On Sep 6, 2013, at 11:25 AM, Paul Wouters <[email protected]> wrote:
> On Fri, 6 Sep 2013, Nick Thomas wrote:
>
> [ note, using "EU" for "end user" is _very_ confusing ]
>
>> PPP gets a lot of use still, especially between EUs and access ISPs,
>> where it's generally not encrypted. RFC1968 exists, but doesn't actually
>> seem useful any more.
>>
>> I'm envisioning a PPP enhancement where EU and ISP can exchange public
>> keys beforehand, out-of-band if necessary, but it's all extremely fuzzy
>> at the moment. My access ISP, who I have considerable trust in, has no
>> real control over the infrastructure between my house and their access
>> node near London - all that's BT-operated, and they just get to
>> terminate PPP over it.
>
> Any ISP that does not trust the last-mile providers should offer their
> customers VPN access via IPsec. Actually, they should offer it
> regardless so their users can use a VPN to connect to the ISP's
> infrastructure when the user is roaming on his laptop/phone as well.
>
> There is no "ppp encryption" the ISP can add, because the last-mile
> provider usually terminates the PPP(OE) session. They need to add
> encryption on the resulting IP layer, not below it.

I concur completely, but might add that TLS-style VPNs (OpenVPN, for example) can be useful here too. But in either case, there's a significant opex cost for the ISP.

This also means, probably, having VPN software in your router. And the code in your router is probably compromised by NSA, MSS, or both.

-- Dean

_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
