Re: [IPsec] AD review: draft-nir-ipsecme-erx-04.txt

[Yoav Nir]

Hi Sean

Thanks for the review. My answers are inline.

Yoav

On Jul 3, 2012, at 2:17 AM, Sean Turner wrote:

 Yoav asked me to do an AD review of draft-nir-ipsecme-erx.  We agreed 
 that it'd be all right for me to send my comments here.   They are as 
 follows:
 
 0) Overall: A couple of folks that I mentioned this to asked: is anybody 
 really doing ERP?  So I'm just curious if they are.  This obviously 
 non-blocking.

My guess is that it is not widely deployed, because 802.1x is for now not 
widely deployed. EAP is used in some other contexts, like L2TP VPN clients and 
cable modem/ADSL dialers, but those don't tend to need support for roaming.

 1) General: In case people missed it, the first EAP message for ERX is 
 moved to the initial IKE_AUTH request.  I haven't seen any objections to 
 this but I'd like to make sure implementers are okay with this!?
 
 Maybe it's splitting hairs but could you do the following to maintain 
 architectural integrity/purity (i.e., not mix them):
 
first request   -- EAP(EAP_Initiate/Re-auth),
 
 be this:
 
first request   -- N[EAP(EAP_Initiate/Re-auth)],
 
 I guess you could do the same thing for the first response.

The responder has indicated support for ERX in the Initial exchange response, 
so it is expecting to get an EAP message in the first IKE_AUTH request. I guess 
architectural integrity is a matter of taste, but to me it seems that EAP 
messages should go in EAP payloads rather than Notify payloads.

 2) expand AAA on first use

Last paragraph of section 2. OK, will do.

 3) s3 contains the following:
 
  This Notify replaces the EAP-Initiate/Re-auth-Start message of ERX,
  and therefore contains the domain name, as specified in section
  5.3.1.1 of [RFC5296bis].
 
 Is replaces the right word here?  I think what you're saying is that 
 the Notify serves the same purpose as the ERX EAP-Initiate/Re-auth-Start 
 message?
 
 I went to 5.3.1.1 and I think what you're really pointing to is the 
 Domain-Name in 5.3.1, which is an NAI from [RFC4282]?  Maybe switch the 
 pointer to 5.3.1.

Right about the replace. Section 5.3.1.1 talks about the authenticator 
operation (sending the EAP-Initiate/Re-auth-Start message and including the 
domain name TLV), so it seemed appropriate. On the other hand 5.3.1 contains 
the format of the EAP message, which is different from that of the IKEv2 Notify 
payload. How about:

   This Notify serves the same purpose as the EAP-Initiate/Re-auth-Start
   message of ERX, as specified in section 5.3.1 or [RFC5296bis]. The 
   domain name included in the payload is the same as that included in
   the Domain-Name TLV as specified in section 5.3.1.1 or the same 
   document.

 4) s3: In the intro to the protocol exchanges it says most of the 
 optional bits are omitted, but that seems to only be true in the 
 IKE_SA_INIT exchanges.  Could the IKE_AUTH exchanged be trimmed down to 
 (and depending on comment 0 the first line gets changed too):
 
 first request   -- EAP(EAP_Initiate/Re-auth),
 IDi,
 SA, TSi, TSr,
 
 first response  -- IDr, AUTH,
 EAP(EAP-Finish/Re-auth),
 
 last request-- AUTH
 
 last response   -- AUTH,
 SA, TSi, TSr,
 
 Just curious if those optional fields aren't so optional anymore.

You're right. I will, however leave the CERT payload in there, so as not to 
have this imply that we're not using certs anymore (we're not requiring RFC 
5998 compliance)

 5) s3: Do you think the following would help the not so plugged in 
 reader to add the following to the figure of the exchanges:
 
   IKE_SA_INIT
+-
|init request -- SA, KE, Ni,
|
|
|
|init response   -- SA, KE, Nr,
+-   N[ERX_SUPPORTED]
 
   IKE_AUTH Exchange with EAP
+-
|first request   -- EAP(EAP_Initiate/Re-auth),
|IDi,
|SA, TSi, TSr,
|
|first response  -- IDr, AUTH,
|EAP(EAP-Finish/Re-auth),
|
|last request-- AUTH
|
|last response   -- AUTH,
|SA, TSi, TSr,
+-

I guess so. I'll add headlines next version.

 6) s3/6: Don't you have to register the Identification Payload type in 
 IKEv2 Identification Payload ID Types?

I don't think so. ID_RFC822_ADDR is already registered, and that is the format 
of the KeyName-NAI.

 7) s3.1: I think you need to be clear that the codes 5 and 6 came from 
 RFC 5296:
 
  r/(5 and 6)/(5 and 6) [RFC5296]
 
 and maybe:
 
  r/or in this document/or in [RFC5296]

   To clarify, an implementation supporting this specification MUST
   accept and transmit EAP messages with at least the codes for Initiate
   and Finish (5 and 6) (RFC5296bis]), in addition to the four codes enumerated 
in 
   RFC 5996.  This 

RE: Future Handling of Blue Sheets

[Yoav Nir]

This creates a distinguished identity, so if two Fei Zhangs attended in Paris 
(only case I found in the attendee list), this would distinguish which of them 
attended a particular meeting. It would not, however, tie them to an identity 
on the mailing list, or to the Fei Zhang who attends the Vancouver meeting, 
so I'm not sure what purpose it serves.

Yoav

-Original Message-
From: ietf-boun...@ietf.org [mailto:ietf-boun...@ietf.org] On Behalf Of Tim 
Chown
Sent: 16 June 2012 13:54
To: Joel jaeggli
Cc: IETF Chair; IETF; ietf-boun...@ietf.org
Subject: Re: Future Handling of Blue Sheets

If the purpose is simply differentiation of people with the same names, could 
we not ask people to enter the last four digits of their IETF registration 
number, which would presumably be unique, while being easy to remember?  The 
number could even be on your badge to always be easy to look up.

Unless there's some reason to keep registration numbers private?

That would also allow poorly handwritten names to more readily be 
checked/corrected by OCR when the sheets are scanned.

Tim

On 16 Jun 2012, at 04:50, Joel jaeggli wrote:

 On 6/15/12 14:42 , edj@gmail.com wrote:
 I presume it is the same data that people input into the Organization 
 field when they register for the meeting.
 
 I do change mine based on what capacity I'm attending a particular 
 meeting in. That goes for email address on existing blue sheets as well...
 
 The nice people who send me a check every two weeks don't generally 
 fund my attendance.
 
 Regards,
 
 Ed  J.
 
 -Original Message-
 From: Eric Burger eburge...@standardstrack.com
 Sender: ietf-boun...@ietf.org
 Date: Fri, 15 Jun 2012 17:37:50
 To: IETF Chairch...@ietf.org
 Cc: IETFietf@ietf.org
 Subject: Re: Future Handling of Blue Sheets
 
 Do we have guidelines as to what is an organization affiliation?
 
 On Jun 14, 2012, at 5:26 PM, IETF Chair wrote:
 
 Two things have occurred since the message below as sent to the IETF mail 
 list.  First, we got a lawyer in Europe to do some investigation, and the 
 inclusion of the email address on the blue sheet will lead to trouble with 
 the European privacy laws.  Second, Ted Hardie suggested that we could 
 require a password to access the scanned blue sheet.
 
 Based on the European privacy law information, the use of email will result 
 in a major burden.  If the email address is used, then we must provide a 
 way for people to ask for their email address to be remove at any time in 
 the future, even if we got prior approval to include it.  Therefore, I 
 suggest that we collect organization affiliation to discriminate between 
 multiple people with the same name instead of email address.
 
 Based on Ted's suggestion, I checked with the Secretariat about using a 
 datatracker login to download the scanned blue sheet.  This is fairly easy 
 to do, once the community tracking tools are deployed.  However, with the 
 removal of the email addresses from the blue sheets, it is unclear that 
 there is any further need for password protection of these images.  
 Therefore, I suggest that we proceed without password protection for the 
 blue sheet images.
 
 Here is a summary of the suggested way forward:
 
 - Stop collecting email addresses on blue sheets;
 
 - Collect organization affiliation to discriminate between multiple 
 people with the same name;
 
 - Scan the blue sheets and include the images in the proceedings for 
 the WG session;
 
 - Add indication to top of the blue sheet so people know it will be 
 part of the proceedings; and
 
 - Discard paper blue sheets after scanning.
 
 Russ
 
 
 On May 6, 2012, at 12:46 PM, IETF Chair wrote:
 
 We have heard from many community participants, and consensus is quite 
 rough on this topic.  The IESG discussed this thread and reached two 
 conclusions:
 
 (1) Rough consensus: an open and transparent standards process is more 
 important to the IETF than privacy of blue sheet information.
 
 (2) Rough consensus: inclusion of email addresses is a good way to 
 distinguish participants with the same or similar names.
 
 
 Based on these conclusions, the plan is to handle blue sheets as follows:
 
 - Continue to collect email addresses on blue sheets;
 
 - Scan the blue sheet and include the image in the proceedings for 
 the WG session;
 
 - Add indication to top of the blue sheet so people know it will be 
 part of the proceedings; and
 
 - Discard paper blue sheets after scanning.
 
 
 On behalf of the IESG,
 Russ
 
 
 
 
 
 


Scanned by Check Point Total Security Gateway.

Re: New Non-WG Mailing List: IETF-822

[Yoav Nir]

On Jun 15, 2012, at 12:44 AM, Peter Saint-Andre wrote:

 On 6/14/12 3:37 PM, IETF Secretariat wrote:
 
 List address: ietf-...@ietf.org
 
 Is no one thinking ahead to the 822nd meeting of the IETF in the year
 2258?!?

Well, I've started working on draft-nir-ipv6-were-finally-deploying-it but I'm 
not sure what format would be an appropriate submission format in the 23rd 
century.

Doesn't it coincide with the 1st season of Babylon 5?

Yoav

Re: [IPsec] New Version Notification for draft-nir-ipsecme-ike-tcp-00.txt

[Yoav Nir]

On Jun 15, 2012, at 1:34 PM, Tero Kivinen wrote:

 2. Since INIT always happens over UDP, as responder, I can immediately 
 close any TCP connection that doesn't present an IKE header with an SPI 
 I recognize.
 
 I don't agree that IKE_SA_INIT should always be over UDP. The first
 flight of packets from the server in TCP includes at most 2 packets.
 Then the server has to wait for an ACK to continue. Same goes for
 the request. So beginning with the IKE_AUTH exchange for TCP can add
 up to three roundtrips. This is a shame when dealing with a peer
 that we know supports IKE.
 
 I do not understand your statement above. Especially what does server
 has to wait for an ACK to continue? If there is space in window there
 is no need to wait for ACKs, you can just send next packet to the
 other end immediately when you have it.

The application (in this context that is the IKE implementation) does not need 
to wait, it can send everything immediately. But TCP has slow start. Depending 
on OS, the first flight can be either 1 or 2 segments. If your IKE_AUTH message 
takes more than two segments, the third segment will wait for a TCP ack, 
effectively adding a round-trip.

If you do the IKE_SA_INIT over TCP as well, then the ACK for the IKE_SA_INIT 
(usually delivered in the IKE_SA_INIT response) doubles the receive window, so 
the next request can be up to four segments.

I don't think this is particularly significant, but this issue has come up in 
proposals for TLS, where the 
ServerHello-Certificate-[ServerKeyExchange]-ServerHelloDone flight can be very 
large, and break the 2 segment limit.

Yoav

___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Re: [IPsec] New Version Notification for draft-nir-ipsecme-ike-tcp-00.txt

[Yoav Nir]

Hi Yaron

Responses are inline.

Yoav

On Jun 14, 2012, at 1:40 AM, Yaron Sheffer wrote:

 Hi Yoav,
 
 thank you for the new draft. A few comments:
 
 - Please mention the question of IKE keepalive messages (liveness 
 check). Do you expect these messages to each be on a new connection? Or 
 to preserve one long-lived one?

I think section 2.1 makes it clear that the TCP connections should be 
short-lived. Specifically, I would not send liveness checks, which are very 
short requests and responses over TCP. I would use UDP exclusively for those.

 - The draft kind of skirts the question, and I would prefer to be clear: 
 we are standardizing new behavior for IKEv2, not for IKEv1.

I think it's suitable for both versions. If this gets adopted by the working 
group, and people object to standardizing new stuff for IKEv1, I can remove all 
mention of it. 

hat type=vendor
Our present implementation works with IKEv1, and has done so for over 10 years. 
I could submit an Informational describing how Check Point's implementation 
does IKEv1 over TCP. But just as new ciphers would apply to both versions, I 
think this transport can also be independent of version.
/hat

 - In the security considerations, we should mention that (under certain 
 assumptions), it is easier for an off-path attacker to reset a TCP 
 connection than a UDP connection.

Yes, TCP presents some DoS opportunities not available for UDP. I'll look for 
an RFC that talks about this. And if there isn't one, there d**n well should be.

 - There are obvious advantages to negotiating this capability: you don't 
 have clients sending SYNs that will get rejected by firewalls/endpoints. 
 Especially in IKEv2 where the heavy stuff only happens on message #3.

SYN/SYN-ACK or SYN/RST is a kind of negotiation. Besides, sending a 
notification over UDP that says I support TCP doesn't help much, because it 
cannot vouch for the path allowing TCP port 500.  I wonder if there's an actual 
use case for increasing the length field of payloads, so that IKE can support 
larger payloads when working over TCP. One use for this would be to send large 
CRLs in a CERT payload.

 - 2.3: disallowing retransmissions implies a change on both transmitter 
 and receiver, and I think this is unnecessary. You can change the IKE 
 timeouts on the sender to achieve the same behavior, even if rarely an 
 odd retransmission does slip through.

I guess. There is a MUST in section 2.4 for keeping retransmission detection, 
so when implementing the transmitter, you can do either. It doesn't make sense 
to retransmit at the application level when TCP does it for you.

 
 Thanks,
   Yaron
 
 On 06/14/2012 12:59 AM, Yoav Nir wrote:
 Hi
 
 I've submitted this draft as a possible solution to the problem
 discussed in the thread about fragmentation causing IKE to fail.
 
 Comments are welcome.
 
 Yoav
 
 Begin forwarded message:
 
 *From: *internet-dra...@ietf.org mailto:internet-dra...@ietf.org
 internet-dra...@ietf.org mailto:internet-dra...@ietf.org
 *Subject: **New Version Notification for draft-nir-ipsecme-ike-tcp-00.txt*
 *Date: *June 13, 2012 7:13:55 PM GMT+03:00
 *To: *Yoav Nir y...@checkpoint.com mailto:y...@checkpoint.com
 
 
 A new version of I-D, draft-nir-ipsecme-ike-tcp-00.txt
 has been successfully submitted by Yoav Nir and posted to the
 IETF repository.
 
 Filename:draft-nir-ipsecme-ike-tcp
 Revision:00
 Title:A TCP transport for the Internet Key Exchange
 Creation date:2012-06-13
 WG ID:Individual Submission
 Number of pages: 7
 URL: http://www.ietf.org/internet-drafts/draft-nir-ipsecme-ike-tcp-00.txt
 Status: http://datatracker.ietf.org/doc/draft-nir-ipsecme-ike-tcp
 Htmlized: http://tools.ietf.org/html/draft-nir-ipsecme-ike-tcp-00
 
 
 Abstract:
 This document describes using TCP for IKE messages. This facilitates
 the transport of large messages over paths where fragments are
 dropped.
 
 
 
 
 The IETF Secretariat
 
 
 
 ___
 IPsec mailing list
 IPsec@ietf.org
 https://www.ietf.org/mailman/listinfo/ipsec
 
 Scanned by Check Point Total Security Gateway.

___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Re: [IPsec] New Version Notification for draft-nir-ipsecme-ike-tcp-00.txt

[Yoav Nir]

On Jun 14, 2012, at 10:34 PM, John Leser wrote:

 On 06/14/12 13:39, Yoav Nir wrote:
 Hi Yaron
 
 Responses are inline.
 
 Yoav
 
 On Jun 14, 2012, at 1:40 AM, Yaron Sheffer wrote:
 
 Hi Yoav,
 
 thank you for the new draft. A few comments:
 
 - Please mention the question of IKE keepalive messages (liveness
 check). Do you expect these messages to each be on a new connection? Or
 to preserve one long-lived one?
 
 I think section 2.1 makes it clear that the TCP connections should be 
 short-lived. Specifically, I would not send liveness checks, which are very 
 short requests and responses over TCP. I would use UDP exclusively for those.
 
 
 This section is a little unclear to me.  Is the idea that the initiator 
 of the exchange(s) may send up to IKEv2 request window requests, wait 
 for the responses to arrive and then must close the connection?  Or can 
 the initiator perform as many exchanges as it likes over one TCP 
 connection, so long as knows that it has requests it wants to send? 
 If this connection closing requirement is designed to interact with the 
 IKEv2 request window, please make it more clear.

OK, I will. It has nothing to do with the request window. The Initiator can 
send as many requests as it wants as long as it has any to send. When it's idle 
(like if all the necessary child SAs are ready) it should close the connection 
rather than leave it idle.

 - The draft kind of skirts the question, and I would prefer to be clear:
 we are standardizing new behavior for IKEv2, not for IKEv1.
 
 I think it's suitable for both versions. If this gets adopted by the working 
 group, and people object to standardizing new stuff for IKEv1, I can remove 
 all mention of it.
 
 hat type=vendor
 Our present implementation works with IKEv1, and has done so for over 10 
 years. I could submit an Informational describing how Check Point's 
 implementation does IKEv1 over TCP. But just as new ciphers would apply to 
 both versions, I think this transport can also be independent of version.
 /hat
 
 I'd rather settle on the best possible solution for IKEv2 without 
 worrying about making sure it works for IKEv1 as well.

If that's where the group consensus is going, I am fine with making an 
Informational document about IKEv1 over TCP in CP products.

 - In the security considerations, we should mention that (under certain
 assumptions), it is easier for an off-path attacker to reset a TCP
 connection than a UDP connection.
 
 Yes, TCP presents some DoS opportunities not available for UDP. I'll look 
 for an RFC that talks about this. And if there isn't one, there d**n well 
 should be.
 
 
 I suggest adding a MUST that a lost TCP connection or truncated packet 
 from the peer should never constitute a failed exchange (which in many 
 cases, closes the SA).

Agree

 - There are obvious advantages to negotiating this capability: you don't
 have clients sending SYNs that will get rejected by firewalls/endpoints.
 Especially in IKEv2 where the heavy stuff only happens on message #3.
 
 SYN/SYN-ACK or SYN/RST is a kind of negotiation. Besides, sending a 
 notification over UDP that says I support TCP doesn't help much, because 
 it cannot vouch for the path allowing TCP port 500.  I wonder if there's an 
 actual use case for increasing the length field of payloads, so that IKE can 
 support larger payloads when working over TCP. One use for this would be to 
 send large CRLs in a CERT payload.
 
 
 I agree with the concerns Yaron has raised here.  I would much prefer 
 that this be negotiated via notifications during the SA_INIT exchange. 
 I see a number of benefits:
 
 1. The TCP listening port could be explicitly exchanged (as data in the 
 notification), rather than always assumed 500.  This would allow 
 operation in parallel with any legacy/proprietary use of that server 
 port, and in general more deployment flexibility.
 
 2. Since INIT always happens over UDP, as responder, I can immediately 
 close any TCP connection that doesn't present an IKE header with an SPI 
 I recognize.

I don't agree that IKE_SA_INIT should always be over UDP. The first flight of 
packets from the server in TCP includes at most 2 packets. Then the server has 
to wait for an ACK to continue. Same goes for the request. So beginning with 
the IKE_AUTH exchange for TCP can add up to three roundtrips. This is a shame 
when dealing with a peer that we know supports IKE. 

 3. It fits better with the IKEv2 design of never assuming the peer has 
 capabilities beyond the base requirements without a notification/vendor 
 payload indicating otherwise.

Just as clients may start IKE over UDP port 4500, they should be able to begin 
IKE_SA_INIT over TCP. We can still have those notifications for clients using 
UDP for IKE_SA_INIT, but it would be silly to send them over TCP.

