Re: [IPsec] AD re-review of draft-ietf-ipsecme-ad-vpn-problem

Vishwas Manral <vishwas.ietf@gmail.com> Wed, 22 May 2013 02:09 UTC

From: Vishwas Manral <vishwas.ietf@gmail.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Cc: IPsecme WG <ipsec@ietf.org>, "draft-ietf-ipsecme-ad-vpn-problem@tools.ietf.org" <draft-ietf-ipsecme-ad-vpn-problem@tools.ietf.org>, Sean Turner <turners@ieca.com>
Subject: Re: [IPsec] AD re-review of draft-ietf-ipsecme-ad-vpn-problem

Hi Paul,

I will try to get this done around the first week of June. I am currently
travelling till the end of the week.

Thanks,
Vishwas


On Tue, May 21, 2013 at 6:57 AM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:

> Document authors: when might we have the update so Sean can move this
> forwards? We are gated on this before we solicit AD-VPN protocols.
>
> --Paul Hoffman
>
> On Apr 30, 2013, at 7:52 AM, Sean Turner <turners@ieca.com> wrote:
>
> > Please incorporate the QoS issue brought up by Toby.  I'd like to make
> > sure we have everything in the draft that the WG wants before issuing the
> > WGLC.  I also think the TSV/RTG directorates/ADs will be interested in that.
> >
> > Can you explain the rationale for the following changes to
> > requirement #5; I'm just not following it:
> >
> > OLD:
> >
> > 5. One ADVPN peer MUST NOT be able to impersonate another ADVPN
> > peer.
> >
> > NEW:
> >
> > 5. Any of the ADVPN Peers MUST NOT have a way to get the long term
> > authentication credentials for any other ADVPN Peers. The compromise of
> > an Endpoint MUST NOT affect the security of communications between other
> > ADVPN Peers. The compromise of a Gateway SHOULD NOT affect the security of
> > the communications between ADVPN Peers not associated with that Gateway.
> >
> > Is the first sentence still saying basically: "peers can't impersonate
> > peers"?
> >
> > Nits:
> >
> > - sec 1.1: Need to add what an ADVPN is and expand the acronym
> >
> > - sec 4/1.1: The terms allied and federated environment kind of come out
> > of nowhere.  Please add them to s1.1.  I just want to make sure it's clear what
> > the difference is between the two.
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
>
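The relation Sean asks about between the OLD wording ("no peer can impersonate another") and the NEW first sentence ("no peer can obtain another peer's long-term credentials") can be made concrete with a small model. The code below is an added example written for this archive page; it is not the draft's text, not IKEv2/IPsec, and not code from the ipsecme working group. It assumes a toy authentication scheme in which each message carries an HMAC over (claimed sender identity, payload) and compares two credential designs: one group secret shared by all ADVPN peers, and one long-term secret per peer with the verifier (a gateway, say) looking the key up by the claimed identity. Peer names "A", "B", "C" and the audit payload are constructed values. The audit function asks, for every pair of peers, whether the material exposed by compromising one is enough to make a message verify as the other; that is exactly the property the requirement is meant to guarantee.

```python
import hashlib
import hmac
import secrets


def _tag(key: bytes, sender: str, payload: bytes) -> bytes:
    """Toy authenticator: a MAC binding the claimed sender identity to the
    payload under `key` (illustrative model, not an IPsec/IKE construct)."""
    return hmac.new(key, sender.encode() + b"|" + payload, hashlib.sha256).digest()


class SharedSecretVPN:
    """Weak design: every ADVPN peer holds the same long-term group secret."""

    def __init__(self, peers):
        self.peers = set(peers)
        self.group_key = secrets.token_bytes(32)

    def exposed_by_compromise(self, peer: str) -> dict:
        # A compromised peer leaks everything it stores: here, the one group key.
        return {"group": self.group_key}

    def sign(self, sender: str, payload: bytes) -> bytes:
        return _tag(self.group_key, sender, payload)

    def verify(self, sender: str, payload: bytes, tag: bytes) -> bool:
        if sender not in self.peers:
            return False
        return hmac.compare_digest(_tag(self.group_key, sender, payload), tag)


class PerPeerSecretVPN:
    """Design meeting the NEW first sentence: each peer holds only its own
    long-term credential, and the verifier selects the key by identity."""

    def __init__(self, peers):
        self.keys = {p: secrets.token_bytes(32) for p in peers}

    def exposed_by_compromise(self, peer: str) -> dict:
        # Compromise of one endpoint exposes that endpoint's credential only.
        return {peer: self.keys[peer]}

    def sign(self, sender: str, payload: bytes) -> bytes:
        return _tag(self.keys[sender], sender, payload)

    def verify(self, sender: str, payload: bytes, tag: bytes) -> bool:
        key = self.keys.get(sender)
        if key is None:
            return False
        return hmac.compare_digest(_tag(key, sender, payload), tag)


def impersonation_possible(vpn, compromised: str, victim: str) -> bool:
    """Audit check: using only the material a compromise of `compromised`
    exposes, does a message claiming to come from `victim` verify?"""
    payload = b"constructed audit payload"  # constructed value for the check
    for key in vpn.exposed_by_compromise(compromised).values():
        if vpn.verify(victim, payload, _tag(key, victim, payload)):
            return True
    return False


def audit(vpn_cls, peers):
    """Return the (compromised, victim) pairs for which the property
    'one ADVPN peer cannot impersonate another' fails; empty set means it holds."""
    vpn = vpn_cls(peers)
    return {
        (c, v)
        for c in peers
        for v in peers
        if c != v and impersonation_possible(vpn, c, v)
    }


if __name__ == "__main__":
    peers = ["A", "B", "C"]
    print("shared secret, failing pairs:", sorted(audit(SharedSecretVPN, peers)))
    print("per-peer secret, failing pairs:", sorted(audit(PerPeerSecretVPN, peers)))
```

With the shared secret, every ordered pair fails: whatever any one peer stores is sufficient to speak as any other, so the OLD requirement is violated even though no peer ever "obtained" a credential it was not issued. With per-peer secrets, the audit returns no failing pair, because a compromised endpoint exposes nothing the verifier would accept for another identity. This is why the NEW first sentence, combined with identity-bound credentials on the verifier side, implies the OLD one; the reverse is not automatic, which is the distinction the re-worded requirement appears to be drawing.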