Re: draft-touch-ipsec-vpn-06.txt
Joe Touch <touch@ISI.EDU> Fri, 23 January 2004 18:20 UTC
Received: from optimus.ietf.org ([132.151.1.19]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA14718 for <l3vpn-archive@odin.ietf.org>; Fri, 23 Jan 2004 13:20:22 -0500 (EST)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1Ak5uO-00086e-N3 for l3vpn-archive@odin.ietf.org; Fri, 23 Jan 2004 13:19:56 -0500
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id i0NIJuJh031154 for l3vpn-archive@odin.ietf.org; Fri, 23 Jan 2004 13:19:56 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1Ak5uO-00086P-I3 for l3vpn-web-archive@optimus.ietf.org; Fri, 23 Jan 2004 13:19:56 -0500
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA14671 for <l3vpn-web-archive@ietf.org>; Fri, 23 Jan 2004 13:19:52 -0500 (EST)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1Ak5uM-0005Fu-00 for l3vpn-web-archive@ietf.org; Fri, 23 Jan 2004 13:19:54 -0500
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1Ak5tQ-0005BV-00 for l3vpn-web-archive@ietf.org; Fri, 23 Jan 2004 13:18:57 -0500
Received: from [132.151.1.19] (helo=optimus.ietf.org) by ietf-mx with esmtp (Exim 4.12) id 1Ak5sX-00056w-00 for l3vpn-web-archive@ietf.org; Fri, 23 Jan 2004 13:18:01 -0500
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1Ak5sX-0007uK-QS; Fri, 23 Jan 2004 13:18:01 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1Ak5re-0007qz-4X for l3vpn@optimus.ietf.org; Fri, 23 Jan 2004 13:17:06 -0500
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA14440 for <l3vpn@ietf.org>; Fri, 23 Jan 2004 13:17:01 -0500 (EST)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1Ak5rc-00052g-00 for l3vpn@ietf.org; Fri, 23 Jan 2004 13:17:04 -0500
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1Ak5qk-0004z0-00 for l3vpn@ietf.org; Fri, 23 Jan 2004 13:16:11 -0500
Received: from boreas.isi.edu ([128.9.160.161]) by ietf-mx with esmtp (Exim 4.12) id 1Ak5py-0004us-00 for l3vpn@ietf.org; Fri, 23 Jan 2004 13:15:22 -0500
Received: from isi.edu (23.sub-69-83-170.myvzw.com [69.83.170.23]) by boreas.isi.edu (8.11.6p2+0917/8.11.2) with ESMTP id i0NIF5D26030; Fri, 23 Jan 2004 10:15:05 -0800 (PST)
Message-ID: <401164A7.8000107@isi.edu>
Date: Fri, 23 Jan 2004 10:15:03 -0800
From: Joe Touch <touch@ISI.EDU>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6b) Gecko/20031205 Thunderbird/0.4
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Mark Duffy <mduffy@quarrytech.com>
CC: Ross Callon <rcallon@juniper.net>, l3vpn@ietf.org, Thomas Narten <narten@us.ibm.com>
Subject: Re: draft-touch-ipsec-vpn-06.txt
References: <5.2.0.9.0.20040122200853.021a90e0@email>
In-Reply-To: <5.2.0.9.0.20040122200853.021a90e0@email>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: 7bit
Sender: l3vpn-admin@ietf.org
Errors-To: l3vpn-admin@ietf.org
X-BeenThere: l3vpn@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/l3vpn>, <mailto:l3vpn-request@ietf.org?subject=unsubscribe>
List-Id: <l3vpn.ietf.org>
List-Post: <mailto:l3vpn@ietf.org>
List-Help: <mailto:l3vpn-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/l3vpn>, <mailto:l3vpn-request@ietf.org?subject=subscribe>
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on ietf-mx.ietf.org
X-Spam-Status: No, hits=0.0 required=5.0 tests=none autolearn=no version=2.60
