Re: [perpass] encrypted PPP

Paul Wouters <paul@cypherpunks.ca> Fri, 06 September 2013 16:25 UTC

Date: Fri, 06 Sep 2013 12:25:02 -0400
From: Paul Wouters <paul@cypherpunks.ca>
X-X-Sender: paul@bofh.nohats.ca
To: Nick Thomas <nick@lupine.me.uk>
In-Reply-To: <5229A06F.5070800@lupine.me.uk>
Message-ID: <alpine.LFD.2.10.1309061221240.25570@bofh.nohats.ca>
References: <5229A06F.5070800@lupine.me.uk>
User-Agent: Alpine 2.10 (LFD 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format="flowed"; charset="US-ASCII"
Cc: perpass@ietf.org
Subject: Re: [perpass] encrypted PPP

On Fri, 6 Sep 2013, Nick Thomas wrote:

[ note, using "EU" for "end user" is _very_ confusing ]

> PPP gets a lot of use still, especially between EUs and access ISPs,
> where it's generally not encrypted. RFC1968 exists, but doesn't actually
> seem useful any more.
>
> I'm envisioning a PPP enhancement where EU and ISP can exchange public
> keys beforehand, out-of-band if necessary, but it's all extremely fuzzy
> at the moment. My access ISP, who I have considerable trust in, has no
> real control over the infrastructure between my house and their access
> node near London - all that's BT-operated, and they just get to
> terminate PPP over it.

Any ISP that does not trust the last-mile providers should offer their
customers VPN access via IPsec. Actually, they should offer it
regardless so their users can use a VPN to connect to the ISP's
infrastructure when the user is roaming on his laptop/phone as well.

There is no "ppp encryption" the ISP can add, because the last-mile
provider usually terminates the PPP(OE) session. They need to add
encryption on the resulting IP layer, not below it.

Paul
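As an added illustration of the approach argued for in the message above (encrypt at the IP layer over the untrusted last mile rather than inside PPP), here is a customer-side IKEv2/IPsec tunnel definition in Libreswan ipsec.conf syntax. It is not part of the original post and not any ISP's actual configuration; the hostnames, certificate names and addresses are made up, and the assumption is that the ISP runs an IKEv2 gateway that authenticates customers with certificates issued by the ISP's own CA.

```ini
# /etc/ipsec.d/isp-tunnel.conf  (Libreswan syntax; all names below are hypothetical)
#
# Runs on the customer's router/CPE. The PPPoE session is terminated by the
# last-mile carrier and is not trusted, so every IP packet is wrapped in ESP
# before it enters the PPP link and only unwrapped at the ISP's concentrator.

conn isp-tunnel
    # IKEv1 gives the last mile nothing to downgrade to
    ikev2=insist
    # mutual certificate authentication; no PSK that could leak or be guessed
    authby=rsasig
    # customer side: whatever address PPPoE hands us this session
    left=%defaultroute
    leftid=@cpe-0001.customers.isp.example
    leftcert=cpe-0001.customers.isp.example
    # ISP side: the VPN concentrator behind the carrier's access node
    right=vpn.isp.example
    rightid=@vpn.isp.example
    # only accept a gateway certificate chained to the ISP's CA
    rightca="CN=ISP Customer VPN CA, O=ISP, C=GB"
    # full tunnel: all customer traffic goes to the ISP through the SA
    rightsubnet=0.0.0.0/0
    # detect a silently dropped session on the last mile and re-establish
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    # bring the tunnel up as soon as the PPPoE link is up
    auto=start
```

The ISP-side definition is the mirror image (its own certificate as left, the customer CA as rightca, and the customer's assigned prefix as rightsubnet). Two things this does not hide from the last-mile provider are worth stating plainly: the PPPoE and IP headers of the ESP packets, so the carrier still sees that a tunnel exists and how much traffic it carries, and the IKE exchange itself, which is why the certificate pinning via rightca matters; an on-path carrier that could substitute its own gateway certificate would otherwise terminate the tunnel instead of the ISP.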