Hi Yaron, Yoav,

Very interesting approach. Just a pair of quick comments.

1. You propose to allocate a 16-byte-long SPI for the probe response
   from the "reserved" SPI space. The packet looks like a UDP-encapsulated
   IPsec packet, so it must start with the ESP SPI, for which the values
   below 256 are reserved. So, why do you make your "SPI"
   16 bytes long, while 4 bytes is enough to distinguish it from
   both IKE and IPsec?

2. What's the reason to allocate new payloads for the AutoVPN Nonce
   and (especially) for Contact Details? Why can't the Notify Payload be used?
   It is a cheaper resource and, I think, well suited for these
   purposes.

Regards,
Valery Smyslov.
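
Point 1 rests on how a receiver demultiplexes UDP-encapsulated traffic: per RFC 3948 four zero bytes mark IKE, and per RFC 4303 SPI values 1 to 255 are reserved, so the first four bytes alone separate a reserved-range identifier from both IKE and ESP. The sketch below is an added example, not part of the original message or of the draft; the probe value 0xAA and all sample datagrams are constructed assumptions.

```python
import struct

NON_ESP_MARKER = 0        # RFC 3948: four zero bytes precede IKE on UDP/4500
RESERVED_SPI_MAX = 255    # RFC 4303: SPI values 1..255 are reserved


def classify_udp4500(payload: bytes) -> str:
    """Classify a UDP/4500 datagram by looking at its first four bytes only."""
    if payload == b"\xff":
        return "nat-keepalive"        # RFC 3948 one-octet keepalive
    if len(payload) < 4:
        return "malformed"
    (spi,) = struct.unpack("!I", payload[:4])
    if spi == NON_ESP_MARKER:
        return "ike"
    if spi <= RESERVED_SPI_MAX:
        return "reserved-spi"         # can never be a negotiated ESP SA
    return "esp"


# Constructed sample datagrams (not captured traffic).
HYPOTHETICAL_PROBE_SPI = 0xAA         # assumption: any value in 1..255
PROBE_PREFIX = struct.pack("!I", HYPOTHETICAL_PROBE_SPI)
SAMPLES = {
    "ike": b"\x00" * 4 + b"\x11" * 28,
    "esp": struct.pack("!II", 0x12345678, 1) + b"\x22" * 16,
    # Same probe body behind a 4-byte and a 16-byte identifier.
    "probe, 4-byte id": PROBE_PREFIX + b"\x33" * 8,
    "probe, 16-byte id": PROBE_PREFIX + b"\x44" * 12 + b"\x33" * 8,
    "keepalive": b"\xff",
}


def classify_samples() -> dict:
    """Run the classifier over every constructed sample."""
    return {name: classify_udp4500(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, kind in classify_samples().items():
        print(f"{name:18} -> {kind}")
```

Both probe variants land in the same class, because the extra twelve identifier bytes are never consulted when separating the packet from IKE and ESP.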



----- Original Message -----
From: "Yaron Sheffer" <yaronf.i...@gmail.com>
To: "ipsec" <ipsec@ietf.org>
Sent: Tuesday, February 04, 2014 7:37 AM
Subject: [IPsec] Fwd: New Version Notification for draft-sheffer-autovpn-00.txt


Hi,

Yoav and I just published this draft. The two main points are:

- IPsec opportunistic encryption is also interesting between security gateways, not only between hosts.
- With a bit of extra plumbing, opportunistic encryption can be "upgraded" post facto into full authentication.

Comments are welcome on this list, but note that this is not proposed as a working group document.

Thanks,
Yaron

-------- Original Message --------
Subject: New Version Notification for draft-sheffer-autovpn-00.txt
Date: Mon, 03 Feb 2014 19:30:45 -0800
From: internet-dra...@ietf.org
To: Yoav Nir <y...@checkpoint.com>, Yaron Sheffer <yaronf.i...@gmail.com>, "Yaron Sheffer" <yaronf.i...@gmail.com>, "Yoav Nir" <y...@checkpoint.com>


A new version of I-D, draft-sheffer-autovpn-00.txt
has been successfully submitted by Yaron Sheffer and posted to the
IETF repository.

Name: draft-sheffer-autovpn
Revision: 00
Title: The AutoVPN Architecture
Document date: 2014-02-04
Group: Individual Submission
Pages: 17
URL: http://www.ietf.org/internet-drafts/draft-sheffer-autovpn-00.txt
Status:         https://datatracker.ietf.org/doc/draft-sheffer-autovpn/
Htmlized:       http://tools.ietf.org/html/draft-sheffer-autovpn-00


Abstract:
   This document describes the AutoVPN architecture.  AutoVPN allows
   IPsec security associations to be set up with no prior configuration,
   using the "leap of faith" paradigm.  The document defines a
   lightweight protocol for negotiating such opportunistic encryption
   either directly between hosts or between two security gateways on the
   path.





Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat



_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
