On Fri, 10 Jan 2014, Stephen Farrell wrote:

- I understand MPLS traffic is often protected at a higher layer by
IPsec. If we had a good opportunistic solution for IKE/IPsec, it could
also cover this use case. And we know people are working on such
solutions. [Here, that's me and my little turf war].

I think opportunistic IPsec could certainly help yes. I'm not
sure if this use-case is being considered in that work.

Any non host-host case is very hard, as there is no way to verify any
claims for random subnets of the internet. AFAIK, no good methods exist
that any OE IPsec could use for auto-configuration. There is quite a
difference between "here is plaintext from you to Bob, encrypt it" and
"here is plaintext from you to Bob at 8.8.8.0/24, encrypt to Mallory".

However, my understanding of MPLS is that basically neither IPsec
nor layer 2 crypto are used in many or possibly most cases.

I was probably naively hoping that people would consider MPLS as much
"outside" their network as the rest of the internet, and already have
deployed static IPsec between those networks. But I guess not....

Paul