Security Question (Re: 2447bis and related documents)

Ross Callon <rcallon@juniper.net> Sun, 01 February 2004 02:55 UTC

Received: from optimus.ietf.org ([132.151.1.19]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id VAA19651 for <vpn-dir-archive@odin.ietf.org>; Sat, 31 Jan 2004 21:55:53 -0500 (EST)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1An7le-0000EG-L9 for vpn-dir-archive@odin.ietf.org; Sat, 31 Jan 2004 21:55:26 -0500
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id i112tQ25000874 for vpn-dir-archive@odin.ietf.org; Sat, 31 Jan 2004 21:55:26 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1An7le-0000E0-Gv for vpn-dir-web-archive@optimus.ietf.org; Sat, 31 Jan 2004 21:55:26 -0500
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id VAA19641 for <vpn-dir-web-archive@ietf.org>; Sat, 31 Jan 2004 21:55:23 -0500 (EST)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1An7lb-0007cl-00 for vpn-dir-web-archive@ietf.org; Sat, 31 Jan 2004 21:55:23 -0500
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1An7ke-0007Xh-00 for vpn-dir-web-archive@ietf.org; Sat, 31 Jan 2004 21:54:25 -0500
Received: from [132.151.1.19] (helo=optimus.ietf.org) by ietf-mx with esmtp (Exim 4.12) id 1An7kF-0007Sj-00 for vpn-dir-web-archive@ietf.org; Sat, 31 Jan 2004 21:53:59 -0500
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1An7kH-0000CP-0E; Sat, 31 Jan 2004 21:54:01 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1An7jh-0000Ak-9M for vpn-dir@optimus.ietf.org; Sat, 31 Jan 2004 21:53:28 -0500
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id VAA19562 for <vpn-dir@ietf.org>; Sat, 31 Jan 2004 21:53:22 -0500 (EST)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1An7je-0007Rq-00 for vpn-dir@ietf.org; Sat, 31 Jan 2004 21:53:22 -0500
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1An7ij-0007Ln-00 for vpn-dir@ietf.org; Sat, 31 Jan 2004 21:52:26 -0500
Received: from colo-dns-ext2.juniper.net ([207.17.137.64]) by ietf-mx with esmtp (Exim 4.12) id 1An7iB-0007Ev-00 for vpn-dir@ietf.org; Sat, 31 Jan 2004 21:51:51 -0500
Received: from merlot.juniper.net (merlot.juniper.net [172.17.27.10]) by colo-dns-ext2.juniper.net (8.12.3/8.12.3) with ESMTP id i112pMBm093858; Sat, 31 Jan 2004 18:51:22 -0800 (PST) (envelope-from rcallon@juniper.net)
Received: from rcallon-lt.juniper.net (securepptp177.static.jnpr.net [172.24.253.177]) by merlot.juniper.net (8.11.3/8.11.3) with ESMTP id i112pLh16624; Sat, 31 Jan 2004 18:51:22 -0800 (PST) (envelope-from rcallon@juniper.net)
Message-Id: <4.3.2.20040130150047.02ed1aa0@zircon.juniper.net>
X-Sender: rcallon@zircon.juniper.net (Unverified)
X-Mailer: QUALCOMM Windows Eudora Version 4.3
Date: Sat, 31 Jan 2004 21:46:25 -0500
To: Thomas Narten <narten@us.ibm.com>
From: Ross Callon <rcallon@juniper.net>
Subject: Security Question (Re: 2447bis and related documents)
Cc: vpn-dir@ietf.org
In-Reply-To: <200401271702.i0RH2AJ05563@cichlid.raleigh.ibm.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: vpn-dir-admin@ietf.org
Errors-To: vpn-dir-admin@ietf.org
X-BeenThere: vpn-dir@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/vpn-dir>, <mailto:vpn-dir-request@ietf.org?subject=unsubscribe>
List-Id: VPN Directorate <vpn-dir.ietf.org>
List-Post: <mailto:vpn-dir@ietf.org>
List-Help: <mailto:vpn-dir-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/vpn-dir>, <mailto:vpn-dir-request@ietf.org?subject=subscribe>
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on ietf-mx.ietf.org
X-Spam-Status: No, hits=2.0 required=5.0 tests=AWL,FORGED_MUA_EUDORA autolearn=no version=2.60

>Looking further, I then see that the AS is modeled after: 
>       draft-ietf-l3vpn-as-vr-00.txt
>
>which contains a number of questions to answer about a proposed
>solution. Both AS documents do this, but they tend to say hand-wavy
>things like "you can run IPsec here" or this or that, as a way to
>mitigate.
>
>Have others read the AS and are you happy with what it says?

The questions are actually taken from the VPN security framework.
The applicability statement for BGP/MPLS L3 VPNs was done before
the AS for VRs. Thus it is natural that the authors of the VR AS may 
have taken a look at the other document before they wrote their AS. 

I think that the correct answer to a lot of these questions is that the
way to secure VPNs in various ways involves use of other protocols
or products or product features. Thus referring to other protocols 
which can be used in conjunction with BGP/MPLS VPNs seems
straightforward to me. 

Ross


_______________________________________________
Vpn-dir mailing list
Vpn-dir@ietf.org
https://www1.ietf.org/mailman/listinfo/vpn-dir