Re: [anonsec] I-D Action:draft-ietf-btns-connection-latching-06.txt

Nicolas Williams <Nicolas.Williams@sun.com> Tue, 08 April 2008 17:53 UTC

Date: Tue, 08 Apr 2008 12:30:36 -0500
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Daniel Migault <mglt.biz@gmail.com>, anonsec@postel.org
Message-ID: <20080408173036.GS16998@Sun.COM>
Mail-Followup-To: Daniel Migault <mglt.biz@gmail.com>, anonsec@postel.org
References: <20080225093002.01ABB3A6CB2@core3.amsl.com> <c17ec2f80803132253k6442ec40m99be1872704f5c5a@mail.gmail.com> <20080407180003.GB16998@Sun.COM>
In-Reply-To: <20080407180003.GB16998@Sun.COM>
Subject: Re: [anonsec] I-D Action:draft-ietf-btns-connection-latching-06.txt

On Mon, Apr 07, 2008 at 01:00:04PM -0500, Nicolas Williams wrote:
> > < The State diagram with functions can be represented by the figure below:
> > < [I removed mine]
> 
> Er, could you send it again?

Never mind.  I've written one:

           |
          CREATE_LISTENER_LATCH()
           |
           |
           v
      +--------+                  /
      |LISTENER|-------+     <CREATE_CONNECTION_LATCH()>
      +--------+       |        /
                       |       /
                       |      +
                       |      |
                       v      v
                    +-----------+
             +------|ESTABLISHED|<-------+
             |      +-----------+        |
        <conflict>      |    |         <conflict
             |          |    |          cleared>
             v          | <conflict>     |
           +------+     |    |      +---------+
           |BROKEN|     |    +----->|SUSPENDED|
           +------+     |           +---------+
             |     <RELEASE_LATCH()>         |
             |          |                    |
   <RELEASE_LATCH()>    v                <RELEASE_LATCH()>
             |         +------+              |
             +-------->|CLOSED|<-------------+
                       +------+

> I'll review your "Interaction between LD and other IPsec Databases"
> section next.

I think your sections 4. and 4.1 mostly restate what a lot of the draft
already says, but section 4.2 inspires me to add an example section.

I think we need a section with a very simple sample PAD and SPD
configuration as follows:

 - The PAD shall have one entry specifying a PKI trust anchor that
   peers' certificates must validate to.

 - The SPD will have a single PROTECT entry with address and port ranges
   for traffic selectors, and a single BYPASS entry for another set of
   addresses and ports.  The protocol will be TCP in both cases.

Events in the example will include:

 - Creation of a TCP listener
    - receipt of a TCP SYN for that listener and completion of the TCP
      handshake

 - An attempt to establish a TCP connection for a different
   application
    - sending a TCP SYN
    - completion of the TCP handshake

 - Connection closing

 - Network events that result in conflicting SAD updates
 - Local conflicting SPD updates

Nico
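The state diagram in the message above, as an added example written here (not code from the draft or from the author): a small Python model of one latch. `peer_id`, `suspend_on_conflict`, `accept()`, `sa_update()` and `traffic_allowed()` are assumed names, and the conflict rule (an SAD/SPD update naming a different peer for the latched flow) is a simplification of the draft's conflict checks, chosen so the two <conflict> arrows out of ESTABLISHED can be exercised.

```python
from enum import Enum, auto


class State(Enum):
    LISTENER = auto()
    ESTABLISHED = auto()
    BROKEN = auto()
    SUSPENDED = auto()
    CLOSED = auto()


class Latch:
    """One latch, following the ASCII state diagram in the message.

    suspend_on_conflict (assumed policy) selects which <conflict> arrow out
    of ESTABLISHED applies: SUSPENDED (recoverable) or BROKEN (final).
    peer_id (assumed) is the value latched at creation; later updates are
    checked against it."""

    def __init__(self, state, peer_id=None, suspend_on_conflict=False):
        self.state = state
        self.peer_id = peer_id
        self.suspend_on_conflict = suspend_on_conflict

    @classmethod
    def create_listener_latch(cls):
        return cls(State.LISTENER)                     # CREATE_LISTENER_LATCH()

    @classmethod
    def create_connection_latch(cls, peer_id, suspend_on_conflict=False):
        return cls(State.ESTABLISHED, peer_id, suspend_on_conflict)  # active open

    def accept(self, peer_id):
        # LISTENER -> a new ESTABLISHED latch for the accepted connection
        if self.state is not State.LISTENER:
            raise ValueError(f"accept() from {self.state.name}")
        return Latch(State.ESTABLISHED, peer_id, self.suspend_on_conflict)

    def sa_update(self, peer_id):
        # Different peer for the latched flow: <conflict>; same peer while
        # SUSPENDED: <conflict cleared>. BROKEN has no recovery arrow.
        if self.state is State.ESTABLISHED and peer_id != self.peer_id:
            self.state = State.SUSPENDED if self.suspend_on_conflict else State.BROKEN
        elif self.state is State.SUSPENDED and peer_id == self.peer_id:
            self.state = State.ESTABLISHED
        return self.state

    def traffic_allowed(self):
        # Packets for the latched flow pass only while ESTABLISHED
        return self.state is State.ESTABLISHED

    def release_latch(self):
        # RELEASE_LATCH(): only drawn from ESTABLISHED, BROKEN and SUSPENDED
        if self.state not in (State.ESTABLISHED, State.BROKEN, State.SUSPENDED):
            raise ValueError(f"RELEASE_LATCH() from {self.state.name}")
        self.state = State.CLOSED
        return self.state
```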