Re: [Tsvwg] Adopting draft-behringer-tsvwg-rsvp-security-groupkeying as WG item?
Francois Le Faucheur IMAP <flefauch@cisco.com> Wed, 30 January 2008 15:22 UTC
Return-path: <tsvwg-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1JKElu-0002OK-Rk; Wed, 30 Jan 2008 10:22:42 -0500
Received: from tsvwg by megatron.ietf.org with local (Exim 4.43) id 1JKElu-0002OD-69 for tsvwg-confirm+ok@megatron.ietf.org; Wed, 30 Jan 2008 10:22:42 -0500
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1JKElt-0002O5-Ql for tsvwg@ietf.org; Wed, 30 Jan 2008 10:22:41 -0500
Received: from ams-iport-1.cisco.com ([144.254.224.140]) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1JKEls-0003G5-Rf for tsvwg@ietf.org; Wed, 30 Jan 2008 10:22:41 -0500
X-IronPort-AV: E=Sophos;i="4.25,277,1199660400"; d="scan'208";a="4404239"
Received: from ams-dkim-2.cisco.com ([144.254.224.139]) by ams-iport-1.cisco.com with ESMTP; 30 Jan 2008 16:22:40 +0100
Received: from ams-core-1.cisco.com (ams-core-1.cisco.com [144.254.224.150]) by ams-dkim-2.cisco.com (8.12.11/8.12.11) with ESMTP id m0UFMeDl026779; Wed, 30 Jan 2008 16:22:40 +0100
Received: from xbh-ams-331.emea.cisco.com (xbh-ams-331.cisco.com [144.254.231.71]) by ams-core-1.cisco.com (8.12.10/8.12.6) with ESMTP id m0UFMVlN024838; Wed, 30 Jan 2008 15:22:35 GMT
Received: from xfe-ams-331.emea.cisco.com ([144.254.231.72]) by xbh-ams-331.emea.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Wed, 30 Jan 2008 16:22:35 +0100
Received: from [144.254.53.198] ([144.254.53.198]) by xfe-ams-331.emea.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Wed, 30 Jan 2008 16:22:34 +0100
In-Reply-To: <47A02356.4030403@gmx.net>
References: <47974BDB.70406@ericsson.com> <CD8D57B6-EB94-4DCE-A42A-02BC5F573A13@nokia.com> <7A1BB0E8-5EFB-4341-918A-F841DB1B57FF@cisco.com> <A268781D-F81A-48B3-8042-1892AC93B749@nokia.com> <A55DB203FF9BCF478586DB235086386415A872AE@emss09m03.us.lmco.com> <47A02356.4030403@gmx.net>
Mime-Version: 1.0 (Apple Message framework v753)
Content-Type: text/plain; charset="US-ASCII"; delsp="yes"; format="flowed"
Message-Id: <C6DCAA11-500D-442A-8293-37717388772E@cisco.com>
Content-Transfer-Encoding: 7bit
From: Francois Le Faucheur IMAP <flefauch@cisco.com>
Subject: Re: [Tsvwg] Adopting draft-behringer-tsvwg-rsvp-security-groupkeying as WG item?
