Re: [IPsec] AD-VPN Protocol Selection

Michael Richardson <mcr+ietf@sandelman.ca> Tue, 04 February 2014 15:39 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: "'ipsec@ietf.org'" <ipsec@ietf.org>
In-Reply-To: <87BCDFB0B867FB4A85DB44EE8946E2458407E7E9@FSDEBSSXD111.fs01.vwf.vwfs-ad>
References: <87BCDFB0B867FB4A85DB44EE8946E2458407E6F6@FSDEBSSXD111.fs01.vwf.vwfs-ad> <9636.1391439750@sandelman.ca> <44042206-E996-487F-9451-F42643E2D823@checkpoint.com> <87BCDFB0B867FB4A85DB44EE8946E2458407E7E9@FSDEBSSXD111.fs01.vwf.vwfs-ad>
Date: Tue, 04 Feb 2014 10:39:11 -0500
Message-ID: <3185.1391528351@sandelman.ca>
Subject: Re: [IPsec] AD-VPN Protocol Selection

Harms, Patrick <Patrick.Harms@vwfs.com> wrote:
    >>>> Based on the theories (advpn draft and dmvpn) and real world
    >>>> experience (dmvpn), I would favor dmvpn, because the handling and
    >>>> operating sounds less complex. (eg. lower amount of steps in tunnel
    >>>> initiation, single logical interface for tunnel termination etc.)

    >>> Do you care about mobile (handheld) devices?

Yoav> Hey, those are higher-specced than the dual-pentium III at 800MHz with
Yoav> 512 MB of RAM that we were selling as a high-end gateway when I
Yoav> started working at Check Point :-)

Yoav, your statement is nonsense.
It tells me that you have done no mobile development at all.
I have.  I've done IPsec on them too.

It's not about the amount of RAM that they have, or the speed of the device.
It's about the access to the kernel.

Tell me, if I handed you a corporate laptop computer (any specs you like), on
which you can not install any device drivers or do anything as root or
"administrator", can you install your VPN software?

Now, if I give you just enough root so that you can have a PF_KEY socket, can
you make something work?

-- 
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
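The last question in the message above turns on a single kernel privilege: can the process open a PF_KEY socket at all. The following is an added example, not code from the message or from any of the implementations discussed on the list. It probes that capability and builds the first request a VPN key-management daemon sends over such a socket, an SADB_REGISTER for ESP. The header layout and constants are taken from RFC 2367; the value PF_KEY == 15 is the Linux one and is assumed only where <sys/socket.h> does not already define it.

```c
/* Added example (not from the original message): probe whether this process
 * can reach the kernel's IPsec key-management interface through a PF_KEY v2
 * socket, and serialise/parse the base sadb_msg header for SADB_REGISTER.
 * Layout and constants follow RFC 2367; PF_KEY == 15 is assumed (Linux)
 * where <sys/socket.h> does not define it. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>

#ifndef PF_KEY
#define PF_KEY 15               /* Linux AF_KEY; assumption for other platforms */
#endif
#define PFKEY_V2        2       /* sadb_msg_version (RFC 2367) */
#define SADB_REG        7       /* SADB_REGISTER message type */
#define SATYPE_ESP      3       /* SADB_SATYPE_ESP */
#define SADB_HDR_BYTES  16      /* sizeof(struct sadb_msg); len is in 8-byte units */

/* Host-order view of the 16-byte sadb_msg base header (RFC 2367 section 2.1). */
struct pfkey_hdr {
    uint8_t  version, type, err, satype;
    uint16_t len, reserved;
    uint32_t seq, pid;
};

/* Serialise an SADB_REGISTER for ESP. PF_KEY messages stay on the local
 * machine and are in host byte order, so a plain memcpy is the wire format.
 * Returns bytes written, or 0 if buf is too small. */
size_t build_sadb_register(uint8_t *buf, size_t buflen, uint32_t seq)
{
    struct pfkey_hdr h;
    if (buflen < SADB_HDR_BYTES) return 0;
    memset(&h, 0, sizeof h);
    h.version = PFKEY_V2;
    h.type    = SADB_REG;
    h.satype  = SATYPE_ESP;
    h.len     = SADB_HDR_BYTES / 8;   /* base header only, no extensions */
    h.seq     = seq;
    h.pid     = (uint32_t)getpid();
    memcpy(buf, &h, SADB_HDR_BYTES);
    return SADB_HDR_BYTES;
}

/* Parse and sanity-check a base header the way a userland daemon must before
 * trusting a reply: the version must be PF_KEY_V2 and the advertised length
 * must fit inside the bytes actually received. Returns 0 on success, -1 if
 * the header is malformed or truncated. */
int parse_sadb_header(const uint8_t *buf, size_t n, struct pfkey_hdr *out)
{
    if (n < SADB_HDR_BYTES) return -1;
    memcpy(out, buf, SADB_HDR_BYTES);
    if (out->version != PFKEY_V2) return -1;
    if ((size_t)out->len * 8 < SADB_HDR_BYTES || (size_t)out->len * 8 > n) return -1;
    return 0;
}

/* Try to open the kernel key-management socket and classify the outcome;
 * *err_out receives errno on failure.
 *  "open"            - socket created (process holds CAP_NET_ADMIN / root)
 *  "needs-privilege" - kernel refused for lack of privilege
 *  "unsupported"     - no PF_KEY here (module absent, other OS, sandbox) */
const char *pfkey_probe(int *err_out)
{
    int fd = socket(PF_KEY, SOCK_RAW, PFKEY_V2);
    if (fd >= 0) {
        close(fd);
        if (err_out) *err_out = 0;
        return "open";
    }
    if (err_out) *err_out = errno;
    return (errno == EPERM || errno == EACCES) ? "needs-privilege" : "unsupported";
}

int main(void)
{
    uint8_t buf[SADB_HDR_BYTES];
    struct pfkey_hdr h;
    int err = 0;
    const char *state = pfkey_probe(&err);
    printf("PF_KEY socket: %s%s%s\n", state, err ? " / " : "", err ? strerror(err) : "");
    if (build_sadb_register(buf, sizeof buf, 1) == SADB_HDR_BYTES &&
        parse_sadb_header(buf, sizeof buf, &h) == 0)
        printf("SADB_REGISTER(ESP): type=%u satype=%u len=%u (8-byte units) seq=%u\n",
               h.type, h.satype, h.len, h.seq);
    return 0;
}
```

Run it once as an ordinary user and once as root: on Linux the unprivileged run reports "needs-privilege" because af_key gates socket creation on CAP_NET_ADMIN, which is exactly the "just enough root" the message asks about. Once the socket opens, the next step a daemon takes is to write() this header and read() the kernel's SADB_REGISTER reply, whose extensions list the ESP algorithms the kernel supports.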