 - 2.3: disallowing retransmissions implies a change on both transmitter
 and receiver, and I think this is unnecessary. You can change the IKE
 timeouts

RE: Change in I-D announcement format

[Yoav Nir]

This line is not too hot either:

There's also a htmlized version available at:
http://tools.ietf.org/html/submission.filename }}-01 

-Original Message-
From: ietf-boun...@ietf.org [mailto:ietf-boun...@ietf.org] On Behalf Of Brian E 
Carpenter
Sent: 13 June 2012 10:48
To: IETF discussion list
Subject: Change in I-D announcement format

Did I miss an announcement of the change in format of I-D announcement messages?

There's no longer a URL for the standard .txt format. That's mildly annoying 
for me (extra time and extra mouse clicks) and must be a nuisance for anyone 
who processes these messages automatically.

At least, I would have expected a warning message about the change.

--
Regards
   Brian Carpenter



Scanned by Check Point Total Security Gateway.

[IPsec] Fwd: New Version Notification for draft-nir-ipsecme-ike-tcp-00.txt

[Yoav Nir]

Hi

I've submitted this draft as a possible solution to the problem discussed in 
the thread about fragmentation causing IKE to fail.

Comments are welcome.

Yoav

Begin forwarded message:

From: internet-dra...@ietf.orgmailto:internet-dra...@ietf.org 
internet-dra...@ietf.orgmailto:internet-dra...@ietf.org
Subject: New Version Notification for draft-nir-ipsecme-ike-tcp-00.txt
Date: June 13, 2012 7:13:55 PM GMT+03:00
To: Yoav Nir y...@checkpoint.commailto:y...@checkpoint.com


A new version of I-D, draft-nir-ipsecme-ike-tcp-00.txt
has been successfully submitted by Yoav Nir and posted to the
IETF repository.

Filename: draft-nir-ipsecme-ike-tcp
Revision: 00
Title: A TCP transport for the Internet Key Exchange
Creation date: 2012-06-13
WG ID: Individual Submission
Number of pages: 7
URL: 
http://www.ietf.org/internet-drafts/draft-nir-ipsecme-ike-tcp-00.txt
Status:  http://datatracker.ietf.org/doc/draft-nir-ipsecme-ike-tcp
Htmlized:http://tools.ietf.org/html/draft-nir-ipsecme-ike-tcp-00


Abstract:
  This document describes using TCP for IKE messages.  This facilitates
  the transport of large messages over paths where fragments are
  dropped.




The IETF Secretariat

___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Re: [IPsec] Fragmentation causing IKE to fail

[Yoav Nir]

Hi Yaron

IPsec usually reduces the effective PMTU by 50-100 bytes. There are ways to 
overcome this:
 - the encrypting gateway can send ICMP fragmentation needed packets to the 
origin of the packet
 - the encrypting gateway can fiddle with the MSS on TCP SYN and SYN-ACK to 
reduce the size of TCP packets
 - the encrypting gateway can fragment before encrypting, thus making the ESP 
(with or without UDP) small enough and apparently not fragmented.

Yoav 

-Original Message-
From: Yaron Sheffer [mailto:yaronf.i...@gmail.com] 
Sent: 11 June 2012 09:54
To: Valery Smyslov
Cc: Tero Kivinen; ipsec@ietf.org; Yoav Nir
Subject: Re: [IPsec] Fragmentation causing IKE to fail

Hi Valery,

This is not a different problem, because whatever solution we choose, we must 
ensure the whole system is functional: both IKE and IPsec. Routers that drop 
IKE fragments will not hesitate to drop ESP/UDP fragments, too.

Thanks for pointing out Sec. 8 to me. I suppose you are right about the 
behavior of implementations in the case of ESP-in-UDP, but from a formalistic 
point of view, note that:

- RFC 4301, Sec. 8 says nothing about NAT traversal (ESP-in-UDP).
- RFC 3948 (IPsec-in-UDP) says nothing about fragmentation...

So we have a hole here.

By the way, I'm not sure that UDP packets are still typically small. 
There's more and more video on the Internet, and I'm sure some of it is NOT on 
Skype.

Thanks,
Yaron

On 06/11/2012 08:37 AM, Valery Smyslov wrote:
 Hi Yaron,

 I think this is a different problem from dropping UDP fragments, and, 
 from my point of view, less important. For most of UDP traffic this is 
 not an issue, because packets are small.
 For TCP traffic IPsec gateway usually copies Don't Fragment Bit to 
 outer IP header, and usually this bit is set. If some intermediate 
 router has smaller MTU, it should drop packet and send ICMP 
 Destination Unreachable. Having received it IPsec gateway may store 
 needed MTU value in SA and then report this value to any host in 
 protected network that tries to send bigger TCP packet.
 This behavior is irrespective to whether ESP-in-UDP employed or just 
 plain ESP, and is documented in RFC4301 section 8.

 Regards,
 Valery Smyslov.

 Hi Valery,

 There's something I'm missing here. Let's say we go for a solution 
 where we fragment IKE packets into pieces of 576 bytes, at the 
 application level.

 Now, how do we determine the length of the ESP-over-UDP packets? Are 
 you suggesting we fix them at 576 too, or do we need to have a
 (proprietary) path MTU discovery for this to *really* work?

 Thanks,
 Yaron


Scanned by Check Point Total Security Gateway.
___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

RE: [Fwd: Re: Last Call: draft-hoffman-tao4677bis-15.txt (The Tao of IETF: A Novice's Guide to the Internet Engineering Task Force) to Informational RFC]

[Yoav Nir]

To be fair, nearly half the attendees come from that continent. Even when the 
meetings are held in Taipei or Paris. 

-Original Message-
From: ietf-boun...@ietf.org [mailto:ietf-boun...@ietf.org] On Behalf Of Randy 
Bush
Sent: 10 June 2012 03:33
To: Glen Zorn
Cc: IETF Disgust
Subject: Re: [Fwd: Re: Last Call: draft-hoffman-tao4677bis-15.txt (The Tao of 
IETF: A Novice's Guide to the Internet Engineering Task Force) to Informational 
RFC]

 A quick check of the Upcoming IETF Meetings calendar
 (http://www.ietf.org/meeting/upcoming.html) shows that the next 
 meeting in Asia is scheduled for November 2015, while the last was 
 November 2011.  How does a 4 year gap map to approximately once a 
 year?

this winter we are meeting in georgia (not the one in the caucasus) and 
florida.  what more diversity do you want?  canada?

randy

[IPsec] Fragmentation causing IKE to fail

[Yoav Nir]

Hi

I work for a vendor selling and IKE/IPsec solution.

In the last few months, we've heard a troubling complaint from some of our 
customers. They say that some ISPs have begun to drop IP fragments. While 
specific ISPs were not named, most of the issues seem to be in south-east Asia. 
One customer has speculated that this has something to do with preparing to 
deploy CGNs.

According to draft-ietf-behave-lsn-requirements, CGNs MUST comply with the NAT 
requirements for UDP as in RFC 4787, and that RFC says in section 11 that NAT 
devices MUST support fragments. So these routers are not compliant, but that 
doesn't help our customers much.

Most traffic on the Internet is either TCP or small-packet UDP. The IKE 
protocol (both versions) has the rather rare distinction of having large UDP 
packets. These are packets #5 and #6 in IKEv1 Main Mode, or the IKE_AUTH 
packets in IKEv2, especially when using certificate authentication.

For now, the customers managed to fix the ISP with an angry phone call. That 
got them into an exception list where fragments are not dropped. One had to 
change ISPs for that. While this can work for a while, it won't work when the 
carrier doing the dropping is not the one that the customer has a business 
relationship with, but another one downstream.


Trying to think up ways to deal with this, I can think of some:

* Get all ISPs to stop dropping fragments. This would be great, but as the 
saying goes, you are so not in charge.

* Find ways of making the packets smaller: move to PSK, fiddle with trust 
anchors so that only one cert is needed, avoid sending CRLs, hash-and-URL, etc. 
These are not always successful, and often require more configuration than we 
would like.

* Build a fragmentation layer within IKE, so IKE messages are broken into 
several packets that get reassembled at the destination. This is the path taken 
by one of our competitors [1]. This means that IKE has segmentation in addition 
to other TCP-like features such as retransmission.

* Use IKE over TCP. Looking at the IANA registry ([2]) TCP port 500 is already 
allocated to ISAKMP. We have had IKE running over TCP for several years for 
remote access clients. This was done because remote access clients connect from 
behind some very dodgy NAT devices, and some of those do drop fragments. 
Getting this behavior at the ISP is novel.


Have others on this list run into this issue?  

Yoav

[1] 
http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_fragment_ike_pack.html
[2] 
http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml
___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Re: [IPsec] Fragmentation causing IKE to fail

[Yoav Nir]

On Jun 7, 2012, at 7:15 PM, Paul Hoffman wrote:

 * Use IKE over TCP. Looking at the IANA registry ([2]) TCP port 500 is 
 already allocated to ISAKMP. We have had IKE running over TCP for several 
 years for remote access clients. This was done because remote access clients 
 connect from behind some very dodgy NAT devices, and some of those do drop 
 fragments. Getting this behavior at the ISP is novel.
 
 * Use IKE over TCP only after IKE over UDP fails during transmission of a 
 packet 512 bytes. That would be interoperable with current deployments 
 (although they would not see the second attempt, of course), it costs little, 
 and is trivial to implement.

This is possible, but since UDP is not reliable, you'd have to retransmit 
several times before giving up on UDP. Even if we shorten the at least a dozen 
times over a period of at least several minutes, it's still long enough for 
users to feel - get the connection with Exchange lost message in Outlook, for 
example. 

You could begin both UDP (first IKE message) and TCP's 3-way handshake at the 
same time. If the 3-way handshake completed in time, the larger packets would 
go over that connection. If not, they would go over TCP.

But all this is implementation-specific details. I'm more interested in hearing 
whether others are seeing this (I would guess yes, otherwise Cisco would not 
have developed the IKE fragments), and on whether there is interest in the 
group in an IKE-over-TCP draft.

Yoav

___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Re: [IPsec] Fragmentation causing IKE to fail

[Yoav Nir]

On Jun 7, 2012, at 8:26 PM, Nico Williams wrote:

 On Thu, Jun 7, 2012 at 11:54 AM, Paul Hoffman paul.hoff...@vpnc.org wrote:
 On Jun 7, 2012, at 9:43 AM, Paul Wouters wrote:
 Also, if we are doing this, I'd prefer to be able to signal which tcp
 port to use, to make it more flexible to bypass port 500 blocks (which
 is part of the tcp 1 implementation I believe)
 
 That seems fine to me. However, assuming that a firewall that blocks TCP/500 
 will not block TCP/somerandomnewnumber is not wise.
 
 Use port 80.

Well, we came up with IKE-over-TCP for clients in 2002. That worked OK with 
broken routers and NAT devices, but not with firewalls. So in 2003 we came up 
with sending both IKE and IPsec over port 443 (because at the time few 
firewalls other than ours validated that what goes on port 443 looks like SSL). 
Finally in 2005 we came out with a client that actually uses SSL for traffic, 
so that firewalls have to either be SSL proxies or do traffic flow analysis to 
recognize non-HTTPS.

But this arms race between tunneling clients and firewalls is not the issue 
here. Without getting into the whole net neutrality controversy, ISPs are not 
supposed to, nor are they trying to block the creation of tunnels. What they 
are doing is saving themselves the need to keep state on received fragments, 
which allows better scale and better performance with the same hardware.

Yoav
___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Re: [IPsec] Fragmentation causing IKE to fail

[Yoav Nir]

On Jun 8, 2012, at 1:01 AM, Paul Hoffman wrote:

 On Jun 7, 2012, at 2:53 PM, Yoav Nir wrote:
 
 
 On Jun 7, 2012, at 7:15 PM, Paul Hoffman wrote:
 
 * Use IKE over TCP. Looking at the IANA registry ([2]) TCP port 500 is 
 already allocated to ISAKMP. We have had IKE running over TCP for 
 several years for remote access clients. This was done because remote 
 access clients connect from behind some very dodgy NAT devices, and some 
 of those do drop fragments. Getting this behavior at the ISP is novel.
 
 * Use IKE over TCP only after IKE over UDP fails during transmission of a 
 packet 512 bytes. That would be interoperable with current deployments 
 (although they would not see the second attempt, of course), it costs 
 little, and is trivial to implement.
 
 This is possible, but since UDP is not reliable, you'd have to retransmit 
 several times before giving up on UDP. Even if we shorten the at least a 
 dozen times over a period of at least several minutes, it's still long 
 enough for users to feel - get the connection with Exchange lost message 
 in Outlook, for example. 
 
 Good point.
 
 You could begin both UDP (first IKE message) and TCP's 3-way handshake at 
 the same time. If the 3-way handshake completed in time, the larger packets 
 would go over that connection. If not, they would go over TCP.
 
 Yuck. But possibly the right answer.
 
 But all this is implementation-specific details. I'm more interested in 
 hearing whether others are seeing this (I would guess yes, otherwise Cisco 
 would not have developed the IKE fragments), and on whether there is 
 interest in the group in an IKE-over-TCP draft.
 
 
 Please consider IKE-with-TCP-and-UDP before IKE-over-TCP.

I think we can accommodate different implementations by requiring:
 - that initiator MAY switch back and forth between TCP and UDP
 - that responder MUST respond in the same transport where the request arrived
 - that responder must not depend on all requests for a particular flow coming 
through the same transport. For example, it's perfectly acceptable for the 
first request of Main Mode to come over UDP, while the next two come over TCP.

Yoav
___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Re: [IPsec] IPsec SPD search

[Yoav Nir]

On Jun 6, 2012, at 5:54 PM, Sheng Hsin Lo wrote:

 Hello, 
 
 Should the SPD search in IPsec support longest prefix match(LPM)?
 

Hi

The answer is no. The SPD is an ordered list of entries, and the first match is 
the one to follow. 

RFC 4301 defines a decorrelation algorithm (section 4.4.1 and appendix B) that 
remove overlaps for quicker searches, but that does not change the result fo 
the SPD search, which is first-match.

Hope this helps

Yoav


___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Re: [websec] Pinning

[Yoav Nir]

Hi

The similarity of pinning and DANE has been discussed before. DANE relies on 
DNSSEC being deployed, which key-pinning does not. Come to think of it, the 
draft needs a section comparing with DANE, but that's for another thread.

draft-perrin-tls-tack seems to tackle the same problem as key-pinning. Instead 
of the pins getting attested to in HTTP headers, you have a special 
public/private key pair, that you use to sign the SPKI from the server 
certificate within the a TLS extension. Like key-pinning there's a TOFU element 
here, because the client only learns about the special key when it encounters 
it in a TLS handshake.

The obvious question is why would we need both key-pinning and tack. It has 
been asked on the TLS mailing list: 
http://www.ietf.org/mail-archive/web/tls/current/msg08818.html

An answer by the draft authors is here:
http://www.ietf.org/mail-archive/web/tls/current/msg08830.html

In the grand scheme of things, it's not good for the IETF to make 1 standards, 
both of which need to be implemented in both servers and browsers, that 
accomplish the same thing, and Sean is correct that implementing more than one 
may lead to mismatching information. In a sense DANE is also doing the same 
thing, but DANE requires DNSSEC everywhere, so it's operational profile is 
different. But Tack and cert pinning both have no prerequisites and accomplish 
the same thing, so what if one's at the HTTP layer, while the other is at the 
TLS layer.

I don't think the TLS WG is very excited about TACK (see the mailing list) but 
regardless, I think it's up to us to look at both options and decide if we 
would like to go on with cert-pinning, or whether we thing TACK is better.

Yoav

On Jun 5, 2012, at 11:47 PM, Paul Hoffman wrote:

 From the SAAG mailing list, but appropriate here. I bet that Sean would 
 appreciate all discussion to go on on the SAAG mailing list...
 
 Begin forwarded message:
 
 From: Sean Turner turn...@ieca.com
 Subject: [saag] Pinning
 Date: June 5, 2012 12:55:29 PM PDT
 To: s...@ietf.org
 
 All,
 
 There are many proposals for how to say which key or certificate or trust 
 anchor should be used by the client in a TLS session that it is about to 
 open. These proposals include making that decision in the DNS 
 (https://datatracker.ietf.org/doc/draft-ietf-dane-protocol/), in the 
 application after TLS has happened once, to be remembered in the future 
 (https://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/), and in 
 the TLS handshake (https://datatracker.ietf.org/doc/draft-perrin tls-tack/). 
 If more than one of these protocols are deployed, operational mistakes could 
 lead to a client getting conflicting information.
 
 Similarly, there are also proposals on how to say whether or not a client 
 should expect to see a particular service running under TLS. These proposals 
 include making that indication in the DNS (draft hoffman-server-has-tls, 
 expired but might be revived) and in the application after TLS has happened 
 once, to be remembered in the future 
 (https://datatracker.ietf.org/doc/draft-ietf-websec-strict-transport sec/). 
 If more than one of these protocols are deployed, operational mistakes could 
 lead to a client getting conflicting information.
 
 Is a standards-track operations statement needed to describe the choices 
 that a TLS server administrator has, and to deal with conflicts between the 
 proposals?
 
 spt

___
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec

Re: Colloquial language [Re: Last Call:draft-hoffman-tao4677bis-15.txt (The Tao of IETF: A Novice'sGuide to the Internet Engineering Task Force) to Informational RFC]

[Yoav Nir]

On Jun 1, 2012, at 11:13 AM, Randy Bush wrote:

 if i have to delete through much more about this bikeshed, i will give
 you some colloquial american to read.


bikeshed ?

:-)

Yoav

Re: Last Call: draft-hoffman-tao4677bis-15.txt (The Tao of IETF: A Novice's Guide to the Internet Engineering Task Force) to Informational RFC

[Yoav Nir]

Hi Peter

I tend to disagree. I am not a native English speaker, although I will admit to 
watching way too much American TV in my teens. 

I believe most of these should be recognizable to anyone who has learned enough 
English to participate meaningfully in IETF mailing lists and discussions. What 
you haven't seen before, you can usually either deduce (cosmic significance 
would obviously mean a lot of significance), or else easily searchable on the 
net or in idiom books, although I did get some incorrect results searching 
google for warm fuzzy feeling.

Yes, we should keep both messages and documents straight-forward, and avoid 
cultural references and memes (like home base or I do have a Dalek but I do 
not yet have a Tardis, or any reference to taking arrows to the knee), but I 
don't think it's necessary to go back and prune all idioms out of a document.

Yoav

On May 31, 2012, at 4:49 AM, Peter Saint-Andre wrote:

 Overall I continue to think that this is a helpful document, as were its
 predecessors.
 
 That said, I would assume that many potential readers of this document
 are not native English speakers. Thus I suggest that the more colloquial
 words and phrases might best be changed to more standard English.
 Naturally one can quibble about particulars, but here are some examples
 as I see them:
 
 get into the swing of things
 give them a warm, fuzzy feeling
 happenings
 unsung heroes
 home base
 pet project
 pet peeve
 leaps and bounds
 get technical
 discussions of cosmic significance
 gatherings of the tribes
 kicks in
 breath of fresh air
 big-name
 take the pluge
 
 I realize that such words and phrases lend a friendly tone to the
 document, but IMHO that friendliness will be lost on non-native speakers.

Re: Colloquial language [Re: Last Call: draft-hoffman-tao4677bis-15.txt (The Tao of IETF: A Novice's Guide to the Internet Engineering Task Force) to Informational RFC]

[Yoav Nir]

On May 31, 2012, at 10:39 PM, Martin Rex wrote:

 Stephen Farrell wrote:
 
 I'm with Brian and Yoav on this. I don't see a need
 to change here. And I do think we might lose something
 if we become too PC. If a bunch of non-native speakers
 did say yes, I found that made the document less
 useful then I'd be more convinced that all these
 changes were worth it.
 
 +1
 
 I do not believe that *over*simplyfying the language is beneficial for
 a clearly non-technical document.  Using a language that is similar
 to discussion on mailing lists should be perfectly OK, as long as
 the colloquial expressions can still be googled easily, for those
 not familiar with them.  I have to google Dilberts and xkcd every once
 in a while, an those sometimes contain very local expressions that
 are really difficult to find -- and still I'm OK with this.
 
 -Martin

I had to look up some things when I ready The Adventures of ACTION ITEM for the 
first time[1], but the TAO draft is nowhere near that level. Besides, it's 
essential vocabulary for anyone seeking a career in project management.

Yoav

[1] http://professionalsuperhero.com/

[IPsec] Fwd: I-D Action: draft-nir-ipsecme-erx-04.txt

[Yoav Nir]

Hi

I have just submitted a new version. This one contains some changes based on a 
review by Yaron Sheffer.