Date: Wed, 30 Jan 2008 16:22:30 +0100
To: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
X-Mailer: Apple Mail (2.753)
X-OriginalArrivalTime: 30 Jan 2008 15:22:34.0528 (UTC) FILETIME=[F0502A00:01C86353]
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=6679; t=1201706560; x=1202570560; c=relaxed/simple; s=amsdkim2001; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=flefauch@cisco.com; z=From:=20Francois=20Le=20Faucheur=20IMAP=20<flefauch@cisco. com> |Subject:=20Re=3A=20[Tsvwg]=20Adopting=09draft-behringer-ts vwg-rsvp-security-groupkeying=20as=20WG=20item? |Sender:=20; bh=Ia32YzewPC4wegtwqpkbHBV0fzubPY5OYxs+dhrMirU=; b=qFPDbkaVVjs3BQ9n2tN2LvPZzfCeV+2TE5T0RinurC8QQM9kTSXW0xaV0+ dXcMpgDiONZshN3Iwjo+rTNKploXYwI+VuA0eiJDHB3IdPlGHWD6rt7Z2rXw VsBle1fXR7;
Authentication-Results: ams-dkim-2; header.From=flefauch@cisco.com; dkim=pass ( sig from cisco.com/amsdkim2001 verified; );
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 848ed35f2a4fc0638fa89629cb640f48
Cc: tsvwg list IETF <tsvwg@ietf.org>
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
Errors-To: tsvwg-bounces@ietf.org
Hi Hannes, On 30 Jan 2008, at 08:12, Hannes Tschofenig wrote: > Hi Anshul, > > Kantawala, Anshul wrote: >> Lars, >> My comment about the usefulness of having a single IETF document that >> covers all aspects of RSVP security (authentication and >> encryption) was >> made at the Vancouver IETF meeting (name mistakenly put in as >> "Andrew" >> in the meeting minutes: "*Andrew - interested in RSVP >> authentication and >> RSVP over IPsec, and thinks this work should progress"). >> > draft-behringer-tsvwg-rsvp-security-groupkeying is certainly not > the document that covers all aspects of RSVP security. The context of this discussion was that draft-behringer plans to cover keying not just for RSVP Authentication but also for RSVP encryption. So I personally interpreted the statement of "all aspects of RSVP" as "all aspects of RSVP in the dimension of which protection to apply to RSVP". In any case, as far as relative scope of draft-behringer vs RFC4230, our earlier agreement was that draft-behringer would focus on key management and would refer to RFC4230 for all other aspects. The text of draft-behringer-..01 already states so. I assume we are still fine with this break down. Cheers Francois > > >> A big stumbling block we have encountered in trying to propose RSVP >> signaling as a solution for government and other corporate >> secure/sensitive networks is RSVP security. Having an IETF document >> covering RSVP security not only helps in handling such concerns, >> it will >> also aid in focused development of security solutions for RSVP. >> > Have you ever read RFC 4230? > > > Please tell me more about corporate networks using RSVP todo QoS. I > would like to met that company that deploys RSVP to dynamically > signal QoS in their network. > > Btw, when you make use of QoS mechanisms in a network then you > automatically introduce more security vulnerabilities. > >> Thus, I reiterate my support in making this a WG document. >> >> > > Ciao > Hannes > >> Regards, >> Anshul >> -----Original Message----- >> From: Lars Eggert [mailto:lars.eggert@nokia.com] Sent: Monday, >> January 28, 2008 5:26 AM >> To: ext Francois Le Faucheur IMAP >> Cc: ext Magnus Westerlund; RJ Atkinson; Brian Weis; tsvwg list IETF >> Subject: Re: [Tsvwg] Adopting >> draft-behringer-tsvwg-rsvp-security-groupkeying as WG item? >> >> Hi, >> >> On 2008-1-28, at 11:59, ext Francois Le Faucheur IMAP wrote: >> >>> On 24 Jan 