Re: [HOKEY] [IPsec] New I-D: draft-nir-ipsecme-erx-00
Yaron Sheffer <yaronf.ietf@gmail.com> Thu, 05 May 2011 20:41 UTC
Message-ID: <4DC30B68.70202@gmail.com>
Date: Thu, 05 May 2011 23:41:12 +0300
From: Yaron Sheffer <yaronf.ietf@gmail.com>
To: Yoav Nir <ynir@checkpoint.com>
References: <006FEB08D9C6444AB014105C9AEB133F013ABE025E24@il-ex01.ad.checkpoint.com> <4DBF19F4.6050804@gmail.com> <95F1A883-8213-4A57-911B-E660E02A3117@checkpoint.com> <00a401cc09fd$b152ef00$46298a0a@china.huawei.com> <8CAC67D8-623B-4738-89B0-4A72C3C7AF95@checkpoint.com> <b94047babd6474117f7734354425dc0b.squirrel@www.trepanning.net> <BAE19B87-DE7A-4306-B3F0-D171580BCE57@checkpoint.com> <86c7cd758de89a6f640f8e55faff11ee.squirrel@www.trepanning.net> <F27D10DD-0B3A-4BA1-AF42-9D814C761804@checkpoint.com> <6c5908c5ea31d90ed1a8f96b57bf2d72.squirrel@www.trepanning.net>
<FC252A0F-BCF3-458D-B2C1-68CCF64F583F@checkpoint.com>
In-Reply-To: <FC252A0F-BCF3-458D-B2C1-68CCF64F583F@checkpoint.com>
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, "hokey@ietf.org" <hokey@ietf.org>
I think we are going down a rathole on the issue of "authenticated identity". Most IKE gateways, like many other security devices, normally make policy decisions based on groups. I will provide secure connectivity to anybody@this-isp.com, but not to anybody@that-isp.com. But I don't want to differentiate john@isp.com from jane@isp.com.
It seems to me RFC 4306/5996 took the concept a bit further than RFC 4301 ever intended (in fact I believe the text is new to RFC 5996). Presumably, when we talk about identity-based policy decisions, we refer to http://tools.ietf.org/html/rfc4301#section-4.4.3. This text (and the following section) explicitly allows for "bulk" policies that apply to "@example.com", i.e. anybody at that domain. And such coarse granularity may be sufficient in practice for inter-ISP traffic: ISP1 may be happy to provide secure connectivity to ISP2's customers and take a cut of the business, even if it doesn't know the exact identity of each customer and cannot contact them, bill them or log their names.
So I would suggest that the draft should mention that no individual authenticated identity is available in the typical case (and this is unfortunately in conflict with RFC 5996), but the obscured identity provided in RADIUS Access-Accept can be used to make legitimate policy decisions.
Thanks,
Yaron
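The message above argues that a gateway can make legitimate policy decisions from a domain-granularity ("bulk") PAD entry such as "@this-isp.com" even when the individual identity behind it is obscured. The following is an added example, written for this archive page and not taken from the draft, RFC 4301, or any IKE implementation. It models a small Peer Authorization Database lookup in which an entry names either one peer or every peer at a domain; the entry syntax (`@domain`, `*.domain`), the "exact entry beats bulk entry" ordering rule, the policy labels and all sample identities are constructed assumptions. The point it demonstrates beyond the message is the check a bulk entry needs: the match must be on the whole domain at a label boundary, so "@this-isp.com" admits "anon-7f3a@this-isp.com" but not "john@evil-this-isp.com" or "john@this-isp.com.attacker.example".

```python
"""Peer Authorization Database (PAD) lookup with "bulk" domain entries.

Added example for this thread, not code from the draft or from any IKE
implementation.  It models the RFC 4301 section 4.4.3 notion that a PAD
entry may name one peer (john@isp.com) or every peer at a domain
(@isp.com).  The entry syntax, the "most specific match wins" rule, the
policy labels and the sample identities are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ID_RFC822_ADDR = "ID_RFC822_ADDR"   # user@domain identity
ID_FQDN = "ID_FQDN"                 # host name identity


@dataclass(frozen=True)
class PadEntry:
    id_type: str   # ID_RFC822_ADDR or ID_FQDN
    pattern: str   # exact id, "@domain" (bulk rfc822) or "*.domain" (bulk fqdn)
    policy: str    # constructed label of the authorization policy to apply

    @property
    def is_bulk(self) -> bool:
        return self.pattern.startswith("@") or self.pattern.startswith("*.")


def split_rfc822(addr: str) -> Optional[Tuple[str, str]]:
    """Return (local_part, domain) or None for a malformed identity.

    Split on the LAST '@' so that an identity such as
    'john@this-isp.com@attacker.example' is judged by its real domain.
    Domains compare case-insensitively; local parts are left as given.
    """
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return None
    return local, domain.lower().rstrip(".")


def rfc822_matches(identity: str, pattern: str) -> bool:
    parts = split_rfc822(identity)
    if parts is None:
        return False
    local, domain = parts
    if pattern.startswith("@"):
        # Bulk entry: whole-domain equality, so "@isp.com" matches neither
        # "john@evil-isp.com" nor "john@isp.com.attacker.example".
        return domain == pattern[1:].lower().rstrip(".")
    expected = split_rfc822(pattern)
    return expected is not None and expected == (local, domain)


def fqdn_matches(name: str, pattern: str) -> bool:
    name = name.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        # Bulk entry: require a label boundary, so "*.partner.example"
        # matches "gw1.partner.example" but not "notpartner.example"
        # and not the bare "partner.example".
        suffix = pattern[1:]
        return name.endswith(suffix) and len(name) > len(suffix)
    return name == pattern


def lookup_pad(pad: List[PadEntry], id_type: str, identity: str) -> Optional[str]:
    """Return the policy label for the peer, or None if no PAD entry admits it.

    Constructed rule: an exact entry beats a bulk entry; among equally
    specific entries the first listed wins.
    """
    matches = []
    for entry in pad:
        if entry.id_type != id_type:
            continue
        if id_type == ID_RFC822_ADDR and rfc822_matches(identity, entry.pattern):
            matches.append(entry)
        elif id_type == ID_FQDN and fqdn_matches(identity, entry.pattern):
            matches.append(entry)
    for want_bulk in (False, True):
        for entry in matches:
            if entry.is_bulk == want_bulk:
                return entry.policy
    return None


# Constructed PAD for the scenario in the message: connectivity for anybody
# at this-isp.com, nobody at that-isp.com, plus one named administrator and
# a bulk entry for a partner's gateways identified by host name.
SAMPLE_PAD = [
    PadEntry(ID_RFC822_ADDR, "@this-isp.com", "ALLOW_ISP_CUSTOMERS"),
    PadEntry(ID_RFC822_ADDR, "admin@this-isp.com", "ALLOW_ADMIN"),
    PadEntry(ID_FQDN, "*.partner.example", "ALLOW_PARTNER_HOSTS"),
]


def decide(id_type: str, identity: str) -> Optional[str]:
    return lookup_pad(SAMPLE_PAD, id_type, identity)


if __name__ == "__main__":
    for ident in ["john@this-isp.com", "anon-7f3a@this-isp.com",
                  "admin@this-isp.com", "jane@that-isp.com",
                  "john@evil-this-isp.com", "john@this-isp.com.attacker.example"]:
        print(f"{ident:40} -> {decide(ID_RFC822_ADDR, ident)}")
```

The obscured identity case from the message is "anon-7f3a@this-isp.com": the gateway learns nothing about who that is, yet the bulk entry still yields a definite policy decision because the realm is authenticated. The two negative cases show why the domain comparison is whole-string equality rather than a substring or suffix test.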