It's mostly clarifications. The one bit-on-the-wire change is adding back the 
IDi payload (although it contains redundant information) to make the modified 
handshake less different.

Yoav


Begin forwarded message:

From: internet-dra...@ietf.orgmailto:internet-dra...@ietf.org 
internet-dra...@ietf.orgmailto:internet-dra...@ietf.org
Subject: I-D Action: draft-nir-ipsecme-erx-04.txt
Date: May 21, 2012 8:53:57 AM GMT+03:00
To: i-d-annou...@ietf.orgmailto:i-d-annou...@ietf.org 
i-d-annou...@ietf.orgmailto:i-d-annou...@ietf.org
Reply-To: internet-dra...@ietf.orgmailto:internet-dra...@ietf.org 
internet-dra...@ietf.orgmailto:internet-dra...@ietf.org


A New Internet-Draft is available from the on-line Internet-Drafts directories.

Title   : An IKEv2 Extension for Supporting ERP
Author(s)   : Yoav Nir
 Qin Wu
Filename: draft-nir-ipsecme-erx-04.txt
Pages   : 8
Date: 2012-05-20

  This document describes an extension to the IKEv2 protocol that
  allows an IKE Security Association (SA) to be created and
  authenticated using the EAP Re-authentication Protocol extension as
  described in RFC 5296bis.

  NOTE TO RFC EDITOR: Replace 5296bis in the previous paragraph with
  the RFC number assigned to draft-ietf-hokey-rfc5296bis (now in the
  RFC Editor queue)


A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-nir-ipsecme-erx-04.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

This Internet-Draft can be retrieved at:
ftp://ftp.ietf.org/internet-drafts/draft-nir-ipsecme-erx-04.txt

The IETF datatracker page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-nir-ipsecme-erx/

___
I-D-Announce mailing list
i-d-annou...@ietf.org
https://www.ietf.org/mailman/listinfo/i-d-announce
Internet-Draft directories: http://www.ietf.org/shadow.html
or ftp://ftp.ietf.org/ietf/1shadow-sites.txt

Scanned by Check Point Total Security Gateway.

___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Re: RFC 2119 terms, ALL CAPS vs lower case

[Yoav Nir]

On May 20, 2012, at 11:36 PM, Marc Petit-Huguenin wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA256
 
 On 05/20/2012 12:41 PM, Stephane Bortzmeyer wrote:
 On Wed, May 16, 2012 at 11:06:25AM -0400, Simon Perreault
 simon.perrea...@viagenie.ca wrote a message of 12 lines which said:
 
 One dreams of a period in which precision and elegance were not 
 mutually exclusive properties.
 
 You mean when French was the dominant language?
 
 Nice troll. Let me amend it: we now have languages which were conceived for
 writing precisely what you mean (not too much ambiguity, not too little).
 Lojban http://en.wikipedia.org/wiki/Lojban is the best known. I do not
 expect IETF to adopt it for RFCs (despite the imperfections of English) but
 I regret it. This would give me the push I need to really learn Lojban.
 
 
 Su'i pa

la lojban satci .ije la lojban na'e nolmle

Re: [IPsec] Issue #219 - Star topology as an admin choice

[Yoav Nir]

On May 19, 2012, at 3:53 PM, Yaron Sheffer wrote:

 Hi Vishwas, Yoav,
 
 Check Point (IIRC) supports communities of IPsec endpoints, arranged 
 either as a star or a full mesh. This is nice and simple to configure 
 but obviously does not cover all use cases. Some networks cannot be 
 represented either as a full mesh or as a simple star.

More complex topologies can be achieved by having some IPsec endpoints be 
members of more than one community. That way, traffic can go from any member of 
one community to any member of another community through the common member. I 
think multiple communities with shared members does cover all the use cases, 
because taken to the edge case, an IPsec tunnel is a mesh with two members.

Of course, if you configure your VPN as a large number of communities, each 
with two members, you've really lost all traces of simplicity, and you have to 
configure as much as simple IPsec, but a more common case would be several 
large communities, each either a star or a mesh, and then either an endpoint 
that is shared between them, or tunnels (2-member communities) to connect each 
pair of communities.

While the configuration for a single star or mesh community is relatively 
simple, this moves the complexity to those connecting members. They need to 
know what is allowed to pass between the different communities.

Yoav

___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

SecDir review of draft-ietf-ccamp-assoc-info-03

[Yoav Nir]

Hi,

I have reviewed this document as part of the security directorate's ongoing 
effort to review all IETF documents being processed by the IESG.  These 
comments were written primarily for the benefit of the security area directors. 
Document editors and WG chairs should treat these comments just like any other 
last call comments.

The document does not define any new procedures or mechanisms, and mentions 
this fact three times throughout the document. It formalizes an email by Adrian 
Farrel clarifying the procedures for processing an ASSOCIATION object on a path 
message. 

The security considerations section repeats that the document does not define 
new procedures, and concludes that no security considerations are added. This 
is not a valid deduction, as clarification often involves prohibiting 
non-functional or insecure interpretation of the original document text. 
However, in this case the clarification is not about such insecure 
configurations, so the document is fine.

One textual comment, though: section 2.2 near the bottom of page #5 lists 3 
possible values for association ID. The second option is The LSP ID of the LSP 
protecting an LSP. This is not clear. I suggest rewording as The LSP ID of 
the protecting LSP without an indefinite an LSP.

Yoav

Re: [IPsec] Issue #219 - Star topology as an admin choice

[Yoav Nir]

Hi.

I think it should be more complicated than this. The suggested solution has a 
dichotomy of either a full mesh or a start topology. The requirements should 
cover scenarios such as a mesh within an organization connecting to a hub to 
gateways outside the organization, or multiple hubs connected among themselves 
in either a star or a mesh, or even certain routes that are manually 
configured along with all the auto-discovery stuff.

Perhaps we can capture the needed complexity by talking about groups of nodes, 
where nodes that belong to a single group attempt to create a mesh among them, 
and packets can travel between nodes that do not belong to the same group 
through group intersection. I'm not sure if this level of detail is part of the 
problem statement, but it's more high level than a solution.

On May 12, 2012, at 1:11 AM, Vishwas Manral wrote:

 Hi,
 
 I would like to start off by trying to resolve the issue. The notes from the 
 IETF are attached below.
 
 Description:Some admins prefer a star topology so they can inspect traffic. 
 They may not want to use this technology.
 
 Detail arguments: My take is similar to what Yaron and Yaov seem to state. 
 There is no reason to exclude star topology at all from the Problem 
 statement/ requirements document. In fact both the proprietary solutions I 
 know of allow for such a topology. I however understand that some of the 
 functionality on the Hub (of the star) could be achieved by using PFP flags 
 in the SPD entry.
 
 Suggested Resolution: State in the document that Star topology is not 
 excluded from the solution. The problem of configuration is however mainly 
 limited to the Hub. For every spoke added/ deleted/ modified the 
 configuration on the Hub needs to be changed, which is not desirable. May be 
 update Section 3.2 with the same too.
 
 Thanks,
 Vishwas
 ===
 Notes from meeting minutes:
 
   # 219 Star topology as an admin choice
   People don't need to use this if they don't want to
   Say this in the security considerations
   Yoav Nir:
   Has to be a requirement that any solution 
 can
   implement different policies
   Yaron Sheffer:
   Agrees with Yoav, maybe becomes a use case
   Take this to the list
 ___
 IPsec mailing list
 IPsec@ietf.org
 https://www.ietf.org/mailman/listinfo/ipsec

___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Re: [IPsec] Issue #213/ #214 - Allow for non-direct end point connectivity

[Yoav Nir]

I'm not sure I understand the suggested resolution. The biggest barrier to 
direct connectivity is that the responder may be behind NAT. Is this considered 
a routing issue?  In any case, there are protocols for getting to a responder 
behind a NAT. They work well enough that VoIP solutions work pretty much 
everywhere where there isn't a firewall that's specifically targeting VoIP. I 
think we should user them, adapt therm or profile them for IKE/IPsec, although 
this does not necessarily belong in the solution document.

As for #214, I don't see how this is answered. If an gateway A would like to 
contact a host behind gateway Z, and does so through gateway B, must gateway B 
provide the addresses for gateway Z, or can it give the address of gateway D, 
which will then provide the address of gateway Z?  IOW, must redirection be 
1-step?

Yoav

On May 12, 2012, at 2:03 AM, Vishwas Manral wrote:

 Hi,
 
 Description: Direct endpoint-to-endpoint connectivity may not be possible. 
 Should gateways figure things out completely or just punt endpoints to a 
 closer gateway?
 
 Detail Arguments: As Izaac and John Lesser pointed out this is more of a 
 routing issue. Though current solutions do not allow such connectivity unless 
 through a hub, I think from the security plane, we should not preclude such 
 connectivity. This could be achieved either transparently (no IPsec component 
 except the SPD involved), or by stitching tunnel traffic.
 
 Suggested Resolutions: Specify explicitly that issues around direct 
 connectivity between endpoints are more of a Routing issue. However IPsec 
 should not prevent such a connectivity model.
 
 Thanks,
 Vishwas
 ===
 Meeting notes: 
  # 213 In use case 2.1, direct endpoint-to-endpoint 
 connectivity
   may not be possible
   Need to mention challenges in use cases section
   Paul: reminded that there will be a separate 
 requirement
   section
   # 214 Should gateways figure things out completely or just 
 punt
   endpoints to a closer gateway?
   Core gateway configuring is a solution, so premature
   Also in #213
 
 ___
 IPsec mailing list
 IPsec@ietf.org
 https://www.ietf.org/mailman/listinfo/ipsec

___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Re: [IPsec] Issue #219 - Star topology as an admin choice

[Yoav Nir]

I might have put it like this if it wan't so similar to the way things are 
configured on Check Point gateways :-)

It makes sense to me, but I'm not sure it covers all the use cases. Imagine a 
topology that is entirely mesh, except for HTTP(S) traffic that is routed to a 
central site because they have some HTTP inspection gateway there. It's a 
requirement that came up a while ago. How does that fit the either mesh or 
star topology?

Also, a gateway that is part of more than one topologies (at Check Point we 
call them communities) would have to have a different view of the network in 
these two contexts. As far as its peers in community A are concerned, it is 
protecting all the networks behind any gateways in community B, but for members 
on community B, it is protecting all the addresses behind gateways in community 
A.

On May 12, 2012, at 10:53 PM, Vishwas Manral wrote:

Hi Yaov,

If I udnerstand correctly, what you seem to be talking about is a 
Star-of-meshes or a mesh-of-star topology.

In my view this would be dealt with in 2 different iterations of the Mesh VPN 
topology. So there would be a Mesh VPN for the Star topology and a separate 
instance of the Mesh VPN for the mesh topology.

Let me know if that makes sense. I think we can state that the requirement 
should allow for such iterative use cases, however at one instance we only look 
at star or mesh topology. Do I make sense?

Thanks,
Vishwas

On Sat, May 12, 2012 at 11:34 AM, Yoav Nir 
y...@checkpoint.commailto:y...@checkpoint.com wrote:
Hi.

I think it should be more complicated than this. The suggested solution has a 
dichotomy of either a full mesh or a start topology. The requirements should 
cover scenarios such as a mesh within an organization connecting to a hub to 
gateways outside the organization, or multiple hubs connected among themselves 
in either a star or a mesh, or even certain routes that are manually 
configured along with all the auto-discovery stuff.

Perhaps we can capture the needed complexity by talking about groups of nodes, 
where nodes that belong to a single group attempt to create a mesh among them, 
and packets can travel between nodes that do not belong to the same group 
through group intersection. I'm not sure if this level of detail is part of the 
problem statement, but it's more high level than a solution.

On May 12, 2012, at 1:11 AM, Vishwas Manral wrote:

 Hi,

 I would like to start off by trying to resolve the issue. The notes from the 
 IETF are attached below.

 Description:Some admins prefer a star topology so they can inspect traffic. 
 They may not want to use this technology.

 Detail arguments: My take is similar to what Yaron and Yaov seem to state. 
 There is no reason to exclude star topology at all from the Problem 
 statement/ requirements document. In fact both the proprietary solutions I 
 know of allow for such a topology. I however understand that some of the 
 functionality on the Hub (of the star) could be achieved by using PFP flags 
 in the SPD entry.

 Suggested Resolution: State in the document that Star topology is not 
 excluded from the solution. The problem of configuration is however mainly 
 limited to the Hub. For every spoke added/ deleted/ modified the 
 configuration on the Hub needs to be changed, which is not desirable. May be 
 update Section 3.2 with the same too.

 Thanks,
 Vishwas
 ===
 Notes from meeting minutes:

   # 219 Star topology as an admin choice
   People don't need to use this if they don't want to
   Say this in the security considerations
   Yoav Nir:
   Has to be a requirement that any solution 
 can
   implement different policies
   Yaron Sheffer:
   Agrees with Yoav, maybe becomes a use case
   Take this to the list
 ___
 IPsec mailing list
 IPsec@ietf.orgmailto:IPsec@ietf.org
 https://www.ietf.org/mailman/listinfo/ipsec



___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Re: Future Handling of Blue Sheets

[Yoav Nir]

On May 10, 2012, at 12:10 PM, Doug Barton wrote:

 On 5/10/2012 1:48 AM, Tobias Gondrom wrote:
 What I dispute is that make available to those who are interested
 necessarily leads to the need to broadcast the data (i.e. publish in the
 proceedings).
 
 What is the harm you are trying to guard against by requiring the request?

Well, there's the obvious issue of spam, although this post that I'm making 
right now provides my email address to the spammers in a much more convenient 
form. It's also convenient for headhunters. It also allows my employer to check 
whether I really went to sessions instead of just touring Paris. Is it the 
business of the IETF to help in these activities?

I still don't get why you would want this published. My name on a blue sheet 
could mean that I was presenting for half the session, or that I was at the 
mike telling people they were wrong, or just sitting quietly in the back 
minding my own business and reading email. Blue sheets (unlike minutes and 
jabber logs) don't make such a distinction.

 Or, to take a completely different tack, given that there are a non-zero
 number of people who think the data should be published, how do you
 intend to deal with someone who makes the request, and then puts it up
 on their own website?

I think this would be a copyright violation, unless the IETF specifically 
authorized them to do so (which it shouldn't). I don't think the IETF should 
prosecute, but it's still a violation.

 I don't hesitate to criticize when I think that the IESG gets it wrong,
 but in this case I think they threaded the needle about as well as it
 could be threaded.

I think that needle should not be threaded at all. A list of participants 
should maybe be kept (scanned or not) but never published without subpoena, 
just as it is now. I don't see any reason why publishing it (as opposed to 
recording actual participation) is a requirement for an open process.

Yoav

Re: Future Handling of Blue Sheets

[Yoav Nir]

On May 10, 2012, at 8:42 PM, Melinda Shore wrote:

 On 5/10/12 9:32 AM, Martin Rex wrote:
 There has never been a need to actively broadcast these massive amounts
 of personally identifiable information (PII), and I haven't seen any
 convincing rationale for doing it now.
 
 To be honest, I don't want to receive more spam and My boss might
 find out I skipped a session are not reasons not to be open about
 who's participating in sessions, particularly as we drift towards a
 meetings/voting model.

Participating is one thing. Presence is another. Reporting that I spoke up 
against the hard-fail requirement at Websec is part of the openness. Reporting 
that I was at SCIM, where I never once approached the microphone is not.

  I understand sensitivity about broadcasting
 travel plans but in general some of the arguments being offered for
 being a less open organization with a less open process are drifting
 into The FBI implanted a radio transmitter in my teeth territory,
 and it seems to me that making blue sheets available after meetings
 does not reveal much PII beyond what's already available on the mailing
 lists.

The FBI needn't bother. They can just read the blue sheets :-)

 There's a serious question here about tradeoffs between privacy and
 openness.  Openness is not just a core institutional value (although
 it is one - do not forget that), but it's also a defense against
 charges of collusion, which, unfortunately, we've been seeing.

And how does the existence of such a lame attempt to list attendees help in 
this?

Yoav

RE: Last Call: draft-farrresnickel-ipr-sanctions-05.txt (Sanctions Available for Application to Violators of IETF IPR Policy) to Informational RFC

[Yoav Nir]

I think that regardless of how it's worded, the real question is whether 
liability falls to the person who sent the email (to a public mailing list) or 
the IETF. The difference between believe and shown seems minor in 
comparison. 

-Original Message-
From: ietf-boun...@ietf.org [mailto:ietf-boun...@ietf.org] On Behalf Of Brian E 
Carpenter
Sent: 09 May 2012 09:52
To: ietf@ietf.org
Subject: Re: Last Call: draft-farrresnickel-ipr-sanctions-05.txt (Sanctions 
Available for Application to Violators of IETF IPR Policy) to Informational RFC

I'd like to be reassured that this has been carefully reviewed by the IETF 
counsel and the IETF Trust. In particular I would be interested in its possible 
interaction with the IETF's liability insurance.

Any IETF participant can call for sanctions to be applied to anyone
they believe has violated the IETF's IPR policy. This can be done by
sending email to the appropriate IETF mailing list.  

That seems reasonable, but publishing such a belief without having the wording 
checked by a libel lawyer might be risky. I think the draft should state that a 
call for sanctions should be based on factual evidence and not on belief. How 
about

   Any IETF participant can call for sanctions to be applied to anyone
   shown to have violated the IETF's IPR policy.  This can be done by
   sending email to the appropriate IETF mailing list, including a
   a short summary of the relevant facts and events.

Regards
   Brian Carpenter

On 2012-05-07 22:56, The IESG wrote:
 The IESG has received a request from an individual submitter to 
 consider the following document:
 - 'Sanctions Available for Application to Violators of IETF IPR Policy'
   draft-farrresnickel-ipr-sanctions-05.txt as Informational RFC
 
 The IESG plans to make a decision in the next few weeks, and solicits 
 final comments on this action. Please send substantive comments to the 
 ietf@ietf.org mailing lists by 2012-06-04. Exceptionally, comments may 
 be sent to i...@ietf.org instead. In either case, please retain the 
 beginning of the Subject line to allow automated sorting.
 
 Abstract
 
 
The IETF has developed and documented policies that govern the
behavior of all IETF participants with respect to Intellectual
Property Rights (IPR) about which they might reasonably be aware.
 
The IETF takes conformance to these IPR policies very seriously.
However, there has been some ambiguity as to what the appropriate
sanctions are for the violation of these policies, and how and by
whom those sanctions are to be applied.
 
This document discusses these issues and provides a suite of
potential actions that may be taken within the IETF community.
 
 
 
 
 The file can be obtained via
 http://datatracker.ietf.org/doc/draft-farrresnickel-ipr-sanctions/
 
 IESG discussion can be tracked via
 http://datatracker.ietf.org/doc/draft-farrresnickel-ipr-sanctions/ball
 ot/
 
 
 No IPR declarations have been submitted directly on this I-D.
 
 
 

Scanned by Check Point Total Security Gateway.

Re: Last Call: draft-farrresnickel-ipr-sanctions-05.txt (Sanctions Available for Application to Violators of IETF IPR Policy) to Informational RFC

[Yoav Nir]

I am not a lawyer either, but I think it depends on jurisdiction whether a 
mailing list will be considered as a media outlet or merely a conduit. 

What the IETF writes in its policy amounts to a plea to users to pretty please 
send only factual information. I don't know that it makes a difference as to 
who is liable if the information turns out to be non-factual.

On May 9, 2012, at 10:19 AM, Brian E Carpenter wrote:

 Yoav,
 
 IANAL, but as far as I know libel suits are normally against individuals
 (or media outlets such as newspapers). The defence against a libel
 suit in the British courts, the most popular jurisdiction for
 international libel suits, is factual accuracy. Therefore, I think
 the draft should state the need for factual evidence.
 
 And to be clear, there are plenty of precedents for libels originating
 outside the UK leading to successful suits in the UK courts, if they
 have been received in the UK via the Internet.
 
 Regards
   Brian Carpenter
 
 
 
 
 On 2012-05-09 08:07, Yoav Nir wrote:
 I think that regardless of how it's worded, the real question is whether 
 liability falls to the person who sent the email (to a public mailing list) 
 or the IETF. The difference between believe and shown seems minor in 
 comparison. 
 
