Re: [IPsec] WG Review: IP Security Maintenance and Extensions (ipsecme)
Yoav Nir <ynir@checkpoint.com> Mon, 28 July 2008 22:00 UTC
Return-Path: <ipsec-bounces@ietf.org>
X-Original-To: ipsec-archive@megatron.ietf.org
Delivered-To: ietfarch-ipsec-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DD9CB3A6B24; Mon, 28 Jul 2008 15:00:49 -0700 (PDT)
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8C1BB3A6B24 for <ipsec@core3.amsl.com>; Mon, 28 Jul 2008 15:00:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XXk6+aKjOUbj for <ipsec@core3.amsl.com>; Mon, 28 Jul 2008 15:00:47 -0700 (PDT)
Received: from dlpdemo.checkpoint.com (dlpdemo.checkpoint.com [194.29.32.54]) by core3.amsl.com (Postfix) with ESMTP id 083EF3A6B1E for <ipsec@ietf.org>; Mon, 28 Jul 2008 15:00:47 -0700 (PDT)
Received: by dlpdemo.checkpoint.com (Postfix, from userid 105) id 99D06294002; Tue, 29 Jul 2008 01:00:56 +0300 (IDT)
Received: from michael.checkpoint.com (michael.checkpoint.com [194.29.32.68]) by dlpdemo.checkpoint.com (Postfix) with ESMTP id 8512D294001; Tue, 29 Jul 2008 00:59:02 +0300 (IDT)
Received: from [172.31.21.146] (localhost [127.0.0.1]) by michael.checkpoint.com (8.12.10+Sun/8.12.10) with ESMTP id m6SLx0jI016215; Tue, 29 Jul 2008 00:59:01 +0300 (IDT)
Message-Id: <F7958F65-F576-4323-B0F4-19856EB3ED6C@checkpoint.com>
From: Yoav Nir <ynir@checkpoint.com>
To: Dan Harkins <dharkins@lounge.org>
In-Reply-To: <24824166c413680844268e1db43651cf.squirrel@www.trepanning.net>
Mime-Version: 1.0 (Apple Message framework v928.1)
X-Priority: 3 (Normal)
Date: Mon, 28 Jul 2008 22:58:59 +0100
References: <20080624163001.66CF63A6A69@core3.amsl.com> <24824166c413680844268e1db43651cf.squirrel@www.trepanning.net>
X-Mailer: Apple Mail (2.928.1)
Cc: ipsec@ietf.org
Subject: Re: [IPsec] WG Review: IP Security Maintenance and Extensions (ipsecme)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============1293454376=="
Sender: ipsec-bounces@ietf.org
Errors-To: ipsec-bounces@ietf.org
I don't really agree with this. Different vendors would want different things in the "ticket". So much so, that if we insist on including it, one of two things will happen: (1) We will fail to reach consensus or some vendors implement their own private version, or (2) We will end up with a monstrous structure with IETF-specified and vendor-specific extensions. Just as a for-instance, I'll give some examples of what may or may not be in the ticket: 1. My company makes VPN software that runs of commodity servers. These servers run on regular X86 processors and come with 100's of gigabytes of disk space. It's fairly easy for me to save the IKE SA to disk upon its creation, perhaps in a database with a unique 64-bit key, and send that 64-bit key as the "ticket". After a crash, the database is still there. Other vendors run on systems with either no disk or very limited disk space, sometimes flash-based. They can't store their SAs on disk. 2. With AAA servers you sometimes get authorization information from the server during the log-in process. In such a case, the ticket (or its persistent record) must hold the authorization information (you either can't or don't want to query the AAA server for that information during resumption). Other vendors may not rely on AAA servers for authorization. 3. User identity may sometimes be stored as a simple string (ASCII or UTF8), as a DN, as an email address extracted from the DN or from an alternate name in the certificate, or we may want to keep the user identity as their public key. Since failover from one gateway to another is out of scope, let alone a failover from one gateway to a gateway made by a different vendor, interoperability does not suffer by not specifying a ticket. We can and should specify security considerations and what data the gateway should be able to reconstruct based on the ticket, but format should be out of scope. On Jul 28, 2008, at 7:04 PM, Dan Harkins wrote: > > Hi, <snip> > > A bigger issue, though, concerns the construction of the "ticket". > I'd > like to know why this is out-of-scope. I can see the possibility of > consensus forming in the WG around a document that does not specify > construction of the "ticket" but that doesn't mean the topic should be > out-of-scope. How the "ticket" get constructed will influence the > security > of the scheme. A properly constructed "ticket" may even help address > DoS > issues. This topic should be in scope. It seems very wrong that we > would > generate a standards track document in the Security Area with a > critical > component of the security of the proposal being left up to the > imagination > of the guy implementing it.
_______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
- [IPsec] WG Review: IP Security Maintenance and Ex… IESG Secretary
- Re: [IPsec] WG Review: IP Security Maintenance an… Hui Deng
- Re: [IPsec] WG Review: IP Security Maintenance an… Dan Harkins
- Re: [IPsec] WG Review: IP Security Maintenance an… Yaron Sheffer
- Re: [IPsec] WG Review: IP Security Maintenance an… Dan Harkins
- Re: [IPsec] WG Review: IP Security Maintenance an… Yoav Nir
- Re: [IPsec] WG Review: IP Security Maintenance an… Dan Harkins
- Re: [IPsec] WG Review: IP Security Maintenance an… Tero Kivinen
- Re: [IPsec] WG Review: IP Security Maintenance an… Dan Harkins
- Re: [IPsec] WG Review: IP Security Maintenance an… Tero Kivinen
- Re: [IPsec] WG Review: IP Security Maintenance an… Dan Harkins
- [IPsec] WG Review: IP Security Maintenance and Ex… The IESG