Theodore Ts'o wrote:
> On Mon, Jan 13, 2014 at 11:53:26AM -0500, Stephen Kent wrote:
>> >It helps against some attacks, but it doesn't help for others, right?
>> >After all, if you are a US national, you might not trust that the
>> >Chinese Telecom won't pass your traffic to the MSS. (Or if you are a
>> >German national, that AT&T won't decrypt your traffic and then pass
>> >it off to the NSA...)
>> yep. IPsec, under the control of a subscriber, offers more protection,
>> in principle.
>
> Or put another way, MPLS-mediated encryption violates the end-to-end
> principle. It also allows ISPs to violate net neutrality principles
> as well (i.e., by allowing them to do deep packet inspection and then
> prioritizing some traffic over others).
>
> - Ted

On the other hand, encryption occurring at the MPLS layer in the ISP in no way prevents someone from using IPsec for traffic that ISP carries - in fact, there are cases (ISP wishes to prevent parties from eavesdropping without the ISP's signoff while customer wishes to prevent eavesdropping period; possibly others) where the incentives would naturally support the deployment of both.
