The MPLS WG Archive


Secure MPLS

  • From: Ben Black <ben@layer8.net>
  • Date: Thu, 1 Aug 2002 00:52:51 -0700
  • Cc: "'Andrew G. Malis'" <Andy.Malis@vivacenetworks.com>, Ron Bonica <Ronald.P.Bonica@wcom.com>, Tissa Senevirathne <tsenevir@hotmail.com>, "'mpls@UU.NET'" <mpls@UU.NET>
  • User-Agent: Mutt/1.3.99i

What do those customers do currently for security of those links?


Ben

On Wed, Jul 31, 2002 at 02:50:04PM -0600, Black, Stephen wrote:
> To a point I agree with Ron also... but there are other considerations to
> look at... Such as government/corporate clients who need to have an ISP
> guarantee that their links are secure (i.e. a link between FBI and CIA, or a
> link from Intel in CA to Intel in NY). There are also military networks that
> might want to implement a secure form of MPLS. Granted this is a very small
> piece of the pie but it should be worth putting some effort into. As a
> client I'd rather have a combination of layers that incorporates security
> rather than a higher layer where the lower layers can be compromised without
> my knowledge. Just running IPSEC and a firewall is like putting all your
> eggs in one basket. Let the politicians worry about the escrow and seizure.
> 
> Steve
> 
> 
> -----Original Message-----
> From: Andrew G. Malis [mailto:Andy.Malis@vivacenetworks.com]
> Sent: Wednesday, July 31, 2002 12:39 PM
> To: Ron Bonica
> Cc: Tissa Senevirathne; mpls@UU.NET
> Subject: RE: Secure MPLS
> 
> 
> I agree with Ron.  From the end user point of view, some problems with 
> service provider encryption are that the tail circuits from the customer 
> premise to the service provider are unprotected (which is the obvious place to 
> place a covert wiretap); the encryption keys are the property of the 
> service provider, not the end user; and the keys could be subject to 
> government escrow or seizure depending on where you are in the world.  This 
> is certainly the case in the US (see http://www.fcc.gov/calea/ ).
> 
> Cheers,
> Andy
> 
> ------
> 
> At 7/30/2002 02:22 PM -0400, Ron Bonica wrote:
> >Tissa,
> >
> >Given that the upper layers are capable of encryption using mechanisms like
> >IPSEC, why would a service provider want to encrypt the contents of an MPLS
> >LSP?
> >
> >Wouldn't you want to push the encryption function higher in the protocol
> >stack and closer to the network edges?
> >
> >                                                     Ron
>