Re: [perpass] Fwd: FW: I-D Action: draft-farrelll-mpls-opportunistic-encrypt-00.txt
Stephen Kent <kent@bbn.com> Tue, 14 January 2014 00:19 UTC
Return-Path: <kent@bbn.com>
X-Original-To: perpass@ietfa.amsl.com
Delivered-To: perpass@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B93A91AE1DB for <perpass@ietfa.amsl.com>; Mon, 13 Jan 2014 16:19:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.739
X-Spam-Level:
X-Spam-Status: No, score=-4.739 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.538, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qkfs9Bsz-Q6s for <perpass@ietfa.amsl.com>; Mon, 13 Jan 2014 16:19:09 -0800 (PST)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) by ietfa.amsl.com (Postfix) with ESMTP id 2E3E21A8033 for <perpass@ietf.org>; Mon, 13 Jan 2014 16:19:09 -0800 (PST)
Received: from dommiel.bbn.com ([192.1.122.15]:44962 helo=comsec.home) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1W2rib-000D0L-HR for perpass@ietf.org; Mon, 13 Jan 2014 19:18:57 -0500
Message-ID: <52D48271.8060007@bbn.com>
Date: Mon, 13 Jan 2014 19:18:57 -0500
From: Stephen Kent <kent@bbn.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: perpass@ietf.org
References: <mailman.42.1389384009.839.perpass@ietf.org> <52D062BB.1030906@gmail.com> <52D06D63.7070900@cs.tcd.ie> <alpine.LFD.2.10.1401101843020.18879@bofh.nohats.ca> <52D18B01.4040903@gmail.com>
In-Reply-To: <52D18B01.4040903@gmail.com>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [perpass] Fwd: FW: I-D Action: draft-farrelll-mpls-opportunistic-encrypt-00.txt
X-BeenThere: perpass@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "The perpass list is for IETF discussion of pervasive monitoring. " <perpass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perpass>, <mailto:perpass-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/perpass/>
List-Post: <mailto:perpass@ietf.org>
List-Help: <mailto:perpass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perpass>, <mailto:perpass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jan 2014 00:19:12 -0000
Folks, >> On Fri, 10 Jan 2014, Stephen Farrell wrote: >> >>>> - I understand MPLS traffic is often protected at a higher layer by >>>> IPsec. If we had a good opportunistic solution for IKE/IPsec, it could >>>> also cover this use case. And we know people are working on such >>>> solutions. [Here, that's me and my little turf war]. >>> >>> I think opportunistic IPsec could certainly help yes. I'm not >>> sure if this use-case is being considered in that work. >> >> Any non host-host case is very hard, as there is no way to verify any >> claims for random subnets of the internet. AFAIK, no good methods exist >> that any OE IPsec could use for auto-configuration. There is quite a >> difference between "here is plaintext from you to Bob, encrypt it" and >> "here is plaintext from you to Bob at 8.8.8.0/24, encrypt to Mallory". >> > This is different from the normal IPsec OE scenario, and as a result > may be easier to solve: because it is different, I suggest that we not call it OE, which is clearly defined in RFC 4322. I suggest opportunistic keying (OK). > - The MPLS peer is already willing to send any traffic from the > private network to the other peer, which it sincerely hopes is not a > MITM. > - Each peer is typically running on an edge router (I believe) and so > has much more awareness of the network than your typical IPsec OE > peer. They will actually have the BGP information. I believe that the MPLS peers, as edge routers, are not under the control of the end users, as would more likely be the case for IPsec gateways operating at about the same point in the path. So, an important part of this discussion is that the administrative entities managing the encryption are ISPs, not subscribers. Thus the confidentiality afforded here is more of an ISP service than a subscriber-controlled service. Also, unless the MPLS path crosses AS boundaries (not yet common, I believe) this offers less protection than IPsec could. Steve
- [perpass] Fwd: FW: I-D Action: draft-farrelll-mpl… Stephen Farrell
- Re: [perpass] Fwd: FW: I-D Action: draft-farrelll… Watson Ladd
- Re: [perpass] Fwd: FW: I-D Action: draft-farrelll… Stephen Farrell
- Re: [perpass] Fwd: FW: I-D Action: draft-farrelll… Watson Ladd
- Re: [perpass] Fwd: FW: I-D Action: draft-farrelll… Yaron Sheffer
- Re: [perpass] Fwd: FW: I-D Action: draft-farrelll… Stephen Farrell
- Re: [perpass] Fwd: FW: I-D Action: draft-farrelll… Paul Wouters
- Re: [perpass] Fwd: FW: I-D Action: draft-farrelll… Leif Johansson
- Re: [perpass] Fwd: FW: I-D Action: draft-farrelll… Yaron Sheffer
- Re: [perpass] Fwd: FW: I-D Action: draft-farrelll… Stephen Kent
- Re: [perpass] Fwd: FW: I-D Action: draft-farrelll… Theodore Ts'o
- Re: [perpass] Fwd: FW: I-D Action: draft-farrelll… Stephen Kent
- Re: [perpass] Fwd: FW: I-D Action: draft-farrelll… Theodore Ts'o
- Re: [perpass] Fwd: FW: I-D Action: draft-farrelll… Stephen Kent
- Re: [perpass] Fwd: FW: I-D Action: draft-farrelll… Stephen Farrell
- Re: [perpass] Fwd: FW: I-D Action: draft-farrelll… Michael Richardson
- Re: [perpass] Fwd: FW: I-D Action: draft-farrelll… Alex Elsayed