 -Original Message-
 From: ietf-boun...@ietf.org [mailto:ietf-boun...@ietf.org] On Behalf Of 
 Brian E Carpenter
 Sent: 09 May 2012 09:52
 To: ietf@ietf.org
 Subject: Re: Last Call: draft-farrresnickel-ipr-sanctions-05.txt 
 (Sanctions Available for Application to Violators of IETF IPR Policy) to 
 Informational RFC
 
 I'd like to be reassured that this has been carefully reviewed by the IETF 
 counsel and the IETF Trust. In particular I would be interested in its 
 possible interaction with the IETF's liability insurance.
 
   Any IETF participant can call for sanctions to be applied to anyone
   they believe has violated the IETF's IPR policy. This can be done by
   sending email to the appropriate IETF mailing list.  
 
 That seems reasonable, but publishing such a belief without having the 
 wording checked by a libel lawyer might be risky. I think the draft should 
 state that a call for sanctions should be based on factual evidence and not 
 on belief. How about
 
   Any IETF participant can call for sanctions to be applied to anyone
   shown to have violated the IETF's IPR policy.  This can be done by
   sending email to the appropriate IETF mailing list, including a
   a short summary of the relevant facts and events.
 
 Regards
   Brian Carpenter
 
 On 2012-05-07 22:56, The IESG wrote:
 The IESG has received a request from an individual submitter to 
 consider the following document:
 - 'Sanctions Available for Application to Violators of IETF IPR Policy'
  draft-farrresnickel-ipr-sanctions-05.txt as Informational RFC
 
 The IESG plans to make a decision in the next few weeks, and solicits 
 final comments on this action. Please send substantive comments to the 
 ietf@ietf.org mailing lists by 2012-06-04. Exceptionally, comments may 
 be sent to i...@ietf.org instead. In either case, please retain the 
 beginning of the Subject line to allow automated sorting.
 
 Abstract
 
 
   The IETF has developed and documented policies that govern the
   behavior of all IETF participants with respect to Intellectual
   Property Rights (IPR) about which they might reasonably be aware.
 
   The IETF takes conformance to these IPR policies very seriously.
   However, there has been some ambiguity as to what the appropriate
   sanctions are for the violation of these policies, and how and by
   whom those sanctions are to be applied.
 
   This document discusses these issues and provides a suite of
   potential actions that may be taken within the IETF community.
 
 
 
 
 The file can be obtained via
 http://datatracker.ietf.org/doc/draft-farrresnickel-ipr-sanctions/
 
 IESG discussion can be tracked via
 http://datatracker.ietf.org/doc/draft-farrresnickel-ipr-sanctions/ball
 ot/
 
 
 No IPR declarations have been submitted directly on this I-D.
 
 
 
 
 Scanned by Check Point Total Security Gateway.
 
 
 Scanned by Check Point Total Security Gateway.

Re: Last Call: draft-farrresnickel-ipr-sanctions-05.txt (Sanctions Available for Application to Violators of IETF IPR Policy) to Informational RFC

[Yoav Nir]

On May 9, 2012, at 12:28 PM, SM wrote:

 Hi Yoav,
 At 00:44 09-05-2012, Yoav Nir wrote:
 What the IETF writes in its policy amounts to a plea to users to 
 pretty please send only factual information. I don't know that it 
 makes a difference as to who is liable if the information turns out 
 to be non-factual.
 
 Section 3 text mentions several paths for the issue, i.e. 
 responsibility lies with the working group chair with escalation to 
 area directors.  Paragraph 2 and 3 discusses about that.  The issue 
 which predates this draft is mentioned in the message at 
 http://www.ietf.org/mail-archive/web/ietf/current/msg71484.html
 
 Do you know any IETF participant who is dumb enough to send a public 
 request for sanctions? :-)  

Dean Anderson often linked to his website: 
http://www.av8.net/IETF-watch/People/ (also loads of fun without the People 
path). IANAL but this does sound like libel.

More recently, but not related to IPR issues, during the last IETF quite a few 
of our prominent members were calling for sanctions (removal of posting 
privileges) after some of the IETF.Fact.Check posts.

 That can affect the individual's carrier 
 path in the IETF and in the corporate world.  Some IETF participants 
 might even ask lawyers to take action.  Watching Behind enemy lines 
 (disambiguation required) might be instructive in this context.
 
 At the end of the day, this draft is simply a matter of having an RFC 
 for those who might find the information helpful.  Sometimes all one 
 can do is to say pretty please.
 
 I'll +1 this draft as it stands.

I'm fine with it as it is. I just hope the IETF is not held responsible for 
postings by individuals.

Re: Gender diversity in engineering

[Yoav Nir]

On May 8, 2012, at 1:12 PM, Yaakov Stein wrote:

 Around 30%-40%. I don't have hard numbers, 
 but I have a feeling that it has gone down a bit in the last 10 years. 
 
 Yoav, 
 
 Your feelings are quite accurate as to the range,
 but less so regarding the trend.
 According to a recent study, 35.6% of high-tech employees in Israel are women,
 and this percentage has been relatively stable for the past 10 years.
 
 Women make up 47.5% of all employees with academic credentials (as of 2010) 
 in all sectors,
 so high-tech is actually comparatively under-represented.
 On the other hand, only 32.9% of managerial positions (in all sectors)
 are occupied by women.

I can believe that. It could be specific to Check Point. OTOH there are those 
companies with departments where only women work. That could be keeping the 
balance.

Yoav

Re: Is the IETF aging?

[Yoav Nir]

On May 5, 2012, at 4:58 AM, Marshall Eubanks wrote:

 On Fri, May 4, 2012 at 9:50 PM, Phillip Hallam-Baker hal...@gmail.com wrote:
 On Wed, May 2, 2012 at 3:14 PM, Hannes Tschofenig
 hannes.tschofe...@gmx.net wrote:
 Hi PHB,
 
 the IETF is not like an enterprise where you can decide (as part of the 
 hiring process) what characteristics your employees should have.
 
 True, but that does not mean that you should decide that there is
 nothing the IETF can do to change those characteristics or is in fact
 doing albeit unintentionally.
 
 So, what would you do to adjust things ?

I'm not PHB, but an obvious idea would be to change the requirements for a new 
work item from rough consensus to a bunch of people willing to do the work 
and at least one willing to implement.  Some working groups already work like 
this, but it's not universal.

Re: [IPsec] New Version Notification for draft-nir-ipsecme-erx-03.txt

[Yoav Nir]

Hi again.

The response has so far been underwhelming. As I said in my previous message, 
I'm perfectly willing to go the individual route, but I think this would be a 
shame. The protocol extension described can have applications in both remote 
access VPN (opening multiple tunnels with multiple gateways) and in seamless 
roaming between remote access VPN and local area wireless networks.

I also think that it touches a lot of different areas, and would benefit from 
the input of people better versed than me in the needs of cellular providers 
and AAA.

I am CC-ing the HOKEY mailing list (as I should have done earlier) because this 
draft actually adapts IKE to work with their protocol, and they may be willing 
to review and contribute, even if this is IPsecME work.

So if any of you are interested, and are willing to review, please let us know.

Yoav  Qin

On Apr 12, 2012, at 10:31 PM, Paul Hoffman wrote:

 On Apr 12, 2012, at 11:17 AM, Yoav Nir wrote:
 
 We would like this working group to accept this, and have it added to 
 charter. Of course, if it gets accepted, we volunteer to be authors. If it 
 is not accepted, we will try to progress it as an individual submission, but 
 we believe that this changes IKE enough that it should come from the working 
 group.
 
 
 Statements of interest and disinterest on this document are welcome. If you 
 prefer to make such a statement off-list please send it to me or Yaron.
 
 A statement of interest that include a promise to review in WG LC count for 
 more than a bare statement of interest.


___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Re: 'Geek' image scares women away from tech industry ? The Register

[Yoav Nir]

On May 1, 2012, at 12:31 AM, Janet P Gunn wrote:

My own anecdotes.

Yes, it starts early.

When I was 3 I announced that I was going to be a physicist when I grew up.  
WHY?

1 - a physicist has a chair that  is on WHEELS, and spins ROUND and ROUND
2 - a physicist has a blackboard with COLORED CHALK
3 (and MOST important) a physicist has a CANDY machine in the hall outside his 
office.

But engineers get to drive trains. Trains  swivel chairs.

Re: 'Geek' image scares women away from tech industry ? The Register

[Yoav Nir]

On Apr 30, 2012, at 10:52 PM, Mary Barnes wrote:

Here is an article that does a far better job of explaining the situation than 
I did:
http://www.todaysengineer.org/2011/May/women-in-engineering.asp

The largest reason women leave engineering is due to the work environment and 
perceived lack of support from colleagues.

Interesting, but I don't really get some of the distinctions they are making. 
Women *are not* leaving engineering to spend time with their families, but they 
*are* leaving engineering because of 60-hour weeks and having to work weekends.

I'm also not sure that stereotype is still valid. It's the romantic image of a 
technology start-up trying to get a product out before funding runs out, but 
most engineers won't work in those. Most will work at established companies or 
in corporate IT, and in those places, the 60-hour week is either rare or 
non-existent. There may be other things that scare women away from 
IT/engineering jobs, but there are plenty of those available that do not 
require that type of having no life.

Yoav

Re: 'Geek' image scares women away from tech industry ? The Register

[Yoav Nir]

On May 1, 2012, at 4:45 PM, Mary Barnes wrote:

The article clearly states that women leave for the two reasons you mentioned, 
which are certainly the exact same things males deal with, but you missed a few 
others that the article notes, specifically and directly quoted below:

...lack of real or perceived opportunities for advancement, and uncivil work 
environments where women were treated in condescending or patronizing manners. 
Only 25 percent of the women who left engineering did so for family reasons.


Well, it says this:
   The common perception is that women are leaving for taking care of their 
families, says Fouad. But that's clearly not true. They left the profession 
for organizational culture reasons.

And then this:
   Among the common factors that women cited as their reasons for leaving the 
profession were too much travel, working too many hours, lack of real or 
perceived opportunities for advancement, and uncivil work environments where 
women were treated in condescending or patronizing manners. Only 25 percent of 
the women who left engineering did so for family reasons.

So on the one hand they claim that women are not leaving to take care of their 
families, but on the other the first two correct reasons they mention are too 
much travel and too many hours. I think these two are pretty much the same, and 
the primary reason why someone (male or female) would object to travel and long 
hours is because it takes time away from family. Sure, it's possible they don't 
want to work long hours so that they can spend more time playing online games 
(http://iqu.com/blog/women-dominate-mobile-game-spending) or gambling online 
(http://ezinearticles.com/?UK-Online-Gambling-Dominated-by-Women-Playersid=6934242),
 but I suspect that few people are quitting their jobs to spend more time on 
gaming. I could be wrong. IOW I don't see the difference between not wanting to 
spend too much time at work and wanting to spend more time with your family.

Re: 'Geek' image scares women away from tech industry ? The Register

[Yoav Nir]

On May 1, 2012, at 8:44 PM, Janet P Gunn wrote:

This is VERY narrow minded, and, to be honest, somewhat insulting.

You suggest that time at work and family are the only important things to 
women.

I'm suggesting no such thing. This authors of this survey say that women who 
left engineering did not do so to take care of their families, although their 
own data says that 25% of them did. They mention long hours and travel, but 
they offer no explanation why these would be different between men and women.

The one issue that would seem to be different between men and women is the 
attitude of co-workers and superiors towards women, and workplace climate 
issues, yet only one in three give that as the reason for leaving. So if women 
go from 20% when they graduate to 11% at the workplace, only about 3 of those 
percent are explained by workplace climate. I still don't see how those other 
things are different for women.

It should also be noted, that this study is not about the kind of engineering 
we do at the IETF. The women interviewed are mechanical, industrial, and 
chemical engineers. In fact in a couple of places computer programming is 
mentioned as one of those alternative careers women can take when they leave 
engineering:
...I got to a certain point in my engineering career when I NO LONGER 
ADVANCED. I felt I needed additional education to move forward, but no topics 
interested me as much as computer programming, so I changed my career to that. 
It was a good change. I have been more successful in the computer field than I 
was in the engineering field.”

I don't know the figures for the IT industry, but I would guess that they're 
not as lopsided as those for those so-called real engineering.

Yoav

Re: Is the IETF aging?

[Yoav Nir]

Hi Phil

After each meeting, Ray sends out a survey to all participants. The results 
from the latest one:

When were you born?

  Before 19502.9%
  1950 - 1960   16.6%
  1961 - 1970   33.7%
  1971 - 1980   32.8%
  After 198014.0%

I think an earlier survey had the 1971-1980 crowd inch past the 1961-1970 one, 
but it does seem like the 30-50 age groups dominate. I don't believe you really 
are among the youngest, and neither am I (I'm 40). There are quite a few WG 
chairs, and some area directors who are younger than either of us.

20 years ago, was the balance of industry vs government and academia the same 
as today?  I am guessing that it was not, and that only a small minority came 
from industry. I am also guessing that doctoral students and post-docs are more 
eager than tenured professors to publish internet drafts, so the average age of 
an academic at the IETF is low. OTOH in industry you get to participate in 
things like the IETF only after you've been around for a while. How many of 
the participants from Cisco carry the distinguished engineer title? A lot. I 
think that explains why the average age has moved up. Are things any different 
in ITU or even W3C?

Yoav 


On Apr 27, 2012, at 5:06 PM, Phillip Hallam-Baker wrote:

 A question arose on the RFC-interest list, I observed that 20 years
 ago I was one of the youngest IETF participants and 20 years later
 that still seems to be the case.
 
 I see some grad students and some postdocs in their 20s but not as
 many as I think there should be. By now at least a third of the
 organization should be younger than me, preferably half. That is
 certainly not what I see when I attend IETFs. And yes, the lack of
 women is also highly noticeable.
 
 If this is the case it should worry us greatly. But first I think we
 need to determine if it is the case or not. I suggest an optional
 demographic survey of participants in the next IETF meeting to be
 repeated at regular intervals (no more than 5 years apart).
 
 People can argue about process, RFC formats and governance but it
 should be beyond argument that any institution that cannot recruit
 younger members is going to die.
 
 -- 
 Website: http://hallambaker.com/
 
 Scanned by Check Point Total Security Gateway.

Re: Is the IETF aging?

[Yoav Nir]

On Apr 27, 2012, at 6:05 PM, Carsten Bormann wrote:

 On Apr 27, 2012, at 16:41, Yoav Nir wrote:
 
 Before 19502.9%
 1950 - 1960   16.6%
 1961 - 1970   33.7%
 1971 - 1980   32.8%
 After 198014.0%
 
 Nice bell curve, יואב, but you can't pop that soap bubble of perception with 
 the bluntness of raw data :-)

Only 350 out of 1200 people answered the survey, so all caveats about bias 
apply. It's also possible that the 20-somethings tend to sit in the back more, 
and go to the microphone less. Maybe them young'uns are too busy clicking 
Like on pictures of LOL-cats :-)

 Maybe just the areas where PHB likes to work in are growing old? :-)

The old people in the security area do tend to look older than the old people 
in other areas. Maybe the bell curve for the security area is different.

 Many of the people doing the real work in CoRE are in their 20s, or have left 
 that age range just recently.  And no, they aren't all academics.  I think we 
 have a healthy age mix, with some pretty good gray-haired input as well.
 
 I'm going to argue for an age column on the blue sheets so we get better data 
 :-)
 
 Grüße, Carsten
 
 PS.: Please, don't take any of this seriously.  Except for the CoRE age 
 statistics.
 Dave Cridland's observations also definitely don't apply to CoRE, except that 
 we do have the stunning range of experience that makes the IETF so valuable.
 
 PPS.: Is the overall median really 42?

Wait a couple of years, and most participants won't get why 42 is funny.

Re: Proposed IESG Statement on the Conclusion of Experiments

[Yoav Nir]

RFC 2026 says this about Experimental RFCs:

   The Experimental designation typically denotes a specification that
   is part of some research or development effort.

However, I do not believe that this is still typical. Authors come up with 
ideas that they think are useful. If when the documents are ready for 
publication it is still not clear whether there are enough implementers 
convinced by the use case (some definition of running code), they are 
encouraged to publish them as experimental rather than proposed standard.

I am the author of two Experimental RFCs. In both cases I was going for 
standards track, and in both cased an AD was the document shepherd and he told 
me to go for Experimental. 

The first of these (4478) has three independent, interoperable implementations 
in shipping code, although I don't know if it's used much. I am not aware of 
any implementations of the other one (6023), although there may be some. When I 
asked an AD about promoting 4478 to standards track (seeing as we have all this 
running code) his response was why bother? (these are three different ADs in 
this story...)

Neither of these can really be called an experiment except in the sense of 
let's see if the Internet needs this specification. They may be used more 
later than they are now, but they're in no way stopping. I don't see why we 
should waste precious cycles on maintaining old Experimental RFCs. Either 
they're in use or they're not, and a search engine can usually reveal this.

It may be a good idea to have former authors or ADs or volunteers write a 
paragraph that can be displayed on, say, the tools page for the RFC, along the 
lines of In seven years, this RFC has seen three independent implementations, 
but it is not in wide use, or the protocol in this RFC is used everywhere on 
the web, and this could be progressed to PS if we had the energy.

I don't think we should waste our energy by creating an RFC for each of those 
experimental RFCs.

Yoav

On Apr 19, 2012, at 11:31 PM, Adrian Farrel wrote:

 All,
 
 The IESG has been discussing how to tidy up after Experimental RFCs.
 
 We have developed the following draft IESG statement. This does not 
 represent a change in process, and continues to value Experimental RFCs
 as an important part of the IETF process. It does, however, seek to 
 encourage documentation of the conclusion of experiments.
 
 We are aware that there may be other discussion points around 
 Experimental RFCs, and we would like to discuss these, but we also
 believe that there is merit in making small, incremental improvements.
 
 The IESG would welcome your thoughts on this draft before they approve
 the final text on April 26th.
 
 Thanks,
 Adrian
 
 =
 
 IESG Statement on Conclusion of IETF Experiments
 
 
 Experiments are an established and valuable part of the IETF process.
 A number of core Internet protocols were first published as Experimental
 RFCs while the community gathered experience and carefully investigated
 the consequences of deploying new mechanisms within the Internet.
 
 In the case where an experiment leads on to the development of a  
 Standards Track RFC documenting a protocol, the new RFC obsoletes the 
 old Experimental RFC and there is a clear conclusion to the experiment.
 
 However, many experiments do not lead to the development of Standards
 Track RFCs. Instead, the work may be abandoned through lack of interest
 or because important lessons have been learned.
 
 It is currently hard to distinguish between an experiment that is still
 being investigated, and an old experiment that has ceased to be of
 interest to the community. In both cases an Experimental RFC exists in
 the repository and newcomers might easily be misled into thinking that
 it would be helpful to conduct more research into an abandoned
 experiment.
 
 In view of this, the original proponents of experiments (that is, 
 authors of Experimental RFCs, and Working Groups that requested the
 publication of Experimental RFCs) are strongly encouraged to document
 the termination of experiments that do not result in subsequent
 Standards Track work by publishing an Informational RFC that:
 
 - very briefly describes the results of the experiment
 
 - obsoletes the Experimental RFC
 
 - if appropriate, deprecate any IANA code points allocated for the 
  experiment
 
 - may request that the Experimental RFC is moved to Historic status.
 
 If there is no energy in the community for the producing such an
 Informational RFC, if the authors have moved on to other things, or if
 the Working Group has been closed down, Area Directors should author or
 seek volunteers to author such an Informational RFC.
 
 
 Scanned by Check Point Total Security Gateway.

Re: [IPsec] draft-bhatia-moving-ah-to-historic

[Yoav Nir]

On Apr 16, 2012, at 1:53 PM, Nick Hilliard wrote:

 I'd like to add a voice of support to this draft.  AH adds little except
 complication to ipsec implementations and confusion to end users.

It only adds confusion and complication in the sense that telnet adds them (ESP 
is SSH in this analogy). If you don't implement it you and your users don't get 
confused. Besides, the end users of IPsec who actually have to know what ESP is 
vs what AH is are very sophisticated. They're not the people who simply press 
Connect on their L2TP or VPN clients.

 Regarding ipv4 NATs, they are ubiquitous and will become more so once ipv4
 scarcity is realised worldwide (particularly in asia, which is currently
 the fastest growing global region, and has already reached RIR exhaustion).

Maybe, maybe not. As ISPs move large blocks of users to a combination of IPv6 
and CGN, blocks of IPv4 address space may be freed up. But regardless, NAT *is* 
going to be with us for a while, even in IPv6.

