[167327] in North American Network Operators' Group


Re: Someone’s Been Siphoning Data Through a Huge S

daemon@ATHENA.MIT.EDU (Eugeniu Patrascu)
Mon Dec 9 00:08:16 2013

In-Reply-To: <2D1130BB-4534-440C-8C8C-C59B21A36DE3@doubleshotsecurity.com>
Date: Mon, 9 Dec 2013 07:07:57 +0200
From: Eugeniu Patrascu <eugen@imacandi.net>
To: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Sun, Dec 8, 2013 at 11:46 PM, Merike Kaeo
<merike@doubleshotsecurity.com> wrote:

>
> On Dec 6, 2013, at 11:55 AM, Eugeniu Patrascu <eugen@imacandi.net> wrote:
>
> > On Fri, Dec 6, 2013 at 9:48 PM, Jared Mauch <jared@puck.nether.net> wrote:
> >
> >>
> >> On Dec 6, 2013, at 1:39 PM, Brandon Galbraith <brandon.galbraith@gmail.com> wrote:
> >>
> >>
> >>> If your flows are a target, or your data is of an extremely sensitive
> >>> nature (diplomatic, etc), why aren't you moving those bits over
> >>> something more private than IP (point to point L2, MPLS)? This doesn't
> >>> work for the VoIP target mentioned, but foreign ministries should most
> >>> definitely not be trusting encryption alone.
> >>
> >> I will ruin someone's weekend here, but:
> >>
> >> MPLS != Encryption.  MPLS VPN = "Stick a label before the still
> >> unencrypted IP packet".
> >> MPLS doesn't secure your data, you are responsible for keeping it secure
> >> on the wire.
> >>
> >>
> > It's always interesting to watch someone's expression when they hear that
> > MPLS VPN, even if it says VPN in the name is not encrypted. Priceless every
> > time :)
>
> So, just to raise the bar…I had someone once tell me they encrypted
> everything since they were using IPsec.  Since I only trust configurations,
> lo and behold the configuration was IPsec AH.  As exercise to reader….determine
> why using IPsec does not automagically equate to encrypted traffic.
>
>
Interesting, as it's particularly hard to enable only AH instead of ESP.


> This was only 2 years ago while doing a security assessment for someone.
>
> I greatly dislike the term 'VPN'…..always have and always will.
> Marketechture is awesome!
>
>
I think you probably dislike all the people that grossly misunderstand what
a VPN is and what are its use cases :)
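
Added example, not part of the original message or thread: a Python check that tells IPsec AH (IP protocol 51) from ESP (protocol 50) on the wire and shows that the payload behind an AH header is still readable. The packets, addresses, SPI values and SIP payload are constructed sample data, and `ipv4`/`classify` are names made up for this sketch.

```python
import struct

ESP, AH, UDP = 50, 51, 17  # IANA IP protocol numbers

def ipv4(proto, payload):
    """Wrap payload in a minimal 20-byte IPv4 header (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])) + payload

def classify(packet):
    """Return (verdict, bytes readable on the wire or None) for an IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4
    proto, body = packet[9], packet[ihl:]
    if proto == ESP:
        # After SPI and sequence number the body is opaque. The wire format does
        # not show whether NULL encryption (RFC 2410) was negotiated, so the
        # configuration still has to be read.
        return "ESP", None
    if proto == AH:
        # RFC 4302: next header (1), payload len (1), reserved (2), SPI (4),
        # sequence (4), ICV. Payload len is in 32-bit words minus 2.
        next_header, payload_len = body[0], body[1]
        inner = body[(payload_len + 2) * 4:]
        return "AH, inner protocol %d in cleartext" % next_header, inner
    return "no IPsec", body

# Constructed sample traffic (not captured from anywhere).
DATA = b"INVITE sip:bob@example.net SIP/2.0"
udp = struct.pack("!HHHH", 5060, 5060, 8 + len(DATA), 0) + DATA
ah_header = struct.pack("!BBHII", UDP, 4, 0, 0x1000, 1) + bytes(12)  # dummy 96-bit ICV
AH_PACKET = ipv4(AH, ah_header + udp)
ESP_PACKET = ipv4(ESP, struct.pack("!II", 0x2000, 1) + bytes(range(48)))  # stand-in ciphertext

if __name__ == "__main__":
    for name, pkt in (("AH", AH_PACKET), ("ESP", ESP_PACKET), ("plain", ipv4(UDP, udp))):
        print(name, classify(pkt))
```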
