nanog mailing list archives

Re: MACsec SFP


From: Christopher Morrow <morrowc.lists () gmail com>
Date: Tue, 24 Jun 2014 13:32:04 -0400

On Tue, Jun 24, 2014 at 1:19 PM, Saku Ytti <saku () ytti fi> wrote:
On (2014-06-24 12:30 -0400), Christopher Morrow wrote:

it's going to be hard to schedule a key roll then, right? I would
expect that in most/many deployments where someone enters a 'key'
there has to be some compliance process that includes: "And you change
that key every X days" right? So you'll NOT want to be in a situation
that involves coordinating a few thousand truck rolls every X months
to have this deployed.

Hopefully you could offer date when new keys take effect.

sure, 'use new key in 37.243 minutes!' I still have to coordinate
people showing up at all sites over N period of time to do this
programming, and I'm SURE that some set of the programmed devices will
get an l instead of a 1 ... so 'quick chuck, get in the truck!' is
going to be an oft-heard refrain ;(

Hand managing this just isn't feasible, I think.

Maybe some customer would then enter need for this in CLI in their multimillion
dollar RFQ, and then we'd get the feature.

maybe so... multi-million of sfp is a lot of sfp though.

Of course this would be for the equipment where SFP sits, SFP vendor can't
solve this. But if you're making it mandatory in router RFQ, it seems pretty
much guaranteed vendors would comply and winning bid at least would implement
it.

yes, I realized as I clicked 'send'... in any case :) the sfp
manufacturer likely has to decide on some way to program the sfp
(maybe there are already in-router/switch ways for other things like
this? like wavelength...) which all router/switch vendors have to also
agree to abide by.

