Re: [IPsec] Please Review Changes to AD VPN Problem Statement

Stephen Hanna <shanna@juniper.net> Mon, 22 April 2013 13:00 UTC

From: Stephen Hanna <shanna@juniper.net>
To: Tero Kivinen <kivinen@iki.fi>
Date: Mon, 22 Apr 2013 12:57:20 +0000
Message-ID: <F1DFC16DCAA7D3468651A5A776D5796E1A95944E@SN2PRD0510MB372.namprd05.prod.outlook.com>
References: <20130409025346.7391.95143.idtracker@ietfa.amsl.com> <F1DFC16DCAA7D3468651A5A776D5796E1A91DA6C@SN2PRD0510MB372.namprd05.prod.outlook.com> <20849.13261.464684.303138@fireball.kivinen.iki.fi> <F1DFC16DCAA7D3468651A5A776D5796E1A95871E@SN2PRD0510MB372.namprd05.prod.outlook.com> <20853.10315.629195.503822@fireball.kivinen.iki.fi>
In-Reply-To: <20853.10315.629195.503822@fireball.kivinen.iki.fi>
Cc: "ipsec@ietf.org" <ipsec@ietf.org>
Subject: Re: [IPsec] Please Review Changes to AD VPN Problem Statement
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>

Tero,

Thanks for your additional suggestions. I agree with
those also. I will post a revised draft shortly
containing the text that we have agreed upon.

Take care,

Steve

> -----Original Message-----
> From: ipsec-bounces@ietf.org [mailto:ipsec-bounces@ietf.org] On Behalf
> Of Tero Kivinen
> Sent: Monday, April 22, 2013 8:09 AM
> To: Stephen Hanna
> Cc: ipsec@ietf.org
> Subject: Re: [IPsec] Please Review Changes to AD VPN Problem Statement
> 
> Stephen Hanna writes:
> > I agree with you that requirement 5 as currently worded
> > is too strict. We don't want to end up with a situation
> > where no ADVPN peers can participate in the establishment
> > of the ADVPN! On the other hand, we want to limit the
> > effects of the compromise of an endpoint because endpoint
> > compromise (not gateway compromise) is a common occurrence.
> > A compromised endpoint shouldn't be able to impersonate
> > other peers.
> 
> I agree.
> 
> > You proposed this text:
> >
> > > Any of the ADVPN peers MUST NOT have a way to get the long
> > > term authentication credentials for any other ADVPN peers.
> >
> > I think that's correct. But I also think we want to say:
> >
> > > The compromise of an Endpoint MUST NOT affect the security
> > > of communications between other Peers.
> 				    ^^^^^ => ADVPN Peers
> 
> > Are you OK with replacing the current text for requirement 5
> > with those two sentences? I think that will preserve the
> > essence of the requirement without making it too strict.
> 
> I am OK with those two sentences. Note that Endpoint does not include
> gateways, so the second sentence does not cover the compromise of the
> Spokes. I would even add text saying that "The compromise of a
> Gateway SHOULD NOT affect the security of the communications between
> ADVPN Peers not associated with that Gateway". That last one cannot
> easily be MUST NOT, as a compromised gateway might be able to do all
> kinds of tricks to affect the security of other ADVPN Peers; for
> example, it can try to get the other ADVPN Peers to change their
> current Gateway to itself, and then it will be able to compromise
> them. Some of those we can protect against, but plugging all possible
> holes might end up being very hard. For example, it might be impossible
> to make it so that an ADVPN Peer who has been out of the network for a
> while will not connect back to that compromised Gateway...
> --
> kivinen@iki.fi
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec