Re: [karp] Question: splitting RAPD discussion from policy framework discussion in draft-atwood-karp-aapm-rp

Uma Chunduri <uma.chunduri@ericsson.com> Thu, 01 August 2013 19:05 UTC

Return-Path: <uma.chunduri@ericsson.com>
X-Original-To: karp@ietfa.amsl.com
Delivered-To: karp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 260E111E8138 for <karp@ietfa.amsl.com>; Thu, 1 Aug 2013 12:05:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DdGyY8gzMrFZ for <karp@ietfa.amsl.com>; Thu, 1 Aug 2013 12:05:26 -0700 (PDT)
Received: from usevmg21.ericsson.net (usevmg21.ericsson.net [198.24.6.65]) by ietfa.amsl.com (Postfix) with ESMTP id 4474811E8137 for <karp@ietf.org>; Thu, 1 Aug 2013 12:05:24 -0700 (PDT)
X-AuditID: c6180641-b7f986d000007a82-2b-51fab173db04
Received: from EUSAAHC007.ericsson.se (Unknown_Domain [147.117.188.93]) by usevmg21.ericsson.net (Symantec Mail Security) with SMTP id 1A.86.31362.371BAF15; Thu, 1 Aug 2013 21:05:23 +0200 (CEST)
Received: from EUSAAMB105.ericsson.se ([147.117.188.122]) by EUSAAHC007.ericsson.se ([147.117.188.93]) with mapi id 14.02.0328.009; Thu, 1 Aug 2013 15:05:23 -0400
From: Uma Chunduri <uma.chunduri@ericsson.com>
To: Stephen Kent <kent@bbn.com>, "karp@ietf.org" <karp@ietf.org>
Thread-Topic: [karp] Question: splitting RAPD discussion from policy framework discussion in draft-atwood-karp-aapm-rp
Thread-Index: AQHOjq2bprwB0oEKjEORNDbnpKFp3JmAr+2A
Date: Thu, 1 Aug 2013 19:05:22 +0000
Message-ID: <1B502206DFA0C544B7A604691520086317445FEC@eusaamb105.ericsson.se>
References: <tslzjt2exde.fsf@mit.edu> <51FA4BA1.7020508@bbn.com>
In-Reply-To: <51FA4BA1.7020508@bbn.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [155.53.73.142]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrPLMWRmVeSWpSXmKPExsUyuXRPrG7xxl+BBss/KVns/baG0WLjbEYH Jo+p50M9liz5yRTAFMVlk5Kak1mWWqRvl8CV0bllNkvBWvGKH2s/sDUwfhLqYuTkkBAwkVj4 YxobhC0mceHeeiCbi0NI4CijRPOK+cwgCSGBZYwSvy8Lg9hsAnoSH6f+ZAexRQQcJDpurWAB sYUFyiXm3NvOCBGvkLh17jOUbSSxfP1+sBoWARWJBR3NYHFeAV+JhbuWsUPMd5C4da0BLM4p oC7Ruu4wWJwR6KDvp9YwgdjMAuISt57MZ4I4VEBiyZ7zzBC2qMTLx/9YIWxFida7/5kh6nUk Fuz+xAZha0ssW/iaGWKvoMTJmU9YJjCKzkIydhaSlllIWmYhaVnAyLKKkaO0OLUsN93IcBMj MBKOSbA57mBc8MnyEKM0B4uSOO8GvTOBQgLpiSWp2ampBalF8UWlOanFhxiZODilGhj7F2WU C1hXr/koVnfHyeh69wx+0Wevj83R839jNVlZRuZD5cHFvgaquySSj/dP/tJxVP6JpEL24k0/ C1MXZ7td5Lwh9tHBWPGb8s78f68+fmxhSJJuU3rj6XnFc/Iy/anZ14yTfwXusVkprPhYb2+v TpK5tQI3/zHPRxER8s3md9bVPchf9FSJpTgj0VCLuag4EQB2KZWdUgIAAA==
Subject: Re: [karp] Question: splitting RAPD discussion from policy framework discussion in draft-atwood-karp-aapm-rp
X-BeenThere: karp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion list for key management for routing and transport protocols <karp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/karp>, <mailto:karp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/karp>
List-Post: <mailto:karp@ietf.org>
List-Help: <mailto:karp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/karp>, <mailto:karp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Aug 2013 19:05:35 -0000

Great and headed response Steve.

>> support adoption of the discussion of the SPD/PAD-like mechanisms

Conceptually this is critical for IKEv2 integration of RPs and KARP discussions focused 
less on this. 

Though http://datatracker.ietf.org/doc/draft-ietf-karp-crypto-key-table/?include_text=1 
is important for RP integration with IKEv2 but it's not sufficient unless you solve the 
RP policy is given to IKE. At best crypto-tables can be seen as SAD (for some RPs).

FWIW, this is one of the main reasons Gatekeeper was introduced 
http://datatracker.ietf.org/doc/draft-chunduri-karp-using-ikev2-with-tcp-ao/
and presented in earlier IETF meetings. This essentially is the repository of 
the pair wise RP policy to be presented for IKEv2. With out this an IKEv2 responder can't 
get a comprehensive view of what SA it should negotiate, for which traffic selectors and for
which RP.

>> but do not support the broader, rather high level policy framework text.

+10

Also I feel, should not mix RKMP (KMP for pair wise RPs) and MRKMP (KMP for group keying RPs) 
and attempt to create a high level policy frame work. I believe, this can severely complicate things 
rather than helping in actual implementation and usage.

This is what I propose:

1. Policy framework for pair-wise RPs which use RFC 5996 [IKEv2]
           - It's been in the discussion for quite a while in KARP and 
             the draft I mentioned above
2. Policy framework for group keying RPs which use variant of IKEv2 
   (any draft close to publication which can get us there??)
3. We should try to use PAD as is (most of it) to leverage existing IKEv2 code base

-- 
Uma C. 


-----Original Message-----
From: karp-bounces@ietf.org [mailto:karp-bounces@ietf.org] On Behalf Of Stephen Kent
Sent: Thursday, August 01, 2013 4:51 AM
To: karp@ietf.org
Subject: Re: [karp] Question: splitting RAPD discussion from policy framework discussion in draft-atwood-karp-aapm-rp

I asked that we consider this split because I support adoption of the discussion of the SPD/PAD-like mechanisms, but do not support the broader, rather high level policy framework text.

So, count me as one vote for the split.

Steve

> Hi.  During the presentation of our draft, I asked Steve Kent whether 
> he thought it would be valuable to split the discussion of the 
> conseptual database similar to aspects of the IPsec PAD and SPD from 
> the broader policy framework.  He said yes.  I said it would be 
> valuable to get feedback from others about whether this split is 
> useful.  The chairs asked me to ask on the list.
> 7
> _______________________________________________
> karp mailing list
> karp@ietf.org
> https://www.ietf.org/mailman/listinfo/karp
>

_______________________________________________
karp mailing list
karp@ietf.org
https://www.ietf.org/mailman/listinfo/karp