Re: [IPsec] AD re-review of draft-ietf-ipsecme-ad-vpn-problem

Vishwas Manral <vishwas.ietf@gmail.com> Mon, 03 June 2013 17:02 UTC

Date: Mon, 03 Jun 2013 10:02:45 -0700
Message-ID: <CAOyVPHSjYfvbQFP1nJGzAEySe3saXuSEftbvshzLHix68FCHHA@mail.gmail.com>
From: Vishwas Manral <vishwas.ietf@gmail.com>
To: Sean Turner <turners@ieca.com>, IPsecme WG <ipsec@ietf.org>, "draft-ietf-ipsecme-ad-vpn-problem@tools.ietf.org" <draft-ietf-ipsecme-ad-vpn-problem@tools.ietf.org>

Hi Sean,

My comments are inline:

> Please incorporate the QoS issue brought up by Toby.  I'd like to make
> sure we have everything in the draft that the WG wants before issuing
> the WGLC.  I also think the TSV/RTG directorates/ADs will be interested
> in that.

VM> I can incorporate it if the Working Group thinks the QoS parts should
be part of the ADVPN solution.

> Can you explain the rationale for the following changes to
> requirement #5; I'm just not following it:
>
> OLD:
>
> 5. One ADVPN peer MUST NOT be able to impersonate another ADVPN peer.
>
> NEW:
>
> 5. Any of the ADVPN Peers MUST NOT have a way to get the long term
> authentication credentials for any other ADVPN Peers. The compromise of
> an Endpoint MUST NOT affect the security of communications between other
> ADVPN Peers. The compromise of a Gateway SHOULD NOT affect the security
> of the communications between ADVPN Peers not associated with that Gateway.
>
> Is the first sentence still saying basically: "peers can't impersonate
> peers"?

VM> Yes, that's the idea in my view. Steve Hanna may have more comments on
this. Steve?

> Nits:
>
> - sec 1.1: Need to add what an ADVPN is and expand the acronym

VM> Should something like the below suffice:

VM> ADVPN - Auto Discovery Virtual Private Network (ADVPN) is a VPN solution
that enables a large number of systems to communicate directly, with
minimal configuration and operator intervention, using IPsec to protect
communication between them.

> - sec 4/1.1: The terms allied and federated environment kind of come out
> of nowhere.  Please add them to s1.1.  I just want to make sure it's clear
> what the difference is between the two.

VM> Here is what I will add to 1.1.

VM> Allied and Federated Environments - Environments where we have multiple
different organizations that have close association and need to connect to
each other.