Re: [OPSAWG] Kathleen Moriarty's No Objection on draft-ietf-opsawg-capwap-alt-tunnel-08: (with COMMENT)
Duzongpeng <duzongpeng@huawei.com> Tue, 25 October 2016 12:41 UTC
Return-Path: <duzongpeng@huawei.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8EB86129669; Tue, 25 Oct 2016 05:41:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.652
X-Spam-Level:
X-Spam-Status: No, score=-4.652 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.431, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bYpE1S-t7NPf; Tue, 25 Oct 2016 05:41:55 -0700 (PDT)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 14ECF12954B; Tue, 25 Oct 2016 05:41:54 -0700 (PDT)
Received: from 172.18.7.190 (EHLO lhreml704-cah.china.huawei.com) ([172.18.7.190]) by lhrrg01-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id CYZ42579; Tue, 25 Oct 2016 12:41:51 +0000 (GMT)
Received: from NKGEML411-HUB.china.huawei.com (10.98.56.70) by lhreml704-cah.china.huawei.com (10.201.5.130) with Microsoft SMTP Server (TLS) id 14.3.235.1; Tue, 25 Oct 2016 13:41:50 +0100
Received: from NKGEML514-MBX.china.huawei.com ([fe80::40a8:f0d:c0f3:2ca5]) by nkgeml411-hub.china.huawei.com ([10.98.56.70]) with mapi id 14.03.0235.001; Tue, 25 Oct 2016 20:41:46 +0800
From: Duzongpeng <duzongpeng@huawei.com>
To: Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>, The IESG <iesg@ietf.org>
Thread-Topic: [OPSAWG] Kathleen Moriarty's No Objection on draft-ietf-opsawg-capwap-alt-tunnel-08: (with COMMENT)
Thread-Index: AQHSLU6UGsyDr2C0GkembPtV1MR43KC5ErQg
Date: Tue, 25 Oct 2016 12:41:45 +0000
Message-ID: <BAFEC9523F57BC48A51C20226A5589575FE5CC26@nkgeml514-mbx.china.huawei.com>
References: <147724184512.16086.16613553618779081340.idtracker@ietfa.amsl.com>
In-Reply-To: <147724184512.16086.16613553618779081340.idtracker@ietfa.amsl.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.111.149.226]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A020205.580F5310.00BE, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=0.0.0.0, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: bbd6cc0e6328defdceefb68eef9285f1
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/FvXxPvPuTDbaRl9YHufpLxArRzU>
Cc: "draft-ietf-opsawg-capwap-alt-tunnel@ietf.org" <draft-ietf-opsawg-capwap-alt-tunnel@ietf.org>, "opsawg-chairs@ietf.org" <opsawg-chairs@ietf.org>, "opsawg@ietf.org" <opsawg@ietf.org>
Subject: Re: [OPSAWG] Kathleen Moriarty's No Objection on draft-ietf-opsawg-capwap-alt-tunnel-08: (with COMMENT)
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Oct 2016 12:41:59 -0000
Hello, I would like to give some suggestions as below. Some operators deploys their WiFi networks with the data channel unsecured, and even for the wireless part, there are some unsecured deployment examples. It is not a good choice; however, it is simpler. Of course, some secure ensured methods should also be provided. For the wireless part, IEEE has provided several secure mechanism; For the wireline part, IPsec can be deployed to protect the security. Would it be ok for the draft to suggest that IPsec should be deployed if the tunnel type itself is unsecured. Best Regards Zongpeng Du -----Original Message----- From: OPSAWG [mailto:opsawg-bounces@ietf.org] On Behalf Of Kathleen Moriarty Sent: Monday, October 24, 2016 12:57 AM To: The IESG Cc: opsawg-chairs@ietf.org; draft-ietf-opsawg-capwap-alt-tunnel@ietf.org; opsawg@ietf.org Subject: [OPSAWG] Kathleen Moriarty's No Objection on draft-ietf-opsawg-capwap-alt-tunnel-08: (with COMMENT) Kathleen Moriarty has entered the following ballot position for draft-ietf-opsawg-capwap-alt-tunnel-08: No Objection When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-opsawg-capwap-alt-tunnel/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- I'm surprised to see security is optional and an assertion that RFCs published in 2009 covers everything. Threats have evolved since then. In looking at RFC5415, Section 12.1, I see: Within CAPWAP, DTLS is used to secure the link between the WTP and AC. In addition to securing control messages, it's also a link in this chain of trust for establishing link layer keys. Consequently, much rests on the security of DTLS. In some CAPWAP deployment scenarios, there are two channels between the WTP and AC: the control channel, carrying CAPWAP Control messages, and the data channel, over which client data packets are tunneled between the AC and WTP. Typically, the control channel is secured by DTLS, while the data channel is not. The use of parallel protected and unprotected channels deserves special consideration, but does not create a threat. There are two potential concerns: attempting to convert protected data into unprotected data and attempting to convert un-protected data into protected data. These concerns are addressed below. Wouldn't interception and tampering of that traffic pose a threat? How about gaining access to the control channel? While I don't think this is the right draft to make changes for RFC5415, I don't think it's adequate to say the control channel is optional for encryption. I could see how the data might be handled elsewhere. The description discusses this as talking to hundreds of thousands of access points, isn't that access a threat? This draft allows for additional encapsulation methods, we could require encryption for these new encapsulation methods. This should probably be a discuss, so I would appreciate some discussion on this to see if we have option here or if something will change in the referenced RFCs soon. Thank you. _______________________________________________ OPSAWG mailing list OPSAWG@ietf.org https://www.ietf.org/mailman/listinfo/opsawg
- [OPSAWG] Kathleen Moriarty's No Objection on draf… Kathleen Moriarty
- Re: [OPSAWG] Kathleen Moriarty's No Objection on … Duzongpeng
- Re: [OPSAWG] Kathleen Moriarty's No Objection on … Warren Kumari
- Re: [OPSAWG] Kathleen Moriarty's No Objection on … Kathleen Moriarty
- Re: [OPSAWG] Kathleen Moriarty's No Objection on … joel jaeggli
- Re: [OPSAWG] Kathleen Moriarty's No Objection on … Duzongpeng
- Re: [OPSAWG] Kathleen Moriarty's No Objection on … Randy Bush
- Re: [OPSAWG] Kathleen Moriarty's No Objection on … Duzongpeng
- Re: [OPSAWG] Kathleen Moriarty's No Objection on … Warren Kumari