Re: [mpls] FW: I-D Action: draft-farrelll-mpls-opportunistic-encrypt-00.txt

["Adrian Farrel" <adrian@olddog.co.uk>]

Hi Mark,

Thanks for the rapid response.

I leave some of your questions for wider discussion and just respond to a few of
them...

> As an operator, my rather high level concerns are:
> 
> 	- What impact does this have on linear data plane
> 	  throughput?

TBD
Some people have noted that per hop encryption/decryption might be an issue.
Others have countered that ETH h/w can already handle MACsec at line rate.
e2e encryption seems (to me) to be less likely to be an issue.

> 	- What impact does this have on data plane
> 	  operational complexity?
> 
> 	- What impact does this have on the control plane.

AFAIK, none. The I-D doesn't touch the control plane.

> 	- How efficient is key management on a global level,
> 	  and what is the practical impact to day-to-day
> 	  operations, for situations where MPLS paths cross
> 	  distinct routing domains?

The point of OE is that there is no key management on a global level.
It is, of course, still relatively rare that LSPs cross distinct routing
domains, but when they do, this need not have any impact on OE.

> 	- What kind of backward compatibility is there for
> 	  domains that do not participate, or for nodes
> 	  within the same domain that do not participate, as
> 	  this has an impact on overall domain capability
> 	  (i.e., cost).

This is covered in the document (although maybe not in enough detail?).
Transit nodes (and so domains) do not need to be aware of the encryption which
is below the top labels and potentially below the entropy label.
End nodes that do not support will, erm, not support :-)

Thanks for the early thoughts and I encourage an in-depth read and some more
pontifications.

Adrian