2008, at 18:04, Lars Eggert wrote: >>> >>> >>>> (individual hat on) >>>> >>>> I'm not convinced that this document needs to be a TSVWG >>>> document. It's an Informational document that surveys group >>>> keying options for RSVP, and as such could be published >>>> directly through the RFC Editor. >>>> >>> I am not aware of any solution currently available from the IETF >>> to actually deploy such distribution of group keys for RSVP. >>> This could, for example, be easily achieved with small extensions >>> to GDOI (draft-weis-gdoi-for-rsvp), but a solution will only be >>> defined in IETF (e.g. by MSEC) if the corresponding need is >>> established by the TSVWG. >>> >> >> based on the discussions in Vancouver, I thought the goal of this >> document was to survey the options for group keying for RSVP. I >> don't see how such a survey would motivate the need for any sort >> of solution work. Meaning that even if this survey finds that >> none of the existing options are always satisfactory, that's a >> finding that to me still doesn't immediately motivate the need to >> develop any new solution. New protocol work should be motivated >> by an application requiring it. >> >> >>> So, my recommendation is that TSVWG decides whether group keying >>> is useful for RSVP security or not, and if yes documents this >>> decision. Making draft-behringer-tsvwg-.. a WG document seems a >>> natural way to achieve this. >>> This is one reason why I feel draft-behringer-tsvwg should be >>> considered for WG document. >>> >> >> For which current work item in TSVWG would group keying be useful, >> or rather, required? A need for a new solution needs to come from >> an application that requires group keying. As far as I know, no >> such application is being worked on in TSVWG. >> >> >>> (I certainly feel that a group keying solution for RSVP would be >>> very useful. If some people feel that group keying for RSVP is >>> not useful, it would be interesting to know why and how the >>> problems solved by group keying can be addressed differently.) >>> >> >> Lots of things are useful - what application requires group keying >> for RSVP that goes beyond what we currently have? I'd like to >> understand where the motivation comes from. >> >> >>> Another practical reason is that the issue of group keying >>> methods for RSVP gets raised by Security experts every time >>> there is a new RSVP-related document going to IESG Last Call. >>> See, for example, the thread with Ran Atkinson from Dec 2006 and >>> titled "Re: [Tsvwg] Re: IETF LC comments on draft-ietf-tsvwg- >>> rsvp-ipsec". >>> Effectively, on request from Security experts in order to make >>> sure the security aspects are covered appropriately, we end up >>> re- discussing the applicability of existing keying methods + >>> applicability of potential future group keying methods in the >>> "Security Considerations" section of every RSVP-related document >>> (see RFC4860, draft-ietf-tsvwg-emergency-rsvp). It is important >>> that applicability/Pros&cons of various keying methods for RSVP >>> be documented by TSVWG once for all. This discussion should >>> reflect the view of the WG since it affects RSVP security across >>> all RSVP- related documents. >>> >> >> So this argues for extracting the repeated argument into an >> individual draft, so it can be referenced instead of needing to >> be duplicated. But it does not motivate the need for a new solution. >> >> >>> Also, draft-behringer-tsvwg proposes to document applicability >>> of keying methods to IPsec protection of RSVP (as opposed to >>> just RSVP authentication). We are not aware of an IETF document >>> where this is well addressed and feel this would be useful (and >>> has been requested by a few people e.g. Anshul from LMCO). >>> >> >> >> Can you point me at Anhul's email, please? I couldn't dig it up >> locally. >> >> Thanks, >> Lars >> >> >> >> >
