Re: [Lurk] Is this scenario covered by LURK?
Russ Housley <housley@vigilsec.com> Wed, 22 June 2016 16:31 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: lurk@ietfa.amsl.com
Delivered-To: lurk@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2222412D0F4 for <lurk@ietfa.amsl.com>; Wed, 22 Jun 2016 09:31:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.9
X-Spam-Level:
X-Spam-Status: No, score=-101.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, USER_IN_WHITELIST=-100] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7-0Tpypjx5Ng for <lurk@ietfa.amsl.com>; Wed, 22 Jun 2016 09:31:07 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8D89C12D80D for <lurk@ietf.org>; Wed, 22 Jun 2016 09:31:07 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 67610300447 for <lurk@ietf.org>; Wed, 22 Jun 2016 12:31:05 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id Jetw3D8f8NsH for <lurk@ietf.org>; Wed, 22 Jun 2016 12:31:04 -0400 (EDT)
Received: from [192.168.2.100] (pool-108-51-128-219.washdc.fios.verizon.net [108.51.128.219]) by mail.smeinc.net (Postfix) with ESMTPSA id F166E3000E2 for <lurk@ietf.org>; Wed, 22 Jun 2016 12:31:03 -0400 (EDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <F7EBE8F1-EC5A-415A-B26D-519E0ACEAABB@vigilsec.com>
Date: Wed, 22 Jun 2016 12:31:08 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <CF56EA9E-B5B7-4312-ADF3-818CEBA4CF06@vigilsec.com>
References: <F6C28B32DA084644BB6C8D0BD65B669DC0B314@NKGEML515-MBX.china.huawei.com> <0EAAB1B7-2247-4C52-863E-08F5C173B859@vigilsec.com> <F6C28B32DA084644BB6C8D0BD65B669DC0C186@NKGEML515-MBX.china.huawei.com> <F7EBE8F1-EC5A-415A-B26D-519E0ACEAABB@vigilsec.com>
To: IETF LURK <lurk@ietf.org>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: <https://mailarchive.ietf.org/arch/msg/lurk/O4qtTlEI0NxcB85YusMrd-mtUD4>
Subject: Re: [Lurk] Is this scenario covered by LURK?
X-BeenThere: lurk@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Limited Use of Remote Keys <lurk.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lurk>, <mailto:lurk-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lurk/>
List-Post: <mailto:lurk@ietf.org>
List-Help: <mailto:lurk-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lurk>, <mailto:lurk-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jun 2016 16:31:10 -0000
I do not think this group should include this use case in the document. Russ On Jun 20, 2016, at 9:42 PM, Youjianjie <youjianjie@huawei.com> wrote: > Hi Russ, > > In the diagram below, the TLS connection terminates at the content server side. The edge server (in the context here, e.g. middle-box) is on the data path, and it needs the key because it needs to do some policy control on the traffic flow. > > Thanks, > Jianjie > > 发件人: Lurk [mailto:lurk-bounces@ietf.org] 代表 Russ Housley > 发送时间: 2016年6月20日 23:17 > 收件人: Youjianjie > 抄送: IETF LURK > 主题: [Lurk] Fwd: Is this scenario covered by LURK? > > Youjianjie: > > I’m sorry, but I do not get it. In your diagram, the TLS Connection terminates at the same place as the Content Server/Key Server. So, LURK is not needed for the Key Server to perform operation on behalf of the Content Server, and the Edge Servers do not need key operations because they do not terminate the TLS Connection. > > Russ > > > Begin forwarded message: > > > From: Youjianjie <youjianjie@huawei.com> > Subject: [Lurk] 答复: Is this scenario covered by LURK? > Date: June 16, 2016 at 10:42:29 PM EDT > To: Daniel Migault <daniel.migault@ericsson.com>, "Fossati, Thomas (Nokia - GB)" <thomas.fossati@nokia.com>, "lurk@ietf.org" <lurk@ietf.org> > > Hi Daniel, Thomas, > > Here’s a diagram illustrating the scenario I want to mean. > > <image001.jpg> > > Please