> > > It helps against some attacks, but it doesn't help for others, right?
> > > After all, if you are a US national, you might not trust that the
> > > Chinese Telecom won't pass your traffic to the MSS. (Or if you are a
> > > German national, that AT&T won't decrypt your traffic and then pass
> > > it off to the NSA...)
> >
> > yep. IPsec, under the control of a subscriber, offers more protection,
> > in principle.
>
> Or put another way, MPLS-mediated encryption violates the end-to-end
> principle. It also allows ISPs to violate net neutrality principles
> (i.e., by allowing them to do deep packet inspection and then
> prioritizing some traffic over others).
Two things here (probably wandering into a minefield, but that's my ball that rolled in):

1. "Allows" the ISP to do DPI? Nothing allows DPI apart from regulators, morals, or encryption of the pieces that might be deeply inspected. You might as well say that not shooting elephants allows ISPs to do DPI! So, I think what you are saying is that not doing IPsec on your (IP) traffic allows the ISP to do DPI. But doing MPLS encryption also stops transit nodes from doing DPI, but it does not stop edge (i.e., MPLS end) nodes from doing DPI. In some deployments (carrier's carrier, MPLS-based enterprise over ISP) the traffic may already be MPLS, and so MPLS encryption might be what is available.

2. I think the end-to-end principle may already have been somewhat diluted by the introduction of edges, and the deployment of tunnels. I am guessing that you mean that the responsibility for securing traffic lies with the originator/consumer of the traffic. And that is largely fine, but again runs into VPN type discussions.

Adrian

_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
