The MPLS WG Archive

Secure MPLS
To a point I agree with Ron also... but there are other considerations to look at... Such as government/corporate clients who need to have an ISP guarantee that their links are secure (i.e. a link between FBI and CIA, or a link from Intel in CA to Intel in NY). There are also military networks that might want to implement a secure form of MPLS. Granted this is a very small piece of the pie but it should be worth putting some effort into.

As a client I'd rather have a combination of layers that incorporates security rather than a higher layer where the lower layers can be compromised without my knowledge. Just running IPSEC and a firewall is like putting all your eggs in one basket. Let the politicians worry about the escrow and seizure.

Steve

-----Original Message-----
From: Andrew G. Malis [mailto:Andy.Malis@vivacenetworks.com]
Sent: Wednesday, July 31, 2002 12:39 PM
To: Ron Bonica
Cc: Tissa Senevirathne; mpls@UU.NET
Subject: RE: Secure MPLS

I agree with Ron. From the end user point of view, some problems with service provider encryption are that the tail circuits from the customer premise to the service provider are unprotected (which is the obvious place to place a covert wiretap); the encryption keys are the property of the service provider, not the end user; and the keys could be subject to government escrow or seizure depending on where you are in the world. This is certainly the case in the US (see http://www.fcc.gov/calea/ ).

Cheers,
Andy

------

At 7/30/2002 02:22 PM -0400, Ron Bonica wrote:
>Tissa,
>
>Given that the upper layers are capable of encryption using mechanisms like
>IPSEC, why would a service provider want to encrypt the contents of an MPLS
>LSP?
>
>Wouldn't you want to push the encryption function higher in the protocol
>stack and closer to the network edges?
>
> Ron