
Re: [lisp] Gen-ART Review for draft-ietf-lisp-crypto-09

2016-10-14 07:05:06
Manish, we wanted a more integrated solution. Many products can’t do 
encapsulation and encryption at one time in one router. There are 2-box 
solutions out there. Plus, there are more RTT packet exchanges for IPsec which 
would cause more packet loss when the ITR would have to resolve an EID to an 
RLOC and do key exchange. We did this all together in one RTT so we have 
efficiency and integration.

Plus, we can do rekeying more efficiently and quicker. And we don’t have to 
store keys and have a PKI.

Dino

On Oct 13, 2016, at 12:21 PM, Roger Jørgensen <rogerj(_at_)gmail(_dot_)com> 
wrote:

On Thu, Oct 13, 2016 at 3:30 PM, Manish Kumar 
<manishkr(_dot_)online(_at_)gmail(_dot_)com> wrote:
I guess I did mention this before but just in case that was missed - the
idea of a separate confidentiality mechanism for each encapsulation/overlay
protocol when these are all IP based does seem a bit inapposite to me. At a
minimum, it opens up scope for additional security holes to prey upon (as
against using a standard mechanism like IPsec).
<snip>

I was going to respond to the original question but somehow it got lost...

The idea went through a lot of discussion with different security guys to make
sure it would be as good as it could be; if I remember correctly we did all that
before it was requested to be a LISP-wg document.


I would suggest you read the introduction part again; there are a few things
there that made IPSec or any form of outer encryption out of scope. Not to forget
that if using IPSec we would have to encapsulate an already encapsulated packet...

Some other background on the document - I had two ideas, one was that we
should encrypt the xTR - xTR traffic to make it a bit more secure over whatever
medium it was crossing - and an idea that as a LISP site I should somehow be
able to signal alongside my EID that I only wanted encrypted traffic to arrive at
my xTR's, or that I only supported a few given encryption schemes.
This and some ideas Dino already combined with other input morphed into
the document we are discussing now.



-- 

Roger Jorgensen           | ROJO9-RIPE
rogerj(_at_)gmail(_dot_)com          | - IPv6 is The Key!
http://www.jorgensen.no   | roger(_at_)jorgensen(_dot_)no