 There was a previous comment about this draft about the NAT/AH issue being
 a NAT problem rather than an AH problem.  Well, yeah, in the purest sense
 this is true, but we live in the real world and need to work within its
 limitations.  You can apply fixups and ALGs to lots of protocols which are
 NAT sensitive, but AH is cryptographically incompatible with NAT and this
 cannot be fixed.

Nothing's stopping you from proposing 4302bis, which will be compatible with 
NATs. There just isn't much demand for changing AH like that.

 I see little value in the IETF formally supporting a protocol which simply
 cannot work for most end-users on the basis of the access addressing
 provided.  Formal deprecation / designation to historic status is
 appropriate in this case.

Formal deprecation is pretty much meaningless. Consider this example:
Suppose the TICTOC working group decide that they need packet authentication 
for time signals, but not encryption. (makes sense, as they only deliver the 
time of day). They can go with either AH or ESP-Null. They also don't care 
about NAT, because NATs introduce so much jitter, that they'll ruin the 
accuracy of PTP, so PTP does not go through NAT anyway. They also first 
construct the IPsec packet, then paste the timestamp where it's needed, and 
quickly calculate the hash. If they can do this with less jitter with AH than 
with ESP, do you think they'll actually care whether they're using a current 
or historic standard?  They'll just use whatever gets the job done better.

Even historic does not mean everyone has to stop using it, even in new 
standards. It just means that you have to have a really good justification why 
you need that rather than ESP. That's the situation already. Declaring it so 
doesn't help.

 Also +1 to the following arguments:
 
 - ESP + NULL == substantially equivalent
 - less mailing list chatter

Well, this draft generated a 77-post thread. Then the mailing list got quiet 
about it, and we had three months without any mention of AH. I think moving it 
to historic creates a lot more mailing list chatter than ignoring it.

Yoav

___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

[IPsec] Fwd: New Version Notification for draft-nir-ipsecme-erx-03.txt

[Yoav Nir]

Hi all.

This is the 3rd iteration of the draft I presented about in Paris.

We would like this working group to accept this, and have it added to charter. 
Of course, if it gets accepted, we volunteer to be authors. If it is not 
accepted, we will try to progress it as an individual submission, but we 
believe that this changes IKE enough that it should come from the working group.

Yoav  Qin

Begin forwarded message:

 From: internet-dra...@ietf.org internet-dra...@ietf.org
 Subject: New Version Notification for draft-nir-ipsecme-erx-03.txt
 Date: April 12, 2012 1:33:48 PM GMT+03:00
 To: Yoav Nir y...@checkpoint.com
 Cc: sunse...@huawei.com sunse...@huawei.com
 
 A new version of I-D, draft-nir-ipsecme-erx-03.txt has been successfully 
 submitted by Yoav Nir and posted to the IETF repository.
 
 Filename:  draft-nir-ipsecme-erx
 Revision:  03
 Title: An IKEv2 Extension for Supporting ERP
 Creation date: 2012-04-12
 WG ID: Individual Submission
 Number of pages: 7
 
 Abstract:
   This document describes an extension to the IKEv2 protocol that
   allows an IKE Security Association (SA) to be created and
   authenticated using the EAP Re-authentication Protocol extension as
   described in RFC 5296bis.
 
   NOTE TO RFC EDITOR: Replace 5296bis in the previous paragraph with
   the RFC number assigned to that document.

___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Re: [vmeet] Minutes from the Paris meeting

[Yoav Nir]

On Apr 9, 2012, at 7:58 PM, Paul Hoffman wrote:

 ...are available at 
 http://www.ietf.org/proceedings/83/minutes/minutes-83-rpsreqs.txt. Send me 
 any corrections. My apologies for taking so long to do the transcription, but 
 there was a lot of good material there. There are many ideas that were 
 brought up at the meeting that should be separate threads on this list.

Interesting read. I see that the audio recording page ( 
http://www.ietf.org/audio/ietf83/ ) still doesn't have recordings for Friday. 
Any idea when that will change?

Yoav

___
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html.
https://www.ietf.org/mailman/listinfo/vmeet

Re: [IPsec] SPI Collision

[Yoav Nir]

Hi Daniel

On Apr 5, 2012, at 9:22 PM, Daniel Migault wrote:

 Hi, 
 
 I am wondering how SPI collision is considered by IKEv2, and have not found 
 any documentation on it, so if there are some, please let me know.
 
 My current understanding is that when an CREATE_CHILD_SA exchange is 
 performed the Initiator and Responder announce the SPI in the SA payload. If 
 the Initiator announces an SPI that is already used by the Responder (with 
 another peer), the Responder cannot accept this proposition and must send an 
 error message. I haven't found anything like this in RFC5996. Am I missing 
 something ?
 
 Furthermore I cannot find any message for this error. INVALID_SPI does not 
 seems to be used for the creating of an SPI, but only if an ESP/AH/IKE packet 
 comes with an unrecognized SPI. In addition it seems the Notify Payload MUST 
 be sent out of the IKE_SA Can anyone tell me which error message is used? 
 
 BR 
 Daniel

In IKE (both v1 and v2) it's always two IPsec SAs that are negotiated at the 
same time. Each side sends in its CCSA message the SPI for the inbound SA. So 
for traffic going from the initiator to the responder, it's the responder that 
chooses the SPI, while for traffic going from the responder to the initiator, 
the initiator chooses the SPI. This allows both peers to make sure that inbound 
SAs have unique SPIs.

The same guarantee cannot be made for outbound traffic. The SPI for outbound 
traffic is chosen by the peer, and one particular implementation that I'm aware 
of assigns them serially, so with many peers like that, you have a high chance 
of collision. The fact is that it is usually not a problem. In outbound IPsec 
processing the stack sees the cleartext packet, chooses an SA based on 
attributes of the packet, and constructs the protected packet based on 
encryption keys, MAC keys, the replay counter and the SPI which are part of the 
SA. The SPI is a value, not a key in the table of outbound SAs, so there's no 
harm done even if all the outbound SAs have the same SPI. 

This is different from the inbound case, where the SPI is used as a key to the 
SA table, and therefore has to be unique.

Hope this helps

Yoav

___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Re: [vmeet] Issue: is PSTN access really required?

[Yoav Nir]

On Mar 30, 2012, at 1:11 PM, Dean Willis wrote:

 From today's meeting, taking to list.
 
 Remote participation for users connecting via the PSTN though gateways into a 
 VoIP conference platform raises some issues.
 
 One of these is registration . There are hacks like PINs that can be made 
 to work.
 
 But to me, the biggest problem is that it is just really hard to make it 
 work, especially for participants on the fringe of the PSTN. Echo 
 cancellation may be impossible to provide without exceeding the 150ms latency 
 interaction/interrupt threshold determined in Brian Rosen's research.
 
 One doesn't necessarily need broadband to use IP. I've talked quite 
 successfully between participants with EDGE mobile connections. But going 
 over a long path of telephone network to a PSTN gateway, thence over IP to a 
 conference platform is a recipe for disaster.
 
 I therefore propose that our remote participation system neither require nor 
 support dial-in telephone numbers. This assumption can greatly simplify the 
 system, reduce operating expense, and reduce the probability of systemic 
 marginal failure where the system works but not well enough to actually use.
 
 Some argue that this would unfairly exclude people who can't get Internet 
 connections, but I counter that it's certainly less of an exclusion than 
 requiring them to physically attend the meeting, and it's far more unfair to 
 make an IETF meeting fail for these who are actually using the Internet to 
 participate in it.

I disagree that providing service to people connecting from PSTN or through a 
gateway from the wrong software (like Skype) needs have any effect on the 
service provided for the other remote participants. People might be excluded 
because they are behind a corporate firewall or because the particular solution 
we chose does not run on their favorite distribution of Linux or z/OS.

I also disagree with Brian's claim that 150ms is a limit for the kind of 
discussion that takes place in IETF working groups. It does apply to phone 
calls, but WG discussion tends not to be interrupt-driven. People politely wait 
their turn at the mike, with the chairs signaling the use of the floor. Not 
having the ability to connect from work (when the IETF is in  a suitable time 
zone) means having to take the day off or relying on cellular internet that 
seems to have higher latency anyways.

So I think some ability to connect via PSTN (and Skype) should be a requirement.

___
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html.
https://www.ietf.org/mailman/listinfo/vmeet

Re: [vmeet] Issue: is PSTN access really required?

[Yoav Nir]

On Mar 30, 2012, at 1:11 PM, Dean Willis wrote:

 From today's meeting, taking to list.
 
 Remote participation for users connecting via the PSTN though gateways into a 
 VoIP conference platform raises some issues.
 
 One of these is registration . There are hacks like PINs that can be made 
 to work.
 
 But to me, the biggest problem is that it is just really hard to make it 
 work, especially for participants on the fringe of the PSTN. Echo 
 cancellation may be impossible to provide without exceeding the 150ms latency 
 interaction/interrupt threshold determined in Brian Rosen's research.
 
 One doesn't necessarily need broadband to use IP. I've talked quite 
 successfully between participants with EDGE mobile connections. But going 
 over a long path of telephone network to a PSTN gateway, thence over IP to a 
 conference platform is a recipe for disaster.
 
 I therefore propose that our remote participation system neither require nor 
 support dial-in telephone numbers. This assumption can greatly simplify the 
 system, reduce operating expense, and reduce the probability of systemic 
 marginal failure where the system works but not well enough to actually use.
 
 Some argue that this would unfairly exclude people who can't get Internet 
 connections, but I counter that it's certainly less of an exclusion than 
 requiring them to physically attend the meeting, and it's far more unfair to 
 make an IETF meeting fail for these who are actually using the Internet to 
 participate in it.

I disagree that providing service to people connecting from PSTN or through a 
gateway from the wrong software (like Skype) needs have any effect on the 
service provided for the other remote. Whatever solution we choose may be 
blocked by flaky network or corporate firewall. It might require remote 
participants to take the day off to attend a single meeting.

I also disagree with the claim that the 150ms limit applies to IETF WG 
discussions. These are not equivalent to phone conversations. They are 
structured and controlled by the chairs. Even the people who are physically 
present politely wait their turn at the mike.  I think the ability to patch in 
from a PSTN or Skype should be part of the requirements.

Yoav
___
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html.
https://www.ietf.org/mailman/listinfo/vmeet

Re: [vmeet] Issue: is PSTN access really required?

[Yoav Nir]

[sorry for the resend]
___
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html.
https://www.ietf.org/mailman/listinfo/vmeet

Re: IETF.Fact.Check IETF Participants that were also at ICANN Costa Rica Meeting ?

[Yoav Nir]

Oh, this guy pre-dates RFC 4633

http://www.google.com/search?q=%22jim%20fleming%22%20site:ietf.org

On Mar 29, 2012, at 11:48 PM, Eric Burger wrote:

 I was about to say we are at a point for an RFC 4633 action. Thanks.

 On Mar 29, 2012, at 2:26 PM, JORDI PALET MARTINEZ wrote:

 Hi Jim,

 This is my last message to you as IETF Sergeant-at-arms.

 I've asked the Secretariat avoid your posts going thru the email exploder.

 Regards,
 Jordi






 -Mensaje original-
 De: Jim Fleming ietf.fact.ch...@gmail.com
 Responder a: ietf.fact.ch...@gmail.com
 Fecha: Thu, 29 Mar 2012 07:09:50 -0500
 Para: ietf ietf@ietf.org
 Asunto: IETF.Fact.Check IETF Participants that were also at ICANN Costa
 Rica Meeting ?

 IETF.Fact.Check IETF Participants that were also at ICANN Costa Rica
 Meeting ?

 https://www.ietf.org/registration/ietf83/attendance.py

 http://www.registration123.com/ICANN/CR43/

 Registration list as of: 03/29/2012
 NAME AFFILIATION COUNTRY
 AARON STEWARTCLOUD VINE  United States
 Aarón Quesada Méndez Ice Costa Rica
 Abdoul-Akim Adjibola Benin Telecoms  BENIN
 Abel Brenes  University of Cosra RicaCosta Rica
 ABELARDO FONSECA LA NACIÒN   Costa Rica
 Abiodun Olawale  Reboot Associates Ltd
 Abraham ArayaMMSoluciones Seguridad en Informatica   Costa Rica
 Abraham Djekou   AtciCote d''Ivoire
 Abraham RodriguezAgencia Datsun Nissan   Costa Rica
 Acc Va Cac   Ac Ac   CR
 Adalberto López  NIC Costa Rica
 Adam Eisner  Tucows Inc.
 Adam Peake   Glocom  Japan
 Adaobi Okeke Nigerian Communications Commission  Nigeria
 Adebiyi Oladipo  Nigeria Internet Registration Association (NIRA)   
  Nigeria
 Adebunmi Akinbo  Young Internet Professionals (YiPS)/(NiRA) dotNG   
  Nigeria
 Adela Elena Danciu   Fellowship  Romania
 Adrian Carballo  South School On Internet Governance Argentina
 Adrian GarciaISOC Costa Rica Chapter Costa Rica
 Adrian Kinderis  ARI Registry Services   Australia
 Adrián Pérez CcssCosta Rica
 Adrián Quesada Rodríguez Costa Rica
 Adrián SolanoAcoprot Costa Rica
 ADRIANA DIAZ ICANN   Costa Rica
 Adriana González Sulá Batsú  Costa Rica
 Adriana Rivero   Lacnic  Uruguay
 Adriana UlateCOSTA RICA
 AGARWAL SWAPNA   .INDIA  India
 Ague Alain   Ministry of agriculture Bénin
 Ahsan Fahmi  Pakistan
 Aimee Deziel Mad
 Akewushola Adisa Sanbak Communications CommissionNigeria
 Akinori Maemura  JPNIC   Japan
 Alain Artero European Broadcasting Union France
 Alain Berranger  Centre d'étude et de coopération internationale
  Canada
 Alain Bidron France Telecom/ETNO France
 Alain Patrick Aina   AFRIMIC Bénin
 Alan Barrett AfriNIC / ASO-ACSouth Africa
 Alan Fernández Marín Universidad de Costa Rica   Costa Rica
 Alan Fernández Marín Universidad de Costa Rica   Costa Rica
 Alan Greenberg   Alac/gnso   Canada
 Alan Gutierrez   Att Bolivia
 Alberto GomezRed.es  España
 Alberto Medrano Cáceres  Universidad NacionalCosta Rica
 Alejandra Castro Arias  Muñoz   Costa Rica
 Alejandra Fernández Bonilla  TV Channel 15, University of Costa Rica
 Costa Rica
 Alejandra ReynosoFellowship  Guatemala
 Alejandro Berrocal Valverde  Viceministrerio Telecomunicaciones MINAET
 Costa Rica
 Alejandro Cruz   Ministro de CIencia y TecnologiaCosta Rica
 Alejandro Esquivel Rodriguez Cisco Systems   Costa Rica
 Alejandro Guzman ASO AC - LACNIC - GoogleColombia
 Alejandro JimenezIce Costa Rica
 Alejandro LizNic Do  Dominican Republic
 Alejandro Moscol Fellow  PERÚ
 Alejandro PisantyISOC Mexico Mexico
 Alejandro Portilla Navarro   Radio Universidad de Costa Rica Costa 
 Rica
 Alejandro Rivera ICE Costa Rica
 Alejandro Solis  Unimer  Costa Rica
 Alex Blowers Nominet United Kingdom
 Alex Mwangangi   Municipal Council Of Mavoko KENYA
 Alex Siffrin Key-Systems GmbH
 Alex Stamos  iSEC Partners   United States
 Alexa Raad   Architelos  United States
 Alexander AlíCosta Rica
 Alexander Flores Universidad de Costa Rica   Costa Rica
 Alexander Mora   CAMTIC  Costa Rica
 Alexander Mora   Universidad de Costa Rica   Costa Rica
 Alexander OtárolaOmd Costa Rica
 Alexander Panov  Ru-Center   Russia
 Alexander Rojas  Coral Technologies  Costa Rica
 Alexander Salas Arce Oficina Digital - CentroAmerica Hosting
  Costa Rica
 Alexander Schubert   dotgay LLC  USA
 Alexander Schwertner EPAG Domainservices GmbHGermany
 Alexander Seger  Council of Europe   France
 Alexis Coto  Colegio AgropecuarioCosta Rica
 Alexis Sandoval  Ice Costa Rica
 

Re: [IPsec] ipsec-registry change for IPSEC Authentication Methods (Value 3) registration policy

[Yoav Nir]

Hi Dan

I have no opinion about the level of review needed for changes to IKEv1, and I 
share your unhappiness with the way PAKE turned out. 

If I had to guess the reasons for the slow adoption of IKEv2, I would guess 
that it's because IKEv1 (with XAuth/hybrid, Config, odd-numbered messages, and 
poor PSK support for mobile peers) just works. The big vendors have at least 
server-side support, and Microsoft has a client in Win7. I think EAP is a 
hindrance, because XAuth works better with older backend servers.

Your proposal will be more secure than XAuth and require less round trips, but 
won't integrate with AAA servers.  I think anyone who is going to go to the 
effort of implementing this (replace or update all IKEv1 endpoints) might as 
well move them to IKEv2. The big hurdle to implementing what you suggest for 
remote access is that XAuth works. 

What doesn't work is a gateway with a dynamic external IP address that doesn't 
have a certificate. But I don't see how upgrading the gateways to support your 
extension is easier than upgrading them to support IKEv2. 

Yoav

On Mar 28, 2012, at 9:49 AM, Dan Harkins wrote:

 
  Hi,
 
  Let me answer David here in a response to Yaron
 
  To be equally blunt, it is because this PAKE work became extremely
 political and I was, and still am, very unhappy with the way it turned
 out. Repeating it, this time with an obsoleted protocol, would cause
 (more) people to question my sanity-- i.e. doing the same thing and
 expecting a different result.
 
  I'd like to just get a stable reference for this minor change that
 has the potential to do good. I don't want to fight over it anymore.
 
  regards,
 
  Dan.

___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Re: [IPsec] ipsec-registry change for IPSEC Authentication Methods (Value 3) registration policy

[Yoav Nir]

On Mar 28, 2012, at 2:12 PM, Michael Richardson wrote:

 
 Yoav == Yoav Nir y...@checkpoint.com writes:
Yoav If I had to guess the reasons for the slow adoption of IKEv2,
Yoav I would guess that it's because IKEv1 (with XAuth/hybrid,
Yoav Config, odd-numbered messages, and poor PSK support for mobile
Yoav peers) just works. The big vendors have at least server-side
Yoav support, and Microsoft has a client in Win7. I think EAP is a
Yoav hindrance, because XAuth works better with older backend
Yoav servers.
 
 Let me suggest that enhancements to IKEv1 are point releases, for which
 you get with your maintenance.
 But, IKEv2 is a major release, for which the customer pays again.

I don't know about other vendors, but for us IKEv2 was introduced in a version 
called R71. Customers eventually do upgrade, whether it's to get IKEv2 or get 
one of the other features. Similarly in Windows, customers buy Windows 7 for 
the 64-bit support, or the aero interface, or for IPv6 support, and they also 
get the IKEv2. 

I don't think anyone is going to add new enhancements to old releases now, 
unless those enhancements begin with the words prevent an attack where…
___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Re: [IPsec] [ipsecme] #217: Temporary credentials

[Yoav Nir]

On Mar 26, 2012, at 9:52 AM, Michael Richardson wrote:

 
 Geoffrey == Geoffrey Huang ghu...@juniper.net writes:
Geoffrey My initial inclination is to say that won't fly: that many
Geoffrey deployments still require preshared key authentication.
Geoffrey Rather, they would object to certificates because of
Geoffrey perceived complexity. That said, I could see arguments
Geoffrey that what we're discussing are already fairly
Geoffrey sophisticated topologies, so perhaps the certificate
Geoffrey allergy doesn't hold? 
 
 Tero isn't proposing using certificates.
 
 Tero is proposing that the gateway/hub provides each leaf node with a
 gateway mediated, ASN.1 encoded, scalable, asymmetric, transitive proofs
 of identity.  It would be used only for the leaf to leaf connection.  
 It would be retained for a convenient period of time and then destroyed.

Not just leaf-to-leaf, but also leaf to any other node, even if it's not a real 
leaf.

This is beginning to look a lot like Kerberos, no?

Yoav

___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Re: [IPsec] [ipsecme] #214: Should gateways figure things out completely or just punt endpoints to a closer gateway?

