On Tue, 15 Sep 2020 at 19:14, Randy Bush <randy@psg.com> wrote:
I'm still learning, but it does seem interesting that the IP layer (v6) can now support VPNs without MPLS.
as the packet payload is nekkid cleartext, where is the P in vpn?
Define "privacy". In the kind of VPN I think you're suggesting (e.g. an IPSEC based VPN) they implement the classic CIA acronym (Confidentiality, Integrity and Authentication, with the "C" essentially meaning "encrypted" in practice; however, privacy requires all three of "CIA", encryption alone isn't privacy). "VPN" is not mutually dependent on "CIA"; the two things can and do exist separately. With MPLS L3 VPNs for example, the traffic isn't encrypted, but by creating a layer of abstraction (at the control plane, by signalling via MP-BGP using RDs and RTs, and at the forwarding plane by using MPLS tunneling) a customer's routing data and forwarding data is kept private (not encrypted!) from my physical infra forwarding- and control-planes, and from each other L3 VPN customer on my infra [1].

In fact, the point that customer (control- and forwarding-plane) data is kept private from MY INFRA is *the* fundamental aspect of MPLS L3 VPNs; they wouldn't scale at all without it.

Privacy != encryption.

Cheers,
James.

[1] This doesn't mean there aren't security flaws in MPLS (there are, but there are in things like IPSEC too), and "how secure" it is, is a separate subject.
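The separation James describes (RDs making overlapping customer prefixes unique in MP-BGP, RTs controlling which VRF imports what, and the provider's global table never carrying customer routes) can be modelled without any encryption step. The following is an added toy model, not code from the thread or from any router vendor; the VRF names, RD/RT values, labels and prefixes are constructed sample data.

```python
"""Toy model of MPLS L3 VPN route separation (added example, not from the thread).

Each VRF on a PE exports its IPv4 routes as VPNv4 routes keyed by (RD, prefix)
and tagged with export RTs; a VRF imports only routes whose RTs match its import
RTs. The provider's global table never sees customer prefixes, and two customers
can reuse 10.0.0.0/8 without colliding. Nothing here is encrypted: the isolation
comes purely from the control-plane abstraction.
"""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class VpnRoute:
    rd: str          # route distinguisher, e.g. "65000:1" (constructed value)
    prefix: str      # IPv4 prefix exactly as the customer advertised it
    rts: frozenset   # route-target extended communities attached on export
    label: int       # VPN label used on the forwarding plane

@dataclass
class Vrf:
    name: str
    rd: str
    export_rts: frozenset
    import_rts: frozenset
    routes: dict = field(default_factory=dict)  # prefix -> VPN label

def export_vpnv4(vrf):
    """Signal a VRF's routes into MP-BGP: the RD keeps overlapping prefixes distinct."""
    return [VpnRoute(vrf.rd, p, vrf.export_rts, lbl) for p, lbl in vrf.routes.items()]

def import_vpnv4(vrf, vpnv4_table):
    """A PE installs into a VRF only routes whose RTs intersect the VRF's import RTs."""
    return {r.prefix: r.label for r in vpnv4_table if r.rts & vrf.import_rts}

def build_topology():
    # Constructed data: two unrelated customers using the same address space.
    a = Vrf("CUST_A", "65000:1", frozenset({"65000:1"}), frozenset({"65000:1"}), {"10.0.0.0/8": 100})
    b = Vrf("CUST_B", "65000:2", frozenset({"65000:2"}), frozenset({"65000:2"}), {"10.0.0.0/8": 200})
    vpnv4 = export_vpnv4(a) + export_vpnv4(b)
    global_table = {"192.0.2.0/24": "P-router loopbacks"}  # provider core only
    return a, b, vpnv4, global_table

def demo():
    a, b, vpnv4, global_table = build_topology()
    keys = {(r.rd, r.prefix) for r in vpnv4}  # distinct (RD, prefix) keys in MP-BGP
    return {
        "vpnv4_keys": len(keys),
        "a_sees": import_vpnv4(a, vpnv4),
        "b_sees": import_vpnv4(b, vpnv4),
        "core_has_customer_prefix": "10.0.0.0/8" in global_table,
    }
```

Running `demo()` shows each VRF resolving 10.0.0.0/8 to its own label while the core table contains no customer prefix at all.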