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: 7bit
Mark Duffy wrote: > >> - Does the l3vpn working group feel that this document should be >> reviewed by a public working group, such as the l3vpn working group, >> prior to publication? > > > I would think that should be more a matter of ietf policy regarding > personal submission RFCs than what any wg thinks. Unless the policy is > to ask relevant wg's :-) 1) that's the policy 2) as I've stated, and as is available in the archives, we did as several WGs even before the IESG did. >> - Do we have any technical comments on the document? > > > The basic concept of forming virtual links by first applying IP-in-IP > tunnelling, then securing them by applying transport mode IPsec to the > resulting packets seems a good one to me. (And it is already embodied > in at least one document that is a product of this wg.) It was embodied in this draft in 3/2000, and described in normative publications of our project since 2000 as well. > As an aside, I would be quite interested for the working group to take > on the effort to progress a *standard* for virtual links. It should go > a step further and provide a way to convey to the far end what vpn > context a given tunnel is for. Those deeply interested in this subject > might want to look at > <http://www.ietf.org/internet-drafts/draft-duffy-ppvpn-ipsec-vlink-00.txt> > which provides a survey of issues in this space and of potential solutions. > > Anyway, back to draft-touch. > > I think the basic approach presented is sound and appropriate. I do > think the message gets a little lost in all the description of other > possible approaches and why they don't work. I found those > descriptions difficult to follow. > > The draft expresses an interpretation of RFC 2401 that I believe is > excessively rigid and literal. E.g. in concluding that transport mode > may not be used between two gateways, and that protocol #4 > encapsulations must be skipped past in evaluating SPD policy to look for > a transport header deeper in the packet. Please review the IPsec WG mailing list archives on this issue. Rigidity is the defining characteristic of security specs (if not all specs, hopefully). > The draft on page 7 states: > There are two common implementation scenarios for tunnel mode SAs: > One is based on firewall-like packet matching operations where tunnel > mode SAs are not virtual interfaces, another is tunnel-based, and > treats a tunnel mode SA as a virtual interface. The current IPsec > architecture does not mandate one or the other. > This is completely outside my understanding of RFC 2401. 2401 is > completely oriented towards the policy based approach. I am unaware > that it provides in any way for treating a tunnel mode SA as a virtual > interface. In fact it does much to obstruct that viz. SPD policy and > packet selectors. 2401 cannot mandate only firewall-like (policy-based) approach; that would defeat BITW architectures, which are specifically supported. > Nit: the link numbers on figure 3 do not seem to match some references > to them in the preceding paragraphs. That has already been corrected in an update that is pending this final IESG review. > Previous revisions of this document contained the concept that if one > sends an IKE proposal for transport mode protection for protocol #4, > then one is signalling the intent that the tunnel is to be considered a > virtual link. Perhaps that has been removed because offhand I cannot > find it. I thought that was undesirable because it imposes a new > meaning onto a possibly pre-existing behavior, and it is implicit rather > than explicit. > > Regards, Mark That's in section 4.2.4 (IKE impact), and has been reviewed by the IPsec WG. Joe