[Yoav Nir]

On Mar 26, 2012, at 10:47 AM, Michael Richardson wrote:

 
 Yaron == Yaron Sheffer yaronf.i...@gmail.com writes:
Yaron I don't want to speak for MCR, but I think you are taking his
Yaron question too far towards the implementation aspects. What I
Yaron read in the question is, do we allow for a situation where
Yaron (by policy and/or because of limitations in the solution) an
Yaron endpoint cannot connect directly to the ultimate peer, but
Yaron needs instead to go through some sort of relay.
 
 You didn't take my comments too far; I think you realized that I was in
 fact saying two things:
 
 1) when traffic is redirected, MUST it be redirected directly to the
   real endpoint?  (There might be issues of in-band double NAT that
   matter if the traffic doesn't get all the way there... I dunno, IPv6
   RFC6145 is my answer to double NAT)
 
 2) when traffic is redirected, MAY it be redirected more than once?

Aren't these really the same question?  

My answer is that it's OK for redirection to happen more than once, but it's 
better to have less redirections than more.

IOW it should be a requirement that H1 (in the diagram of your previous mail) 
be able to send more information about the topology behind H2 than just B is 
behind H2, such as D and H3 are also behind H2. But A should be required to 
not expect it.

So H1 MUST be able to tell A that B is behind H2. It MAY be able to tell A that 
D is also behind H2, or that B is actually behind H3, or the actual address of 
B.

Yoav
___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

[IPsec] draft-nir-ipsecme-erx

[Yoav Nir]

Hi

This is about my presentation from the IPsecME meeting today (which for some 
reason is not on the website)

Anyways, RFC 5266 mentions that RFC 4306 must be updated to carry ERP 
messages. This caused some controversy a year ago, but regardless, I did think 
of a use case, so I partnered with Qin Wu and wrote the draft.

The use case is being able to seamlessly move between two networks were network 
access is granted or denied based on EAP. Examples are 802.1x and IKEv2. IEEE 
has already revised 802.1x so that moving between two 802.1x access points can 
use ERP to be seamless, but IKEv2 has not. a mobile device could use 802.1x 
within the corporate network and move to IPsec as soon as it leaves the 
building. MCR has called this the Elvis use case, but it actually should work 
seamlessly in the other direction, when the mobile node enters the building, 
detects the 802.1x network, establishes an association, and deletes the 
no-longer-needed IKE and child SAs.

My first priority is for this to become a WG item. It probably needs some work, 
and there is an open question about whether there is any use case for multiple 
AAA domains.

If not, I'm also fine with taking this directly to Sean.

Yoav
___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Re: [IPsec] draft-nir-ipsecme-erx

[Yoav Nir]

On Mar 26, 2012, at 6:43 PM, Tero Kivinen wrote:

 Yoav Nir writes:
 This is about my presentation from the IPsecME meeting today (which
 for some reason is not on the website) 
 
 Anyways, RFC 5266 mentions that RFC 4306 must be updated to carry
 ERP messages. This caused some controversy a year ago, but
 regardless, I did think of a use case, so I partnered with Qin Wu
 and wrote the draft. 
 
 RFC5996 says:
 
   While this document references [EAP] with the intent that new methods
   can be added in the future without updating this specification, some
   simpler variations are documented here.  [EAP] defines an
   authentication protocol requiring a variable number of messages.
 
 and
 
 A short summary of the EAP format is included here
   for clarity.
 
 So my take there is that the EAP description in the RFC5996 is just
 for clarity, and is not meant to be exhaustive, meaning it does not
 limit codes we can use in the EAP messages. 

Agree. That's why my draft calls it clarification

 
 On the other hand RFC5996 also says that:
 
   Following such an extended exchange, the EAP AUTH payloads MUST be
   included in the two messages following the one containing the EAP
   Success message.
 
 which means that as ERX uses different message to finish the
 authentication, update to the RFC5996 is needed (i.e. not to allow
 codes 5 and 6, but to say we can have EAP payloads in exchanges where
 they normally do not be and tell that EAP exchange can finish with
 these other codes too).
 
 My first priority is for this to become a WG item. It probably needs
 some work, and there is an open question about whether there is any
 use case for multiple AAA domains. 
 
 I agree it could be WG item. On the other hand I also think it might
 be quite fast document, so getting it out as individual rfc might be
 faster.

They're not necessarily faster. What the draft needs is review, especially 
regarding the assumption that multiple AAA domains are not needed. I think WG 
documents get better review, but even that is not really clear.

Yoav

___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

[websec] Issue #41

[Yoav Nir]

Hi

It was my review that triggered this, so I'd like to explain my position.

There are several things that could be considered failures of the TLS layer:
 1. Revoked certificate
 2. No CRL/OCSP response
 3. Expired certificate
 4. Expired CRL (yes, I know NextUpdate is not expiry…)
 5. Mismatch between hostname and certificate (CN or alt name)
 6. Some other things I forgot?

I believe we all agree that #1 should be a hard fail. Maybe even in the absence 
of HSTS. #2 is usually not treated as a failure today - it doesn't trigger a 
warning screen in any browser. I haven't tested this with HSTS, but I'd be 
surprised if this causes a hard fail. Same for #4.

AFAIK the most common failure cases are #3 and #5. Certificates do expire, and 
even some well-run, security conscious site administrators have been known to 
let them expire. 
Mismatching domain names is an issue, because two FQDNs might point to the same 
server. IMO this is a good argument for a report-only setting, whereas the 
expiry is something that will bite you far after your supposedly successful 
deployment.

I guess my issue with this is because when I read the draft for the first time, 
I thought this would be a good idea for websites that only do HTTPS and do not 
do HTTP except to redirect to HTTPS. I thought it would allow them to signal 
this information, and allow them to defeat HTTP-based MiTM attacks. The draft 
as it stands is not a good fit for this use case, because it requires more of 
the administrator than is currently reasonable to expect.

I could propose an HSTS-light header for this use case, but I don't think 
anybody would like to have that. 

Yoav
___
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec

[websec] Issue #42

[Yoav Nir]

Hi

This is about fetching CRLs from a domain that happens to be the same as that 
of a website. 

Obviously you can't get a CRL or an OCSP response over HTTPS. Jeff's response 
was that they should use a different domain name for the CRLs (if they want to 
deploy HSTS)

Obviously, it's too late to change AIA or CDP in existing certificates. But I 
think it goes deeper. HSTS affects what the browser is doing. Different 
resources from the same domain should all be protected by TLS. But we don't 
expect this to affect things that are outside the browser, like email or system 
updates. IMO the fetching of CRLs or OCSP responses is not part of the 
browsing, but part of the HTTPS handshake. The fact that some browsers 
implement both is besides the point. Internet Explorer uses an OS library to do 
the TLS handshake, including any checking of revocation. In fact getting the 
CRL fetch function to apply the HSTS policy would require extra effort from the 
browser implementer. 

I think we should simply say that HSTS does not apply to non-content. Fetching 
CRLs or browser software updates is not content, and HSTS should not apply to 
it.

Yoav

___
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec

Re: [IPsec] [ipsecme] #213: In use case 2.1, direct endpoint-to-endpoint connectivity may not be possible

[Yoav Nir]

Sure. A VPN host (whether client or gateway) that is behind NAT is generally 
unreachable from a random host.

To allow random hosts to get there, the VPN host needs to punch a hole in the 
NAT by sending a binding request to a STUN server. The IP routable IP address 
and port that it uses should be stored somewhere, in case some random VPN host 
wants to contact it. It has to be stored outside the VPN host itself, because 
that host is unreachable.

So if one or both of the VPN peers are behind NAT, we need some 3rd-party or 
parties to broken the NAT traversal. We need:
 - a STUN (or STUN-like) server for punching the hole
 - storage for the discovered address and port

In SIP these functions are done by the SBC.

So just like the #214 and #217 issues, we need a 3rd party to broker the 
host-2-host tunnel that we want to set up. It's tempting to assign this 
function to a hub gateway as the VPN host already has the ability to 
authenticate to it, but that should be part of the design, not the requirements

Yoav

P.S: Sorry if my SIP/RTP terminology is off. It's all based on a cursory 
reading of a Wikipedia article.

On Mar 22, 2012, at 7:58 AM, yogendra pal wrote:

I agree to what Yoav stated, that signalling part (SIP) and media part (RTP) 
both SHOULD work even if there is NAT in the configuration today. However, I 
could not get why we need to have new NAT traversal mechanism using hub 
gateway, can you elaborate on this...

Thanks and Regards,
Yogendra Pal
Ericsson, India
+91-9686202644


On Wed, Mar 21, 2012 at 6:49 PM, Yoav Nir 
y...@checkpoint.commailto:y...@checkpoint.com wrote:
direct endpoint-to-endpoint connectivity may not be possible if both endpoints 
are NATed

Why?  There are several protocols (SIP/RTP come to mind) that manage 
endpoint-to-endpoint connectivity even when both are behind NAT. Why shouldn't 
IPsec endpoints do this?

If this requires some new NAT traversal mechanism, perhaps using a hub gateway 
in place of the SIP SBC, then this should be part of the requirements.

This mechanism is needed even if only one endpoint is NATted, otherwise we're 
constraining who the initiator has to be.

Yoav

On Mar 21, 2012, at 3:31 AM, Stephen Hanna wrote:

 Another issue. Please comment on Suggested Resolution.

 Thanks,

 Steve

 -Original Message-
 From: ipsecme issue tracker 
 [mailto:t...@tools.ietf.orgmailto:t...@tools.ietf.org]
 Sent: Tuesday, March 20, 2012 6:58 PM
 To: yaronf.i...@gmail.commailto:yaronf.i...@gmail.com; 
 draft-ietf-ipsecme-p2p-vpn-prob...@tools.ietf.orgmailto:draft-ietf-ipsecme-p2p-vpn-prob...@tools.ietf.org
 Subject: [ipsecme] #213: In use case 2.1, direct endpoint-to-endpoint 
 connectivity may not be possible

 #213: In use case 2.1, direct endpoint-to-endpoint connectivity may not be
 possible

 In use case 2.1, direct endpoint-to-endpoint connectivity may not be possible
 if both endpoints are NATed.

 Suggested Resolution: Mention this in section 2.1.

 --
 -+-
  Reporter:  |  Owner:  draft-ietf-ipsecme-p2p-vpn-
  yaronf.ietf@…  |  problem@…
  Type:  defect  | Status:  new
  Priority:  normal  |  Milestone:
 Component:  p2p-vpn-|   Severity:  -
  problem|   Keywords:
 Resolution:  |
 -+-

 Ticket URL: http://trac.tools.ietf.org/wg/ipsecme/trac/ticket/213#comment:1
 ipsecme http://tools.ietf.org/ipsecme/

 ___
 IPsec mailing list
 IPsec@ietf.orgmailto:IPsec@ietf.org
 https://www.ietf.org/mailman/listinfo/ipsec
 IƧ��[�(^rC�{S�֥I�.�+r �^��

___
IPsec mailing list
IPsec@ietf.orgmailto:IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec



--


___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Re: [IPsec] [ipsecme] #219: Star topology as an admin choice

[Yoav Nir]

I don't think this is an all-or-nothing choice. You might want a mesh for VoIP, 
but a star for HTTP, FTP and mail protocols. Or you may want a mesh within your 
organization, but to trunk and inspect all traffic going somewhere else.

On Mar 21, 2012, at 3:37 AM, Stephen Hanna wrote:

 Please comment.
 
 Steve
 
 -Original Message-
 From: ipsecme issue tracker [mailto:t...@tools.ietf.org] 
 Sent: Tuesday, March 20, 2012 7:04 PM
 To: yaronf.i...@gmail.com; draft-ietf-ipsecme-p2p-vpn-prob...@tools.ietf.org
 Subject: [ipsecme] #219: Star topology as an admin choice
 
 #219: Star topology as an admin choice
 
 Some admins prefer a star topology so they can inspect traffic. They may
 not want to use this technology.
 
 Suggested Resolution: Mention this in the Security Considerations section.
 
 -- 
 -+-
 Reporter:   |  Owner:  draft-ietf-ipsecme-p2p-vpn-
  yaronf.ietf@…  |  problem@…
 Type:  defect   | Status:  new
 Priority:  normal   |  Milestone:
 Component:  p2p-vpn- |   Severity:  -
  problem|
 Keywords:   |
 -+-
 
 Ticket URL: http://trac.tools.ietf.org/wg/ipsecme/trac/ticket/219
 ipsecme http://tools.ietf.org/ipsecme/
 
 ___
 IPsec mailing list
 IPsec@ietf.org
 https://www.ietf.org/mailman/listinfo/ipsec
 �jy�u$���:-jT�r��!���

___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Re: [IPsec] [ipsecme] #213: In use case 2.1, direct endpoint-to-endpoint connectivity may not be possible

[Yoav Nir]

direct endpoint-to-endpoint connectivity may not be possible if both endpoints 
are NATed

Why?  There are several protocols (SIP/RTP come to mind) that manage 
endpoint-to-endpoint connectivity even when both are behind NAT. Why shouldn't 
IPsec endpoints do this?

If this requires some new NAT traversal mechanism, perhaps using a hub gateway 
in place of the SIP SBC, then this should be part of the requirements.

This mechanism is needed even if only one endpoint is NATted, otherwise we're 
constraining who the initiator has to be.

Yoav

On Mar 21, 2012, at 3:31 AM, Stephen Hanna wrote:

 Another issue. Please comment on Suggested Resolution.
 
 Thanks,
 
 Steve
 
 -Original Message-
 From: ipsecme issue tracker [mailto:t...@tools.ietf.org] 
 Sent: Tuesday, March 20, 2012 6:58 PM
 To: yaronf.i...@gmail.com; draft-ietf-ipsecme-p2p-vpn-prob...@tools.ietf.org
 Subject: [ipsecme] #213: In use case 2.1, direct endpoint-to-endpoint 
 connectivity may not be possible
 
 #213: In use case 2.1, direct endpoint-to-endpoint connectivity may not be
 possible
 
 In use case 2.1, direct endpoint-to-endpoint connectivity may not be possible
 if both endpoints are NATed.
 
 Suggested Resolution: Mention this in section 2.1.
 
 -- 
 -+-
  Reporter:  |  Owner:  draft-ietf-ipsecme-p2p-vpn-
  yaronf.ietf@…  |  problem@…
  Type:  defect  | Status:  new
  Priority:  normal  |  Milestone:
 Component:  p2p-vpn-|   Severity:  -
  problem|   Keywords:
 Resolution:  |
 -+-
 
 Ticket URL: http://trac.tools.ietf.org/wg/ipsecme/trac/ticket/213#comment:1
 ipsecme http://tools.ietf.org/ipsecme/
 
 ___
 IPsec mailing list
 IPsec@ietf.org
 https://www.ietf.org/mailman/listinfo/ipsec
 IƧ��[�(^rC�{S�֥I�.�+r�^��

___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Re: [IPsec] [ipsecme] #214: Should gateways figure things out completely or just punt endpoints to a closer gateway?

[Yoav Nir]

I agree that this pre-supposes that the solution will involve gateways 
figuring things out for endpoints in either one step or more than one step. 
It pre-supposes a two-tier system.

We've had a presentation in Taipei that did not involve gateways, but rather 
specialized servers carrying authoritative information, with all the IPsec 
hosts, whether gateways or endpoints querying those servers. Those servers 
could be specialized IPsec information servers, dispensing PAD and SPD entries 
through a web service, or they could be the DNS system. Either way, this is a 
different model to the one that has the information flowing through the overlay 
network.

So I agree that answering this question is pre-mature. Whatever the model, 
there will be an equivalent question, but I think it's too early now.

Yoav

On Mar 21, 2012, at 9:59 PM, Stephen Hanna wrote:

Again, this issue was based on Michael Richardson’s March 12 email, which said:

The dual trunk scenario should perhaps be further motivated and
clarified.  Are there some situations where a spoke should not contact
another spoke directly, but in fact should contact a hub closer to the
other spoke.  I can see some solutions where a hub would not have
complete knowledge of the mesh, and so would in fact simply punt a
connection closer.

I hope this clarifies the issue for you.

I think that Michael is asking an important question. There are many ways to 
solve the P2P VPN problem. One way is to have satellites with little 
configuration that connect to core gateways with lots of dynamic information. A 
core gateway (a “hub” in Michael’s parlance) can download things to a satellite 
(maybe a new SPD and PAD, credentials, etc.), thus causing some traffic from 
the satellite to be sent to a different core gateway or satellite. In that 
circumstance, I think Michael’s question is about whether the core gateway that 
a satellite initially connects (which I’ll call the “initial core gateway”) to 
should be expected to have or obtain all the information needed to configure 
the satellite or whether the initial core gateway can send the satellite to 
another core gateway where it can get more information. At least, that’s how I 
understand Michael’s question. Perhaps he can affirm or deny this 
interpretation.

Personally, I think that this question is premature. It presupposes too much 
about the eventual solution. That’s why I think it should be answered in the 
solution not included in the problem statement. Apparently, Yaron doesn’t agree 
with me. I’d like to hear more from him on this matter. Does he believe that 
all solutions to this problem (or at least all the good ones) must necessarily 
employ the model that I described above? What about a solution that doesn’t 
rely on core gateways to refer satellites but instead has satellites querying 
for the information that they need? Or one that has some external entity (not 
the core gateway) configuring the satellites? In my view, there may be many 
possible P2P VPN solutions. However, I’m not an IPsec expert. Maybe this is the 
only practical approach. I’d like to hear views from Yaron and from others on 
this topic.

Thanks,

Steve

From: ipsec-boun...@ietf.orgmailto:ipsec-boun...@ietf.org 
[mailto:ipsec-boun...@ietf.org] On Behalf Of Vishwas Manral
Sent: Wednesday, March 21, 2012 3:18 PM
To: Stephen Hanna
Cc: IPsecme WG
Subject: Re: [IPsec] [ipsecme] #214: Should gateways figure things out 
completely or just punt endpoints to a closer gateway?

Hi Steve,

This is unclear to me. Isn't it routing that we send a packet across to a 
closer gateway/ router? What does everything mean in the question below?

If we are talking about say security and routing, I think that is true. The 
logical gateway (could be multiple interactions and devices) should be able 
to provide the functionality.

Thanks,
Vishwas
On Tue, Mar 20, 2012 at 6:33 PM, Stephen Hanna 
sha...@juniper.netmailto:sha...@juniper.net wrote:
Please comment on Suggested Resolution. Note that Yaron has
already supplied his comment below.

Steve

-Original Message-
From: ipsecme issue tracker 
[mailto:t...@tools.ietf.orgmailto:t...@tools.ietf.org]
Sent: Tuesday, March 20, 2012 6:59 PM
To: yaronf.i...@gmail.commailto:yaronf.i...@gmail.com; 
draft-ietf-ipsecme-p2p-vpn-prob...@tools.ietf.orgmailto:draft-ietf-ipsecme-p2p-vpn-prob...@tools.ietf.org
Subject: [ipsecme] #214: Should gateways figure things out completely or just 
punt endpoints to a closer gateway?

#214: Should gateways figure things out completely or just punt endpoints to a
closer gateway?

 Suggested Resolution: We should not specify this in the problem statement.
 It should be specified in the solution.

 YS: sounds like a requirements-level question to me.

--
-+-
 Reporter:  |  Owner:  draft-ietf-ipsecme-p2p-vpn-
 yaronf.ietf@…  |  problem@…
 Type:  defect  | Status:  new
 

Re: [IPsec] [ipsecme] #218: Exhaustive configuration

[Yoav Nir]

+1

Not only IP addresses, but actual peers may come and go. A user database 
changes every day as employees (for example) come and go.

On Mar 21, 2012, at 9:26 PM, Vishwas Manral wrote:

Hi Steve,

Like I mentioned the problem is not just exhaustive configuration but also the 
fact that configuration parameters like IP address change.

I agree we should expand the section you mention below.

Thanks,
Vishwas

On Tue, Mar 20, 2012 at 6:37 PM, Stephen Hanna 
sha...@juniper.netmailto:sha...@juniper.net wrote:
Keeping you entertained in the week before IETF 83...

Steve

-Original Message-
From: ipsecme issue tracker 
[mailto:t...@tools.ietf.orgmailto:t...@tools.ietf.org]
Sent: Tuesday, March 20, 2012 7:03 PM
To: yaronf.i...@gmail.commailto:yaronf.i...@gmail.com; 
draft-ietf-ipsecme-p2p-vpn-prob...@tools.ietf.orgmailto:draft-ietf-ipsecme-p2p-vpn-prob...@tools.ietf.org
Subject: [ipsecme] #218: Exhaustive configuration

#218: Exhaustive configuration

 Exhaustive configuration can work fine if there are good automated
 configuration protocols.

