Re: [ippm] Reply: I-D Action: draft-ietf-ippm-ipsec-02.txt
John Mattsson <john.mattsson@ericsson.com> Mon, 03 March 2014 12:49 UTC
Archived-At: http://mailarchive.ietf.org/arch/msg/ippm/DGtKFUkwBMhW-B_H4nM3hwXKHy4
Thanks Emma! See my follow-up comments below.

A comment on the upcoming WGLC: If the key derivation is specified to allow interoperability and text explaining unauthenticated *WAMP through an IPsec tunnel is reinstated in Section 4, then I would be quite ok with the document and sending it on to IETF last call and IESG.

Cheers
John

- [Section 1] Maybe an explanation or reference to eNB and SeGW

[Emma]: Both eNB and SeGW support certificate mode and IKEv2. Provision of shared secret for them will waste time and add complexity. Deriving shared key from IKE SA is fit for the use case like that.

John: I know that, but I do not think the average IETF:er knows. I think you should add a reference to an appropriate 3GPP document or at least an explanation that eNB and SeGW are 3GPP LTE nodes.

- [Section 4.1] "The shared secret key can be generated as follows: Shared secret key = PRF{ SKEYSEED, "IPPM" }"

Even if the IPsec APIs are proprietary, I do not think that the key derivation can be in a draft that aims to be standard track. Unless the key derivation is defined, different implementations won't be compatible. Encoding of "IPPM" should probably be defined. You probably mean prf() (with ordinary brackets).

[Emma]: Thanks for this comment. Yes, it means prf() (with ordinary brackets) and the string "IPPM" are ASCII characters.

John: Good, but you did not comment on the important thing, whether the secret key generation should be specified. According to me the text should be "The shared secret key SHALL be generated as follows:"

- [General] I think the list (in this case Alfred Morton and me) was quite clear on that unauthenticated *WAMP through an IPsec tunnel was an attractive solution that should be better described.

As explained by Alfred Morton: "I'll keep reading, but I'm beginning to wonder if setting up an IPsec tunnel and setting up *WAMP Control and Test protocols to transfer through the tunnel (unauthenticated so as not to waste processing on redundant security) is the solution? But what about the deployment of IPsec in LTE networks: If a tunnel is established automatically for any data transfer, the *WAMP could be viewed as typical user traffic inside an existing tunnel."

While this is now mentioned shortly in the introduction, the text sections describing the security properties when sending *WAMP over AH or ESP have instead been removed. These should be reinstated, preferably in a separate subsection in section 4.

[Emma]: I agree that unauthenticated *WAMP through an IPsec tunnel can be one option. However, as we mentioned before, the draft mainly focuses on how to derive shared key from IKE SA to achieve automatic key management and how to extend *WAMP protocol to support that. So this is mentioned shortly in the draft. We can consider adding some text about it in the next version.

John: Well, for working group documents it's the list that decides the focus, and the topic "Network Performance Measurement for IPsec" is quite general (which I think it should be).
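The interoperability point raised about Section 4.1 can be made concrete with a small added example (not code from the draft or from either correspondent). It models two *WAMP endpoints deriving the shared secret as prf(SKEYSEED, "IPPM"); HMAC-SHA-256 is assumed as the IKEv2 negotiated prf and the SKEYSEED value is constructed, and it shows that the peers only agree when the label encoding and the prf are pinned down exactly.

```python
"""Shared-secret derivation from an IKEv2 SKEYSEED, as discussed for
draft-ietf-ippm-ipsec: shared_secret = prf(SKEYSEED, "IPPM").
HMAC-SHA-256 stands in for the negotiated IKEv2 prf (an assumption);
the SKEYSEED below is constructed for the example, not a real SA key."""
import hashlib
import hmac

# Constructed 32-byte SKEYSEED, the size PRF_HMAC_SHA2_256 would yield.
SKEYSEED = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def derive_shared_secret(skeyseed: bytes, label: bytes = b"IPPM",
                         digestmod=hashlib.sha256) -> bytes:
    """prf(SKEYSEED, label). The default label is the bare ASCII string
    "IPPM" with no terminator, which is the encoding Emma says is meant."""
    return hmac.new(skeyseed, label, digestmod).digest()


def peers_agree(a_label: bytes, b_label: bytes,
                a_prf=hashlib.sha256, b_prf=hashlib.sha256) -> bool:
    """Two endpoints derive the key from the same SKEYSEED. They only
    interoperate if both pick the same label encoding and the same prf.
    compare_digest keeps the key comparison constant-time."""
    key_a = derive_shared_secret(SKEYSEED, a_label, a_prf)
    key_b = derive_shared_secret(SKEYSEED, b_label, b_prf)
    return hmac.compare_digest(key_a, key_b)


# Encodings an implementer might plausibly choose if the draft leaves it open.
ASCII_LABEL = b"IPPM"                      # what the draft intends
NUL_TERMINATED_LABEL = b"IPPM\x00"         # a C string including its terminator
UTF16_LABEL = "IPPM".encode("utf-16-le")   # a wide-string platform API

if __name__ == "__main__":
    print("ASCII vs ASCII:          ", peers_agree(ASCII_LABEL, ASCII_LABEL))
    print("ASCII vs NUL-terminated: ", peers_agree(ASCII_LABEL, NUL_TERMINATED_LABEL))
    print("ASCII vs UTF-16LE:       ", peers_agree(ASCII_LABEL, UTF16_LABEL))
    print("SHA-256 prf vs SHA-1 prf:", peers_agree(ASCII_LABEL, ASCII_LABEL,
                                                   hashlib.sha256, hashlib.sha1))
```

Only the first case yields matching keys, which is exactly why the message asks for the derivation (prf, label and its encoding) to be specified with a SHALL rather than described as one possible option.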