Re: [saag] looking to hold a TLS VPN side meeting at IETF 92
Peter Gutmann <pgut001@cs.auckland.ac.nz> Wed, 18 March 2015 03:40 UTC
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "saag@ietf.org" <saag@ietf.org>
Date: Wed, 18 Mar 2015 03:40:17 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C73AAFB4B16@uxcn10-5.UoA.auckland.ac.nz>
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/3xl6QWtzOew5ZvGwjBCz838Qbt8>
Aaron Zauner <azet@azet.org> writes:

>IPSec might (!) work well if you use one vendor throughout your network,
>pretty much the same thing as some have argued with vendor SSL/TLS VPN
>solutions.

That's the impression I got from folks who have to deploy IPsec solutions,
there seem to be two approaches:

1. Use all gear from the same vendor, configured identically.

2. If you can't manage that, budget lots of time to get things working, and
   bring along something like OpenSWAN and a lot of debugging tools (to quote
   their docs, "Configuration is normally the easy portion of setting up an
   ipsec tunnel, it's normally the debugging that takes up the majority of
   time. Particularly if dealing with heterogeneous peers"). Get things up
   and running, typically in some lowest-common-denominator mode, and never
   touch it again in case it breaks.

>Because IPSec is such an overly complicated protocol there's not much
>security in the clients that are available throughout enduser operating
>system. Apple, for example, uses racoon (a NetBSD client) for IPSec. It only
>supports IKEv1 in Aggressive Mode.

That's pretty much a given when you have to use approach #2, unfortunately.

>IPSec works pretty well for site-to-site setups; then -- again -- if you use
>different vendors, or even different product-cycles of a given vendor, you
>might run into interoperability problems. I don't know of a single network
>engineer that enjoys deploying IPSec.

Yup. It's great if you're being paid by the hour, but then again so is
digging ditches.

>I don't really see a need for a new standard as I also think that everything
>that is needed for a TLS VPN is already specified. Maybe a BCP document on
>how to properly use and implement TLS VPNs would make more sense?

Or just "Use OpenVPN". It's not the perfect solution, but most of the time
it just works. Want to use an Android phone to check email on your corporate
server? Use OpenVPN. iPhone to monitor your home alarm? OpenVPN. Two PCs to
talk to each other privately? OpenVPN.

Peter.
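The "just use OpenVPN" recommendation above leaves out what a practitioner still has to pin down so that the TLS VPN does not itself land in a lowest-common-denominator mode. The following server/client pair is an added example, not part of the message or of the OpenVPN project's documentation; the hostname vpn.example.com, the file names (ca.crt, server.crt, server.key, client.crt, client.key, ta.key) and the 10.8.0.0/24 tunnel network are assumptions for illustration. Key material is generated out of band (for example with easy-rsa and `openvpn --genkey --secret ta.key`).

```conf
# --- server.conf (added example; names and addresses are assumptions) ---
dev tun
proto udp
port 1194
server 10.8.0.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
# ECDHE only: no classic DH group, so no DH parameter file is needed.
dh none
ecdh-curve secp384r1
# Authenticate and encrypt the TLS control channel with a pre-shared key.
# Unauthenticated peers never reach the TLS state machine.
tls-crypt ta.key
# Refuse the legacy protocol versions that a "works with everything"
# configuration would otherwise accept.
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
# AEAD data channel; 'auth' only applies to the control channel here.
cipher AES-256-GCM
auth SHA256
# Require peer certificates issued for the client role (EKU check),
# so a stolen server certificate cannot be replayed as a client.
remote-cert-tls client
keepalive 10 60
persist-key
persist-tun
user nobody
group nogroup
verb 3

# --- client.ovpn (added example; names and addresses are assumptions) ---
client
dev tun
proto udp
remote vpn.example.com 1194
nobind
ca ca.crt
cert client.crt
key client.key
tls-crypt ta.key
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
cipher AES-256-GCM
auth SHA256
# Check the server's EKU and pin its subject CN so any other certificate
# signed by the same CA (e.g. a client certificate) is rejected.
remote-cert-tls server
verify-x509-name vpn.example.com name
persist-key
persist-tun
verb 3
```

The two settings that matter most when interoperating across platforms are `tls-version-min` and the `cipher`/`tls-cipher` lines, because those are exactly what older clients will negotiate down if left at defaults; `remote-cert-tls` plus `verify-x509-name` is the check that keeps a single shared CA from turning every issued certificate into a valid server identity.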