Home page logo

basics logo Security Basics mailing list archives

Re: MPLS Encryption
From: Steve McGhee <steve () mcgheemail com>
Date: Mon, 15 Dec 2003 14:23:59 -0800

Hash: SHA1

if you want to use the same key for every device, why use a PKI?
why not symmetrical encryption? distribute the key to all and you're done.

sorry, no advice on a product, just wondering why the need for a PKI.

- -- - -steve

 . --------------------
 . steve () mcgheemail com

On Dec 15, 2003, at 2:21 AM, Clive.Madden () barclayscapital com wrote:

Hi Shawn, fully understand your response but maybe I should explain the
environment and what I'm looking for. Dual carrier MPLS cloud with RFC2547
inter-connects between carriers with branch site connectivity to both
clouds. The objective is to provide full encryption between sites with
minimum complexity. We'd like to leave the original header in the clear to
leverage some of the carrier management features so only encrypting the
payload is preferred. In addition to this we'd prefer not to have to worry about managing SA negotiation between every encryption device. This would require thousands based on the number of sites we have. So effectively we'd like a product that could only do payload encryption which uses some central PKI for key management (same keys of every device) and not have to worry about the exchange between every encryption device. This way the key to use is the same for all destination and the MPLS clouds could then route based
on the original header. This removes the complexity of having to manage
thousands of tunnels/peers.

Any idea on a product would be gratefully appreciated.

Thanks again for your help.

-----Original Message-----
From: Shawn Jackson [mailto:sjackson () horizonusa com]
Sent: 12 December 2003 17:09
To: Madden, Clive: IT (LDN); security-basics () securityfocus com
Subject: RE: MPLS Encryption

        MPLS is used on switched networks to aid in routing, or static
paths, of packets. MPLS in it 'true-to-life' form is just an additional
header tagged to the packet at which the network equipment looks at.

        What you will want is called IPSec ESP (Encrypted Security Payload).
ESP is used to protect data but keeps the header in tact for transmission on a standard network, i.e. PPTP. The technologies are not mutually exclusive;
you can use IPSec-ESP/AH with MPLS. Most end-nodes never see the MPLS
header, seaming it's striped at the PE router. Any product that has IPSec VPN will have ESP and AH (Authentication Header), but it depends on what your trying to do. Are you trying to secure communications on a LAN? Or are you trying to secure data in the Internet/Extranet? If you give the group some specifics about your situation, I'm sure someone can help you better
then me.

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521

Email: sjackson () horizonusa com
Phone: (775) 858-2338
       (800) 325-1199 x338

-----Original Message-----
From: Clive.Madden () barclayscapital com
[mailto:Clive.Madden () barclayscapital com]
Sent: Thursday, December 11, 2003 4:11 AM
To: security-basics () securityfocus com
Subject: MPLS Encryption

Hello, I was wondering if you could help me. I saw an email from an
gentleman called Hussein Ghazy back in June asking about payload encryption over MPLS. I was wondering if you could recommend any products that only do
payload encryption and NOT header. Your help would be gratefully

Clive Madden

----------------------------------------------------------------------- -
For more information about Barclays Capital, please
visit our web site at http://www.barcap.com.

Internet communications are not secure and therefore the Barclays
Group does not accept legal responsibility for the contents of this
message.  Although the Barclays Group operates anti-virus programmes,
it does not accept responsibility for any damage whatsoever that is
caused by viruses being passed.  Any views or opinions presented are
solely those of the author and do not necessarily represent those of the

Barclays Group.  Replies to this email may be monitored by the Barclays
Group for operational or business reasons.

----------------------------------------------------------------------- -

----------------------------------------------------------------------- -
----------------------------------------------------------------------- -

----------------------------------------------------------------------- ---- ----------------------------------------------------------------------- -----

Version: GnuPG v1.2.3 (Darwin)



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]