Re: MPLS Encryption

[Steve McGhee <steve () mcgheemail com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


if you want to use the same key for every device, why use a PKI?
why not symmetrical encryption? distribute the key to all and you're  
done.

sorry, no advice on a product, just wondering why the need for a PKI.

- --  
- -steve


 . --------------------
 . steve () mcgheemail com



On Dec 15, 2003, at 2:21 AM, Clive.Madden () barclayscapital com wrote:

> Hi Shawn, fully understand your response but maybe I should explain the
> environment and what I'm looking for. Dual carrier MPLS cloud with  
> RFC2547
> inter-connects between carriers with branch site connectivity to both
> clouds. The objective is to provide full encryption between sites with
> minimum complexity. We'd like to leave the original header in the  
> clear to
> leverage some of the carrier management features so only encrypting the
> payload is preferred. In addition to this we'd prefer not to have to  
> worry
> about managing SA negotiation between every encryption device. This  
> would
> require thousands based on the number of sites we have. So effectively  
> we'd
> like a product that could only do payload encryption which uses some  
> central
> PKI for key management (same keys of every device) and not have to  
> worry
> about the exchange between every encryption device. This way the key  
> to use
> is the same for all destination and the MPLS clouds could then route  
> based
> on the original header. This removes the complexity of having to manage
> thousands of tunnels/peers.
>
> Any idea on a product would be gratefully appreciated.
>
> Thanks again for your help.
> C.
>
> -----Original Message-----
> From: Shawn Jackson [mailto:sjackson () horizonusa com]
> Sent: 12 December 2003 17:09
> To: Madden, Clive: IT (LDN); security-basics () securityfocus com
> Subject: RE: MPLS Encryption
>
>
>
>         MPLS is used on switched networks to aid in routing, or static
> paths, of packets. MPLS in it 'true-to-life' form is just an additional
> header tagged to the packet at which the network equipment looks at.
>
>         What you will want is called IPSec ESP (Encrypted Security Payload).
> ESP is used to protect data but keeps the header in tact for  
> transmission on
> a standard network, i.e. PPTP. The technologies are not mutually  
> exclusive;
> you can use IPSec-ESP/AH with MPLS. Most end-nodes never see the MPLS
> header, seaming it's striped at the PE router. Any product that has  
> IPSec
> VPN will have ESP and AH (Authentication Header), but it depends on  
> what
> your trying to do. Are you trying to secure communications on a LAN?  
> Or are
> you trying to secure data in the Internet/Extranet? If you give the  
> group
> some specifics about your situation, I'm sure someone can help you  
> better
> then me.
>
> Shawn Jackson
> Systems Administrator
> Horizon USA
> 1190 Trademark Dr #107
> Reno NV 89521
> www.horizonusa.com
>
> Email: sjackson () horizonusa com
> Phone: (775) 858-2338
>        (800) 325-1199 x338
>
> -----Original Message-----
> From: Clive.Madden () barclayscapital com
> [mailto:Clive.Madden () barclayscapital com]
> Sent: Thursday, December 11, 2003 4:11 AM
> To: security-basics () securityfocus com
> Subject: MPLS Encryption
>
>
> Hello, I was wondering if you could help me. I saw an email from an
> gentleman called Hussein Ghazy back in June asking about payload  
> encryption
> over MPLS. I was wondering if you could recommend any products that  
> only do
> payload encryption and NOT header. Your help would be gratefully
> appreciated.
>
> Thanks!
> Clive Madden
>
>
> ----------------------------------------------------------------------- 
> -
> For more information about Barclays Capital, please
> visit our web site at http://www.barcap.com.
>
>
> Internet communications are not secure and therefore the Barclays
> Group does not accept legal responsibility for the contents of this
> message.  Although the Barclays Group operates anti-virus programmes,
> it does not accept responsibility for any damage whatsoever that is
> caused by viruses being passed.  Any views or opinions presented are
> solely those of the author and do not necessarily represent those of  
> the
>
> Barclays Group.  Replies to this email may be monitored by the Barclays
> Group for operational or business reasons.
>
> ----------------------------------------------------------------------- 
> -
>
>
> ----------------------------------------------------------------------- 
> -
> ---
> ----------------------------------------------------------------------- 
> -
> ----
>
>
> ----------------------------------------------------------------------- 
> ----
> ----------------------------------------------------------------------- 
> -----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)

iD8DBQE/3jSDFU6lFPmOd9ERAuThAKCy0l3Ig2j1oFpjPpOyAKF/Hxe0JACfaAT9
3DfZbjJ2glmyNp3v92fNPlk=
=3AGl
-----END PGP SIGNATURE-----


---------------------------------------------------------------------------
----------------------------------------------------------------------------