Re: [IPsec] AD re-review of draft-ietf-ipsecme-ad-vpn-problem

Sean Turner <turners@ieca.com> Mon, 03 June 2013 17:28 UTC

Date: Mon, 03 Jun 2013 13:24:03 -0400
From: Sean Turner <turners@ieca.com>
To: Vishwas Manral <vishwas.ietf@gmail.com>
Cc: IPsecme WG <ipsec@ietf.org>, "draft-ietf-ipsecme-ad-vpn-problem@tools.ietf.org" <draft-ietf-ipsecme-ad-vpn-problem@tools.ietf.org>
Subject: Re: [IPsec] AD re-review of draft-ietf-ipsecme-ad-vpn-problem

On 6/3/13 1:02 PM, Vishwas Manral wrote:
> Hi Sean,
> My comments are inline:
>
> Please incorporate the QoS issue brought up by Toby. I'd like to make
> sure we have everything in the draft that the WG wants before issuing
> the WGLC. I also think the TSV/RTG directorates/ADs will be interested
> in that.
>
> VM> I can incorporate it if the Working Group thinks the QoS parts
> should be part of the aDVPN solution.

Yeah it wasn't clear to me whether it should be part of the aDVPN 
solution.  Maybe the chairs can chime in on this one.

> Can you explain the rationale for the following changes to
> requirement #5; I'm just not following it:
>
> OLD:
>
> 5. One ADVPN peer MUST NOT be able to impersonate another ADVPN peer.
>
> NEW:
>
> 5. Any of the ADVPN Peers MUST NOT have a way to get the long term
> authentication credentials for any other ADVPN Peers. The compromise of
> an Endpoint MUST NOT affect the security of communications between other
> ADVPN Peers. The compromise of a Gateway SHOULD NOT affect the security
> of the communications between ADVPN Peers not associated with that Gateway.
>
> Is the first sentence still saying basically: "peers can't impersonate
> peers"?
>
> VM> Yes, that's the idea in my view. Steve Hanna may have more comments on
> this. Steve?

Okay, I guess that makes sense; it just seems a little wordy, but not worth 
holding the draft up for.

> Nits:
>
> - sec 1.1: Need to add what an ADVPN is and expand the acronym
>
> VM> Should something like the below suffice:
>
> VM> ADVPN - Auto Discovery Virtual Private Network (ADVPN) is a VPN
> solution that enables a large number of systems to communicate directly,
> with minimal configuration and operator intervention, using IPsec to
> protect communication between them.

yes

> - sec 4/1.1: The terms allied and federated environment kind of come out
> of nowhere. Please add them to s1.1. I just want to make sure it's clear
> what the difference is between the two.
>
> VM> Here is what I will add to 1.1.
>
> VM> Allied and Federated Environments - Environments where we have
> multiple different organizations that have close association and need to
> connect to each other.

that'll work.