IETF Logo Mail Archive

Re: [OPSAWG] Kathleen Moriarty's No Objection on draft-ietf-opsawg-capwap-alt-tunnel-08: (with COMMENT)

Warren Kumari <warren@kumari.net> Wed, 26 October 2016 10:38 UTC

Return-Path: <warren@kumari.net>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 59F6E12948B for <opsawg@ietfa.amsl.com>; Wed, 26 Oct 2016 03:38:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BkVPN2QDX4tK for <opsawg@ietfa.amsl.com>; Wed, 26 Oct 2016 03:38:19 -0700 (PDT)
Received: from mail-qk0-x235.google.com (mail-qk0-x235.google.com [IPv6:2607:f8b0:400d:c09::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 26D84129A5E for <opsawg@ietf.org>; Wed, 26 Oct 2016 03:38:15 -0700 (PDT)
Received: by mail-qk0-x235.google.com with SMTP id d23so3510136qke.7 for <opsawg@ietf.org>; Wed, 26 Oct 2016 03:38:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=We4ZEDyuZl0k8Qh/frsSrjtYFbYcytULdV5H1PeBpmc=; b=bxUPc9uj2mfGAOimsrCeJriJsLvEWHGPvpik1LsXXMlwVGG8KbWAUI9Z6m5Anlg+DZ iV87AqfT8SYN3HMRMVmVrPKlYdI9Gb2jn0uDFNZywO2z9pivAtM+U7NbSpo0e1sPjv8Z 2vZURW9nZ3aqJriItsJS1uI4e0s/k1Se4GxgCsuOQ+HWE/PELQiZALqlHjwdxZc4fi/g Yxlb4hFRxSBnnhAu3IPJj+emdODD9eEWmLoPnYbmyee8NncAvhNScnOyMgGyXe6C7p5B wJnYLnllrKmsNYCo5v8e9EmSZjq1I26tiIxXMJeKEULANmT4LZilQknYZz4kZ7hYDnlf oMTA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=We4ZEDyuZl0k8Qh/frsSrjtYFbYcytULdV5H1PeBpmc=; b=kFcNJIyjvVjn6RnkCFh17GPmBixgCT6zrl8TzpS6HL2dL2+26TEs9O/X2QEnDt9zjA A/L29dtw50xbpIL2HEX41UK0hJuu3q78lFvUcdhVfUG17PrL2m6s93fWfV+oXYTukqLH Vo9VzIIkEMpB3slYtY6kYqpxAMnT35JeQsFr1wL/x3VPcXMCktqbPu2KalfKg/25gZTO DPymA2EF0Rjq5zG+pdrOC2pIqtNRNrR3ljA+SbM2jsf77qfJcQ+50FdjIb5gJk1kfssU ju+LtlmIebcqtjuZGlG3obYGTziLaf69u2WdJD+b0oEh56oR07pfZ8FAKUAE6yKIjIKY ia9Q==
X-Gm-Message-State: ABUngvdlwwy8vBKbv4kxpUR+h1OUyLF5r/+NIplkxKdueG5VtpSgD1cNBjmLWcOre6gc2RStrt7LcGiwuI4o61kj
X-Received: by 10.55.70.84 with SMTP id t81mr742622qka.309.1477478294127; Wed, 26 Oct 2016 03:38:14 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.12.147.100 with HTTP; Wed, 26 Oct 2016 03:37:43 -0700 (PDT)
In-Reply-To: <BAFEC9523F57BC48A51C20226A5589575FE5CCC4@nkgeml514-mbx.china.huawei.com>
References: <147724184512.16086.16613553618779081340.idtracker@ietfa.amsl.com> <BAFEC9523F57BC48A51C20226A5589575FE5CC26@nkgeml514-mbx.china.huawei.com> <CAHw9_iJ0AKcA2PFrbumNVOCXnM=3LkoBZdwGdK9t8N+SJvieRQ@mail.gmail.com> <BAFEC9523F57BC48A51C20226A5589575FE5CCC4@nkgeml514-mbx.china.huawei.com>
From: Warren Kumari <warren@kumari.net>
Date: Wed, 26 Oct 2016 12:37:43 +0200
Message-ID: <CAHw9_iKV3TU-sSK-o6Ob8EDeGBaKM+CJA_FEmad24T=0b-Qneg@mail.gmail.com>
To: Duzongpeng <duzongpeng@huawei.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/IMq3Lhuhg5tMed6aplzMLkF_lkw>
Cc: Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>, "draft-ietf-opsawg-capwap-alt-tunnel@ietf.org" <draft-ietf-opsawg-capwap-alt-tunnel@ietf.org>, "opsawg-chairs@ietf.org" <opsawg-chairs@ietf.org>, The IESG <iesg@ietf.org>, "opsawg@ietf.org" <opsawg@ietf.org>
Subject: Re: [OPSAWG] Kathleen Moriarty's No Objection on draft-ietf-opsawg-capwap-alt-tunnel-08: (with COMMENT)
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Oct 2016 10:38:20 -0000

On Wed, Oct 26, 2016 at 3:50 AM, Duzongpeng <duzongpeng@huawei.com> wrote:
> Hi, Warren
>
>         Thanks for your reply. I want to clarify that I am not suggesting users to use IPsec.


In that case I completely misunderstood and take back my grumpiness.

>
>         In the draft, the tunnels between the WTP and AR need to be protected, so the IPsec is between the WTP and AR.

