[Ipsec] Re: I-D ACTION:draft-kukec-ikev2-tutorial-additions-00.txt

Yoav Nir <ynir@checkpoint.com> Sun, 18 February 2007 08:15 UTC

From: Yoav Nir <ynir@checkpoint.com>
Date: Sun, 18 Feb 2007 10:14:29 +0200
To: ana.kukec@fer.hr, ipsec@ietf.org
Subject: [Ipsec] Re: I-D ACTION:draft-kukec-ikev2-tutorial-additions-00.txt

Hi.

I'm copying the IPsec list, because I think that's the proper forum to discuss your draft.

I haven't read it in full yet, but I have some comments about section 9 (Alice's request for internal address...)

The problem that is addressed by the CFG payloads is not that clients need an IP address that belongs to the protected network. The problems that prompted the development of MODECFG were of two kinds:
  1. A client has an IP address that belongs to the protected network.
  2. Two clients have the same IP address. This is usually an address like 192.168.0.1, which is assigned to both by a home router or other NAT device.

In both cases you get a routing problem. If the IP belongs to the protected network, the internal routers will not forward the packet to the VPN gateway.
If two clients have the same IP, the VPN gateway will have no way of knowing which client is the target of a packet coming from the protected network.

Second point: Bob will usually not act as a DHCP client, but rather as a DHCP relay. If Bob is a DHCP client, it will get an IP address from the subnet where he already is.

Third point: I think RADIUS servers are installed for allowing the use of passwords, with IP assignment being a side benefit (for IKEv2). The wording of your explanation suggests that passwords are a complication introduced by the RADIUS.

Another issue I would like to see addressed is the interaction (or lack thereof) between DHCP timeouts and the EXPIRY attribute in CFG. Is it the job of the IRAS to periodically extend the lease, or is it the job of the client?

On Feb 16, 2007, at 10:50 PM, Internet-Drafts@ietf.org wrote:

> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
>
>
> 	Title		: Additions to IKEv2 tutorial and Rationale for Decisions
> 	Author(s)	: A. Kukec
> 	Filename	: draft-kukec-ikev2-tutorial-additions-00.txt
> 	Pages		: 28
> 	Date		: 2007-2-17
> 	
>    This document contains additions to the R. Perlman's draft Understanding IKEv2: Tutorial, and rationale for decisions.  Its purpose is to request for comments and to incorporate it into draft-ietf-ipsec-ikev2-tutorial-01.  This document describes some of controversial issues discussed on the IPsec mailing list and described in various IETF documents that were written after the publication of draft-ietf-ipsec-ikev2-tutorial-01.  Its additional purpose is to explain some of IKEv2 protocol parts that were not described in draft-ietf-ipsec-ikev2-tutorial-01.  It follows the original R. Perlman draft's concept to be both a tutorial for understanding IKEv2 and a summary of IKEv2 issues.
>
>
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-kukec-ikev2-tutorial-additions-00.txt
>


_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
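As an added illustration (not part of this thread, and not any implementation's code), here is the CFG_REQUEST/CFG_REPLY exchange and the EXPIRY attribute the mail refers to, together with a check for the two conflict cases the mail lists. The field layout follows RFC 4306 section 3.15; the function names, address pool and sample values are constructed for the example.

```python
import struct
import ipaddress

# IKEv2 Configuration payload constants (RFC 4306, section 3.15)
CFG_REQUEST, CFG_REPLY = 1, 2
INTERNAL_IP4_ADDRESS, INTERNAL_IP4_NETMASK, INTERNAL_ADDRESS_EXPIRY = 1, 2, 5


def encode_cfg(cfg_type, attrs, next_payload=0):
    """Build a Configuration payload: generic payload header (Next Payload,
    Critical/Reserved, Length), then CFG Type + 3 reserved octets, then
    TLV attributes (R bit clear, 15-bit type, 2-octet length, value)."""
    body = b"".join(struct.pack("!HH", atype & 0x7FFF, len(val)) + val
                    for atype, val in attrs)
    length = 8 + len(body)
    return struct.pack("!BBH", next_payload, 0, length) + struct.pack("!B3x", cfg_type) + body


def decode_cfg(data):
    """Parse a Configuration payload back into (cfg_type, [(type, value), ...])."""
    _next, _crit, length = struct.unpack("!BBH", data[:4])
    cfg_type = data[4]
    attrs, off = [], 8
    while off < length:
        atype, alen = struct.unpack("!HH", data[off:off + 4])
        if atype & 0x8000:  # R bit must be zero in CFG attributes
            raise ValueError("reserved bit set in CFG attribute")
        attrs.append((atype & 0x7FFF, data[off + 4:off + 4 + alen]))
        off += 4 + alen
    return cfg_type, attrs


def needs_internal_address(client_ip, protected_net, other_clients):
    """The two cases from the mail: the client's own address lies inside the
    protected network, or another connected client already uses it."""
    ip = ipaddress.ip_address(client_ip)
    return (ip in ipaddress.ip_network(protected_net)
            or ip in {ipaddress.ip_address(a) for a in other_clients})


def gateway_reply(request, pool, lease_seconds):
    """Gateway side (hypothetical): answer a CFG_REQUEST for INTERNAL_IP4_ADDRESS
    with an address from a constructed pool plus an INTERNAL_ADDRESS_EXPIRY."""
    cfg_type, attrs = decode_cfg(request)
    if cfg_type != CFG_REQUEST:
        raise ValueError("expected CFG_REQUEST")
    reply = []
    for atype, _ in attrs:
        if atype == INTERNAL_IP4_ADDRESS:
            reply.append((INTERNAL_IP4_ADDRESS, ipaddress.ip_address(pool.pop(0)).packed))
            reply.append((INTERNAL_ADDRESS_EXPIRY, struct.pack("!I", lease_seconds)))
    return encode_cfg(CFG_REPLY, reply)
```

A client request carries INTERNAL_IP4_ADDRESS with a zero-length value; the reply carries the assigned address and a lease in seconds, which is the value whose renewal responsibility the mail asks about.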