Re: [IPsec] AD re-review of draft-ietf-ipsecme-ad-vpn-problem

"Manral, Vishwas" <vishwas.manral@hp.com> Tue, 09 July 2013 22:35 UTC

Return-Path: <vishwas.manral@hp.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2AFD011E8181 for <ipsec@ietfa.amsl.com>; Tue, 9 Jul 2013 15:35:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.509
X-Spam-Level:
X-Spam-Status: No, score=-8.509 tagged_above=-999 required=5 tests=[AWL=-1.910, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vCJq1CL3RYkW for <ipsec@ietfa.amsl.com>; Tue, 9 Jul 2013 15:35:51 -0700 (PDT)
Received: from g5t0009.atlanta.hp.com (g5t0009.atlanta.hp.com [15.192.0.46]) by ietfa.amsl.com (Postfix) with ESMTP id 9A54121F9A61 for <ipsec@ietf.org>; Tue, 9 Jul 2013 15:35:51 -0700 (PDT)
Received: from G6W4001.americas.hpqcorp.net (g6w4001.atlanta.hp.com [16.205.80.210]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by g5t0009.atlanta.hp.com (Postfix) with ESMTPS id 15DB7306C5; Tue, 9 Jul 2013 22:35:50 +0000 (UTC)
Received: from G5W5498.americas.hpqcorp.net (16.201.144.178) by G6W4001.americas.hpqcorp.net (16.205.80.210) with Microsoft SMTP Server (TLS) id 14.3.123.3; Tue, 9 Jul 2013 22:34:14 +0000
Received: from G5W2732.americas.hpqcorp.net ([169.254.4.124]) by G5W5498.americas.hpqcorp.net ([16.201.144.178]) with mapi id 14.03.0123.003; Tue, 9 Jul 2013 22:34:15 +0000
From: "Manral, Vishwas" <vishwas.manral@hp.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>, "draft-ietf-ipsecme-ad-vpn-problem@tools.ietf.org" <draft-ietf-ipsecme-ad-vpn-problem@tools.ietf.org>
Thread-Topic: [IPsec] AD re-review of draft-ietf-ipsecme-ad-vpn-problem
Thread-Index: AQHORbJuXNcbmh2LeU+MyHQRBCwiYpkO+WQAgE5j4eA=
Date: Tue, 09 Jul 2013 22:34:13 +0000
Message-ID: <5A9E892C56FD5842856290BDA06E12A00B733A21@G5W2732.americas.hpqcorp.net>
References: <517FDAC7.8080701@ieca.com> <A2BDCCE9-94A2-410D-9833-009E8943525C@vpnc.org>
In-Reply-To: <A2BDCCE9-94A2-410D-9833-009E8943525C@vpnc.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [16.201.12.21]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Mailman-Approved-At: Wed, 10 Jul 2013 08:04:01 -0700
Cc: IPsecme WG <ipsec@ietf.org>, Sean Turner <turners@ieca.com>
Subject: Re: [IPsec] AD re-review of draft-ietf-ipsecme-ad-vpn-problem
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Jul 2013 22:35:58 -0000

Hi Paul,

I am done with all the changes. I am now waiting for the reviewers to approve the same.

Thanks,
Vishwas

-----Original Message-----
From: Paul Hoffman [mailto:paul.hoffman@vpnc.org] 
Sent: Monday, May 20, 2013 6:28 PM
To: draft-ietf-ipsecme-ad-vpn-problem@tools.ietf.org
Cc: Sean Turner; IPsecme WG
Subject: Re: [IPsec] AD re-review of draft-ietf-ipsecme-ad-vpn-problem

Document authors: when might we have the update so Sean can move this forwards? We are gated on this before we solicit AD-VPN protocols.

--Paul Hoffman

On Apr 30, 2013, at 7:52 AM, Sean Turner <turners@ieca.com> wrote:

> Please incorporate the QoS issue brought up by Toby.  I'd like to make sure we have everything in the draft that the WG wants before issuing the WGLC.  I also think the TSV/RTG directorates/ADs will be interested in that.
> 
> Can you explain the rationale for the following the changes to requirement #5; I'm just not following it:
> 
> OLD:
> 
> 5. One ADVPN peer MUST NOT be able to impersonate another ADVPN peer.
> 
> NEW:
> 
> 5. Any of the ADVPN Peers MUST NOT have a way to get the long term authentication credentials for any other ADVPN Peers. The compromise of an Endpoint MUST NOT affect the security of communications between other ADVPN Peers. The compromise of a Gateway SHOULD NOT affect the security of the communications between ADVPN Peers not associated with that Gateway.
> 
> Is the first sentence still saying basically: "peers can't impersonate peers"?
> 
> Nits:
> 
> - sec 1.1: Need to add what an ADVPN is and expand the acronym
> 
> - sec 4/1.1: The terms allied and federated environment kind of come out of nowhere.  Please add them to s1.1.  I just want to make sure it's clear what the difference is between the two.
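The quoted NEW wording of requirement #5 splits the old "no impersonation" rule into three checks: no peer stores another peer's long-term credential, an endpoint compromise reaches no other peer, and a gateway compromise reaches at most its own associated peers. The toy model below, added here as an illustration and not part of the draft or of anyone's message in this thread, records which long-term credentials each ADVPN node holds and evaluates those three sentences against two constructed layouts (node names, credential values and the `AdvpnModel` API are all invented): a hub that keeps its spokes' pre-shared keys, versus a per-peer private-key layout.

```python
"""Toy credential-layout model for the NEW requirement #5 (added example).

A node's long-term credential is whatever authenticates it as `owner` to any
other peer. The model assumes that an attacker who seizes a node's storage can
impersonate every identity whose credential is stored there, which is the
blast-radius question the three sentences of the requirement are about.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Node:
    """An ADVPN participant and the long-term credentials stored on it."""
    name: str
    kind: str                                 # "endpoint" or "gateway"
    gateway: Optional[str] = None             # endpoints associate with one gateway
    # owner -> opaque credential value; a node legitimately owns only its own entry
    credentials: dict = field(default_factory=dict)


class AdvpnModel:
    def __init__(self) -> None:
        self.nodes: dict = {}

    def add(self, node: Node) -> None:
        self.nodes[node.name] = node

    def compromised_identities(self, victim: str) -> set:
        """Identities an attacker can impersonate after seizing `victim`'s storage."""
        return set(self.nodes[victim].credentials)

    def associated(self, gateway: str) -> set:
        return {n.name for n in self.nodes.values() if n.gateway == gateway}

    def check_requirement_5(self) -> dict:
        """Evaluate the three sentences of the NEW requirement #5 over the layout.

        Returns {"MUST": [violations], "SHOULD": [warnings]}, one line per finding.
        """
        must, should = [], []
        for n in self.nodes.values():
            # Sentence 1 (MUST): no peer holds another peer's long-term credential.
            held = set(n.credentials) - {n.name}
            if held:
                must.append(f"{n.name} holds credentials of {sorted(held)}")
            exposed = self.compromised_identities(n.name) - {n.name}
            if n.kind == "endpoint" and exposed:
                # Sentence 2 (MUST): an endpoint compromise must not reach other peers.
                must.append(f"compromise of endpoint {n.name} exposes {sorted(exposed)}")
            if n.kind == "gateway":
                # Sentence 3 (SHOULD): a gateway compromise should stay within its own peers.
                far = exposed - self.associated(n.name)
                if far:
                    should.append(f"compromise of gateway {n.name} exposes unrelated {sorted(far)}")
        return {"MUST": must, "SHOULD": should}


def shared_psk_layout() -> AdvpnModel:
    """Constructed 'before' layout: hubs store their spokes' PSKs, spoke-a and
    spoke-b share one group PSK, and hub-1 also keeps spoke-c's PSK although
    spoke-c is associated with hub-2."""
    m = AdvpnModel()
    m.add(Node("hub-1", "gateway", credentials={
        "hub-1": "key-hub1", "spoke-a": "psk-ab", "spoke-b": "psk-ab", "spoke-c": "psk-c"}))
    m.add(Node("hub-2", "gateway", credentials={"hub-2": "key-hub2", "spoke-c": "psk-c"}))
    m.add(Node("spoke-a", "endpoint", "hub-1", {"spoke-a": "psk-ab", "spoke-b": "psk-ab"}))
    m.add(Node("spoke-b", "endpoint", "hub-1", {"spoke-a": "psk-ab", "spoke-b": "psk-ab"}))
    m.add(Node("spoke-c", "endpoint", "hub-2", {"spoke-c": "psk-c"}))
    return m


def per_peer_key_layout() -> AdvpnModel:
    """Constructed 'after' layout: every node holds only its own private key and
    verifies peers by certificate, so no node's storage can impersonate another."""
    m = AdvpnModel()
    for name, kind, gw in [("hub-1", "gateway", None), ("hub-2", "gateway", None),
                           ("spoke-a", "endpoint", "hub-1"), ("spoke-b", "endpoint", "hub-1"),
                           ("spoke-c", "endpoint", "hub-2")]:
        m.add(Node(name, kind, gw, {name: f"privkey-{name}"}))
    return m


if __name__ == "__main__":
    for label, layout in [("shared PSK", shared_psk_layout()), ("per-peer key", per_peer_key_layout())]:
        result = layout.check_requirement_5()
        print(f"{label}: {len(result['MUST'])} MUST violation(s), {len(result['SHOULD'])} SHOULD warning(s)")
        for line in result["MUST"] + result["SHOULD"]:
            print("  ", line)
```

The shared-PSK layout shows why the three sentences are not redundant: hub-2 storing spoke-c's key breaks sentence 1 without breaking sentence 3 (spoke-c is hub-2's own peer), while hub-1 storing spoke-c's key breaks both. The per-peer layout produces no findings, which is the property the requirement asks an ADVPN design to guarantee by construction rather than by policy.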