Hiya,

On 01/10/2014 09:14 PM, Yaron Sheffer wrote:
> Hi Stephen,
>
> I haven't read the protocol yet (although I must say Sec. 4.3 worries
> me, it reminds me of the renegotiation vulnerability), but:
>
> - I understand MPLS traffic is often protected at a higher layer by
> IPsec. If we had a good opportunistic solution for IKE/IPsec, it could
> also cover this use case. And we know people are working on such
> solutions. [Here, that's me and my little turf war].

I think opportunistic IPsec could certainly help, yes. I'm not sure if
this use case is being considered in that work.

> - But even at layer 2, there are existing solutions like WPA or MacSec.
> Can none of them be used (or extended) for this use case and do we
> really have to develop both the bulk encryption and key exchange from
> scratch?

And that too. However, my understanding of MPLS is that basically
neither IPsec nor layer 2 crypto is used in many or possibly most
cases. My hope (and I'd not put it stronger than that for now) is that
this might be another useful tool in the toolbox that could have a
better chance of being deployed if we develop it together with MPLS
folks who'd like such a tool. Though I'm sure there'll be MPLS and
other folks who hate the idea as well; we'll see.

Overall, my goal is to get some crypto that's deployable for protecting
MPLS traffic, and I'm not fussed whether that means re-using a flavour
of IPsec or some L2 stuff from elsewhere, or whether it turns out that
we need to re-do some things in a way that works better for our
"customers", as in the proposal here.

Separately, if we (being the IETF as a whole) are going to end up
adding opportunistic crypto to various protocols, then I think we could
do with some practice, and I'm happy to get beaten up offering up the
1st instance of text like that. But each time someone does that, the
questions you ask should also be asked.

> Sorry to be such a spoilsport.

You're not. Those are good questions and it'd not be the first time I'd
barked up the wrong tree, if that's the case here, which is quite
possible.

Cheers,
S.

>
> Thanks,
> Yaron
>
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
