On Thu, Oct 13, 2016 at 3:30 PM, Manish Kumar
<manishkr(_dot_)online(_at_)gmail(_dot_)com> wrote:
I guess I did mention this before but just in case that was missed - the
idea of a separate confidentiality mechanism for each encapsulation/overlay
protocol when these are all IP based does seem a bit inapposite to me. At a
minimum, it opens up scope for additional security holes to prey upon (as
against using a standard mechanism like IPsec).
<snip>
I was going to respond to the original question but somehow it got lost...
The idea went through alot of discussion with different security guys to make
sure it would be as good as it could be, if I remember correctly we did all that
before it was requested to be a LISP-wg document..
I would suggest you read the introduction part again, are a few things
there that
made IPSec or any form of outer encryption out of scope. Not to forget that if
using IPSec we would have to encapsulate an already encapsulated packet...
Some other background on the document - I had two ideas, one was that we
should encrypt the xTR - xTR traffic to make it a bit more secure over whatever
medium it was crossing - and an idea that as a LISP site I should somehow be
able to signal alongside my EID that i only wanted encrypted traffic
to arrive at
my xTR's, or that I only supported a few given encryption scheme.
This and some ideas Dino already combined with other input morphed into
the document we are discussing now.
--
Roger Jorgensen | ROJO9-RIPE
rogerj(_at_)gmail(_dot_)com | - IPv6 is The Key!
http://www.jorgensen.no | roger(_at_)jorgensen(_dot_)no