 Suggested Resolution: Exhaustive configuration doesn't scale for
 constrained devices in large networks. Explain this in section 3.1.

--
-+-
 Reporter:   |  Owner:  draft-ietf-ipsecme-p2p-vpn-
 yaronf.ietf@…  |  problem@…
Type:  defect   | Status:  new
 Priority:  normal   |  Milestone:
Component:  p2p-vpn- |   Severity:  -
 problem|
 Keywords:   |
-+-

Ticket URL: http://trac.tools.ietf.org/wg/ipsecme/trac/ticket/218
ipsecme http://tools.ietf.org/ipsecme/

___
IPsec mailing list
IPsec@ietf.orgmailto:IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

___
IPsec mailing list
IPsec@ietf.orgmailto:IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Re: [IPsec] Some comments to the draft-ietf-ipsecme-p2p-vpn-problem-00

[Yoav Nir]

On Mar 14, 2012, at 8:00 AM, Tero Kivinen wrote:

 In section 2.1 where there is dicsussion about the endpoint to
 endpoint vpn use case, it should be noted, that this might require
 different temporary credentials. Endpoints (especially remote access
 users) do use passwords or similar credentials which cannot be
 forwarded. I.e. if the shared secret is used to authenticate the end
 node to the gateway, that same shared secret cannot be given to the
 another end point as that would allow it to impersonate the first
 peer. Also the endpoint most likely cannot access the same AAA server
 than what security gateway does, so if peer uses EAP to authenticate
 itself to the security gateway, the endpoint to endpoint vpn cannot
 use the same credentials.

Users use passwords, but endpoints can use PSKs and certificates. PSKs should 
be pairwise, so they have to be provisioned dynamically. It's all part of 
having to create the PAD entries dynamically. If we anyway have to provision 
peer's IP address/locator and identity (DN, username) we might as well also 
provision a PSK.

If we really want to authenticate users, we need to use EAP to authenticate to 
some trusted (by whom?) server. Then we can extend that authentication to other 
endpoints and gateways that are not connected to the same AAA server, perhaps 
using some mechanism like tickets or session resumption or ERP, or by having 
the gateway provision the shared secrets for the client and the other peers.

 This means that we might need to add creation of temporary credentials
 to the protocol.

I think that unless we are going to mandate a system based solely on 
certificates, that's a given.

 In section 3.1 exhaustive configuration I think it is incorrect to
 claim it does not scale, as if the configuration is pushed to all
 devices using some kind of out of band configuration tool it is
 completely possible to make extreamly large setups. Dynamic updates
 do cause some problems there, as every change might require policy to
 be pushed to every single node. I think the main problem with this
 setup is that it requires that out of band configuration system, and
 those are proprietary which means you cannot use implementations from
 different vendors. 

Take a company the size of IBM. They have 400,000 employees. Probably hundreds 
of thousands of smartphones, hundreds of thousands of PCs, and thousands of VPN 
gateways. It doesn't make sense that each smartphone holds the entire PAD for 
all this, and we haven't even mentioned partners and customers yet.  You could 
keep a kind of star topology, where the phones are secondary nodes, and they 
connect to some primary nodes (using IKE or something else). When they need to 
connect to some other primary or secondary node, they get that information from 
the primary node.

And you can have the primary nodes know everything, or make it hierarchical or 
DNS-based or something else entirely. This discovery mechanism is a big part of 
the charter item, and I think it should avoid having to push the entire policy 
to each endpoint.

 In section 3.2 about star topology it should be noted, that quite
 often adminstrators do require star topology because they want to do
 some kind of inspection for all traffic inside the vpn. This kind of
 policy might make it impossible to do endpoint to endpoint
 connections, and might limit which kind of gateway to gateway cases
 are allowed.

That's a matter of policy. Sometimes they want to inspect traffic going in and 
out of their organizational VPN, but not traffic flowing within it. So traffic 
from the Maastricht office can flow freely to the Quebec City office, and 
doesn't have to go through the New York datacenter. But traffic going to 
Facebook needs to be scanned, and goes through the datacenter.

 I do not see how the last paragraph in section 3.2 does not seem to
 belong there:
 
   The challenge is how to build large scale, fully meshed IPsec
   protected networks that can dynamically change with minimum
   administrative overhead.
 
 The section 3.2 talks about existing star topology solutions, and
 making large scale fully meshed network is not even in scope for such
 systems.

I think the point of section 3.2 is that stars are defined partly because 
they're easier (just one credential to configure on each satellite). The 
challenge is to overcome the difficulty in defining a mesh.

 
 In section 3.2 we should also mention that with proprietary approaches
 it is not clear whether they implement all checks required by the
 IPsec architecture, i.e tunnel exit checks, firewall rules, security
 policy checks etc. They might do those, or they might skip them...
 
 
 In general the current use case description was quite good, and I
 think this document is good start. 


___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Re: Add a link to the HTML version in i-d-announce mails ?

[Yoav Nir]

Even better, also add the XML2RFC output if it's available at the same time:  
http://tools.ietf.org/id/draft-name.html

for example, (just picking my own latest draft as an example): 
http://tools.ietf.org/id/draft-nir-websec-extended-origin-02.html

I don't know which drafts get this version (perhaps those submitted along with 
XML?), but they're sure easier to read than TXT.

Yoav

On Mar 6, 2012, at 3:41 PM, Xavier Marjou wrote:

 As a subscriber of the i-d-annou...@ietf.org list, I generally prefer
 reading the HTML version of the draft rather than the TXT version.
 
 I thus often need to manually rewrite the TXT link to fetch the HTML
 version of the draft. I can not believe I'm the only one.
 
 Hence, would it be possible to also include a link like
 http://tools.ietf.org/html/draft-name in the mail of the announced
 draft?
 
 Cheers,
 Xavier

___
Ietf mailing list
Ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf

Re: Add a link to the HTML version in i-d-announce mails ?

[Yoav Nir]

The XML2RFC version is not linked from there. If that was added to the Other 
versions field, that would be great.

On Mar 6, 2012, at 5:11 PM, Xavier Marjou wrote:

 With a link like https://datatracker.ietf.org/doc/draft-name/ (e.g.
 https://datatracker.ietf.org/doc/draft-nir-websec-extended-origin/ ),
 I will most often then click again on the html top right link. But I'm
 fine with it too.
 
 On Tue, Mar 6, 2012 at 3:12 PM, Russ Housley hous...@vigilsec.com wrote:
 I would be much happier with a link to the datatracker HTML version:
 https://datatracker.ietf.org/doc/draft-name/
 
 Would this meet your needs?
 
 Russ
 
 
 On Mar 6, 2012, at 8:41 AM, Xavier Marjou wrote:
 
 As a subscriber of the i-d-annou...@ietf.org list, I generally prefer
 reading the HTML version of the draft rather than the TXT version.
 
 I thus often need to manually rewrite the TXT link to fetch the HTML
 version of the draft. I can not believe I'm the only one.
 
 Hence, would it be possible to also include a link like
 http://tools.ietf.org/html/draft-name in the mail of the announced
 draft?
 
 Cheers,
 Xavier
 
 ___
 Ietf mailing list
 Ietf@ietf.org
 https://www.ietf.org/mailman/listinfo/ietf
 
 Scanned by Check Point Total Security Gateway.

___
Ietf mailing list
Ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf

Re: Add a link to the HTML version in i-d-announce mails ?

[Yoav Nir]

On Mar 6, 2012, at 11:44 PM, Julian Reschke wrote:

 On 2012-03-06 16:26, Yoav Nir wrote:
 The XML2RFC version is not linked from there. If that was added to the 
 Other versions field, that would be great.
 ...
 
 Indeed. HTMLized plain text is progress over plain text, but properly 
 generated HTML is better.
 
 But I fear we're getting close to our beloved permathread.

Pictures in RFCs?
___
Ietf mailing list
Ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf

[IPsec] P2P VPN Problem Statement - why is this hard?

[Yoav Nir]

Hi Steve

On Mar 6, 2012, at 11:54 PM, Stephen Hanna wrote:

 So please review this short document and send comments.

While the draft does a good job of describing use cases, and certain inadequate 
solutions, I think it's missing a description of why this is hard.

Even if we accept the solution of a star topology, where a satellite needs only 
have one single tunnel, there are really two choices:
 1. that each satellite know about all the protected networks of all the 
gateways in the configuration, or
 2. that satellites send all traffic to the core or hub gateways. This 
includes clear traffic (as in HTTP to facebook.com). This increased the load 
even more.

If you don't want #2, then the satellite still needs to know about every IP 
address whether it is protected by some gateway (and therefore needs to go in 
the tunnel), or not (and so packets with that destination should go out in the 
clear). Since the protected networks change, this requires that information to 
propagate throughout the network, and dynamic updates to SPD

If we don't want a star topology, the gateways or endpoints still need to know 
what is or is not encrypted. They also need to either know about all peers, or 
be able to find the peer and (securely) learn how it should authenticate. 
Either way, without a star topology, you need dynamic updates to PAD.

I think the draft should mention this.

Yoav

___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Re: [websec] I-D Action: draft-nir-websec-extended-origin-00.txt

[Yoav Nir]

Hi Tobias,

Replies inline.

On Mar 3, 2012, at 6:07 PM, Tobias Gondrom wrote:

 Hello Yoav,
 
 thank you for the interesting draft.
 
 hat=individual
 
 I have a few points as feedback:
 - the 3-tupel of origin consists of real parameters (protocol, URL, 
 port), while the introduction of the 4th tupel feels like an artificial 
 parameter extension as it is not mapped to anything visible to the 
 client and in fact will be spliced by the middle-server (vpn server). 
 This makes me very hesitant, whether this would be a good idea.

As far as the client is concerned, there is only one server. If that server 
does not give any hints to the client, it's going to treat all these different 
resources as belonging to the same origin. So it does map to something the 
server sends.

 - As Adam mentioned that there will be migration problems.
 At the moment all browsers and other systems operate on the SOP with 
 3-tupel to compare for identity. It will be difficult (read: near 
 impossible) to enforce that all deployed systems out there shall from 
 now on be compliant with a 4-tupel and no longer assume identity of two 
 sites when only the first three parameters are equal.
 
 So, although I agree that economic reasons are absolutely viable reasons 
 for such an idea, I have concerns that this draft is only a workaround 
 for certain closed areas (i.e. where a company can basically enforce 
 that all accessing clients are in fact updated using such a 4-tupel 
 policy) but will create severe consistency issues in the Internet where 
 you would then see a mix of 3-tupel and 4-tupel clients, with the risk 
 of messing up the predictability of handling of SOP.

Actually, SSL VPNs are deployed where the company has no control over the 
clients. Sure you can enforce that users only use one kind of browser, but 
typically SSL VPNs are deployed so as to support any type of client, from 
phones to desktop. Companies that have that level of control tend to equip 
their employees with laptops that run IPsec VPNs. 

However, these SSL VPN portals exist today, and hide multiple servers behind a 
single hostname and port. Typically these will be mostly internal servers with 
a few external ones. For example, our deployment has the mail server (OWA), the 
internal Wiki, The automated build system, the SAP web application, and the web 
application of an external service provider that delivers lunch. These are not 
just random sites on the Internet, but specific servers that the administrator 
has chosen. The way these are deployed now, the lunch service provider can 
steal the cookies from the mail server, or script it. Having the SSL VPN server 
provide this extra information might help security (if the browsers use that 
information). It won't make it worse.

 Maybe a question regarding the use cases:
 As in general, systems use sub-domains for such purpose (as explained by 
 you and James), I am wondering whether there are other scenarios (beyond 
 VPN) that may need this 4th origin parameter?

I guess any HTTP reverse proxy may hide multiple servers behind it. Reverse 
proxies are used for caching, load balancing, access control to web 
application. Even CDNIs are a type of reverse proxy. I believe that SSL VPNs 
are a little different. The other types of reverse proxy are typically 
installed and maintained by experts. SSL VPNs are installed and maintained by 
people whose knowledge of networking can range from NOC team material to the 
CEOs nephew who's really good with computers. So I think all reverse proxies 
could benefit from a 4th origin parameter, but I think most of the others can 
work around that need, while some SSL VPN customers can't.

Yoav

___
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

[Yoav Nir]

On Feb 26, 2012, at 2:44 AM, Mark Nottingham wrote:

 
 
 I proposed a plan that I think might allow us to make progress
 on that. I believe we could.
 
 OK, great. 
 
 Could you please explain why you think tying this effort to HTTP/2.0 is 
 necessary to achieve that? To me that's the critical bit, and I still haven't 
 seen the reasoning (perhaps I missed it).

I think I have *an* answer to this, though probably not *the* answer.

There's two stages to adoption - implementation and roll-out. Obviously you 
can't roll out new authentication before the browsers and servers implement 
it. For my website, I wouldn't roll out new auth if only one or two of the 
browsers out there implemented it. Even if all the big ones (IE, Firefox, 
Chrome, Opera) did, I would still have to provide a backwards compatibility 
authentication scheme to support older browsers. This would lead to both 
inconsistent UI and to ugly javascript that detects the browser version, and 
makes the roll-out slower.

If any HTTP/2.0 browser is bound to have new authentication it makes things 
much easier.

This could be circumvented by adding request headers that advertise 
capabilities, but I don't think we like those much.

Yoav


___
Ietf mailing list
Ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

[Yoav Nir]

On Feb 24, 2012, at 5:02 PM, Paul Hoffman wrote:

 On Feb 24, 2012, at 4:54 AM, Stephen Farrell wrote:
 
 Proposals for new HTTP authentication schemes are in scope.
 
 How would a plan like the following look to folks:
 
 - httpbis is chartered to include auth mechanism work as
 per the above (or whatever text goes into the charter)

snip/

 
 Might that be a way forward that'll give enough folks
 enough of what they want/need?
 
 
 It would, but I would like to give a counter-proposal that I think will use 
 people's different talents better:
 
 - new wg on developing http authentication mechanisms is chartered soon (BoF 
 in Paris); call it the ham wg
 - httpbis is chartered to follow the work of the ham wg and is required to 
 make sure that the authentication framework in http 2.0 works for as many of 
 the proposals from the ham wg as possible
 - ham wg is responsible for most of what you list above
 - http2.0 document says the mandatory to implement auth mechanisms are named 
 in that RFC over there, which comes from the ham wg
 
 There will be overlap in wg membership, but not nearly as much as would be 
 needed for your proposal.

I like the idea, but there is always the danger of the HAM working group either 
getting stuck with multiple non-interoperable proposals like we've seen at 
IPsecME with the PAKE work.

There is also the possibility of getting stuck with conflicting requirements. 
For example, there will be a need to use existing user databases 
(RADIUS/DIAMETER servers, LDAP directories), but that is hard to reconcile with 
the preference for ZKPs.

I'm not really worried, because HTTP/2.0 is bound to take a long time, and 
there will be plenty of opportunity for chair and ADs to step in and intervene 
if the wg actually does that.

On a more technical note, we are 12 days past the cutoff date for new BoF 
session requests, so it's probably too late for a BoF in Paris. 

Yoav

___
Ietf mailing list
Ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf

Re: IETF Last Calls and Godwin-like rules

[Yoav Nir]

On Feb 16, 2012, at 4:09 PM, Måns Nilsson wrote:

 Subject: IETF Last Calls and Godwin-like rules Date: Thu, Feb 16, 2012 at 
 09:04:03AM -0500 Quoting John C Klensin (john-i...@jck.com):
 
 ...
 
 first appearance of many no-information I support this
 endorsements from people and constituencies who are not regular
 participants on the IETF list should immediately trigger a state
 in which all further statements from that side would be
 ignored or would end the discussion entirely?
 
 Yes, I see the difficulties in figuring out the details of such
 a rule and implementing it and am mostly joking.   Mostly.
 
 I support this. 

+1
___
Ietf mailing list
Ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf

Re: IETF Last Calls and Godwin-like rules

[Yoav Nir]

On Feb 16, 2012, at 4:04 PM, John C Klensin wrote:

 A current Last Call has apparently brought on another of the
 please tell all your friends to send in supportive notes, even
 if they don't say much of anything substantive campaigns that
 we see from time to time.  When those notes come from people who
 do not routinely participate on IETF lists, they provide very
 little real information unless we have suddenly taken up voting
 or otherwise counting notes.  Whatever we might otherwise think
 of company positions, a note that said I work for xyz and we
 need this and intend to implement and deploy it would be real
 information that the community could consider where I am an
 individual and +1 does not.   Sadly, such endorsements,
 especially from people who are not active IETF participants, add
 to the noise and might prevent someone who was still genuinely
 trying to understand the pros and cons (presumably including all
 of the IESG) from seeing a new and substantive argument, no
 matter how well-grounded.
 
 I note that there are some folks in the community who seem to
 favor these campaigns when they like the cause and not if they
 do not.
 
 But I wonder whether, in the interest of noise reduction and/or
 support of our no voting, even by active participants
 position, there be any sympathy for a Godwin-like rule that the
 first appearance of many no-information I support this
 endorsements from people and constituencies who are not regular
 participants on the IETF list should immediately trigger a state
 in which all further statements from that side would be
 ignored or would end the discussion entirely?
 
 Yes, I see the difficulties in figuring out the details of such
 a rule and implementing it and am mostly joking.   Mostly.

Because we don't vote, the show of support with all the +1s really doesn't 
amount to much. I don't think even promises to implement carry much weight at 
last call. By the time some proposal has gone to last call, especially IETF 
last call, the issue of whether this will be useful to someone should have 
already been settled.

I think that an endorsement like I work for Cisco and we intend to implement 
this in every one of our products is useful. But it's not nearly as useful as 
this is a terrible idea, and doing this will prevent IPv6 from ever gaining 
traction. The objections raised in last call are really the point, not the 
endorsements.

Yoav


___
Ietf mailing list
Ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf

Re: IETF Last Calls and Godwin-like rules

[Yoav Nir]

On Feb 16, 2012, at 4:48 PM, Roger Jørgensen wrote:

 On Thu, Feb 16, 2012 at 3:34 PM, Yoav Nir y...@checkpoint.com wrote:
 snip
 I think that an endorsement like I work for Cisco and we intend to 
 implement this in every one of our products is useful. But it's not nearly 
 as useful as this is a terrible idea, and doing this will prevent IPv6 from 
 ever gaining traction. The objections raised in last call are really the 
 point, not the endorsements.
 
 
 Think I've read somewhere that the ground of good engineering (the E
 in IETF) are being able to argue against your own idea, search and
 look for flaws in it, and all in the name of testing it to see how it
 can be made even better, is it good enough? Or simple to consider the
 bigger picture, can my idea hurt the rest no matter how good it is?
 There are great and very good ideas out there that isolated are
 fantastic, but considered in just a bit bigger picture are horrible,
 they've ruin everything around them.

I agree. IPv4 forever using CGNs may work for a lot of people and a lot of 
uses. If people remain double- or triple-natted it won't matter a bit to the 
big web sites. 

It's far more important to hear what is not going to work with this solution.

It's great if you can find such deficiencies in your own ideas, but we still 
need design reviews, code reviews, QA departments and IETF last calls so that 
others can get at your idea.
___
Ietf mailing list
Ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf

Re: Variable length internet addresses in TCP/IP: history

[Yoav Nir]

On Feb 15, 2012, at 1:56 AM, Bob Hinden wrote:

 Martin,
 
 On Feb 14, 2012, at 2:45 PM, Martin Rex wrote:
 
 Brian E Carpenter wrote:
 
 Martin,
 
 One the one hand, the IETF was frowning upon NATs when they were
 developed outside of the IETF.  But if you look at the IETFs
 (lack of) migration plan, the translation that you need in order
 to make old-IPv4 interoperate with new-IPv6, is actually worse than
 an IPv4 NAT.
 
 I'm sorry, but *any* coexistence between RFC791-IPv4-only hosts and
 hosts that are numbered out of an address space greater than 32 bits
 requires some form of address sharing, address mapping, and translation.
 It doesn't matter what choice we made back in 1994. Once you get to the
 point where you've run out of 32 bit addresses and not every node can
 support 32 bit addresses, you have the problem.
 
 But what is your point?
 
 With a fully backwards compatible transparent addressing scheme,
 a much larger fraction of the nodes would have switched to actively
 use IPv6 many years ago.
 
