Re: [dhcwg] IESG Discusses on draft-ietf-dhc-relay-server-security-04

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Fri, 21 April 2017 16:45 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F05F129A92; Fri, 21 Apr 2017 09:45:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yxzBf8dE6icy; Fri, 21 Apr 2017 09:45:29 -0700 (PDT)
Received: from mail-qt0-x242.google.com (mail-qt0-x242.google.com [IPv6:2607:f8b0:400d:c0d::242]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A3EB0129572; Fri, 21 Apr 2017 09:45:29 -0700 (PDT)
Received: by mail-qt0-x242.google.com with SMTP id t52so12590968qtb.3; Fri, 21 Apr 2017 09:45:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=jk+jnAZ+zOLbdSXiSV2HFz204QybZtLBUCYIBrqdBB4=; b=lskanG2w15kcOk9UWi27FsJRkwOb+TOgapsl4rcBV0Lv+VDlbFU9TIYCx4iME0TFlU JU2DXtsl+6gkL6TaSRVwdjMwpekvp331IIwfU/ABTZIm8V2GlU5EJe+F4zlrXT9n/Q3K yeMKNO2x0TefPoBN1YytsFbIIafnUHrmQP40jnwVot5qggycBdPj0GzYWXJRHKz03vvj 2hxUkC/zvtq2rZZmiQowL9q2AJAqPhwNvftf5ZRIvLScQmG5gVJqbNCc1PyOOjWF43+R WIIxoPWhOB0zg9PpK3wmER9iIiJ9k1yFydZB9e+Rm236GMnKp6hxkpmjfpuoYeVmzJ1d ucvA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=jk+jnAZ+zOLbdSXiSV2HFz204QybZtLBUCYIBrqdBB4=; b=h9bXSrqViyxMIcwAQbTuw7K1BzSZQtlPbaBmM/X6R+0EE7MML0tpH6PISAaYl+HIEj GbDjkWhS8WsaOXWHGcfmBYuU8HWQnoZSM5npNEUJpkdJqP4EQqn8i0kmLOAmviKk3aCn 6/vN4jiT3t4gk8csyMngoNT6gjKQmaUSVMJEleqTOWBNUM97KJiOMVpyK9xeCo/lCdYG ctQxvB46l80zOZq6Akdj7r8flEkY4UqiNoHleKe47f8NB8DL5m5zlP7QTC0XIatvG7G3 VpxxYS+nIV1j60I3+K6l2xAqGvpo+nBbBoSIe8M/NJ+EpmpV6IVfsMXYHcyeR4KibH74 zBUQ==
X-Gm-Message-State: AN3rC/78esPT99hE0au6++dtOoZ6b69OJ55wA0ggEM2pr9Ar7NIkrsPq ARGnpPNcWMv3ig==
X-Received: by 10.200.48.14 with SMTP id f14mr14418517qte.201.1492793128348; Fri, 21 Apr 2017 09:45:28 -0700 (PDT)
Received: from [10.0.1.10] (ool-457c4d63.dyn.optonline.net. [69.124.77.99]) by smtp.gmail.com with ESMTPSA id p19sm6664791qtp.36.2017.04.21.09.45.27 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 21 Apr 2017 09:45:27 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail-A9F14B0A-7EE5-40B1-B7E8-FC23CB89EB41"
Mime-Version: 1.0 (1.0)
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
X-Mailer: iPhone Mail (14D27)
In-Reply-To: <D51EBD86.2673F%yogpal@cisco.com>
Date: Fri, 21 Apr 2017 12:45:26 -0400
Cc: "Bernie Volz (volz)" <volz@cisco.com>, Eric Rescorla <ekr@rtfm.com>, "dhc-chairs@ietf.org" <dhc-chairs@ietf.org>, The IESG <iesg@ietf.org>, "draft-ietf-dhc-relay-server-security@ietf.org" <draft-ietf-dhc-relay-server-security@ietf.org>, "dhcwg@ietf.org" <dhcwg@ietf.org>
Content-Transfer-Encoding: 7bit
Message-Id: <09030C6C-90BD-4246-965C-CC3239DCABE9@gmail.com>
References: <36c922c04bee4233b58e5185f0a4f9ad@XCH-ALN-003.cisco.com> <CABcZeBMZPqvK-z+ef=M=6So9bL7WJfa-rXOdghVaXjYER2kTDA@mail.gmail.com> <b11b9d34fe4c4132b608e6b43e853252@XCH-ALN-003.cisco.com> <D51EBD86.2673F%yogpal@cisco.com>
To: "Yogendra Pal (yogpal)" <yogpal@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/jjSXgwGuDRQLifuMQjajaRCtFIc>
Subject: Re: [dhcwg] IESG Discusses on draft-ietf-dhc-relay-server-security-04
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Apr 2017 16:45:33 -0000


