Re: [mpls] FW: I-D Action: draft-farrelll-mpls-opportunistic-encrypt-00.txt
Mark Tinka <mark.tinka@seacom.mu> Thu, 09 January 2014 14:47 UTC
Return-Path: <mark.tinka@seacom.mu>
X-Original-To: mpls@ietfa.amsl.com
Delivered-To: mpls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 94C171AE378 for <mpls@ietfa.amsl.com>; Thu, 9 Jan 2014 06:47:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.589
X-Spam-Level:
X-Spam-Status: No, score=-1.589 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HOST_MISMATCH_COM=0.311] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z6hAbiWgx6rm for <mpls@ietfa.amsl.com>; Thu, 9 Jan 2014 06:47:16 -0800 (PST)
Received: from the-host.seacom.mu (ge-0.ln-01-jnb.za.seacomnet.com [41.87.104.245]) by ietfa.amsl.com (Postfix) with ESMTP id 983CB1AE37B for <mpls@ietf.org>; Thu, 9 Jan 2014 06:47:15 -0800 (PST)
Received: from localhost ([127.0.0.1] helo=the-host.localnet) by the-host.seacom.mu with esmtp (Exim 4.80.1) (envelope-from <mark.tinka@seacom.mu>) id 1W1Gsi-0004Tq-KC; Thu, 09 Jan 2014 16:46:48 +0200
From: Mark Tinka <mark.tinka@seacom.mu>
Organization: SEACOM
To: adrian@olddog.co.uk
Date: Thu, 09 Jan 2014 16:46:44 +0200
User-Agent: KMail/1.13.6 (Linux/2.6.37.6-24-desktop; KDE/4.6.0; i686; ; )
References: <20140109114335.11656.57445.idtracker@ietfa.amsl.com> <201401091514.32953.mark.tinka@seacom.mu> <022b01cf0d45$5566f8f0$0034ead0$@olddog.co.uk>
In-Reply-To: <022b01cf0d45$5566f8f0$0034ead0$@olddog.co.uk>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart2929368.IMDybXLlaT"; protocol="application/pgp-signature"; micalg="pgp-sha1"
Content-Transfer-Encoding: 7bit
Message-Id: <201401091646.48102.mark.tinka@seacom.mu>
Cc: mpls@ietf.org, stephen.farrell@cs.tcd.ie
Subject: Re: [mpls] FW: I-D Action: draft-farrelll-mpls-opportunistic-encrypt-00.txt
X-BeenThere: mpls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mark.tinka@seacom.mu
List-Id: Multi-Protocol Label Switching WG <mpls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mpls>, <mailto:mpls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mpls/>
List-Post: <mailto:mpls@ietf.org>
List-Help: <mailto:mpls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mpls>, <mailto:mpls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Jan 2014 14:47:18 -0000
On Thursday, January 09, 2014 04:16:03 PM Adrian Farrel wrote: > TBD > Some people have noted that per hop encryption/decryption > might be an issue. Others have countered that ETH h/w > can already handle MACsec at line rate. e2e encryption > seems (to me) to be less likely to be an issue. Optical vendors have started supporting encryption at the DWDM level. I haven't implemented such myself, so can't really qualify its stability in the field, but those chipsets are limited in their service flexibility. Vendors generally bias ASIC development toward supporting line rate for Ethernet and upper Layer 3 protocols at line rate, with a reasonable amount of trade-off. I'm not sure whether this could signal for them to develop even more expensive ASIC's, or have a separate ASIC handling the encryption, either along with the MPLS forwarding or in parallel. My concern is data plane complexity and line card cost. But, obviously, this could be out of scope of this I-D, to a great extent. My concerns are just operational. > AFAIK, none. The I-D doesn't touch the control plane. Key exchange is inband, yes? > The point of OE is that there is no key management on a > global level. It is, of course, still relatively rare > that LSPs cross distinct routing domains, but when they > do, this need not have any impact on OE. Again, because key exchange is inband? > This is covered in the document (although maybe not in > enough detail?). Transit nodes (and so domains) do not > need to be aware of the encryption which is below the > top labels and potentially below the entropy label. End > nodes that do not support will, erm, not support :-) Given LSP's can interconnect various nodes in the same domain in any number of ways, OE would require all MPLS nodes support it in unison, to avoid global domain traffic drops, yes? Mark.
- Re: [mpls] FW: I-D Action: draft-farrelll-mpls-op… Eric Rosen
- [mpls] FW: I-D Action: draft-farrelll-mpls-opport… Adrian Farrel
- Re: [mpls] FW: I-D Action: draft-farrelll-mpls-op… Mark Tinka
- Re: [mpls] FW: I-D Action: draft-farrelll-mpls-op… Adrian Farrel
- Re: [mpls] FW: I-D Action: draft-farrelll-mpls-op… Stephen Farrell
- Re: [mpls] FW: I-D Action: draft-farrelll-mpls-op… Mark Tinka
- Re: [mpls] FW: I-D Action: draft-farrelll-mpls-op… Adrian Farrel
- Re: [mpls] FW: I-D Action: draft-farrelll-mpls-op… Eric Rosen
- Re: [mpls] FW: I-D Action: draft-farrelll-mpls-op… Stephen Farrell
- Re: [mpls] FW: I-D Action: draft-farrelll-mpls-op… Andrew G. Malis
- Re: [mpls] FW: I-D Action: draft-farrelll-mpls-op… Mark Tinka
- Re: [mpls] FW: I-D Action: draft-farrelll-mpls-op… Mark Tinka
- Re: [mpls] FW: I-D Action: draft-farrelll-mpls-op… Mark Tinka