- [Tsvwg] Adopting draft-behringer-tsvwg-rsvp-secur… Magnus Westerlund
- Re: [Tsvwg] Adopting draft-behringer-tsvwg-rsvp-s… Francois Le Faucheur IMAP
- RE: [Tsvwg] Adopting draft-behringer-tsvwg-rsvp-s… Kantawala, Anshul
- Re: [Tsvwg] Adopting draft-behringer-tsvwg-rsvp-s… Lars Eggert
- Re: [Tsvwg] Adopting draft-behringer-tsvwg-rsvp-s… Melinda Shore
- Re: [Tsvwg] Adopting draft-behringer-tsvwg-rsvp-s… Francois Le Faucheur IMAP
- Re: [Tsvwg] Adopting draft-behringer-tsvwg-rsvp-s… Lars Eggert
- RE: [Tsvwg] Adopting draft-behringer-tsvwg-rsvp-s… hannes.tschofenig
- Re: [Tsvwg] Adopting draft-behringer-tsvwg-rsvp-s… Hannes Tschofenig
- Re: [Tsvwg] Adopting draft-behringer-tsvwg-rsvp-s… Melinda Shore
- Re: [Tsvwg] Adopting draft-behringer-tsvwg-rsvp-s… Magnus Westerlund
- Re: [Tsvwg] Adopting draft-behringer-tsvwg-rsvp-s… RJ Atkinson
- Re: [Tsvwg] Adopting draft-behringer-tsvwg-rsvp-s… RJ Atkinson
- Re: [Tsvwg] Adopting draft-behringer-tsvwg-rsvp-s… Francois Le Faucheur IMAP
- Re: [Tsvwg] Adopting draft-behringer-tsvwg-rsvp-s… RJ Atkinson
- Re: [Tsvwg] Adopting draft-behringer-tsvwg-rsvp-s… RJ Atkinson
- AW: [Tsvwg] Adopting draft-behringer-tsvwg-rsvp-s… Tschofenig, Hannes (NSN - FI/Espoo)
- AW: [Tsvwg] Adopting draft-behringer-tsvwg-rsvp-s… Tschofenig, Hannes (NSN - FI/Espoo)
- Re: AW: [Tsvwg] Adopting draft-behringer-tsvwg-rs… RJ Atkinson
- Re: AW: [Tsvwg] Adopting draft-behringer-tsvwg-rs… RJ Atkinson
- Re: [Tsvwg] Adopting draft-behringer-tsvwg-rsvp-s… Francois Le Faucheur IMAP
- Re: AW: [Tsvwg] Adopting draft-behringer-tsvwg-rs… Francois Le Faucheur IMAP
- Re: [Tsvwg] Adopting draft-behringer-tsvwg-rsvp-s… Francois Le Faucheur IMAP
- Re: [Tsvwg] Adopting draft-behringer-tsvwg-rsvp-s… Lars Eggert
- Re: [Tsvwg] Adopting draft-behringer-tsvwg-rsvp-s… Magnus Westerlund
- Re: [Tsvwg] Adopting draft-behringer-tsvwg-rsvp-s… Lars Eggert
- Re: [Tsvwg] Adopting draft-behringer-tsvwg-rsvp-s… Francois Le Faucheur IMAP
- Re: [Tsvwg] Adopting draft-behringer-tsvwg-rsvp-s… Brian Weis
- RE: [Tsvwg] Adopting draft-behringer-tsvwg-rsvp-s… Kantawala, Anshul
- Re: [Tsvwg] Adopting draft-behringer-tsvwg-rsvp-s… Brian Weis
- Re: [Tsvwg] Adopting draft-behringer-tsvwg-rsvp-s… ken carlberg
- Re: [Tsvwg] Adopting draft-behringer-tsvwg-rsvp-s… Francois Le Faucheur IMAP
- AW: [Tsvwg] Adopting draft-behringer-tsvwg-rsvp-s… Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [Tsvwg] Adopting draft-behringer-tsvwg-rsvp-s… Hannes Tschofenig
- Re: [Tsvwg] Adopting draft-behringer-tsvwg-rsvp-s… Hannes Tschofenig
- Re: [Tsvwg] Adopting draft-behringer-tsvwg-rsvp-s… Lars Eggert
- Re: [Tsvwg] Adopting draft-behringer-tsvwg-rsvp-s… Francois Le Faucheur IMAP
- Re: [Tsvwg] Adopting draft-behringer-tsvwg-rsvp-s… Francois Le Faucheur IMAP
- Re: [Tsvwg] Adopting draft-behringer-tsvwg-rsvp-s… Lars Eggert
- Re: [Tsvwg] Adopting draft-behringer-tsvwg-rsvp-s… Francois Le Faucheur IMAP
- Re: [Tsvwg] Adopting draft-behringer-tsvwg-rsvp-s… Lars Eggert
- Re: [Tsvwg] Adopting draft-behringer-tsvwg-rsvp-s… Lars Eggert
- Re: [Tsvwg] Adopting draft-behringer-tsvwg-rsvp-s… Francois Le Faucheur IMAP
- Re: [Tsvwg] Adopting draft-behringer-tsvwg-rsvp-s… Magnus Westerlund