IETF Logo Mail Archive

Re: [saag] looking to hold a TLS VPN side meeting at IETF 92

Aaron Zauner <azet@azet.org> Tue, 17 March 2015 22:14 UTC

Return-Path: <azet@azet.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E8361A892B for <saag@ietfa.amsl.com>; Tue, 17 Mar 2015 15:14:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KGmI_n-Dt9Yo for <saag@ietfa.amsl.com>; Tue, 17 Mar 2015 15:14:05 -0700 (PDT)
Received: from mail-we0-f182.google.com (mail-we0-f182.google.com [74.125.82.182]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E4E011A1B89 for <saag@ietf.org>; Tue, 17 Mar 2015 15:14:04 -0700 (PDT)
Received: by weop45 with SMTP id p45so18324349weo.0 for <saag@ietf.org>; Tue, 17 Mar 2015 15:14:03 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :cc:subject:references:in-reply-to:content-type; bh=MT45NrYd/pzTXBrxr0ZRIdr4jt1RKcQcT7kRlZKgf0A=; b=VRFis1dy8sEA5HtXckrYZDw8IZ2/O2iKgE6mwxhH4g2J22aoa5ZoWwrUACN29AERgr P8WVpbQbVoflKS6L5kLxCn/njQ+5CwD2iiaYoklqF0Pdn47aB7LOlMj8XL8mLrvPtbwg 4q2ffzqGCMu80OgZok0hQtHRw0Yj96RorsRCD32y3DLvJPxsj/ZeWG76/7xLpdBPKGUv 7nRP4HX9661CgSuJNYs0D/xRi7vgaEV8bjvK8019fwMsLEAjR/cb7uZLtYUJfz4LJ28M +Cq8ucqxNTJeLGSYAT+fba6rNPO1RHDX71FGsarLqhmd4K/1+jF+TVieOyzWqQg1Q0Sd YybQ==
X-Gm-Message-State: ALoCoQmSOZpyBzzCdCLpkDLEiozgid8N9ZSGxHg/U/AAbiwzwwaZ5BS2m0bLfJ4Vnwb6i+lpPMFs
X-Received: by 10.180.81.7 with SMTP id v7mr1443520wix.27.1426630443730; Tue, 17 Mar 2015 15:14:03 -0700 (PDT)
Received: from [10.0.0.142] (chello080108032135.14.11.univie.teleweb.at. [80.108.32.135]) by mx.google.com with ESMTPSA id u18sm470714wib.1.2015.03.17.15.14.02 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 17 Mar 2015 15:14:02 -0700 (PDT)
Message-ID: <5508A726.5090406@azet.org>
Date: Tue, 17 Mar 2015 23:13:58 +0100
From: Aaron Zauner <azet@azet.org>
User-Agent: Postbox 3.0.11 (Macintosh/20140602)
MIME-Version: 1.0
To: Nikos Mavrogiannopoulos <nmav@gnutls.org>
References: <9A043F3CF02CD34C8E74AC1594475C73AAFB25C2@uxcn10-5.UoA.auckland.ac.nz> <BAD87999-DC8E-4E7A-BA14-E34874D6AA0F@gmail.com> <CAJU7za+ZBLbf3p4Zc1G2Uws88qCHxV4QmwZxUVjTYk2QzB62jQ@mail.gmail.com>
In-Reply-To: <CAJU7za+ZBLbf3p4Zc1G2Uws88qCHxV4QmwZxUVjTYk2QzB62jQ@mail.gmail.com>
X-Enigmail-Version: 1.2.3
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="------------enig204ADF0BC38D41F293E68EC0"
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/MQ-_TUr8UJVxyqjoqVCzFMxIabY>
Cc: Security Area Advisory Group <saag@ietf.org>
Subject: Re: [saag] looking to hold a TLS VPN side meeting at IETF 92
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Mar 2015 22:14:06 -0000

Hi,

Nikos Mavrogiannopoulos wrote:
> argument more than a decade ago, and still the majority of VPNs in use
> are user-space VPNs based on SSL. The last sentence may actually
> capture the benefit... it simply works :)
> 

+1.

IPSec might (!) work well if you use one vendor throughout your network,
pretty much the same thing as some have argued with vendor SSL/TLS VPN
solutions. Because IPSec is such an overly complicated protocol there's
not much security in the clients that are available throughout enduser
operating system. Apple, for example, uses racoon (a NetBSD client) for
IPSec. It only supports IKEv1 in Aggressive Mode. That's a pretty big
userbase that is forced to use an insecure protocol.

Besides a couple of commercial and seldomly used FOSS software
implementations nobody really implements all authentication
subprotocols. I rarely see companies that configure IPSec for their
users (if they do, most hate it and constantly have problems with that
decision), most do use AnyConnect or OpenVPN. That is, of course, for
roadwarrior and site-access setups. IPSec works pretty well for
site-to-site setups; then -- again -- if you use different vendors, or
even different product-cycles of a given vendor, you might run into
interoperability problems. I don't know of a single network engineer
that enjoys deploying IPSec.

I don't really see a need for a new standard as I also think that
everything that is needed for a TLS VPN is already specified. Maybe a
BCP document on how to properly use and implement TLS VPNs would make
more sense?

Aaron

v2.46.0 | Report a Bug | By Email | System Status