Re: [IPsec] New PAKE Criteria draft posted (def. of gateway)

"Dan Harkins" <dharkins@lounge.org> Fri, 26 March 2010 15:59 UTC

Date: Fri, 26 Mar 2010 08:59:35 -0700 (PDT)
From: "Dan Harkins" <dharkins@lounge.org>
To: "Yaron Sheffer" <yaronf.ietf@gmail.com>
Cc: ipsec@ietf.org, Dan Harkins <dharkins@lounge.org>, Kaz Kobara <kobara_conf@m.aist.go.jp>

  Great, clear benefits to having a separate AAA server. So that's
the reason to neuter technology?

  What you're talking about is a deployment issue and that really isn't
any of our business.

  Dan.

On Thu, March 25, 2010 10:06 pm, Yaron Sheffer wrote:
> As I mentioned in my previous mail, the document attempts to follow the
> use cases as agreed in the charter.
>
> For the remote access case, there are clear benefits to having a
> separate AAA server, and EAP has been adopted by multiple protocols
> including IKEv2. I don't see a reason to open this decision now.
>
> And the criteria that this document "supposedly" deals with have to be
> evaluated in the context of use cases and scenarios. They are not
> abstract entities.
>
> Thanks,
> 	Yaron
>
> On 26.3.2010 1:59, Dan Harkins wrote:
>>
>>    On the contrary, I would like to see no notion of "clients", "hosts",
>> and "gateways" at all. There is no reason why this technique could
>> not be used in any of the use cases in IKEv2.
>>
>>    And such a statement certainly does not belong in a document that
>> supposedly deals with criteria upon which a selection will be made.
>>
>>    Dan.
>>
>> On Thu, March 25, 2010 4:40 pm, Kaz Kobara wrote:
>>> Hi Yaron
>>>
>>>> draft-sheffer-ipsecme-pake-criteria-02.txt says in Page 4
>>>> "This document is limited to the use of password-based authentication to
>>>> achieve trust between gateways"
>>>
>>> I would like to make sure that
>>> "gateway" in this document does not encompass VPN clients and hosts,
>>> right?
>>>
>>> Kaz
>>>
>>>> -----Original Message-----
>>>> From: ipsec-bounces@ietf.org [mailto:ipsec-bounces@ietf.org] On Behalf Of
>>>> Yaron Sheffer
>>>> Sent: Friday, March 26, 2010 3:31 AM
>>>> To: SeongHan Shin
>>>> Cc: IPsecme WG; Kazukuni Kobara
>>>> Subject: Re: [IPsec] New PAKE Criteria draft posted
>>>>
>>>> Hi Shin,
>>>>
>>>> Yes. For the typical remote access VPN, EAP is typically more useful.
>>>> Note that there is still need for strong password-based mutual
>>>> authentication EAP methods - but their home is the EMU working group.
>>>>
>>>> In addition, the IPsecME has another charter item designed to fit such
>>>> EAP methods (such as the future EAP-AugPAKE :-) into IKEv2.
>>>>
>>>> Please see again the group's charter,
>>>> http://tools.ietf.org/wg/ipsecme/charters.
>>>>
>>>> Thanks,
>>>> 	Yaron
>>>>
>>>> On 25.3.2010 20:07, SeongHan Shin wrote:
>>>>> Dear Yaron Sheffer,
>>>>>
>>>>> I have one question about the draft.
>>>>>
>>>>> draft-sheffer-ipsecme-pake-criteria-02.txt says in Page 4
>>>>> "This document is limited to the use of password-based authentication to
>>>>> achieve trust between gateways"
>>>>>
>>>>> Is this a consensus of this WG?
>>>>>
>>>>> Best regards,
>>>>> Shin
>>>>>
>>>>> On Thu, Mar 25, 2010 at 3:46 PM, Yaron Sheffer <yaronf.ietf@gmail.com> wrote:
>>>>>
>>>>>      Hi,
>>>>>
>>>>>      after the good discussion in Anaheim, and with the help of comments
>>>>>      received on and off the list, I have updated the PAKE Criteria draft
>>>>>      and posted it as
>>>>>
>>>>>      http://www.ietf.org/id/draft-sheffer-ipsecme-pake-criteria-02.txt.
>>>>>
>>>>>      I have added a number of criteria, clarified others, and added
>>>>>      numbering (SEC1-SEC6, IPR1-IPR3 etc.).
>>>>>
>>>>>      Thanks,
>>>>>          Yaron
>>>>>      _______________________________________________
>>>>>      IPsec mailing list
>>>>>      IPsec@ietf.org
>>>>>      https://www.ietf.org/mailman/listinfo/ipsec
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> ------------------------------------------------------------------
>>>>> SeongHan Shin
>>>>> Research Center for Information Security (RCIS),
>>>>> National Institute of Advanced Industrial Science and Technology (AIST),
>>>>> Room no. 1003, Akihabara Daibiru 10F,
>>>>> 1-18-13, Sotokannda, Chiyoda-ku, Tokyo 101-0021 Japan
>>>>> Tel : +81-3-5298-2722
>>>>> Fax : +81-3-5298-4522
>>>>> E-mail : seonghan.shin@aist.go.jp
>>>>> ------------------------------------------------------------------
>>>
>>