Re: [IPsec] New PAKE Criteria draft posted (def. of gateway)
"Dan Harkins" <dharkins@lounge.org> Fri, 26 March 2010 15:59 UTC
Great, clear benefits to having a separate AAA server. So that's the
reason to neuter technology? What you're talking about is a deployment
issue and that really isn't any of our business.

Dan.

On Thu, March 25, 2010 10:06 pm, Yaron Sheffer wrote:
> As I mentioned in my previous mail, the document attempts to follow the
> use cases as agreed in the charter.
>
> For the remote access case, there are clear benefits to having a
> separate AAA server, and EAP has been adopted by multiple protocols
> including IKEv2. I don't see a reason to open this decision now.
>
> And the criteria that this document "supposedly" deals with have to be
> evaluated in the context of use cases and scenarios. They are not
> abstract entities.
>
> Thanks,
> Yaron
>
> On 26.3.2010 1:59, Dan Harkins wrote:
>>
>> On the contrary, I would like to see no notion of "clients", "hosts",
>> and "gateways" at all. There is no reason why this technique could
>> not be used in any of the use cases in IKEv2.
>>
>> And such a statement certainly does not belong in a document that
>> supposedly deals with criteria upon which a selection will be made.
>>
>> Dan.
>>
>> On Thu, March 25, 2010 4:40 pm, Kaz Kobara wrote:
>>> Hi Yaron
>>>
>>>> draft-sheffer-ipsecme-pake-criteria-02.txt says in Page 4
>>>> "This document is limited to the use of password-based authentication to
>>>> achieve trust between gateways"
>>>
>>> I would like to make sure that
>>> "gateway" in this document does not encompass VPN clients and hosts,
>>> right?
>>>
>>> Kaz
>>>
>>>> -----Original Message-----
>>>> From: ipsec-bounces@ietf.org [mailto:ipsec-bounces@ietf.org] On Behalf Of
>>>> Yaron Sheffer
>>>> Sent: Friday, March 26, 2010 3:31 AM
>>>> To: SeongHan Shin
>>>> Cc: IPsecme WG; Kazukuni Kobara
>>>> Subject: Re: [IPsec] New PAKE Criteria draft posted
>>>>
>>>> Hi Shin,
>>>>
>>>> Yes. For the typical remote access VPN, EAP is typically more useful.
>>>> Note that there is still need for strong password-based mutual
>>>> authentication EAP methods - but their home is the EMU working group.
>>>>
>>>> In addition, the IPsecME has another charter item designed to fit such
>>>> EAP methods (such as the future EAP-AugPAKE :-) into IKEv2.
>>>>
>>>> Please see again the group's charter,
>>>> http://tools.ietf.org/wg/ipsecme/charters.
>>>>
>>>> Thanks,
>>>> Yaron
>>>>
>>>> On 25.3.2010 20:07, SeongHan Shin wrote:
>>>>> Dear Yaron Sheffer,
>>>>>
>>>>> I have one question about the draft.
>>>>>
>>>>> draft-sheffer-ipsecme-pake-criteria-02.txt says in Page 4
>>>>> "This document is limited to the use of password-based authentication to
>>>>> achieve trust between gateways"
>>>>>
>>>>> Is this a consensus of this WG?
>>>>>
>>>>> Best regards,
>>>>> Shin
>>>>>
>>>>> On Thu, Mar 25, 2010 at 3:46 PM, Yaron Sheffer<yaronf.ietf@gmail.com
>>>>> <mailto:yaronf.ietf@gmail.com>> wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> after the good discussion in Anaheim, and with the help of comments
>>>>> received on and off the list, I have updated the PAKE Criteria draft
>>>>> and posted it as
>>>>> http://www.ietf.org/id/draft-sheffer-ipsecme-pake-criteria-02.txt.
>>>>>
>>>>> I have added a number of criteria, clarified others, and added
>>>>> numbering (SEC1-SEC6, IPR1-IPR3 etc.).
>>>>>
>>>>> Thanks,
>>>>> Yaron
>>>>> _______________________________________________
>>>>> IPsec mailing list
>>>>> IPsec@ietf.org<mailto:IPsec@ietf.org>
>>>>> https://www.ietf.org/mailman/listinfo/ipsec
>>>>>
>>>>> --
>>>>> ------------------------------------------------------------------
>>>>> SeongHan Shin
>>>>> Research Center for Information Security (RCIS),
>>>>> National Institute of Advanced Industrial Science and Technology (AIST),
>>>>> Room no. 1003, Akihabara Daibiru 10F,
>>>>> 1-18-13, Sotokannda, Chiyoda-ku, Tokyo 101-0021 Japan
>>>>> Tel : +81-3-5298-2722
>>>>> Fax : +81-3-5298-4522
>>>>> E-mail : seonghan.shin@aist.go.jp<mailto:seonghan.shin@aist.go.jp>
>>>>> ------------------------------------------------------------------
>>>> _______________________________________________
>>>> IPsec mailing list
>>>> IPsec@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/ipsec
>>>
>>> _______________________________________________
>>> IPsec mailing list
>>> IPsec@ietf.org
>>> https://www.ietf.org/mailman/listinfo/ipsec
>>>
>>
>> _______________________________________________
>> IPsec mailing list
>> IPsec@ietf.org
>> https://www.ietf.org/mailman/listinfo/ipsec
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
>