[AusNOG] PtP Link Request North Sydney <-> Crows Nest
Nigel Roberts
nigel at nobiscuit.com
Sun Jun 8 21:03:44 EST 2014
On 8 Jun 2014, at 8:35 pm, Mark Newton <newton at atdot.dotat.org> wrote:
>
> On 3 Jun 2014, at 16:29, Michael Dale <mdale at dalegroup.net> wrote:
>>
>> Specifically it must be secure
>
> That makes very little sense.
>
> If you're buying your security from another service provider, then it isn't really secure because the service provider has the keys, and will provide them to any regulator who asks.
>
> If you're going to run IPSEC over the top of it anyway, then it doesn't matter whether the underlying service is "secure."
>
It depends what your threat model is. If all you care about is confidentiality and integrity then sure, but what about availability? Assuming perfectly configured IPsec, IPsec over the internet is still vulnerable to deliberate attacks that IPsec over a point-to-point link isn’t, such as resource exhaustion, DDoS, etc. That said, I’d agree that requesting a “secure” service isn’t very useful in the context of a layer 2/3 service without additional information about the threats that you care about.
Nigel