Re: [OPSAWG] Kathleen Moriarty's No Objection on draft-ietf-opsawg-capwap-alt-tunnel-08: (with COMMENT)
joel jaeggli <joelja@bogus.com> Tue, 25 October 2016 18:31 UTC
Return-Path: <joelja@bogus.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 44E2D129951 for <opsawg@ietfa.amsl.com>; Tue, 25 Oct 2016 11:31:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.331
X-Spam-Level:
X-Spam-Status: No, score=-7.331 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.431] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z-vy3VEtrwek for <opsawg@ietfa.amsl.com>; Tue, 25 Oct 2016 11:31:30 -0700 (PDT)
Received: from nagasaki.bogus.com (nagasaki.bogus.com [IPv6:2001:418:1::81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1808312995F for <opsawg@ietf.org>; Tue, 25 Oct 2016 11:31:29 -0700 (PDT)
Received: from mbp-4.local ([IPv6:2620:11a:c081:20:5ce4:5f21:9538:3a87]) (authenticated bits=0) by nagasaki.bogus.com (8.15.2/8.15.2) with ESMTPSA id u9PIVLVI007456 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT); Tue, 25 Oct 2016 18:31:22 GMT (envelope-from joelja@bogus.com)
X-Authentication-Warning: nagasaki.bogus.com: Host [IPv6:2620:11a:c081:20:5ce4:5f21:9538:3a87] claimed to be mbp-4.local
To: Warren Kumari <warren@kumari.net>, Duzongpeng <duzongpeng@huawei.com>
References: <147724184512.16086.16613553618779081340.idtracker@ietfa.amsl.com> <BAFEC9523F57BC48A51C20226A5589575FE5CC26@nkgeml514-mbx.china.huawei.com> <CAHw9_iJ0AKcA2PFrbumNVOCXnM=3LkoBZdwGdK9t8N+SJvieRQ@mail.gmail.com>
From: joel jaeggli <joelja@bogus.com>
Message-ID: <407c5f0d-bebe-b492-b77e-fc1871648906@bogus.com>
Date: Tue, 25 Oct 2016 11:31:20 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:50.0) Gecko/20100101 Thunderbird/50.0
MIME-Version: 1.0
In-Reply-To: <CAHw9_iJ0AKcA2PFrbumNVOCXnM=3LkoBZdwGdK9t8N+SJvieRQ@mail.gmail.com>
Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="wKTUQuQLq73EA5cVpT56w5StoFLMMwcUK"
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/XQfx2JOarV6Q2Aw2Z97iNclpYpQ>
Cc: Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>, "opsawg-chairs@ietf.org" <opsawg-chairs@ietf.org>, "draft-ietf-opsawg-capwap-alt-tunnel@ietf.org" <draft-ietf-opsawg-capwap-alt-tunnel@ietf.org>, "opsawg@ietf.org" <opsawg@ietf.org>, The IESG <iesg@ietf.org>
Subject: Re: [OPSAWG] Kathleen Moriarty's No Objection on draft-ietf-opsawg-capwap-alt-tunnel-08: (with COMMENT)
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Oct 2016 18:31:32 -0000
On 10/25/16 6:24 AM, Warren Kumari wrote: > On Tue, Oct 25, 2016 at 2:41 PM, Duzongpeng <duzongpeng@huawei.com> wrote: >> Hello, >> >> I would like to give some suggestions as below. >> >> Some operators deploys their WiFi networks with the data channel unsecured, and even for the wireless part, there are some unsecured deployment examples. >> It is not a good choice; however, it is simpler. >> >> Of course, some secure ensured methods should also be provided. >> For the wireless part, IEEE has provided several secure mechanism; >> For the wireline part, IPsec can be deployed to protect the security. >> >> Would it be ok for the draft to suggest that IPsec should be deployed if the tunnel type itself is unsecured. > > Personally I don't think that this is a useful suggestion -- *who* > exactly would you be advising to do this? Users? They don't (and > shouldn't have to) read the RFCs. Suggesting something which we know > will not be used seems disingenuous - acknowledging that this is a > real issue seems better than suggesting something which we know won't > be done to users who we know are not reachable. > W indeed, ipsec has a tendency to only be used by consenting adults on the basis of prior coordination. if it's a mnadatory component if a design that cannot