Re: [IPsec] New draft posted

Yaron Sheffer <> Sun, 25 April 2010 09:23 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id ED76E3A6951 for <>; Sun, 25 Apr 2010 02:23:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id GHxw05cHipwZ for <>; Sun, 25 Apr 2010 02:23:31 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 45EBB3A688B for <>; Sun, 25 Apr 2010 02:22:13 -0700 (PDT)
Received: by with SMTP id l26so86047fgb.13 for <>; Sun, 25 Apr 2010 02:21:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=gamma; h=domainkey-signature:received:received:subject:from:to:cc :in-reply-to:references:content-type:date:message-id:mime-version :x-mailer:content-transfer-encoding; bh=bP5h6wvJ0NEFoQuOr6e5X5kAcYXOKvRfCLsTdFRojBc=; b=Bc4S2j6mAGn/MGcmlpYyW2Wh2wcKce0/ZG8+EHLnddWb+i/97qBG5uzyabzJL383xu UsPgHW9GrgZiskPwW5a29Xa6KRSXvhs6BT73de/X/9hS4YdrHT1vhG9HZiUTq4RNaR5c EzoGHLSIzsTZwVB7XSFSQZ5w4oTIFGTqe74Kk=
DomainKey-Signature: a=rsa-sha1; c=nofws;; s=gamma; h=subject:from:to:cc:in-reply-to:references:content-type:date :message-id:mime-version:x-mailer:content-transfer-encoding; b=WruCo1xS/TF6G25/+mwsAT0Wf8mAMfLGISrj3e/7WQrurhioVGo+1z6tNtAdSUkiVm sAo5l/8/h5BGMavxjWUFteJ10l6ufGV4REuZxb8Oyci+51E6IjdN7Hul6tKFRrwh3Kgj tPDkMCu1VBKao/i3KeekDLTy+Y8Gt9P47p4W0=
Received: by with SMTP id k26mr1322655mui.15.1272187318953; Sun, 25 Apr 2010 02:21:58 -0700 (PDT)
Received: from [] ( []) by with ESMTPS id t10sm11715329muh.29.2010. (version=TLSv1/SSLv3 cipher=RC4-MD5); Sun, 25 Apr 2010 02:21:58 -0700 (PDT)
From: Yaron Sheffer <>
To: Jitender Arora <>
In-Reply-To: <A8F897BE25922348AB562D74E6C686E41F457FBA95@mail>
References: <> <A8F897BE25922348AB562D74E6C686E41F457FBA95@mail>
Content-Type: text/plain; charset="UTF-8"
Date: Sun, 25 Apr 2010 12:21:55 +0300
Message-ID: <1272187315.22380.46.camel@yaronf-linux>
Mime-Version: 1.0
X-Mailer: Evolution 2.28.1
Content-Transfer-Encoding: 7bit
Cc: "" <>
Subject: Re: [IPsec] New draft posted
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 25 Apr 2010 09:23:33 -0000

Hi Jitender,

this is certainly an interesting approach to the
high-availability/load-balancing issue that we are just starting to
tackle, as a group. I would appreciate your inputs to the discussion on

Below are a few initial comments on your draft:

- I suggest moving Sec. 5.1 to the front (or at least pointing to it
from the Introduction) so that the motivation becomes clear before the
protocol details are presented.
- Of course, if there are additional usage scenarios, it would be nice
to include them.
- Essentially ignoring the issue of NAT severely hurts the applicability
of this protocol. Even saying something like "use STUN/TURN" is better
than limiting the protocol to closed networks.
- The security considerations never discuss the issue that the peer can
now claims ownership of ANY IP address. I *think* this is just a
denial-of-service issue, but it certainly needs to be analyzed. Which
leads to the main issue with this proposal:
- This is not just a change to IKEv2, it is a rather major change to the
IPsec architecture. So I would expect some discussion of RFC 4301
entities. See the last 2 paragraphs of for an example.


On Sat, 2010-04-24 at 10:09 -0400, Jitender Arora wrote:
> Hi All,
> A new version of I-D, draft-arora-ipsecme-ikev2-alt-tunnel-addresses-00.txt has been posted to the IETF repository.
> Filename:	 draft-arora-ipsecme-ikev2-alt-tunnel-addresses
> Revision:	 00
> Title:		 Alternate Tunnel Addresses for IKEv2
> Please take a look and comment.
> Regards,
> Jitender
> _______________________________________________
> IPsec mailing list