Re: SRv6

[Mark Tinka <mark.tinka () seacom com>]

On 18/Sep/20 11:40, tim () pelican org wrote:

> I've got MACSec deployed for exactly one customer as a point solution.  It works once it's in, but the documentation, vendor 
> or otherwise, and choice of suitable equipment were fairly sparse.  I certainly wouldn't want to offer it at scale.
>
> Encrypted network conversations with customers, I always try to be very clear about what they're trying to protect against, and make them think 
> properly about trust boundaries.  Sure, I can slap a managed CPE on site if I don't already have one and provide overlay encryption - but that 
> doesn't stop a rogue engineer on my side from capturing data before it's encrypted.  If what you're concerned about is fibre taps, or 
> security flaws in the MPLS traffic-segregation model or implementation, that helps.  If you don't want to trust me as a service provider not to sniff 
> your traffic in the middle, having me encrypt it at the edge really doesn't help - you need to encrypt it yourself, or have a different third-party 
> that you do trust do the encryption.
>
> Some people get it, some people are just trying to fill auditor check-boxes ;)

Agreed.

There was a time when the use-case for MACSec was to move banks away 
from running their own DWDM/FC networks, and letting operators do it.

I'm yet to find a bank willing to do this.

Maybe I'm not paying enough attention.

Mark.