Re: [Strint-attendees] Fwd: New Version Notification for draft-iab-strint-report-00.txt

Stewart Bryant <> Fri, 02 May 2014 11:31 UTC

Message-ID: <>
Date: Fri, 02 May 2014 12:31:52 +0100
From: Stewart Bryant <>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: Stephen Farrell <>, "" <>
References: <> <>
In-Reply-To: <>
Content-Type: multipart/alternative; boundary="------------060600090902080906010500"
Subject: Re: [Strint-attendees] Fwd: New Version Notification for draft-iab-strint-report-00.txt
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: STRINT Workshop Discussion List <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 02 May 2014 11:31:51 -0000

    We also discussed the idea of encrypting traffic from CE to CE as
    part of a L3VPN or such.  This could allow hiding of addresses,
    including source, and headers.  From my further conversation with Ron
    Bonica, some customers already do encryption (though not hiding the
    source address) like this.  So, I'm not sure this is very practically
    useful as an enhancement except for encouraging deployment and use.

    Finally, we discussed whether it would be useful to have a means of
    communicating where and what layers are doing encryption on an
    application's traffic path.  The initial idea of augmenting ICMP has
    some issues (not visible to application, ICMP packets frequently
    filtered) as well as potential work (determining how to trust the
    report of encryption).  It would be interesting to understand if such
    communication is actually needed and what the requirements would be.

The use of the first person in the above paras is confusing.
The post-hoc discussion with Ron needs some further thought
and clarification, and his concerns may be addressable so we should
not dismiss the idea that VPNs could usefully increase their opacity.

The second para probably ought to be rephrased to be less of a 
discussion of a discussion.

- Stewart