Re: [lisp] Gen-ART Review for draft-ietf-lisp-crypto-09

Dino Farinacci <farinacci@gmail.com> Fri, 14 October 2016 12:04 UTC

Subject: Re: [lisp] Gen-ART Review for draft-ietf-lisp-crypto-09
From: Dino Farinacci <farinacci@gmail.com>
In-Reply-To: <CAKFn1SH5C0VsqZ6Qz5CWPHhuwt7xra4bGuvqFN+QMCw1zzDsSg@mail.gmail.com>
Date: Fri, 14 Oct 2016 03:43:43 -0700
Message-Id: <6C4ED0F7-F7C4-491A-B91F-1835E270046C@gmail.com>
References: <C05B7CF3-3D83-4E69-B67C-976C08BB3611@qti.qualcomm.com> <F9C17115-476F-41A7-AA9B-B58E0EFF6C8D@gmail.com> <CAKFn1SH5C0VsqZ6Qz5CWPHhuwt7xra4bGuvqFN+QMCw1zzDsSg@mail.gmail.com>
To: Roger Jorgensen <rogerj@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/64xsy3BoOr7kad0cfHRQUCsvd5c>
Cc: "lisp@ietf.org" <lisp@ietf.org>, Manish Kumar <manishkr.online@gmail.com>, Pete Resnick <presnick@qti.qualcomm.com>, draft-ietf-lisp-crypto.all@ietf.org, General Area Review Team <gen-art@ietf.org>, IETF discussion list <ietf@ietf.org>

Manish, we wanted a more integrated solution. Many products can’t do encapsulation and encryption at one time in one router. There are 2-box solutions out there. Plus, there are more RTT packet exchanges for IPsec, which would cause more packet loss when the ITR would have to resolve an EID to an RLOC and do key exchange. We did this all together in one RTT so we have efficiency and integration.

Plus, we can do rekeying more efficiently and quicker. And we don’t have to store keys and have a PKI.

Dino

> On Oct 13, 2016, at 12:21 PM, Roger Jørgensen <rogerj@gmail.com> wrote:
> 
> On Thu, Oct 13, 2016 at 3:30 PM, Manish Kumar <manishkr.online@gmail.com> wrote:
>> I guess I did mention this before but just in case that was missed - the
>> idea of a separate confidentiality mechanism for each encapsulation/overlay
>> protocol when these are all IP based does seem a bit inapposite to me. At a
>> minimum, it opens up scope for additional security holes to prey upon (as
>> against using a standard mechanism like IPsec).
> <snip>
> 
> I was going to respond to the original question but somehow it got lost...
> 
> The idea went through a lot of discussion with different security guys to make
> sure it would be as good as it could be; if I remember correctly we did all that
> before it was requested to be a LISP-wg document.
> 
> 
> I would suggest you read the introduction part again; there are a few things
> there that made IPSec or any form of outer encryption out of scope. Not to forget
> that if using IPSec we would have to encapsulate an already encapsulated packet...
> 
> Some other background on the document - I had two ideas, one was that we
> should encrypt the xTR - xTR traffic to make it a bit more secure over whatever
> medium it was crossing - and an idea that as a LISP site I should somehow be
> able to signal alongside my EID that I only wanted encrypted traffic to arrive at
> my xTRs, or that I only supported a few given encryption schemes.
> This and some ideas Dino already combined with other input morphed into
> the document we are discussing now.
> 
> 
> 
> -- 
> 
> Roger Jorgensen           | ROJO9-RIPE
> rogerj@gmail.com          | - IPv6 is The Key!
> http://www.jorgensen.no   | roger@jorgensen.no
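
The one-RTT point Dino makes above (resolve the EID and agree a key in the same Map-Request/Map-Reply exchange, with fresh ephemeral keys so no PKI or stored keys are needed) is easier to see in code. The block below is an added model written for this page; it is not code from the draft, its authors, or any LISP implementation, and the message field names, the HKDF label "lisp-crypto-example", the key-id handling and the XTR/MapRequest/MapReply classes are assumptions of the example rather than the draft's wire format. X25519 is implemented inline from RFC 7748 so the block runs with the standard library only.

```python
"""Added model of a LISP-crypto style exchange, not the draft's wire format: the
Map-Request carries the ITR's ephemeral X25519 public key, the Map-Reply carries the
RLOC plus the ETR's, and both derive the data-plane key from the shared secret."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

P, A24 = 2**255 - 19, 121665                 # X25519 per RFC 7748; pure Python, not constant time
BASE_POINT = (9).to_bytes(32, "little")

def x25519(scalar: bytes, u: bytes) -> bytes:
    k = bytearray(scalar)
    k[0], k[31] = k[0] & 248, (k[31] & 127) | 64              # clamp the scalar
    k, x1 = int.from_bytes(k, "little"), int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):                              # Montgomery ladder
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb, e = a * a % P, b * b % P, (a * a - b * b) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32) -> bytes:
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()   # RFC 5869, all-zero salt
    okm, block, n = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([n]), hashlib.sha256).digest()
        okm, n = okm + block, n + 1
    return okm[:length]

@dataclass
class MapRequest:            # assumed shape: EID query plus the ITR's public key
    eid: str
    itr_rloc: str
    itr_pub: bytes
    key_id: int

@dataclass
class MapReply:              # assumed shape: RLOC answer plus the ETR's public key
    eid: str
    rloc: str
    etr_pub: bytes
    key_id: int

def derive_key(secret: bytes, itr_pub: bytes, etr_pub: bytes, key_id: int) -> bytes:
    # info binds the traffic key to both public keys and to the key-id (assumed label)
    return hkdf_sha256(secret, b"lisp-crypto-example" + itr_pub + etr_pub + bytes([key_id]))

@dataclass
class XTR:
    rloc: str
    eids: set = field(default_factory=set)        # ETR role: EIDs behind this xTR
    keys: dict = field(default_factory=dict)      # (peer RLOC, key_id) -> traffic key
    pending: dict = field(default_factory=dict)   # ITR role: EID -> ephemeral private key

    def send_map_request(self, eid: str, key_id: int) -> MapRequest:
        self.pending[eid] = priv = os.urandom(32)   # fresh key every time: a rekey is just a new request
        return MapRequest(eid, self.rloc, x25519(priv, BASE_POINT), key_id)

    def receive_map_request(self, req: MapRequest):
        if req.eid not in self.eids:
            return None                             # no mapping, nothing to key
        priv = os.urandom(32)
        etr_pub = x25519(priv, BASE_POINT)
        self.keys[(req.itr_rloc, req.key_id)] = derive_key(
            x25519(priv, req.itr_pub), req.itr_pub, etr_pub, req.key_id)
        return MapReply(req.eid, self.rloc, etr_pub, req.key_id)   # RLOC and key in one reply

    def receive_map_reply(self, reply: MapReply) -> None:
        priv = self.pending.pop(reply.eid)
        self.keys[(reply.rloc, reply.key_id)] = derive_key(
            x25519(priv, reply.etr_pub), x25519(priv, BASE_POINT), reply.etr_pub, reply.key_id)

def resolve_and_key(itr: XTR, etr: XTR, eid: str, key_id: int) -> int:
    """Run the exchange; returns round trips spent: 1 on success, 0 when the EID is unknown."""
    reply = etr.receive_map_request(itr.send_map_request(eid, key_id))
    if reply is None:
        return 0
    itr.receive_map_reply(reply)
    return 1

def keys_agree(itr: XTR, etr: XTR, key_id: int) -> bool:
    return itr.keys.get((etr.rloc, key_id), b"a") == etr.keys.get((itr.rloc, key_id), b"b")

def on_path_substitution(itr: XTR, etr: XTR, eid: str, key_id: int) -> bool:
    """Caveat: nothing here authenticates the public keys, so an attacker who can rewrite
    the Map-Request and Map-Reply keys with each side; True if ITR and ETR end up disagreeing."""
    m_pub = x25519(os.urandom(32), BASE_POINT)
    req = itr.send_map_request(eid, key_id)
    reply = etr.receive_map_request(MapRequest(req.eid, req.itr_rloc, m_pub, req.key_id))
    itr.receive_map_reply(MapReply(reply.eid, reply.rloc, m_pub, reply.key_id))
    return not keys_agree(itr, etr, key_id)
```

resolve_and_key() spends exactly one request/reply to get both the RLOC and a shared key, and calling it again under a new key-id rotates the key while the old key-id stays usable for packets still in flight. The on_path_substitution() function is the caveat that goes with "no PKI": ephemeral Diffie-Hellman by itself gives confidentiality only against a passive observer, and whatever authenticates the Map-Reply in a deployment (in LISP that is the mapping-system security machinery, which this model does not include) is what keeps an on-path forger from keying with each side separately.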