IETF Logo Mail Archive

Re: [IPsec] New draft posted

Yaron Sheffer <yaronf.ietf@gmail.com> Sun, 25 April 2010 09:23 UTC

Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id ED76E3A6951 for <ipsec@core3.amsl.com>; Sun, 25 Apr 2010 02:23:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GHxw05cHipwZ for <ipsec@core3.amsl.com>; Sun, 25 Apr 2010 02:23:31 -0700 (PDT)
Received: from fg-out-1718.google.com (fg-out-1718.google.com [72.14.220.159]) by core3.amsl.com (Postfix) with ESMTP id 45EBB3A688B for <ipsec@ietf.org>; Sun, 25 Apr 2010 02:22:13 -0700 (PDT)
Received: by fg-out-1718.google.com with SMTP id l26so86047fgb.13 for <ipsec@ietf.org>; Sun, 25 Apr 2010 02:21:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:subject:from:to:cc :in-reply-to:references:content-type:date:message-id:mime-version :x-mailer:content-transfer-encoding; bh=bP5h6wvJ0NEFoQuOr6e5X5kAcYXOKvRfCLsTdFRojBc=; b=Bc4S2j6mAGn/MGcmlpYyW2Wh2wcKce0/ZG8+EHLnddWb+i/97qBG5uzyabzJL383xu UsPgHW9GrgZiskPwW5a29Xa6KRSXvhs6BT73de/X/9hS4YdrHT1vhG9HZiUTq4RNaR5c EzoGHLSIzsTZwVB7XSFSQZ5w4oTIFGTqe74Kk=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=subject:from:to:cc:in-reply-to:references:content-type:date :message-id:mime-version:x-mailer:content-transfer-encoding; b=WruCo1xS/TF6G25/+mwsAT0Wf8mAMfLGISrj3e/7WQrurhioVGo+1z6tNtAdSUkiVm sAo5l/8/h5BGMavxjWUFteJ10l6ufGV4REuZxb8Oyci+51E6IjdN7Hul6tKFRrwh3Kgj tPDkMCu1VBKao/i3KeekDLTy+Y8Gt9P47p4W0=
Received: by 10.103.7.26 with SMTP id k26mr1322655mui.15.1272187318953; Sun, 25 Apr 2010 02:21:58 -0700 (PDT)
Received: from [10.0.0.3] (bzq-79-181-18-85.red.bezeqint.net [79.181.18.85]) by mx.google.com with ESMTPS id t10sm11715329muh.29.2010.04.25.02.21.58 (version=TLSv1/SSLv3 cipher=RC4-MD5); Sun, 25 Apr 2010 02:21:58 -0700 (PDT)
From: Yaron Sheffer <yaronf.ietf@gmail.com>
To: Jitender Arora <JArora@acmepacket.com>
In-Reply-To: <A8F897BE25922348AB562D74E6C686E41F457FBA95@mail>
References: <ea322d4c93b67735a8e6eb26cc9fca41.squirrel@www.trepanning.net> <A8F897BE25922348AB562D74E6C686E41F457FBA95@mail>
Content-Type: text/plain; charset="UTF-8"
Date: Sun, 25 Apr 2010 12:21:55 +0300
Message-ID: <1272187315.22380.46.camel@yaronf-linux>
Mime-Version: 1.0
X-Mailer: Evolution 2.28.1
Content-Transfer-Encoding: 7bit
Cc: "ipsec@ietf.org" <ipsec@ietf.org>
Subject: Re: [IPsec] New draft posted
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 25 Apr 2010 09:23:33 -0000

Hi Jitender,

this is certainly an interesting approach to the
high-availability/load-balancing issue that we are just starting to
tackle, as a group. I would appreciate your inputs to the discussion on
draft-ietf-ipsecme-ipsec-ha.

Below are a few initial comments on your draft:

- I suggest moving Sec. 5.1 to the front (or at least pointing to it
from the Introduction) so that the motivation becomes clear before the
protocol details are presented.
- Of course, if there are additional usage scenarios, it would be nice
to include them.
- Essentially ignoring the issue of NAT severely hurts the applicability
of this protocol. Even saying something like "use STUN/TURN" is better
than limiting the protocol to closed networks.
- The security considerations never discuss the issue that the peer can
now claims ownership of ANY IP address. I *think* this is just a
denial-of-service issue, but it certainly needs to be analyzed. Which
leads to the main issue with this proposal:
- This is not just a change to IKEv2, it is a rather major change to the
IPsec architecture. So I would expect some discussion of RFC 4301
entities. See the last 2 paragraphs of
http://tools.ietf.org/html/rfc5685#section-3 for an example.

Thanks,
	Yaron

On Sat, 2010-04-24 at 10:09 -0400, Jitender Arora wrote:
> Hi All,
> 
> A new version of I-D, draft-arora-ipsecme-ikev2-alt-tunnel-addresses-00.txt has been posted to the IETF repository.
> 
> Filename:	 draft-arora-ipsecme-ikev2-alt-tunnel-addresses
> Revision:	 00
> Title:		 Alternate Tunnel Addresses for IKEv2
>   
> Please take a look and comment.
> 
> Regards,
> Jitender
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec

v2.23.0 | Report a Bug | By Email