Re: [perpass] Fwd: FW: I-D Action: draft-farrelll-mpls-opportunistic-encrypt-00.txt
Paul Wouters <paul@cypherpunks.ca> Fri, 10 January 2014 23:48 UTC
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: Yaron Sheffer <yaronf.ietf@gmail.com>, perpass@ietf.org

On Fri, 10 Jan 2014, Stephen Farrell wrote:

>> - I understand MPLS traffic is often protected at a higher layer by
>> IPsec. If we had a good opportunistic solution for IKE/IPsec, it could
>> also cover this use case. And we know people are working on such
>> solutions. [Here, that's me and my little turf war].
>
> I think opportunistic IPsec could certainly help yes. I'm not
> sure if this use-case is being considered in that work.

Any non host-host case is very hard, as there is no way to verify any
claims for random subnets of the internet. AFAIK, no good methods exist
that any OE IPsec could use for auto-configuration.

There is quite a difference between "here is plaintext from you to Bob,
encrypt it" and "here is plaintext from you to Bob at 8.8.8.0/24,
encrypt to Mallory".

> However, my understanding of MPLS is that basically neither IPsec
> nor layer 2 crypto are used in many or possibly most cases.

I was probably naively hoping that people would consider MPLS as much
"outside" their network as the rest of the internet, and already have
deployed static IPsec between those networks. But I guess not....

Paul