Sent from my iPhone

> On Apr 20, 2017, at 10:09 AM, Yogendra Pal (yogpal) <yogpal@cisco.com> wrote:
> 
> FYI…Hi Bernie and Eric,
> 
> We’re planning to implement this in our firewall product (ASA).

Excellent, glad to hear it!

Kathleen 
> 
> Regards, Yogendra
> From: "Bernie Volz (volz)" <volz@cisco.com>
> Date: Thursday, 20 April 2017 7:09 pm
> To: Eric Rescorla <ekr@rtfm.com>
> Cc: The IESG <iesg@ietf.org>, "dhc-chairs@ietf.org" <dhc-chairs@ietf.org>, "draft-ietf-dhc-relay-server-security@ietf.org" <draft-ietf-dhc-relay-server-security@ietf.org>, "dhcwg@ietf.org" <dhcwg@ietf.org>
> Subject: RE: IESG Discusses on draft-ietf-dhc-relay-server-security-04
> Resent-From: <alias-bounces@ietf.org>
> Resent-To: <volz@cisco.com>, Yogendra Pal <yogpal@cisco.com>
> Resent-Date: Thursday, 20 April 2017 7:09 pm
> 
> Eric:
>  
> I can’t say whether anyone would actually do this.
>  
> On the one hand, NOT having this document may make it less likely that anyone would, so having the document COULD mean someone will make use of it.
>  
> I also think that there may be little to add to a server or relay implementation to do this since it may just require some “host” configuration – as in https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/4/html/Security_Guide/s1-ipsec-host2host.html. Thus the bar to implement is low – just requires some additional host configuration. Of course, it may be more difficult to deploy on relays (on routers)?
>  
> One reason that I think that this may not be used heavily (if at all) is that most of the relay to server commination is in probably flowing in an operator’s infrastructure (data center) network and hence they likely have secured that infrastructure communication in general and thus the relay to relay / relay to server communication may be part of that – this may be the same path used to manage the relays, for example.
>  
> -          Bernie
>  
> From: Eric Rescorla [mailto:ekr@rtfm.com] 
> Sent: Thursday, April 20, 2017 7:25 AM
> To: Bernie Volz (volz) <volz@cisco.com>
> Cc: The IESG <iesg@ietf.org>; dhc-chairs@ietf.org; draft-ietf-dhc-relay-server-security@ietf.org; dhcwg@ietf.org
> Subject: Re: IESG Discusses on draft-ietf-dhc-relay-server-security-04
>  
> Hmm... I don't think this really resolves my concern, which is: is anyone going to actually do this.
>  
> I don't think that has to be in the draft, but I'd like understand it.
>  
> -Ekr
>  
>  
> On Wed, Apr 19, 2017 at 3:00 PM, Bernie Volz (volz) <volz@cisco.com> wrote:
> Hi:
> 
> I've posted a -05 which tries to address the Discusses (except perhaps for Ben Campbell's about which I sent a separate email on 4/12). Please review and let me know if this helps or whether more changes are needed.
> 
> A new version of I-D, draft-ietf-dhc-relay-server-security-05.txt
> has been successfully submitted by Bernie Volz and posted to the IETF repository.
> 
> Name:           draft-ietf-dhc-relay-server-security
> Revision:       05
> Title:          Security of Messages Exchanged Between Servers and Relay Agents
> Document date:  2017-04-19
> Group:          dhc
> Pages:          8
> URL:            https://www.ietf.org/internet-drafts/draft-ietf-dhc-relay-server-security-05.txt
> Status:         https://datatracker.ietf.org/doc/draft-ietf-dhc-relay-server-security/
> Htmlized:       https://tools.ietf.org/html/draft-ietf-dhc-relay-server-security-05
> Htmlized:       https://datatracker.ietf.org/doc/html/draft-ietf-dhc-relay-server-security-05
> Diff:           https://www.ietf.org/rfcdiff?url2=draft-ietf-dhc-relay-server-security-05
> 
> - Bernie Volz
>