Re: [mpls] FW: I-D Action: draft-farrelll-mpls-opportunistic-encrypt-00.txt

[Stephen Farrell <stephen.farrell@cs.tcd.ie>]

Hi Eric,

On 01/09/2014 05:34 PM, Eric Rosen wrote:
>> wondering whether anything could be done to help protect against various
>> types of bulk surveillance achieved by tapping entire links
> 
> Aren't there link layer encryption schemes that protect the confidentiality
> of all traffic on the link?  I don't see why one would want an MPLS-specific
> protocol for  "single hop" encryption.

Are those widely used? I'd be interested to know. If not, then
this tool as another tool in the toolbox may be of use.

And those don't address the end-end (or edge-edge) cases, right?

> I also don't understand the need for MPLS-specific "end-end" (probably
> "edge-edge" is what is meant) encryption, as one can always send traffic
> via IPsec.  

My understanding is that not all traffic being sent in an LSP is
IP, is that wrong? (I'm told end-end is right also for an LSP, but
am happy to admit my ignorance of terminology here.)

> So, just what is the unsolved problem addressed by this draft?  (I was going
> to ask whether RFC 5566 is relevant at all, but first it would be good to
> get a clear statement of the scenarios that are being addressed.)

I guess I'd refer to draft-farrell-perpass-attack and
draft-barnes-pervasive-problem. I realise you're not a big
fan of at least the first one there.

> BTW, most of the draft seems to be about encryption and/or key distribution,
> which of course is out of scope for this WG.  Surely the security ADs will
> not tolerate having the MPLS WG invent new key distribution protocols.

Heh. This one is happy. The other was was too when he had a read
of this. If the draft looks like its attractive and useful then we
can figure out how to process it so its handled properly. (I also
forwarded Adrian's note to the perpass list - this might also be
useful as a template for how to add OE to other protocols.) But
we'll for sure get the right review.

Cheers,
S.


>