when one can use 
simpler layer 2 security schemes instead.  But right now my main concern 
is that the end-to-end scheme will turn out to have very limited 
applicability.

Working out some realistic examples would help us understand whether 
this is really the right way to proceed.
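A constructed model of the nested-LSP point above, added here as an illustration; it is not the draft's mechanism and not code from the thread. The topology, the per-node label operations and the rule "the ingress of a protected LSP encrypts everything below that LSP's label and its egress decrypts it" are assumptions; the model only reports which nodes handle the VPN payload in clear for a given choice of protected LSPs.

```python
from dataclasses import dataclass, field

# Constructed "option c"-style path: AS A is PE1, P1, ASBR1; AS B is ASBR2, P2, PE2.
# Each node's label operations, in order.  The LSPs involved:
#   vpn   : inner LSP, the VPN label from PE1 to PE2, never examined in transit
#   bgp   : BGP-labeled route to PE2's loopback, swapped at each ASBR
#   ldp-a : intra-AS transport LSP PE1 -> ASBR1;  ldp-b : ASBR2 -> PE2
PATH = ["PE1", "P1", "ASBR1", "ASBR2", "P2", "PE2"]
FORWARDING = {
    "PE1":   [("push", "vpn"), ("push", "bgp"), ("push", "ldp-a")],
    "P1":    [("swap", "ldp-a")],
    "ASBR1": [("pop", "ldp-a"), ("swap", "bgp")],
    "ASBR2": [("swap", "bgp"), ("push", "ldp-b")],
    "P2":    [("swap", "ldp-b")],
    "PE2":   [("pop", "ldp-b"), ("pop", "bgp"), ("pop", "vpn")],
}

@dataclass
class Packet:
    stack: list = field(default_factory=list)       # label stack, top of stack last
    enc_layers: list = field(default_factory=list)  # protected LSPs currently wrapping the payload

def exposed_nodes(protected):
    """Hypothetical per-LSP scheme: the ingress of a protected LSP encrypts
    everything below that LSP's label and its egress decrypts it.  Walk the
    packet along PATH and return the nodes that handle the payload in clear."""
    pkt, exposed = Packet(), set()
    for node in PATH:
        if not pkt.enc_layers:                # cleartext on arrival (or at the source)
            exposed.add(node)
        for op, lsp in FORWARDING[node]:
            if op == "push":
                if lsp in protected:          # LSP ingress: wrap what is below the new label
                    pkt.enc_layers.append(lsp)
                pkt.stack.append(lsp)
            elif op == "swap":
                assert pkt.stack[-1] == lsp   # a transit LSR only rewrites the top label
            elif op == "pop":
                assert pkt.stack.pop() == lsp
                if lsp in protected:          # LSP egress: unwrap what its ingress wrapped
                    assert pkt.enc_layers.pop() == lsp
            if not pkt.enc_layers:            # nothing wraps the payload any more
                exposed.add(node)
    assert not pkt.stack                      # PE2 delivered the packet
    return exposed

if __name__ == "__main__":
    for scope in ({"ldp-a", "ldp-b"}, {"bgp"}, {"vpn"}):
        print(sorted(scope), "-> payload in clear at", sorted(exposed_nodes(scope), key=PATH.index))
```

Protecting only the intra-AS transport LSPs leaves the payload in clear at both ASBRs, while protecting the PE-to-PE LSP keeps it opaque everywhere except the two PEs.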