Hi Phillip,

On Tue, 2013-11-05 at 10:01 -0500, Phillip Hallam-Baker wrote:
> One of the handicaps we are working under is that the IETF is
> historically the ARPANET 'End to End' working group and we define the
> Internet stack from the IP layer up.
>
> Some problems can't be addressed at the IP layer, in particular it is
> impossible to address traffic analysis efficiently or pervasively. Tor
> is very good at what it does but Tor can't support three billion users
> doing streaming video under any imaginable circumstances.
>
> A much better option would be to tell every network vendor that they
> have to build full speed encryption/decryption capability into every
> link adapter and exchange encrypted data all the time the fiber is
> lit. The protocol for establishing the link layer encryption need not
> be very fancy. It arguably does not even need to be proof against a
> man in the middle attack since any man in the middle is going to be
> forced to drink the whole fire hose.
There are vendors selling transponder-type bitstream encrypters. It's relatively easy to apply bitstream crypto at the bitstream layer, as I understand it. (How this holds for a 100G serial stream, I don't know. Many 100G transceivers utilize 4x25G or 10x10G serialisation and muxing techniques, and how encryption/keying/timing would work here I'm not sure...)

I would be very wary of proprietary encryption protocols, however. Interoperable and openly standardized (though not bastardized) AES-type encryption would provide some safety. Key management, obviously, is an issue as well.

Otherwise, I've been talking about this myself. At the optical transceiver level, it would be relatively straightforward to insert a crypt/decrypt layer. Technical difficulties are to manage this on high-speed links, where integrated DWDM transceivers are using all available, or more, of the power budget of the various transceiver form factors.

The further away from the core you are, the cheaper it will be to do crypt/decrypt. OTOH, core links have more paying customers behind them, so the economics are different here.

Router-to-router encryption would... definitely help.

My 2c.

<snip>

/M
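As an added illustration, not code from this thread or from any vendor, of the "exchange encrypted data all the time the fiber is lit" idea: a small Go model of a constant-rate link that emits one fixed-size AES-CTR frame per tick whether or not a payload is waiting, so frame size and timing on the wire reveal nothing about idle versus busy periods. The key, IV and FrameSize are constructed values, and CTR here provides confidentiality only; a real link would add integrity (MACsec, for instance, uses AES-GCM).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

const FrameSize = 64 // bytes emitted per tick, busy or idle (constructed value)

// Link is one direction of an always-on link: an AES-CTR keystream that both
// ends advance in lockstep. CTR hides content only; real links add integrity.
type Link struct{ stream cipher.Stream }

// NewLink builds one endpoint from a shared key and IV (hypothetical values).
func NewLink(key, iv []byte) (*Link, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return &Link{stream: cipher.NewCTR(block, iv)}, nil
}

// Emit returns the next fixed-size ciphertext frame; an empty payload yields
// an idle frame that looks exactly like a busy one on the wire.
func (l *Link) Emit(payload []byte) ([]byte, error) {
	if len(payload) > FrameSize-2 {
		return nil, errors.New("payload exceeds frame capacity")
	}
	plain := make([]byte, FrameSize) // 2-byte length, payload, zero padding
	binary.BigEndian.PutUint16(plain, uint16(len(payload)))
	copy(plain[2:], payload)
	out := make([]byte, FrameSize)
	l.stream.XORKeyStream(out, plain)
	return out, nil
}

// Absorb decrypts one frame and returns its payload (empty for an idle frame).
func (l *Link) Absorb(frame []byte) ([]byte, error) {
	if len(frame) != FrameSize {
		return nil, errors.New("bad frame length")
	}
	plain := make([]byte, FrameSize)
	l.stream.XORKeyStream(plain, frame)
	n := int(binary.BigEndian.Uint16(plain))
	if n > FrameSize-2 {
		return nil, errors.New("corrupt length field")
	}
	return plain[2 : 2+n], nil
}
```

Both ends must be constructed with the same key and IV and see the same frame sequence, since each frame consumes the next FrameSize bytes of keystream.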
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
