nanog mailing list archives
Re: SRv6
From: Mark Tinka <mark.tinka () seacom com>
Date: Fri, 18 Sep 2020 12:07:52 +0200
On 18/Sep/20 11:40, tim () pelican org wrote:
I've got MACSec deployed for exactly one customer as a point solution. It works once it's in, but the documentation, vendor or otherwise, and choice of suitable equipment were fairly sparse. I certainly wouldn't want to offer it at scale. Encrypted network conversations with customers, I always try to be very clear about what they're trying to protect against, and make them think properly about trust boundaries. Sure, I can slap a managed CPE on site if I don't already have one and provide overlay encryption - but that doesn't stop a rogue engineer on my side from capturing data before it's encrypted. If what you're concerned about is fibre taps, or security flaws in the MPLS traffic-segregation model or implementation, that helps. If you don't want to trust me as a service provider not to sniff your traffic in the middle, having me encrypt it at the edge really doesn't help - you need to encrypt it yourself, or have a different third-party that you do trust do the encryption. Some people get it, some people are just trying to fill auditor check-boxes ;)
Agreed. There was a time when the use-case for MACSec was to move banks away from running their own DWDM/FC networks, and letting operators do it.
I'm yet to find a bank willing to do this. Maybe I'm not paying enough attention.
Mark.