be deployed without it, great; if not it smacks of a token gesture. > >> >> Best Regards >> Zongpeng Du >> >> -----Original Message----- >> From: OPSAWG [mailto:opsawg-bounces@ietf.org] On Behalf Of Kathleen Moriarty >> Sent: Monday, October 24, 2016 12:57 AM >> To: The IESG >> Cc: opsawg-chairs@ietf.org; draft-ietf-opsawg-capwap-alt-tunnel@ietf.org; opsawg@ietf.org >> Subject: [OPSAWG] Kathleen Moriarty's No Objection on draft-ietf-opsawg-capwap-alt-tunnel-08: (with COMMENT) >> >> Kathleen Moriarty has entered the following ballot position for >> draft-ietf-opsawg-capwap-alt-tunnel-08: No Objection >> >> When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) >> >> >> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html >> for more information about IESG DISCUSS and COMMENT positions. >> >> >> The document, along with other ballot positions, can be found here: >> https://datatracker.ietf.org/doc/draft-ietf-opsawg-capwap-alt-tunnel/ >> >> >> >> ---------------------------------------------------------------------- >> COMMENT: >> ---------------------------------------------------------------------- >> >> I'm surprised to see security is optional and an assertion that RFCs published in 2009 covers everything. Threats have evolved since then. >> In looking at RFC5415, Section 12.1, I see: >> >> Within CAPWAP, DTLS is used to secure the link between the WTP and >> AC. In addition to securing control messages, it's also a link in >> this chain of trust for establishing link layer keys. Consequently, >> much rests on the security of DTLS. >> >> In some CAPWAP deployment scenarios, there are two channels between >> the WTP and AC: the control channel, carrying CAPWAP Control >> messages, and the data channel, over which client data packets are >> tunneled between the AC and WTP. Typically, the control channel is >> secured by DTLS, while the data channel is not. >> >> The use of parallel protected and unprotected channels deserves >> special consideration, but does not create a threat. There are two >> potential concerns: attempting to convert protected data into >> unprotected data and attempting to convert un-protected data into >> protected data. These concerns are addressed below. >> >> Wouldn't interception and tampering of that traffic pose a threat? How about gaining access to the control channel? >> >> While I don't think this is the right draft to make changes for RFC5415, I don't think it's adequate to say the control channel is optional for encryption. I could see how the data might be handled elsewhere. The description discusses this as talking to hundreds of thousands of access points, isn't that access a threat? >> >> This draft allows for additional encapsulation methods, we could require encryption for these new encapsulation methods. >> >> This should probably be a discuss, so I would appreciate some discussion on this to see if we have option here or if something will change in the referenced RFCs soon. >> >> Thank you. >> >> >> _______________________________________________ >> OPSAWG mailing list >> OPSAWG@ietf.org >> https://www.ietf.org/mailman/listinfo/opsawg > >
- [OPSAWG] Kathleen Moriarty's No Objection on draf… Kathleen Moriarty
- Re: [OPSAWG] Kathleen Moriarty's No Objection on … Duzongpeng
- Re: [OPSAWG] Kathleen Moriarty's No Objection on … Warren Kumari
- Re: [OPSAWG] Kathleen Moriarty's No Objection on … Kathleen Moriarty
- Re: [OPSAWG] Kathleen Moriarty's No Objection on … joel jaeggli
- Re: [OPSAWG] Kathleen Moriarty's No Objection on … Duzongpeng
- Re: [OPSAWG] Kathleen Moriarty's No Objection on … Randy Bush
- Re: [OPSAWG] Kathleen Moriarty's No Objection on … Duzongpeng
- Re: [OPSAWG] Kathleen Moriarty's No Objection on … Warren Kumari