Re: [IPsec] New draft posted
Yoav Nir <ynir@checkpoint.com> Sun, 25 April 2010 11:34 UTC
Return-Path: <ynir@checkpoint.com>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6BA233A69DD for <ipsec@core3.amsl.com>; Sun, 25 Apr 2010 04:34:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.752
X-Spam-Level:
X-Spam-Status: No, score=-1.752 tagged_above=-999 required=5 tests=[AWL=-0.567, BAYES_40=-0.185, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HE0deypfHF2G for <ipsec@core3.amsl.com>; Sun, 25 Apr 2010 04:34:31 -0700 (PDT)
Received: from michael.checkpoint.com (michael.checkpoint.com [194.29.32.68]) by core3.amsl.com (Postfix) with ESMTP id EF8863A69D2 for <ipsec@ietf.org>; Sun, 25 Apr 2010 04:34:30 -0700 (PDT)
Received: from il-ex01.ad.checkpoint.com (il-ex01.checkpoint.com [194.29.34.26]) by michael.checkpoint.com (8.12.10+Sun/8.12.10) with ESMTP id o3PBYEph014278; Sun, 25 Apr 2010 14:34:14 +0300 (IDT)
X-CheckPoint: {4BD4367C-0-1B201DC2-2FFFF}
Received: from il-ex01.ad.checkpoint.com ([126.0.0.2]) by il-ex01.ad.checkpoint.com ([126.0.0.2]) with mapi; Sun, 25 Apr 2010 14:34:44 +0300
From: Yoav Nir <ynir@checkpoint.com>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
Date: Sun, 25 Apr 2010 14:34:16 +0300
Thread-Topic: [IPsec] New draft posted
Thread-Index: Acrka0zx6TC9ptA2SPCGubX2McRa3w==
Message-ID: <FDE82F7F-9D87-4AAF-9496-90F28F36976E@checkpoint.com>
References: <ea322d4c93b67735a8e6eb26cc9fca41.squirrel@www.trepanning.net> <A8F897BE25922348AB562D74E6C686E41F457FBA95@mail> <1272187315.22380.46.camel@yaronf-linux>
In-Reply-To: <1272187315.22380.46.camel@yaronf-linux>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, Jitender Arora <JArora@acmepacket.com>
Subject: Re: [IPsec] New draft posted
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 25 Apr 2010 11:34:32 -0000
I agree. And whatever we may think of the particular solution, it does present a problem that can and should be in the problem statement draft. So how about adding teh following sub-section: 3.7. Different IP addresses for IKE and IPsec In many implementations there are separate IP addresses for the cluster, and for each member. While the packets protected by tunnel mode child SAs are encapsulated in IP headers with the cluster IP address, the IKE packets originate from a specific member, and carry that member's IP address. For the peer, this looks weird, as the usual thing is for the IPsec packets to come from the same IP address as the IKE packets. One obvious solution, is to use some fancy capability of the IKE host to change things so that IKE packets also come out of the cluster IP address. This can be achieved through NAT or through assigning multiple addresses to interfaces. This is not, however, possible for all implementations. [ARORA] discusses this problem in greater depth, and proposes another solution, that does involve protocol changes. On Apr 25, 2010, at 12:21 PM, Yaron Sheffer wrote: > Hi Jitender, > > this is certainly an interesting approach to the > high-availability/load-balancing issue that we are just starting to > tackle, as a group. I would appreciate your inputs to the discussion on > draft-ietf-ipsecme-ipsec-ha. > > Below are a few initial comments on your draft: > > - I suggest moving Sec. 5.1 to the front (or at least pointing to it > from the Introduction) so that the motivation becomes clear before the > protocol details are presented. > - Of course, if there are additional usage scenarios, it would be nice > to include them. > - Essentially ignoring the issue of NAT severely hurts the applicability > of this protocol. Even saying something like "use STUN/TURN" is better > than limiting the protocol to closed networks. > - The security considerations never discuss the issue that the peer can > now claims ownership of ANY IP address. I *think* this is just a > denial-of-service issue, but it certainly needs to be analyzed. Which > leads to the main issue with this proposal: > - This is not just a change to IKEv2, it is a rather major change to the > IPsec architecture. So I would expect some discussion of RFC 4301 > entities. See the last 2 paragraphs of > http://tools.ietf.org/html/rfc5685#section-3 for an example. > > Thanks, > Yaron > > On Sat, 2010-04-24 at 10:09 -0400, Jitender Arora wrote: >> Hi All, >> >> A new version of I-D, draft-arora-ipsecme-ikev2-alt-tunnel-addresses-00.txt has been posted to the IETF repository. >> >> Filename: draft-arora-ipsecme-ikev2-alt-tunnel-addresses >> Revision: 00 >> Title: Alternate Tunnel Addresses for IKEv2 >> >> Please take a look and comment. >> >> Regards, >> Jitender >> _______________________________________________ >> IPsec mailing list >> IPsec@ietf.org >> https://www.ietf.org/mailman/listinfo/ipsec > > > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec > > Scanned by Check Point Total Security Gateway.
- Re: [IPsec] New PAKE Criteria draft posted SeongHan Shin
- [IPsec] New PAKE Criteria draft posted Yaron Sheffer
- Re: [IPsec] New PAKE Criteria draft posted SeongHan Shin
- Re: [IPsec] New PAKE Criteria draft posted Yaron Sheffer
- Re: [IPsec] New PAKE Criteria draft posted Yaron Sheffer
- Re: [IPsec] New PAKE Criteria draft posted Yaron Sheffer
- [IPsec] New PAKE Criteria draft posted Dan Harkins
- [IPsec] New draft posted Jitender Arora
- Re: [IPsec] New PAKE Criteria draft posted Yaron Sheffer
- Re: [IPsec] New draft posted Yaron Sheffer
- Re: [IPsec] New draft posted Yoav Nir
- Re: [IPsec] New draft posted Tero Kivinen
- Re: [IPsec] New draft posted Yoav Nir
- Re: [IPsec] New draft posted Tero Kivinen
- Re: [IPsec] New draft posted Jitender Arora
- Re: [IPsec] New draft posted Tero Kivinen
- Re: [IPsec] New draft posted Yaron Sheffer
- Re: [IPsec] New draft posted Yoav Nir
- Re: [IPsec] New draft posted Jitender Arora
- Re: [IPsec] New draft posted Pasi.Eronen
- Re: [IPsec] New draft posted Tero Kivinen
- Re: [IPsec] New draft posted Jitender Arora
- Re: [IPsec] New draft posted Tero Kivinen
- Re: [IPsec] New draft posted Jitender Arora
- Re: [IPsec] New draft posted Tero Kivinen