Re: [lisp] A Stab At Opportunistic Encryption for LISP
Roger Jørgensen <rogerj@gmail.com> Wed, 05 March 2014 07:33 UTC
Return-Path: <rogerj@gmail.com>
X-Original-To: lisp@ietfa.amsl.com
Delivered-To: lisp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F28B51A0341 for <lisp@ietfa.amsl.com>; Tue, 4 Mar 2014 23:33:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.7
X-Spam-Level:
X-Spam-Status: No, score=-1.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GwGAfQYzNK_L for <lisp@ietfa.amsl.com>; Tue, 4 Mar 2014 23:33:09 -0800 (PST)
Received: from mail-we0-x22c.google.com (mail-we0-x22c.google.com [IPv6:2a00:1450:400c:c03::22c]) by ietfa.amsl.com (Postfix) with ESMTP id F20071A02C7 for <lisp@ietf.org>; Tue, 4 Mar 2014 23:33:08 -0800 (PST)
Received: by mail-we0-f172.google.com with SMTP id t61so702962wes.31 for <lisp@ietf.org>; Tue, 04 Mar 2014 23:33:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=inba0rZn1IS3O01gL3LXS7WB9qNBFKMvk0F2dVxV0VE=; b=mNTrgwbLH0BxYX3C30XQe42vEz0+71lvD8AiIdbLKajghp+Vejdg0xDWj46lOc909g z76g8qptXzxtz8hRUGgSw2aMge/7oG46+5ohQiLEVmFSHNRjeC8slQ2XAUdgveeT6/eg ch+ebAxBroTjoRARYxtTOKjCf5jFqmoZiLgfiPknkztmXzTCnOHnykQwKMuWe5UE9m8K WTZJNeM7KCKNINgd/f5CwCImwcD43MtPbNZzJsv+Qa5SnI7xy5dfu+dxVjXyMDYJByAx X9s1rk3Xfq8j4j+HggjKZ4cmY0TTkwQwnECDxL9fUY+SGaMlNDkVXHYIalIaVGplG20Y LDVw==
MIME-Version: 1.0
X-Received: by 10.194.204.229 with SMTP id lb5mr5783134wjc.67.1394004784899; Tue, 04 Mar 2014 23:33:04 -0800 (PST)
Received: by 10.216.175.74 with HTTP; Tue, 4 Mar 2014 23:33:04 -0800 (PST)
In-Reply-To: <6BC34AAF-E8D8-4D94-BF86-67BA834564CC@fortinet.com>
References: <6BC34AAF-E8D8-4D94-BF86-67BA834564CC@fortinet.com>
Date: Wed, 05 Mar 2014 08:33:04 +0100
Message-ID: <CAKFn1SE11M0pR4BY-=KnziABMAt2Et_VyWgc8b7nEKjZoNpRSg@mail.gmail.com>
From: Roger Jørgensen <rogerj@gmail.com>
To: Edward Lopez <elopez@fortinet.com>
Content-Type: text/plain; charset="ISO-8859-1"
Archived-At: http://mailarchive.ietf.org/arch/msg/lisp/dmSQClJLFim5sTKz8mUhl7TiWco
Cc: "lisp@ietf.org list" <lisp@ietf.org>
Subject: Re: [lisp] A Stab At Opportunistic Encryption for LISP
X-BeenThere: lisp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <lisp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lisp>, <mailto:lisp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/lisp/>
List-Post: <mailto:lisp@ietf.org>
List-Help: <mailto:lisp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lisp>, <mailto:lisp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Mar 2014 07:33:11 -0000
Not sure where to start but here we go. In short - on the background of that draft, I think it's quite respect less what you have gone and done. That's how _I_ see it. On the technical part, IPSec is nothing new, but I'm not going to comment on that. Some months ago I contacted Dino and started to discuss how we could encrypt all traffic between xTR's without involving the users at all. Or there could be an option for the EID-space holder to tell the mapping system that he only would accept encrypted traffic, or only some encryptions. I thought we could get something done and that work are in Dino's draft. And that's where _I_ started. During my discussion with Dino he involved other people, including you. I understood there was some previous work in progress and we was discussing to merge all that into one draft that you should write together with Dino and me. Then you went silent for weeks, I got no spare time so Dino went and wrote it all himself, that's Dino's draft. And now you show up with a draft with your name on, Dino has asked his to be removed for obvious reason since we've worked on his draft for quite some time now. You could have told us some weeks/months ago that you were working on a draft on your own, that's the least _I_ would have expected. Any future comments/involving from my side will be on technical things. --- Roger J --- On Mon, Mar 3, 2014 at 7:13 PM, Edward Lopez <elopez@fortinet.com> wrote: > First off, I apologize to all for my absence on the mailing list, > particularly Dino. My company is relatively new to IETF WG participation, > and there were some backend discussions I had to have back at corporate to > ensure that I was both in compliance with the IETF Note Well, as well as my > company's internal IP processes. This has been resolved, and I will be > resuming active participation on the list. > > At the time, I was working with Dino on crypto solutions for LISP. Enclosed > in my draft regarding opportunistic encryption for LISP. While there are > significant similarities with regard to the goals of one exchange of key > material, non-reliance on PKI, nor storing keys on the mapping system, I > proposed the use of IPSec ESP in transport mode for the actual encryption of > packets between xTRs, as opposed to developing support for encryption within > the LISP protocol itself. I feel this has significant advantages toward > ease of deployment and hardware acceleration, as well as support for > multiple available encryption/hash algorithms. > > The use of the security type (11) LCAF is very similar, except I propose > that the Key Algorithm field be used to support encryption/hash algorithm > sets, rather than individual algorithms. In this way, we can use Key Count > values to signify ITF preferences. > > Another significant different is that this draft makes use of the R-bit to > signal when Keys should be revoked, and can be used locally by xTRs to > signal expiry conditions such as lifetime, peer detection failure, etc. > > Thanks! > > Ed Lopez > > > ________________________________ > *** Please note that this message and any attachments may contain > confidential and proprietary material and information and are intended only > for the use of the intended recipient(s). If you are not the intended > recipient, you are hereby notified that any review, use, disclosure, > dissemination, distribution or copying of this message and any attachments > is strictly prohibited. If you have received this email in error, please > immediately notify the sender and destroy this e-mail and any attachments > and all copies, whether electronic or printed. Please also note that any > views, opinions, conclusions or commitments expressed in this message are > those of the individual sender and do not necessarily reflect the views of > Fortinet, Inc., its affiliates, and emails are not binding on Fortinet and > only a writing manually signed by Fortinet's General Counsel can be a > binding commitment of Fortinet to Fortinet's customers or partners. Thank > you. *** > ________________________________ > > _______________________________________________ > lisp mailing list > lisp@ietf.org > https://www.ietf.org/mailman/listinfo/lisp > -- Roger Jorgensen | ROJO9-RIPE rogerj@gmail.com | - IPv6 is The Key! http://www.jorgensen.no | roger@jorgensen.no
- [lisp] A Stab At Opportunistic Encryption for LISP Edward Lopez
- Re: [lisp] A Stab At Opportunistic Encryption for… Edward Lopez
- Re: [lisp] A Stab At Opportunistic Encryption for… Roger Jørgensen
- Re: [lisp] A Stab At Opportunistic Encryption for… Edward Lopez