Re: Someone’s Been Siphoning Data Through a Huge Security Hole in the Internet

Eugeniu Patrascu eugen at imacandi.net
Mon Dec 9 05:07:57 UTC 2013


On Sun, Dec 8, 2013 at 11:46 PM, Merike Kaeo <merike at doubleshotsecurity.com> wrote:

>
> On Dec 6, 2013, at 11:55 AM, Eugeniu Patrascu <eugen at imacandi.net> wrote:
>
> > On Fri, Dec 6, 2013 at 9:48 PM, Jared Mauch <jared at puck.nether.net> wrote:
> >
> >>
> >> On Dec 6, 2013, at 1:39 PM, Brandon Galbraith <brandon.galbraith at gmail.com> wrote:
> >>
> >>> If your flows are a target, or your data is of an extremely sensitive
> >>> nature (diplomatic, etc), why aren't you moving those bits over
> >>> something more private than IP (point to point L2, MPLS)? This doesn't
> >>> work for the VoIP target mentioned, but foreign ministries should most
> >>> definitely not be trusting encryption alone.
> >>
> >> I will ruin someones weekend here, but:
> >>
> >> MPLS != Encryption.  MPLS VPN = "Stick a label before the still
> >> unencrypted IP packet".
> >> MPLS doesn't secure your data, you are responsible for keeping it secure
> >> on the wire.
> >>
> >>
> > It's always interesting to watch someone's expression when they hear that
> > MPLS VPN, even if it says VPN in the name, is not encrypted. Priceless every
> > time :)
>
> So, just to raise the bar… I had someone once tell me they encrypted
> everything since they were using IPsec. Since I only trust configurations,
> lo and behold the configuration was IPsec AH. As an exercise to the reader…
> determine why using IPsec does not automagically equate to encrypted traffic.
>
>
Interesting, as it's particularly hard to enable only AH instead of ESP.


> This was only 2 years ago while doing a security assessment for someone.
>
> I greatly dislike the term 'VPN'…..always have and always will.
> Marketechture is awesome!
>
>
I think you probably dislike all the people who grossly misunderstand what
a VPN is and what its use cases are :)
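The two points made in this thread (an MPLS label stack in front of a packet changes nothing about the IP payload, and IPsec AH authenticates but does not encrypt) can be checked on the wire rather than trusted from a diagram. The following script is an added example, not code from this thread or from any of the posters: it hand-builds three constructed Ethernet frames (MPLS-labelled IPv4/TCP, IPv4 with an AH header in front of TCP, and IPv4 carrying ESP), then classifies each by what actually protects the payload and prints whatever cleartext is still readable. The label values, addresses, SPIs, ICV bytes and "ciphertext" are constructed placeholders; IP options, IPv6 and AH/ESP tunnel-mode inner headers are deliberately not handled.

```python
"""Classify frames by what actually protects the IP payload (constructed samples).

Added example for the MPLS-is-not-encryption / AH-is-not-encryption discussion.
"""
import hashlib
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_MPLS = 0x8847      # MPLS unicast
IPPROTO_TCP = 6
IPPROTO_ESP = 50
IPPROTO_AH = 51

# ---- builders for the constructed sample frames (placeholder values only) ----

def _ethernet(ethertype, body):
    return bytes(6) + bytes(6) + struct.pack("!H", ethertype) + body

def _mpls_stack(labels, body):
    """Push label entries outermost-first; the last entry gets the bottom-of-stack bit."""
    stack = b""
    for i, label in enumerate(labels):
        bottom = 1 if i == len(labels) - 1 else 0
        stack += struct.pack("!I", (label << 12) | (bottom << 8) | 64)   # TC=0, TTL=64
    return stack + body

def _ipv4(proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload

def _tcp(payload):
    # 20-byte header, data offset 5, PSH|ACK, checksum left zero (constructed frame)
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload

def _ah(inner_proto, payload):
    # AH: next header, payload length (32-bit words minus 2), reserved, SPI, seq, 96-bit ICV.
    icv = hashlib.sha1(b"constructed icv placeholder").digest()[:12]
    return struct.pack("!BBHII", inner_proto, 4, 0, 0x1000, 1) + icv + payload

def _esp(ciphertext):
    # ESP: SPI, seq, then an opaque encrypted payload/trailer/ICV blob.
    return struct.pack("!II", 0x2000, 1) + ciphertext

# ---- the classifier --------------------------------------------------------

def pop_mpls_labels(body):
    """Strip an MPLS label stack; return (labels outermost-first, remaining bytes)."""
    labels = []
    while True:
        entry, = struct.unpack("!I", body[:4])
        labels.append(entry >> 12)           # top 20 bits are the label
        body = body[4:]
        if (entry >> 8) & 1:                 # bottom-of-stack bit
            return labels, body

def classify_frame(frame):
    """Return what protects the IP payload and whatever cleartext is still visible."""
    ethertype, = struct.unpack("!H", frame[12:14])
    body = frame[14:]
    labels = []
    if ethertype == ETHERTYPE_MPLS:
        labels, body = pop_mpls_labels(body)   # labels gone, IP packet is untouched
    elif ethertype != ETHERTYPE_IPV4:
        raise ValueError("only IPv4 and MPLS-over-Ethernet frames are handled")
    ihl = (body[0] & 0x0F) * 4
    proto = body[9]
    inner = body[ihl:]
    protection = "none"
    if proto == IPPROTO_ESP:
        return {"mpls_labels": labels, "protection": "encrypted (ESP)", "cleartext": None}
    if proto == IPPROTO_AH:
        proto = inner[0]                        # next header follows the AH header
        inner = inner[(inner[1] + 2) * 4:]      # skip AH; the payload after it is plaintext
        protection = "integrity-only (AH)"
    if proto == IPPROTO_TCP:
        cleartext = inner[(inner[12] >> 4) * 4:]
    else:
        cleartext = inner
    return {"mpls_labels": labels, "protection": protection, "cleartext": cleartext}

# ---- constructed sample frames ---------------------------------------------

REQUEST = b"GET /secret HTTP/1.1\r\n"
SAMPLE_FRAMES = {
    "mpls_vpn": _ethernet(ETHERTYPE_MPLS,
                          _mpls_stack([1001, 2002], _ipv4(IPPROTO_TCP, _tcp(REQUEST)))),
    "ipsec_ah": _ethernet(ETHERTYPE_IPV4, _ipv4(IPPROTO_AH, _ah(IPPROTO_TCP, _tcp(REQUEST)))),
    "ipsec_esp": _ethernet(ETHERTYPE_IPV4,
                           _ipv4(IPPROTO_ESP, _esp(hashlib.sha256(b"constructed ciphertext").digest()))),
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        r = classify_frame(frame)
        print(f"{name:9s} labels={r['mpls_labels']} protection={r['protection']} "
              f"cleartext={r['cleartext']!r}")
```

Run as-is, the MPLS and AH frames both report the HTTP request in the clear, and only the ESP frame hides it; the same classifier can be pointed at frames pulled from a capture to confirm that a "VPN" actually carries protocol 50 rather than labelled or AH-wrapped plaintext.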


More information about the NANOG mailing list