Re: [IPsec] New PAKE Criteria draft posted (def. of gateway)

Yaron Sheffer <yaronf.ietf@gmail.com> Fri, 26 March 2010 05:26 UTC

Message-ID: <4BAC40DC.6070509@gmail.com>
Date: Fri, 26 Mar 2010 08:06:36 +0300
From: Yaron Sheffer <yaronf.ietf@gmail.com>
To: Dan Harkins <dharkins@lounge.org>
References: <015701cacc74$9b0f3c20$d12db460$@aist.go.jp> <4093d38f9abeccadfd77722bca2bedd5.squirrel@www.trepanning.net>
In-Reply-To: <4093d38f9abeccadfd77722bca2bedd5.squirrel@www.trepanning.net>
Cc: ipsec@ietf.org, Kaz Kobara <kobara_conf@m.aist.go.jp>
Subject: Re: [IPsec] New PAKE Criteria draft posted (def. of gateway)

As I mentioned in my previous mail, the document attempts to follow the 
use cases as agreed in the charter.

For the remote access case, there are clear benefits to having a 
separate AAA server, and EAP has been adopted by multiple protocols 
including IKEv2. I don't see a reason to open this decision now.

And the criteria that this document "supposedly" deals with have to be 
evaluated in the context of use cases and scenarios. They are not 
abstract entities.

Thanks,
	Yaron

On 26.3.2010 1:59, Dan Harkins wrote:
>
>    On the contrary, I would like to see no notion of "clients", "hosts",
> and "gateways" at all. There is no reason why this technique could
> not be used in any of the use cases in IKEv2.
>
>    And such a statement certainly does not belong in a document that
> supposedly deals with criteria upon which a selection will be made.
>
>    Dan.
>
> On Thu, March 25, 2010 4:40 pm, Kaz Kobara wrote:
>> Hi Yaron
>>
>>> draft-sheffer-ipsecme-pake-criteria-02.txt says in Page 4
>>> "This document is limited to the use of password-based authentication to
>>> achieve trust between gateways"
>>
>> I would like to make sure that
>> "gateway" in this document does not encompass VPN clients and hosts,
>> right?
>>
>> Kaz
>>
>>> -----Original Message-----
>>> From: ipsec-bounces@ietf.org [mailto:ipsec-bounces@ietf.org] On Behalf Of
>>> Yaron Sheffer
>>> Sent: Friday, March 26, 2010 3:31 AM
>>> To: SeongHan Shin
>>> Cc: IPsecme WG; Kazukuni Kobara
>>> Subject: Re: [IPsec] New PAKE Criteria draft posted
>>>
>>> Hi Shin,
>>>
>>> Yes. For the typical remote access VPN, EAP is typically more useful.
>>> Note that there is still need for strong password-based mutual
>>> authentication EAP methods - but their home is the EMU working group.
>>>
>>> In addition, the IPsecME has another charter item designed to fit such
>>> EAP methods (such as the future EAP-AugPAKE :-) into IKEv2.
>>>
>>> Please see again the group's charter,
>>> http://tools.ietf.org/wg/ipsecme/charters.
>>>
>>> Thanks,
>>> 	Yaron
>>>
>>> On 25.3.2010 20:07, SeongHan Shin wrote:
>>>> Dear Yaron Sheffer,
>>>>
>>>> I have one question about the draft.
>>>>
>>>> draft-sheffer-ipsecme-pake-criteria-02.txt says in Page 4
>>>> "This document is limited to the use of password-based authentication to
>>>> achieve trust between gateways"
>>>>
>>>> Is this a consensus of this WG?
>>>>
>>>> Best regards,
>>>> Shin
>>>>
>>>> On Thu, Mar 25, 2010 at 3:46 PM, Yaron Sheffer <yaronf.ietf@gmail.com> wrote:
>>>>
>>>>      Hi,
>>>>
>>>>      after the good discussion in Anaheim, and with the help of comments
>>>>      received on and off the list, I have updated the PAKE Criteria draft
>>>>      and posted it as
>>>>
>>>>      http://www.ietf.org/id/draft-sheffer-ipsecme-pake-criteria-02.txt.
>>>>
>>>>      I have added a number of criteria, clarified others, and added
>>>>      numbering (SEC1-SEC6, IPR1-IPR3 etc.).
>>>>
>>>>      Thanks,
>>>>          Yaron
>>>>      _______________________________________________
>>>>      IPsec mailing list
>>>>      IPsec@ietf.org
>>>>      https://www.ietf.org/mailman/listinfo/ipsec
>>>>
>>>> --
>>>> ------------------------------------------------------------------
>>>> SeongHan Shin
>>>> Research Center for Information Security (RCIS),
>>>> National Institute of Advanced Industrial Science and Technology (AIST),
>>>> Room no. 1003, Akihabara Daibiru 10F,
>>>> 1-18-13, Sotokannda, Chiyoda-ku, Tokyo 101-0021 Japan
>>>> Tel : +81-3-5298-2722
>>>> Fax : +81-3-5298-4522
>>>> E-mail : seonghan.shin@aist.go.jp
>>>> ------------------------------------------------------------------