Got it.
W

>
>         The network provide is responsible for the security of the users, and should deploy the IPSec between the WTP and AR.
>
>         We can suggest to the network providers that it is not a good choice to use unsecured tunnel.
>         Also, the network provide should notify the users that the service is unsecured if they choose some unsecured tunnel types.
>
> Best Regards
> Zongpeng Du
>
> -----Original Message-----
> From: Warren Kumari [mailto:warren@kumari.net]
> Sent: Tuesday, October 25, 2016 9:24 PM
> To: Duzongpeng
> Cc: Kathleen Moriarty; The IESG; opsawg-chairs@ietf.org; draft-ietf-opsawg-capwap-alt-tunnel@ietf.org; opsawg@ietf.org
> Subject: Re: [OPSAWG] Kathleen Moriarty's No Objection on draft-ietf-opsawg-capwap-alt-tunnel-08: (with COMMENT)
>
> On Tue, Oct 25, 2016 at 2:41 PM, Duzongpeng <duzongpeng@huawei.com> wrote:
>> Hello,
>>
>>         I would like to give some suggestions as below.
>>
>>         Some operators deploys their WiFi networks with the data channel unsecured, and even for the wireless part, there are some unsecured deployment examples.
>>         It is not a good choice; however, it is simpler.
>>
>>         Of course, some secure ensured methods should also be provided.
>>         For the wireless part, IEEE has provided several secure mechanism;
>>         For the wireline part, IPsec can be deployed to protect the security.
>>
>>         Would it be ok for the draft to suggest that IPsec should be deployed if the tunnel type itself is unsecured.
>
>
> Personally I don't think that this is a useful suggestion -- *who* exactly would you be advising to do this? Users? They don't (and shouldn't have to) read the RFCs. Suggesting something which we know will not be used seems disingenuous - acknowledging that this is a real issue seems better than suggesting something which we know won't be done to users who we know are not reachable.
> W
>
>
>>
>>
>> Best Regards
>> Zongpeng Du
>>
>> -----Original Message-----
>> From: OPSAWG [mailto:opsawg-bounces@ietf.org] On Behalf Of Kathleen
>> Moriarty
>> Sent: Monday, October 24, 2016 12:57 AM
>> To: The IESG
>> Cc: opsawg-chairs@ietf.org;
>> draft-ietf-opsawg-capwap-alt-tunnel@ietf.org; opsawg@ietf.org
>> Subject: [OPSAWG] Kathleen Moriarty's No Objection on
>> draft-ietf-opsawg-capwap-alt-tunnel-08: (with COMMENT)
>>
>> Kathleen Moriarty has entered the following ballot position for
>> draft-ietf-opsawg-capwap-alt-tunnel-08: No Objection
>>
>> When responding, please keep the subject line intact and reply to all
>> email addresses included in the To and CC lines. (Feel free to cut
>> this introductory paragraph, however.)
>>
>>
>> Please refer to
>> https://www.ietf.org/iesg/statement/discuss-criteria.html
>> for more information about IESG DISCUSS and COMMENT positions.
>>
>>
>> The document, along with other ballot positions, can be found here:
>> https://datatracker.ietf.org/doc/draft-ietf-opsawg-capwap-alt-tunnel/
>>
>>
>>
>> ----------------------------------------------------------------------
>> COMMENT:
>> ----------------------------------------------------------------------
>>
>> I'm surprised to see security is optional and an assertion that RFCs published in 2009 covers everything.  Threats have evolved since then.
>> In looking at RFC5415, Section 12.1, I see:
>>
>>    Within CAPWAP, DTLS is used to secure the link between the WTP and
>>    AC.  In addition to securing control messages, it's also a link in
>>    this chain of trust for establishing link layer keys.  Consequently,
>>    much rests on the security of DTLS.
>>
>>     In some CAPWAP deployment scenarios, there are two channels between
>>    the WTP and AC: the control channel, carrying CAPWAP Control
>>    messages, and the data channel, over which client data packets are
>>    tunneled between the AC and WTP.  Typically, the control channel is
>>    secured by DTLS, while the data channel is not.
>>
>>    The use of parallel protected and unprotected channels deserves
>>    special consideration, but does not create a threat.  There are two
>>    potential concerns: attempting to convert protected data into
>>    unprotected data and attempting to convert un-protected data into
>>    protected data.  These concerns are addressed below.
>>
>> Wouldn't interception and tampering of that traffic pose a threat?  How about gaining access to the control channel?
>>
>> While I don't think this is the right draft to make changes for RFC5415, I don't think it's adequate to say the control channel is optional for encryption.  I could see how the data might be handled elsewhere.  The description discusses this as talking to hundreds of thousands of access points, isn't that access a threat?
>>
>> This draft allows for additional encapsulation methods, we could require encryption for these new encapsulation methods.
>>
>> This should probably be a discuss, so I would appreciate some discussion on this to see if we have option here or if something will change in the referenced RFCs soon.
>>
>> Thank you.
>>
>>
>> _______________________________________________
>> OPSAWG mailing list
>> OPSAWG@ietf.org
>> https://www.ietf.org/mailman/listinfo/opsawg
>
>
>
> --
> I don't think the execution is relevant when it was obviously a bad idea in the first place.
> This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
>    ---maf



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf

v2.23.0 | Report a Bug | By Email