Manish, we wanted a more integrated solution. Many products can’t do encapsulation and encryption at one time in one router. There are 2-box solutions are there. Plus, there are more RTT packet exchanges for IPsec which would cause more packet loss when the ITR would have to resolve an EID to an RLOC and do key exchange. We did this all together in one RTT so we have efficiency and integration. Plus, we can do rekeying more efficiently and quicker. And we don’t have to store keys and have a PKI. Dino > On Oct 13, 2016, at 12:21 PM, Roger Jørgensen <rogerj@xxxxxxxxx> wrote: > > On Thu, Oct 13, 2016 at 3:30 PM, Manish Kumar <manishkr.online@xxxxxxxxx> wrote: >> I guess I did mention this before but just in case that was missed - the >> idea of a separate confidentiality mechanism for each encapsulation/overlay >> protocol when these are all IP based does seem a bit inapposite to me. At a >> minimum, it opens up scope for additional security holes to prey upon (as >> against using a standard mechanism like IPsec). > <snip> > > I was going to respond to the original question but somehow it got lost... > > The idea went through alot of discussion with different security guys to make > sure it would be as good as it could be, if I remember correctly we did all that > before it was requested to be a LISP-wg document.. > > > I would suggest you read the introduction part again, are a few things > there that > made IPSec or any form of outer encryption out of scope. Not to forget that if > using IPSec we would have to encapsulate an already encapsulated packet... > > Some other background on the document - I had two ideas, one was that we > should encrypt the xTR - xTR traffic to make it a bit more secure over whatever > medium it was crossing - and an idea that as a LISP site I should somehow be > able to signal alongside my EID that i only wanted encrypted traffic > to arrive at > my xTR's, or that I only supported a few given encryption scheme. > This and some ideas Dino already combined with other input morphed into > the document we are discussing now. > > > > -- > > Roger Jorgensen | ROJO9-RIPE > rogerj@xxxxxxxxx | - IPv6 is The Key! > http://www.jorgensen.no | roger@xxxxxxxxxxxx