Stephen Kent <[email protected]> wrote:
> because it is different, I suggest that we not call it OE, which is
> clearly defined in RFC 4322. I suggest opportunistic keying (OK).
I just want to say that RFC 4322 (an *Informational* RFC) defines "Opportunistic Encryption using the Internet Key Exchange", which might be best called "OEIKEv1". The key thing about OEIKEv1 is that it binds end points to IP addresses using reverse DNS, with some weakening where a node may speak for itself (only). It does *not* mandate that the phase 2 / CHILD_SA be IPsec ESP.

So, if you want to call it OEMPLS or something like that, I'd say it's just fine. Further, if someone wants to write a mechanism for IKE(v2) that lets you key MPLS flows, and there is some way to bind MPLS flows to an IPv4 or IPv6 end point, then I think that one could leverage much of the work.

I think that one could quite easily insert something in at the MPLS layer that would provide some token that could be cryptographically bound by IKE to prove that the two MPLS end points are connected to each other below the IP layer. What, exactly, I don't know.... I never built MPLS pusher/popper hardware, just parsing/switching ASICs. (14 years ago)

I personally see no value in doing MPLS hop-by-hop encryption. Where MPLS is used within a single AS, whether one does hop-by-hop or label-push/label-pop encryption, it's all within the AS, and what it is protecting against is bent fiber attacks. Since it's all subject to national orders to the ISP, in my opinion, what's the point?

Where it would have value is to the end enterprise customer who is linking multiple sites together in a layer-2 fashion. In my experience, MPLS CPE equipment is not under the control of (i.e. not trusted by) the end customer, so even doing entry/exit this way is suspect, since it's the ISP again. Further, many of the MPLS deployments to "enterprises" have often not even been about layer-2 connectivity --- they see layer-3 routers at each site (usually two or three of them, with different VLAN tags). The MPLS part is pretty much just up-sale marketing...
All of this effort would be better spent pushing IKEv1 and L2TP off the map, and making IPv6 + IPsec easier to set up.

-- 
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     [email protected]  http://www.sandelman.ca/        |   ruby on rails    [

-- 
Michael Richardson <[email protected]>, Sandelman Software Works
