Re: [dhcwg] IESG Discusses on draft-ietf-dhc-relay-server-security-04

"Yogendra Pal (yogpal)" <yogpal@cisco.com> Thu, 20 April 2017 14:10 UTC

From: "Yogendra Pal (yogpal)" <yogpal@cisco.com>
To: "Bernie Volz (volz)" <volz@cisco.com>, Eric Rescorla <ekr@rtfm.com>
CC: The IESG <iesg@ietf.org>, "dhc-chairs@ietf.org" <dhc-chairs@ietf.org>, "draft-ietf-dhc-relay-server-security@ietf.org" <draft-ietf-dhc-relay-server-security@ietf.org>, "dhcwg@ietf.org" <dhcwg@ietf.org>
Date: Thu, 20 Apr 2017 14:09:57 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/PEpzdcf_94UBG_W-henddi5Gnw0>

FYI...Hi Bernie and Eric,

We're planning to implement this in our firewall product (ASA).

Regards, Yogendra
From: "Bernie Volz (volz)" <volz@cisco.com>
Date: Thursday, 20 April 2017 7:09 pm
To: Eric Rescorla <ekr@rtfm.com>
Cc: The IESG <iesg@ietf.org>, dhc-chairs@ietf.org, draft-ietf-dhc-relay-server-security@ietf.org, dhcwg@ietf.org
Subject: RE: IESG Discusses on draft-ietf-dhc-relay-server-security-04

Eric:

I can't say whether anyone would actually do this.

On the one hand, NOT having this document may make it less likely that anyone would, so having the document COULD mean someone will make use of it.

I also think that there may be little to add to a server or relay implementation to do this since it may just require some "host" configuration - as in https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/4/html/Security_Guide/s1-ipsec-host2host.html. Thus the bar to implement is low - just requires some additional host configuration. Of course, it may be more difficult to deploy on relays (on routers)?

One reason that I think that this may not be used heavily (if at all) is that most of the relay to server communication is probably flowing in an operator's infrastructure (data center) network and hence they likely have secured that infrastructure communication in general and thus the relay to relay / relay to server communication may be part of that - this may be the same path used to manage the relays, for example.


- Bernie
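To make the "host configuration" point above concrete, here is an added example (not from the draft, from this thread, or from any Cisco or Red Hat product) of a strongSwan swanctl.conf on a DHCPv6 relay agent that protects its traffic to one DHCPv6 server with IPsec ESP in transport mode negotiated over IKEv2. The addresses, identities and pre-shared key are constructed placeholders.

```conf
# Added example: strongSwan swanctl.conf on a DHCPv6 relay agent.
# Addresses, identities and the PSK are constructed placeholders.
connections {
    dhcpv6-relay-to-server {
        version = 2                          # IKEv2 only
        local_addrs  = 2001:db8:1::10        # this relay agent (placeholder)
        remote_addrs = 2001:db8:2::20        # the DHCPv6 server (placeholder)
        proposals = aes128gcm16-prfsha256-x25519
        local {
            auth = psk
            id = relay1.example.net
        }
        remote {
            auth = psk
            id = dhcp1.example.net
        }
        children {
            dhcpv6 {
                mode = transport             # host-to-host, no tunnel overhead
                # Relay may use any UDP source port; the server listens on UDP 547,
                # so only DHCPv6 relay/server traffic matches this policy.
                local_ts  = 2001:db8:1::10[udp]
                remote_ts = 2001:db8:2::20[udp/547]
                esp_proposals = aes128gcm16-x25519   # AEAD cipher, never null encryption
                start_action = trap          # first matching packet triggers IKE
                dpd_action = restart
            }
        }
        dpd_delay = 30s
    }
}

secrets {
    ike-dhcp1 {
        id-1 = relay1.example.net
        id-2 = dhcp1.example.net
        secret = "CHANGE-ME-long-random-psk"   # placeholder; prefer certificates at scale
    }
}
```

The same file applies on the server with the local and remote values swapped; a relay running on a router needs the equivalent policy on that platform.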

From: Eric Rescorla <ekr@rtfm.com>
Sent: Thursday, April 20, 2017 7:25 AM
To: Bernie Volz (volz) <volz@cisco.com>
Cc: The IESG <iesg@ietf.org>; dhc-chairs@ietf.org; draft-ietf-dhc-relay-server-security@ietf.org; dhcwg@ietf.org
Subject: Re: IESG Discusses on draft-ietf-dhc-relay-server-security-04

Hmm... I don't think this really resolves my concern, which is: is anyone going to actually do this?

I don't think that has to be in the draft, but I'd like to understand it.

-Ekr


On Wed, Apr 19, 2017 at 3:00 PM, Bernie Volz (volz) <volz@cisco.com> wrote:
Hi:

I've posted a -05 which tries to address the Discusses (except perhaps for Ben Campbell's about which I sent a separate email on 4/12). Please review and let me know if this helps or whether more changes are needed.

A new version of I-D, draft-ietf-dhc-relay-server-security-05.txt
has been successfully submitted by Bernie Volz and posted to the IETF repository.

Name:           draft-ietf-dhc-relay-server-security
Revision:       05
Title:          Security of Messages Exchanged Between Servers and Relay Agents
Document date:  2017-04-19
Group:          dhc
Pages:          8
URL:            https://www.ietf.org/internet-drafts/draft-ietf-dhc-relay-server-security-05.txt
Status:         https://datatracker.ietf.org/doc/draft-ietf-dhc-relay-server-security/
Htmlized:       https://tools.ietf.org/html/draft-ietf-dhc-relay-server-security-05
Htmlized:       https://datatracker.ietf.org/doc/html/draft-ietf-dhc-relay-server-security-05
Diff:           https://www.ietf.org/rfcdiff?url2=draft-ietf-dhc-relay-server-security-05

- Bernie Volz