Re: [perpass] Fwd: FW: I-D Action: draft-farrelll-mpls-opportunistic-encrypt-00.txt

Yaron Sheffer <yaronf.ietf@gmail.com> Sat, 11 January 2014 18:19 UTC

Message-ID: <52D18B01.4040903@gmail.com>
Date: Sat, 11 Jan 2014 20:18:41 +0200
From: Yaron Sheffer <yaronf.ietf@gmail.com>
To: Paul Wouters <paul@cypherpunks.ca>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
References: <mailman.42.1389384009.839.perpass@ietf.org> <52D062BB.1030906@gmail.com> <52D06D63.7070900@cs.tcd.ie> <alpine.LFD.2.10.1401101843020.18879@bofh.nohats.ca>
In-Reply-To: <alpine.LFD.2.10.1401101843020.18879@bofh.nohats.ca>
Cc: perpass@ietf.org
Subject: Re: [perpass] Fwd: FW: I-D Action: draft-farrelll-mpls-opportunistic-encrypt-00.txt

> On Fri, 10 Jan 2014, Stephen Farrell wrote:
>
>>> - I understand MPLS traffic is often protected at a higher layer by
>>> IPsec. If we had a good opportunistic solution for IKE/IPsec, it could
>>> also cover this use case. And we know people are working on such
>>> solutions. [Here, that's me and my little turf war].
>>
>> I think opportunistic IPsec could certainly help yes. I'm not
>> sure if this use-case is being considered in that work.
>
> Any non host-host case is very hard, as there is no way to verify any
> claims for random subnets of the internet. AFAIK, no good methods exist
> that any OE IPsec could use for auto-configuration. There is quite a
> difference between "here is plaintext from you to Bob, encrypt it" and
> "here is plaintext from you to Bob at 8.8.8.0/24, encrypt to Mallory".
>
This is different from the normal IPsec OE scenario, and as a result may 
be easier to solve:
- The MPLS peer is already willing to send any traffic from the private 
network to the other peer, which it sincerely hopes is not a MITM.
- Each peer is typically running on an edge router (I believe) and so 
has much more awareness of the network than your typical IPsec OE peer. 
They will actually have the BGP information.

Thanks,
	Yaron