Re: [mpls] FW: I-D Action: draft-farrelll-mpls-opportunistic-encrypt-00.txt

[Mark Tinka <mark.tinka@seacom.mu>]

On Thursday, January 09, 2014 04:16:03 PM Adrian Farrel 
wrote:

> TBD
> Some people have noted that per hop encryption/decryption
> might be an issue. Others have countered that ETH h/w
> can already handle MACsec at line rate. e2e encryption
> seems (to me) to be less likely to be an issue.

Optical vendors have started supporting encryption at the 
DWDM level. I haven't implemented such myself, so can't 
really qualify its stability in the field, but those 
chipsets are limited in their service flexibility.

Vendors generally bias ASIC development toward supporting 
line rate for Ethernet and upper Layer 3 protocols at line 
rate, with a reasonable amount of trade-off.

I'm not sure whether this could signal for them to develop 
even more expensive ASIC's, or have a separate ASIC handling 
the encryption, either along with the MPLS forwarding or in 
parallel.

My concern is data plane complexity and line card cost. But, 
obviously, this could be out of scope of this I-D, to a 
great extent. My concerns are just operational.

> AFAIK, none. The I-D doesn't touch the control plane.

Key exchange is inband, yes?

> The point of OE is that there is no key management on a
> global level. It is, of course, still relatively rare
> that LSPs cross distinct routing domains, but when they
> do, this need not have any impact on OE.

Again, because key exchange is inband?

> This is covered in the document (although maybe not in
> enough detail?). Transit nodes (and so domains) do not
> need to be aware of the encryption which is below the
> top labels and potentially below the entropy label. End
> nodes that do not support will, erm, not support :-)

Given LSP's can interconnect various nodes in the same 
domain in any number of ways, OE would require all MPLS 
nodes support it in unison, to avoid global domain traffic 
drops, yes?

Mark.