nanog mailing list archives
Re: SRv6
From: "tim () pelican org" <tim () pelican org>
Date: Fri, 18 Sep 2020 10:40:54 +0100 (BST)
For me, MACSec is kind of like SyncE... great on paper and in the sales pitch, but anyone that truly wants to use those features is probably going to be architecting, deploying and managing them themselves, and not paying a 3rd party network operator for the priviledge.
I've got MACSec deployed for exactly one customer as a point solution. It works once it's in, but the documentation, vendor or otherwise, and choice of suitable equipment were fairly sparse. I certainly wouldn't want to offer it at scale. Encrypted network conversations with customers, I always try to be very clear about what they're trying to protect against, and make them think properly about trust boundaries. Sure, I can slap a managed CPE on site if I don't already have one and provide overlay encryption - but that doesn't stop a rogue engineer on my side from capturing data before it's encrypted. If what you're concerned about is fibre taps, or security flaws in the MPLS traffic-segregation model or implementation, that helps. If you don't want to trust me as a service provider not to sniff your traffic in the middle, having me encrypt it at the edge really doesn't help - you need to encrypt it yourself, or have a different third-party that you do trust do the encryption. Some people get it, some people are just trying to fill auditor check-boxes ;) Regards, Tim.
Current thread:
- RE: SRv6, (continued)
- RE: SRv6 aaron1 (Sep 15)
- Re: SRv6 Randy Bush (Sep 15)
- Re: SRv6 Mark Tinka (Sep 16)
- Re: SRv6 Anoop Ghanwani (Sep 16)
- Re: SRv6 Randy Bush (Sep 16)
- Re: SRv6 Mark Tinka (Sep 17)
- Re: SRv6 mark seery (Sep 17)
- Re: SRv6 Mark Tinka (Sep 17)
- Re: SRv6 mark seery (Sep 17)
- Re: SRv6 Mark Tinka (Sep 17)
- Re: SRv6 tim () pelican org (Sep 18)
- Re: SRv6 Mark Tinka (Sep 18)
- Re: SRv6 Wilco Baan Hofman (Sep 18)
- Re: SRv6 mark seery (Sep 18)
- Re: SRv6 Mark Tinka (Sep 19)
- Re: SRv6 Valdis Klētnieks (Sep 19)
- Re: SRv6 Mark Tinka (Sep 20)
- Re: SRv6 Łukasz Bromirski (Sep 21)
- Re: SRv6 Mark Tinka (Sep 16)
- Re: SRv6 James Bensley (Sep 16)
- Re: SRv6 Randy Bush (Sep 16)