On 18/Sep/20 11:40, t...@pelican.org wrote:
> I've got MACSec deployed for exactly one customer as a point solution. It
> works once it's in, but the documentation, vendor or otherwise, and choice of
> suitable equipment were fairly sparse. I certainly wouldn't want to offer it
> at scale.
>
> Encrypted network conversations with customers, I always try to be very clear
> about what they're trying to protect against, and make them think properly
> about trust boundaries. Sure, I can slap a managed CPE on site if I don't
> already have one and provide overlay encryption - but that doesn't stop a rogue
> engineer on my side from capturing data before it's encrypted. If what you're
> concerned about is fibre taps, or security flaws in the MPLS
> traffic-segregation model or implementation, that helps. If you don't want to
> trust me as a service provider not to sniff your traffic in the middle, having
> me encrypt it at the edge really doesn't help - you need to encrypt it
> yourself, or have a different third party that you do trust do the encryption.
>
> Some people get it, some people are just trying to fill auditor check-boxes ;)

Agreed.
There was a time when the use-case for MACSec was to move banks away
from running their own DWDM/FC networks, and letting operators do it.
I'm yet to find a bank willing to do this.
Maybe I'm not paying enough attention.
Mark.