Re: [IPsec] Please Review Changes to AD VPN Problem Statement
Stephen Hanna <shanna@juniper.net> Fri, 19 April 2013 22:06 UTC
From: Stephen Hanna <shanna@juniper.net>
To: Tero Kivinen <kivinen@iki.fi>
Date: Fri, 19 Apr 2013 22:05:47 +0000
Message-ID: <F1DFC16DCAA7D3468651A5A776D5796E1A95871E@SN2PRD0510MB372.namprd05.prod.outlook.com>
References: <20130409025346.7391.95143.idtracker@ietfa.amsl.com> <F1DFC16DCAA7D3468651A5A776D5796E1A91DA6C@SN2PRD0510MB372.namprd05.prod.outlook.com> <20849.13261.464684.303138@fireball.kivinen.iki.fi>
In-Reply-To: <20849.13261.464684.303138@fireball.kivinen.iki.fi>
Cc: "ipsec@ietf.org" <ipsec@ietf.org>
Subject: Re: [IPsec] Please Review Changes to AD VPN Problem Statement
Tero,

I agree with you that requirement 5 as currently worded is too strict. We don't want to end up with a situation where no ADVPN peers can participate in the establishment of the ADVPN! On the other hand, we want to limit the effects of the compromise of an endpoint because endpoint compromise (not gateway compromise) is a common occurrence. A compromised endpoint shouldn't be able to impersonate other peers.

You proposed this text:

> Any of the ADVPN peers MUST NOT have a way to get the long
> term authentication credentials for any other ADVPN peers.

I think that's correct. But I also think we want to say:

> The compromise of an Endpoint MUST NOT affect the security
> of communications between other Peers.

Are you OK with replacing the current text for requirement 5 with those two sentences? I think that will preserve the essence of the requirement without making it too strict.

Thanks,

Steve