Re: [IPsec] Please Review Changes to AD VPN Problem Statement

Stephen Hanna <shanna@juniper.net> Fri, 19 April 2013 22:06 UTC

From: Stephen Hanna <shanna@juniper.net>
To: Tero Kivinen <kivinen@iki.fi>
Thread-Topic: [IPsec] Please Review Changes to AD VPN Problem Statement
Date: Fri, 19 Apr 2013 22:05:47 +0000
Message-ID: <F1DFC16DCAA7D3468651A5A776D5796E1A95871E@SN2PRD0510MB372.namprd05.prod.outlook.com>
References: <20130409025346.7391.95143.idtracker@ietfa.amsl.com> <F1DFC16DCAA7D3468651A5A776D5796E1A91DA6C@SN2PRD0510MB372.namprd05.prod.outlook.com> <20849.13261.464684.303138@fireball.kivinen.iki.fi>
In-Reply-To: <20849.13261.464684.303138@fireball.kivinen.iki.fi>
Cc: "ipsec@ietf.org" <ipsec@ietf.org>
Subject: Re: [IPsec] Please Review Changes to AD VPN Problem Statement

Tero,

I agree with you that requirement 5 as currently worded
is too strict. We don't want to end up with a situation
where no ADVPN peers can participate in the establishment
of the ADVPN! On the other hand, we want to limit the
effects of the compromise of an endpoint because endpoint
compromise (not gateway compromise) is a common occurrence.
A compromised endpoint shouldn't be able to impersonate
other peers.

You proposed this text:

> Any of the ADVPN peers MUST NOT have a way to get the long
> term authentication credentials for any other ADVPN peers.

I think that's correct. But I also think we want to say:

> The compromise of an Endpoint MUST NOT affect the security
> of communications between other Peers.

Are you OK with replacing the current text for requirement 5
with those two sentences? I think that will preserve the
essence of the requirement without making it too strict.

Thanks,

Steve