- draft-touch-ipsec-vpn-06.txt Ross Callon
- Re: draft-touch-ipsec-vpn-06.txt Joe Touch
- RE: draft-touch-ipsec-vpn-06.txt Hamid Ould-Brahim
- RE: draft-touch-ipsec-vpn-06.txt Claudio Lordello
- Re: draft-touch-ipsec-vpn-06.txt Joe Touch
- RE: draft-touch-ipsec-vpn-06.txt Claudio Lordello
- Re: draft-touch-ipsec-vpn-06.txt Joe Touch
- Re: draft-touch-ipsec-vpn-06.txt Eric Rosen
- Re: draft-touch-ipsec-vpn-06.txt Joe Touch
- Re: draft-touch-ipsec-vpn-06.txt Mohan Parthasarathy
- Re: draft-touch-ipsec-vpn-06.txt Joe Touch
- Re: draft-touch-ipsec-vpn-06.txt Joe Touch
- Re: draft-touch-ipsec-vpn-06.txt Mohan Parthasarathy
- Re: draft-touch-ipsec-vpn-06.txt Joe Touch
- Re: draft-touch-ipsec-vpn-06.txt Mohan Parthasarathy
- Re: draft-touch-ipsec-vpn-06.txt Joe Touch
- RE: draft-touch-ipsec-vpn-06.txt Paul Knight
- Re: draft-touch-ipsec-vpn-06.txt Mohan Parthasarathy
- Re: draft-touch-ipsec-vpn-06.txt Mark Duffy
- Re: draft-touch-ipsec-vpn-06.txt Lars Eggert
- Re: draft-touch-ipsec-vpn-06.txt Thomas Narten
- RE: draft-touch-ipsec-vpn-06.txt Eric Gray
- Re: draft-touch-ipsec-vpn-06.txt jeremy.de_clercq
- RE: draft-touch-ipsec-vpn-06.txt Claudio Lordello
- Re: draft-touch-ipsec-vpn-06.txt Lars Eggert
- RE: draft-touch-ipsec-vpn-06.txt Claudio Lordello
- Re: draft-touch-ipsec-vpn-06.txt Joe Touch
- RE: draft-touch-ipsec-vpn-06.txt Claudio Lordello
- Re: draft-touch-ipsec-vpn-06.txt Joe Touch
- Re: draft-touch-ipsec-vpn-06.txt Joe Touch
- Re: draft-touch-ipsec-vpn-06.txt Mohan Parthasarathy
- Re: draft-touch-ipsec-vpn-06.txt Joe Touch
- Re: draft-touch-ipsec-vpn-06.txt Joe Touch
- RE: draft-touch-ipsec-vpn-06.txt Claudio Lordello
- Re: draft-touch-ipsec-vpn-06.txt Mark Duffy
- Re: draft-touch-ipsec-vpn-06.txt Joe Touch
- Re: draft-touch-ipsec-vpn-06.txt Joe Touch
- RE: draft-touch-ipsec-vpn-06.txt Claudio Lordello
- Re: draft-touch-ipsec-vpn-06.txt Joe Touch
- Re: draft-touch-ipsec-vpn-06.txt Joe Touch
- FW: draft-touch-ipsec-vpn-06.txt Claudio Lordello
- Re: FW: draft-touch-ipsec-vpn-06.txt Lars Eggert
- Re: FW: draft-touch-ipsec-vpn-06.txt Mark Duffy
- RE: FW: draft-touch-ipsec-vpn-06.txt Claudio Lordello
- Re: FW: draft-touch-ipsec-vpn-06.txt Lars Eggert
- Re: FW: draft-touch-ipsec-vpn-06.txt Lars Eggert
- Re: draft-touch-ipsec-vpn-06.txt Rahul Aggarwal
- Re: draft-touch-ipsec-vpn-06.txt Yakov Rekhter
- RE: draft-touch-ipsec-vpn-06.txt Claudio Lordello
- RE: draft-touch-ipsec-vpn-06.txt Claudio Lordello
- Re: draft-touch-ipsec-vpn-06.txt Joe Touch
- Re: draft-touch-ipsec-vpn-06.txt Joe Touch
- RE: draft-touch-ipsec-vpn-06.txt Claudio Lordello
- Re: draft-touch-ipsec-vpn-06.txt Joe Touch
- Re: draft-touch-ipsec-vpn-06.txt Eric Rosen
- Re: draft-touch-ipsec-vpn-06.txt Joe Touch
- Re: draft-touch-ipsec-vpn-06.txt Joe Touch
- Re: draft-touch-ipsec-vpn-06.txt Eric Rosen
- Re: draft-touch-ipsec-vpn-06.txt Joe Touch