nanog mailing list archives

Re: SRv6


From: "tim () pelican org" <tim () pelican org>
Date: Fri, 18 Sep 2020 10:40:54 +0100 (BST)

For me, MACSec is kind of like SyncE... great on paper and in the sales
pitch, but anyone that truly wants to use those features is probably
going to be architecting, deploying and managing them themselves, and
not paying a 3rd party network operator for the privilege.

I've got MACSec deployed for exactly one customer as a point solution.  It works once it's in, but the documentation, 
vendor or otherwise, and choice of suitable equipment were fairly sparse.  I certainly wouldn't want to offer it at 
scale.

Encrypted network conversations with customers, I always try to be very clear about what they're trying to protect 
against, and make them think properly about trust boundaries.  Sure, I can slap a managed CPE on site if I don't 
already have one and provide overlay encryption - but that doesn't stop a rogue engineer on my side from capturing data 
before it's encrypted.  If what you're concerned about is fibre taps, or security flaws in the MPLS traffic-segregation 
model or implementation, that helps.  If you don't want to trust me as a service provider not to sniff your traffic in 
the middle, having me encrypt it at the edge really doesn't help - you need to encrypt it yourself, or have a different 
third-party that you do trust do the encryption.

Some people get it, some people are just trying to fill auditor check-boxes ;)

Regards,
Tim.
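The trust-boundary point in the post above (edge encryption by the provider still leaves the provider's own staff with plaintext; only customer-side encryption removes the provider from the set of parties who can read the traffic) can be made concrete with a small model. The following is an added illustration, not part of the original post or of any vendor's tooling; the path segments, threat actors, access sets and design names are all constructed assumptions chosen to mirror the scenarios Tim describes (fibre taps, an MPLS segregation flaw, a rogue provider engineer, a managed CPE overlay, link-layer MACsec on the access circuits, and customer-run end-to-end encryption).

```python
"""Toy trust-boundary model: who can read a customer flow for a given encryption design.

Added example, not code from the original NANOG post. Every name below
(segments, actors, designs) is a constructed assumption for illustration.
"""

# Ordered segments a customer flow traverses between two sites (constructed).
# "Device" segments are where an encrypting box would sit; "fibre"/"core"
# segments are the media in between.
PATH = [
    "cust_lan", "cpe", "access_fibre", "pe", "provider_core",
    "remote_pe", "remote_access_fibre", "remote_cpe", "remote_lan",
]

# Segments each threat actor can observe (constructed assumptions).
ACTORS = {
    "fibre_tap": {"access_fibre", "remote_access_fibre"},
    "mpls_segregation_flaw": {"provider_core"},
    # Provider staff can capture on any box the provider manages, including a
    # managed CPE, which is the point made in the post.
    "provider_rogue_engineer": {"cpe", "pe", "provider_core", "remote_pe", "remote_cpe"},
    "customer_insider": {"cust_lan", "remote_lan"},
}

# Each design is a list of (encrypt_at, decrypt_at) spans. The encrypting and
# decrypting devices themselves handle plaintext; only segments strictly
# between them carry ciphertext.
DESIGNS = {
    "none": [],
    # Hop-by-hop MACsec on the access circuits: protects the wire, not the boxes.
    "macsec_access_links": [("cpe", "pe"), ("remote_pe", "remote_cpe")],
    # Provider-managed CPE overlay (IPsec or similar) between the two CPEs.
    "provider_managed_cpe_overlay": [("cpe", "remote_cpe")],
    # Customer encrypts on its own kit before handing traffic to the provider.
    "customer_end_to_end": [("cust_lan", "remote_lan")],
}


def ciphertext_segments(spans):
    """Return the set of PATH segments that carry ciphertext under these spans."""
    idx = {seg: i for i, seg in enumerate(PATH)}
    cipher = set()
    for enc_at, dec_at in spans:
        i, j = idx[enc_at], idx[dec_at]
        if i >= j:
            raise ValueError(f"span {enc_at}->{dec_at} is not forward along PATH")
        cipher.update(PATH[i + 1:j])
    return cipher


def readers(design):
    """Actors who can read plaintext somewhere they can observe, sorted by name."""
    plaintext = set(PATH) - ciphertext_segments(DESIGNS[design])
    return sorted(actor for actor, seen in ACTORS.items() if seen & plaintext)


def defeats(design):
    """Actors the design removes from the plaintext-reading set, sorted by name."""
    return sorted(set(ACTORS) - set(readers(design)))


if __name__ == "__main__":
    for name in DESIGNS:
        print(f"{name:30s} still readable by: {', '.join(readers(name)) or 'nobody'}")
```

Running it shows the progression the post argues: MACsec on the access links only defeats the fibre tap, the provider-managed overlay additionally defeats the MPLS segregation flaw but still leaves the provider's own engineer with plaintext on the CPE, and only the customer-operated end-to-end design takes the provider out of the reader set entirely. The model is deliberately simple (it ignores key management, metadata, and the remaining customer-side insiders), but it makes the "where is the plaintext, and who touches that box" question explicit before anyone ticks an audit box.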