also see my comments inline below: > > Thanks, > Jianjie >> -----邮件原件----- >> 发件人: Daniel Migault [mailto:daniel.migault@ericsson.com] >> 发送时间: 2016年6月16日 21:27 >> 收件人: Fossati, Thomas (Nokia - GB); Youjianjie; lurk@ietf.org >> 主题: RE: [Lurk] Is this scenario covered by LURK? >> >> Hi Jianjie, >> >> Thank you for bringing a potential new use case. Currently LURK aims at >> providing an interface between Edge Servers and the Key Server in a context of >> TLS. If I am correct, the use case you provide introduces an additional element >> designated as a Key Manager. From the description it is not clear to me what >> role the Key Manager has, and its relation with the Edge Servers and the Key >> Server. > > The reason why we introduce a Key manager is that there're many edge servers in some cases. It's better not to expose the topology of edge servers to the content owner if the Content Provider and the Content Owner are in different administrative domain. > >> Could you specify what role the Key Manager has as well as interactions >> between: >> - the Key Manger and Key Server > > Key information needs to be interacted between them. > >> - the Key Manager and the Edge Server > > Key information needs to be interacted between them. > >> In addition, it might be also helpful to provide feed back why you think the use >> cases of the draft do not address your use case. Could you please point what is >> missing ? > > Is the content owner also expected to deliver content traffic in the current use case doc? > https://tools.ietf.org/html/draft-mglt-lurk-tls-use-cases-01 > >> BR, >> Daniel >> >> >> -----Original Message----- >> From: Lurk [mailto:lurk-bounces@ietf.org] On Behalf Of Fossati, Thomas >> (Nokia - GB) >> Sent: Thursday, June 16, 2016 8:40 AM >> To: Youjianjie; lurk@ietf.org >> Subject: Re: [Lurk] Is this scenario covered by LURK? >> >> Hi Jianjie, >> >> On 16/06/2016 04:31, "Lurk on behalf of Youjianjie" <lurk-bounces@ietf.org >> on behalf of youjianjie@huawei.com> wrote: >>> Hi >>> >>> I've a question about the scenario. I'm not sure if the following >>> scenario is covered by the LURK. >>> >>> In this scenario, the Content Provider and the Content Owner are in >>> different administrative domain. Content owner is also responsible to >>> deliver the content. The content provider participates the delivery of >>> a content, providing necessary traffic management, such as FW, IPS. >>> >>> For example, the edge server can be middle-box in the operator's network. >>> There may be multiple middle-boxes, which can be managed by a key >>> manager in the operator's network. In order to do traffic management, >>> the key manager needs to interact with the key server located in the >>> content owner domain, in order to do traffic management since the >>> packets are encrypted. Here, the interaction between key manager (e.g. >>> operator's >>> network) and key server (in content owner) needs to be standardized? Is >>> this use case in the scope of LURK? >> >> Could you spend a few more lines on the kind of interaction that you are >> envisaging between the key manager and the key server? >> >> Cheers, t
- Re: [Lurk] Is this scenario covered by LURK? Russ Housley
- [Lurk] 答复: Fwd: Is this scenario covered by LURK? Youjianjie
- [Lurk] Fwd: Is this scenario covered by LURK? Russ Housley
- [Lurk] 答复: 答复: Is this scenario covered by LURK? Youjianjie
- Re: [Lurk] 答复: Is this scenario covered by LURK? Daniel Migault
- [Lurk] 答复: Is this scenario covered by LURK? Youjianjie
- Re: [Lurk] Is this scenario covered by LURK? Daniel Migault
- Re: [Lurk] Is this scenario covered by LURK? Fossati, Thomas (Nokia - GB)
- [Lurk] Is this scenario covered by LURK? Youjianjie