Re: [OPSAWG] Kathleen Moriarty's No Objection on draft-ietf-opsawg-capwap-alt-tunnel-08: (with COMMENT)

Duzongpeng <duzongpeng@huawei.com> Wed, 26 October 2016 07:14 UTC


Hi, Randy

	I agree that other solutions exist. But IPsec should be the preferred one by the public WiFi operators because it is more mature and widely used.
	Of course, we can clarify that other solutions are also OK for protecting the security of the users.

Best Regards
Zongpeng Du

-----Original Message-----
From: Randy Bush [mailto:randy@psg.com] 
Sent: Wednesday, October 26, 2016 12:43 PM
To: Duzongpeng
Cc: Warren Kumari; Kathleen Moriarty; The IESG; opsawg@ietf.org
Subject: Re: [OPSAWG] Kathleen Moriarty's No Objection on draft-ietf-opsawg-capwap-alt-tunnel-08: (with COMMENT)

> Thanks for your reply. I want to clarify that I am not suggesting 
> that users use IPsec.
> 
> In the draft, the tunnels between the WTP and AR need to be protected, 
> so the IPsec is between the WTP and AR.
> 
> The network provider is responsible for the security of the users, and 
> should deploy IPsec between the WTP and AR.
> 
> We can suggest to the network providers that it is not a good choice 
> to use an unsecured tunnel.  Also, the network provider should notify the 
> users that the service is unsecured if they choose some unsecured 
> tunnel types.

on my more paranoid days, this being one, i think ipsec was designed to deter use and hence privacy; we have become married to sabotage.

is there some simpler easily deployed auth/privacy mechanism which could be mti?  md5/4808 would at least be deployable, disgusting as it is.

randy