 Right, just like they could have deployed dual stack many years ago too.
 
 The deployment problem was not due to technical issues, it was because the 
 Internet changed to only deploy new technology that generated revenue in the 
 short term.  After a lot of thought, I have come to the conclusion that it 
 wouldn't have mattered what the IETF did, we would still be facing the same 
 problems.  It wouldn't be seriously deployed until IPv4 address ran out.
 
 These if we had only done foo discussions all miss the biggest deployment 
 factor.

I disagree with that. With things that take considerable effort to develop and 
deploy, any sane business or agency would do a cost/benefit analysis, and not 
deploy unless they can see how it pays off. 

Smaller projects sometimes go under the radar. Maybe the cost-benefit analysis 
says it's not worth doing a cost-benefit analysis. When investment is low, 
people do things even without assurances that those would in fact be needed. 
I'll leave example from our employer out of this thread.

If adding support for the next IP version in products was easy (say, 1-2 
man-years for an OS, and 1-2 man months for an application), then Windows XP, 
Mac OS 10.1 and whatever Linux was running at the time and Solaris 2.9 would 
have had the support, and applications would follow quickly, long before IPv4 
addresses became scarce.

Yoav
___
Ietf mailing list
Ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf

Re: [therightkey] Paris too soon for a meeting...

[Yoav Nir]

On Feb 12, 2012, at 10:19 PM, Kai Engert wrote:

 On 12.02.2012 01:57, Stephen Farrell wrote:
 If folks wanna meet during IETF week then I'd suggest a doodle
 poll to pick a time slot.
 
 How about this?
 http://www.doodle.com/8c5s43ayqbrft5rm

That's about it, but usually we do this after the preliminary agenda has been 
posted. Also, Friday after 18:00 is a non-starter.
___
therightkey mailing list
therightkey@ietf.org
https://www.ietf.org/mailman/listinfo/therightkey

Re: Room sharing in Paris?

[Yoav Nir]

Hi Kevin

You can register at https://www.ietf.org/meeting/register.html
You can hold off on paying until early March.

That will give you the ability to edit the meeting wiki:
https://www.ietf.org/registration/MeetingWiki/wiki/ietf83

You can easily add a page there for what you're looking for.

Alternatively, you can register to the 83attendees list, and ask there. Note, 
however, that there are currently about 290 people on the list, and there has 
been no traffic. That's less than a third of the people going to the meeting
https://www.ietf.org/mailman/listinfo/83attendees

On Jan 23, 2012, at 10:04 PM, Kevin P. Fleming wrote:

 Is there an appropriate list/wiki/etc. to discuss possible room sharing 
 arrangements? I'm not going to be able to register for the event until I 
 get this worked out, so I can use the meeting-specific attendees list 
 for that purpose.
 
 If there is no such place, I'll state here that I'm interested in 
 discussing sharing a double room for IETF 83 in Paris from March 25th 
 through 31st. Contact me off-line to discuss.
 
 -- 
 Kevin P. Fleming
 Digium, Inc. | Director of Software Technologies
 Jabber: kflem...@digium.com | SIP: kpflem...@digium.com | Skype: kpfleming
 445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
 Check us out at www.digium.com  www.asterisk.org
 ___
 Ietf mailing list
 Ietf@ietf.org
 https://www.ietf.org/mailman/listinfo/ietf
 
 Scanned by Check Point Total Security Gateway.

___
Ietf mailing list
Ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf

Re: [IPsec] [IPSec]: New Version Notification for draft-zong-ipsecme-ikev2-cpext4femto-00.txt

[Yoav Nir]

So if I understand this correctly, the notarized data contains the acceptable 
mode and the allowed member groups, signed (and time-limited?) by the SeGW.

The tunneled protocol between the FAP and the core network would change, so 
that instead of the FAP sending unsubstantiated claims, it would replay the 
notarized data from the SeGW. Wouldn't this require an update of both core 
network components, SeGW and FAPs?

I would think that the SeGW could instead look at the decrypted protocol 
between the FAP and the core network  (it is decrypting it after all), and 
block it if it contains lies. A change like this would require modifying only 
the SeGW. I may be showing some serious firewall vendor bias here...

Anyway, yes, your clarification helped me very much.

Regarding the term notarized, I would prefer not to bring in a new term that 
is burdened with other meaning. But legal notaries are obscure enough that it 
doesn't matter much. Perhaps some explanation as to what it means in the draft 
would help.


You are correct in the draft, that it is out of scope for the working group 
what the exact content of the new attribute is. However, the CP payload is 
contained in the biggest packet of all of IKE - the IKE_AUTH packets. Can you 
tell us how large these attributes may be? Since IKE is still UDP-only, size 
matters very much.

Thanks

Yoav


From: zong.zaif...@zte.com.cn [mailto:zong.zaif...@zte.com.cn]
Sent: 21 January 2012 11:08
To: Yoav Nir
Cc: ipsec@ietf.org
Subject: 答复: Re: [IPsec] [IPSec]: New Version Notification for 
draft-zong-ipsecme-ikev2-cpext4femto-00.txt


Hi Yoav:

Thank you for your email. Regarding to your question on what is the malicious 
FAP lying about, I would like to give you some further background. In real 
femto deployment, not every mobile terminal is allowed to attach via an FAP. In 
fact, in the real deployment, there are 3 kinds of FAPs: open mode FAP, close 
mode FAP, and hybrid mode FAP. The open mode means that the FAP is open to 
everyone, close mode means the FAP only allows a closed group of members to 
access, and the hybrid mode means that the FAP is open to everyone, but only a 
closed group of members will have higher priority or have authority to visit 
certain resources.

According to some SDO (e.g. 3GPP), the access control of the mobile terminals 
attaching via a FAP is done in core network, thus, it is the core network that 
decide whether the mobile terminal can attach to an FAP. In order to help the 
core network make decision on whether the mobile terminal can attach to an FAP, 
the FAP needs to send information, such as the mode of the FAP, and the allowed 
member group of the FAP, to the core network. A compromised FAP could send 
false mode and false allowed member group to the core network, so that a not 
allowed mobile terminal could be allowed by the core network.

I wish the above clarification helps you understand the problem.

Regarding to the term notarized, since I am green to this group, I am not sure, 
do you prefer to replace the notarize with signature? Please let me know, thank 
you!


BR
Zaifeng




Yoav Nir y...@checkpoint.com

2012-01-21 15:30

收件人
zong.zaif...@zte.com.cn zong.zaif...@zte.com.cn
zong.zaif...@zte.com.cn
抄送
ipsec@ietf.org ipsec@ietf.org
主题
Re: [IPsec] [IPSec]: New Version Notification for
draft-zong-ipsecme-ikev2-cpext4femto-00.txt





Hi Zaifeng

Reading your draft, I'm trying to understand the problem you are solving. It is 
about the FAP being compromised and sending false information through the 
tunnel.

What is the malicious FAP lying about?
How does sending some information (does notarized mean signed?) from the 
SeGW to the (compromised) FAP help?

One general comment: notarized is a legal term, similar to signature. 
Although there is some analogy between the legal concept of signature and the 
digital signatures, such analogies only go so far. Using such a borrowed term 
has IMHO led to more confusion than clarity. I would rather not use legal terms 
in protocols (although protocol is also a borrowed term)

Thanks,

Yoav

On Jan 20, 2012, at 8:40 AM, zong.zaif...@zte.com.cn 
zong.zaif...@zte.com.cn wrote:


 Hi Folks:

 There is a new draft available that some of you may be interested
 in looking at.

 The draft is available via the following link:
 http://www.ietf.org/id/draft-zong-ipsecme-ikev2-cpext4femto-00.txt

 Please send your comments to the list. Thanks!


 BR
 Zaifeng



___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Re: [websec] preparing for Paris

[Yoav Nir]

I believe that Alexey has requested a session on 19-Dec.

On Jan 17, 2012, at 7:08 PM, Peter Saint-Andre wrote:

 Just a friendly reminder that WG sessions for IETF 83 need to be
 scheduled less than 2 weeks from now:
 
 http://www.ietf.org/meeting/cutoff-dates-2012.html#IETF83
 
 Peter

___
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec

Re: [websec] #34: HSTS cache manipulation and misuse by server enabled by wildcard cert

[Yoav Nir]

Interesting. 

But I don't see how subdomains help. If I have a website called 
charcount-5.example.com, and I use a wildcard *.example.com certificate, the 
HSTS entry is still written for charcount-5.example.com. Adding subdomains 
would affect *.charcount-5.example.com, not 0-H.example.com.

I wouldn't want to force the includeSubdomains, as there may be valid reasons 
to have a subdomain of example.com that is HTTP, whereas the decision on buying 
a wildcard certificate is a matter of cost and convenience.

Yoav

On Jan 15, 2012, at 4:52 AM, websec issue tracker wrote:

 #34: HSTS cache manipulation and misuse by server enabled by wildcard cert
 
 See..
 
 The Double-Edged Sword of HSTS Persistence and Privacy --  by Mikhail
 Davidov
 http://haxsys.net/2011/04/the-double-edged-sword-of-hsts-persistence-and-
 privacy/
 
 summary:
 
 This technique allows a web app on one domain to surreptitiously send a
 message to another web app on another domain via manipulation of the HSTS
 cache...
 
 If server wields a wildcard cert, eg for *.example.com, then example.com
 can create any number of subdomains of example.com, with any subdomain
 name, and then direct user agents to fetch resources from these
 subdomains. If HSTS Policy is returned for each of these subdomains, and
 includeSubDomains is not used, then any number of entries will be created
 in in the user agent's HSTS store. E.g., an web page like the below would
 accomplish this..
 
   [img]https://charcount-5.example.com/setbit.png[/img]  -- this
 stores the char count of the msg
 
   [img]https://0-H.example.com/setbit.png[/img]
   [img]https://1-E.example.com/setbit.png[/img]
   [img]https://2-L.example.com/setbit.png[/img]
   [img]https://3-L.example.com/setbit.png[/img]
   [img]https://4-O.example.com/setbit.png[/img]
 
 
 These entries can be read back by some other web application under some
 other domain name by causing the user agent to send HTTP requests to
 example.com in order to brute-force the character count subdomain name --
 the server responds whether the name is available over just http -- which
 means it is a miss, or over HTTPS, which is a hit..
 
   http://charcount-1.trackingexampledomain.com/getbit.png [ Server: HTTP ]
   http://charcount-2.trackingexampledomain.com/getbit.png [ Server: HTTP ]
   http://charcount-3.trackingexampledomain.com/getbit.png [ Server: HTTP ]
   http://charcount-4.trackingexampledomain.com/getbit.png [ Server: HTTP ]
   http://charcount-5.trackingexampledomain.com/getbit.png [ Server: HTTPS!
 ]   -- msg char count is 5
 
 Then the web app can brute force each character of the message in a
 similar fashion.
 
 the original message-sending domain web app can clear the cached message
 by causing the user agent to re-request resources from the same dubdomains
 and returning a HSTS header for each with max-age=0.
 
 For a resolution, Mikhail suggests..
 
 My proposal is to amend the draft to force the includeSubDomains flag on
 wildcard certificates. This would limit them to only one entry in the
 browsers HSTS database and make the technique above prohibitively
 expensive to non-CA owners as a separate signed SSL certificate would be
 needed for every bit of information stored and limit encoding options.
 
 -- 
 -+-
 Reporter:   |  Owner:  draft-ietf-websec-strict-transport-
  jeff.hodges@…  |  sec@…
 Type:  defect   | Status:  new
 Priority:  major|  Milestone:
 Component:  strict-  |Version:
  transport-sec  |   Keywords:
 Severity:  Active WG|
  Document   |
 -+-
 
 Ticket URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/34
 websec http://tools.ietf.org/websec/
 
 ___
 websec mailing list
 websec@ietf.org
 https://www.ietf.org/mailman/listinfo/websec
 IƧ��[�(^rC�{S�֥I�.�+r�^��

___
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec

Re: [IPsec] Large Scale VPN

[Yoav Nir]

Hן Mike
On Dec 22, 2011, at 3:16 AM, Mike Sullenberger wrote:

 Everyone,
 
 I noticed that in the four vendor presentations in the P2P VPN - side
 meeting in TAIPEI that none of vendors chose to extend or augment IKE/IPsec
 to solve this class of problems.  This is not to say that vendors haven't
 chosen to extend IKE/IPsec to solve other classes of issues, I.e. XAuth and
 Mode-config.
 
 My firm belief is that IKE/IPsec is at the wrong level to solve or
 standardize the creation of encrypted dynamic mesh networks.  DMVPN, as one
 example, has for over 8 years solved this issue by using protocols that are
 specifically designed for the different needs for creating encrypted dynamic
 mesh networks.  If you modify IKE/IPsec to perform these functions then you
 will end up having to add (redo) the functionality of already existing
 protocols in IKE/IPsec and the result will not be able to do as good a
 job.

I believe that IPsec tunnels work very well. The current standards lack two 
things:
 1. The ability to discover how to get to some address (what is the next gateway
to which I should establish a tunnel
 2. The ability to establish trust between two gateways. It's not enough to 
find 
an IP address for the next hop, you also need to learn how to 
authenticate 
it.

Routing protocols can do #1 on real networks. Running them on tunnels seems to
be like using links as metaphors for tunnels. But that's just my bias.
They don't do much for #2 unless you extend them, and then you might as well 
extend any other protocol.

 
   1. I have no problem with creating a problem statment including use
  cases, but I am not sure how usefull this will be coming from the
  ipsecME WG when the solution for the problem statement shouldn't
  be done in IKE/IPsec.

I think the solution is for the IPsecME group regardless of whether it is in 
IKE, in a web service, or in a combination of mGRE, NHRP and OSPF. This is 
about building large scale IPsec VPNs, and that's the job of the IPsecME group, 
even if it involves extending a routing protocol.

   2. I don't see how nor why the ipsecME WG should be involved in vendors
  publishing an informational RFCs about their solutions. I didn't think
  that there is a need for a WG's approval or help to publish an
  informational RFC.
 
  Note, we (Cisco) have said that we are willing to submit an
  informational RFC about DMVPN and having it ready by August 2012 is
  fine.

The term I used was review and help publish. It's going to be an 
Informational document describing an existing technology. Of course the WG has 
no input on the technical issues in DMVPN. The comments you'll be able to get 
from the group are along the lines of section #3 is not clear, or could you 
rephrase section 2.3 in RFC 4301 terminology?, not let's change the encoding 
here to XML

   3. Again I firmly believe that a standardized solution to encrypted
  dynamic mesh networks should not be done by modifying IKE/IPsec.
  Therefore the ipsecME WG is the not the right IETF WG to analyze and
  or select a solution.

I think otherwise, regardless of the specific technology.

   4. At least three vendors (Cisco, Juniper and Alcatel) have very
  successfully implemented large-scale encrypted dynamic mesh networks
  by using IKE/IPsec for encryption, GRE for protocol independent
  tunneling, NHRP for endpoint discovery and Routing protocols (even
  static routing) for the routing/forwarding of data traffic (subnets)
  through the encrypted tunnels.

I seem to remember from the Juniper presentation that they did not use GRE 
(except as a Cisco compatibility feature - Check Point has that too). No idea 
about Alcatel
 
 I therefore vote against this change to the ipsecME WG charter.
 
 -1
 
 Thanks,
 
 Mike Sullenberger
 
 If we want Paul and Yaron to take this to our AD, we need to show
 that there are more people who think these work items are a good
 idea. More people than just me and MCR.  So please show your
 support (or objections!) soon. An I think this is a good idea,
 I think we should use ternary logic, or +1 is all it takes.
 
 Yoav
 
 On Dec 8, 2011, at 10:06 PM, Yoav Nir wrote:
 
 Agree. How about:
 
 In an environment with many IPsec gateways and remote clients that
 share an established trust infrastructure (in a single
 administrative domain or across multiple domains), customers want
 to get on-demand point-to-point IPsec capability for efficiency.
 However, this cannot be feasibly accomplished only with today's
 IPsec and IKE due to problems with address lookup, reachability,
 policy configuration, etc.
 
 The IPsecME working group will handle this large scale VPN problem
 by delivering the following:
 
 * The working group will create a problem statement document
  including use cases, definitions and proper requirements for
  discovery and updates. This document would be solution-agnostic.
  Should reach WG last call

Re: [IPsec] Question about ECDSA cert usage for IKEv2 auth

[Yoav Nir]

On Dec 22, 2011, at 9:07 PM, Gaurav Poothia wrote:

Hello,
The basic IKEv2 cert auth mechanism for RSA (from RFC 5996) seems to be to hash 
using SHA-1 before signing.

However when using ECDSA certs for IKEv2 I am trying to make sure I am reading 
RFC 4754 correctly when it says the following:
“Moreover, ECDSA cannot be specified for IKEv2
   independently of an associated hash function since IKEv2 does not
   have a transform type for hash functions.  For this reason, it is
   necessary to specify the hash function as part of the signature
   algorithm.  Furthermore, the elliptic curve group must be specified
   since the choice of hash function depends on it as well.  As a
   result, it is necessary to specify three signature algorithms, named
   ECDSA-256, ECDSA-384, and ECDSA-521.  Each of these algorithms
   represents an instantiation of the ECDSA algorithm using a particular
   elliptic curve group and hash function.  The three hash functions are
   specified in [SHS].  For reasons of consistency, this document
   defines the signatures for IKE in the same way.

Digital
   Signature
   AlgorithmElliptic Curve GroupHash Function
  --------
   ECDSA-256  256-bit random ECP groupSHA-256
   ECDSA-384  384-bit random ECP groupSHA-384
   ECDSA-521  521-bit random ECP groupSHA-512”

Does this mean we proceed just like RSA here but hash with SHA-256 and not 
SHA-1 for ECDSA-256 cert and then proceed to sign as usual.
Similarly use SHA-384 and SHA-512 for ECDSA-384 and ECDSA-521 respectively.
Is that the correct reading of this excerpt?

Hi Gaurav

This is pretty much correct. With ECDSA you first hash with the specified hash 
function, and then sign the hash with the ECDSA group. Note how the numbers 
almost match up, so the size of the has is exactly the size of the buffer to be 
signed.

This is different from RSA, where the hash is much shorter than the buffer to 
be signed. Even the longest hash anyone uses has only a 512-bit output, while 
1024-bit signatures are considered too short these days, and 512-bit signatures 
are apparently grounds for blacklisting a CA. With RSA you use the 
RSASSA-PKCS1-v1_5 signature scheme, and that includes an identifier for the 
hash algorithm, so you can use any hash you want.

Hope this helps

Yoav



___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

[openssl.org #2663] Apparent bug in the x86 ghash function

[Yoav Nir via RT]

Hi

I've compiled a recent SNAP of OpenSSL 1.0.1 (from 18/12). I am pretty sure 
that the assembly language code generated for the ghash function (in 
ghash-x86.s) is incorrect.

The gcm_init_4bit() function generates a 16-entry table of 128-bit values, to 
be used as a multiplication table. The first value is always zero, while the 
others usually aren't.

The supposedly equivalent gcm_init_clmul() function does not touch indexes 2-16 
of the table, and pushes two usually non-zero entries into the first two 
entries of the table.

Notice how %edx holds a pointer to the Htable, while %eax holds a pointer to H. 
The final two lines of the function put a value in the first ((%edx)) and 
second (16(%edx)) positions of the table. Clearly, this is wrong.

.globl  gcm_init_clmul
.type   gcm_init_clmul,@function
.align  16
gcm_init_clmul:
.L_gcm_init_clmul_begin:
movl4(%esp),%edx
movl8(%esp),%eax
call.L010pic
.L010pic:
popl%ecx
leal.Lbswap-.L010pic(%ecx),%ecx
movdqu  (%eax),%xmm2
pshufd  $78,%xmm2,%xmm2
pshufd  $255,%xmm2,%xmm4
movdqa  %xmm2,%xmm3
psllq   $1,%xmm2
pxor%xmm5,%xmm5
psrlq   $63,%xmm3
pcmpgtd %xmm4,%xmm5
pslldq  $8,%xmm3
por %xmm3,%xmm2
pand16(%ecx),%xmm5
pxor%xmm5,%xmm2
movdqa  %xmm2,%xmm0
movdqa  %xmm0,%xmm1
pshufd  $78,%xmm0,%xmm3
pshufd  $78,%xmm2,%xmm4
pxor%xmm0,%xmm3
pxor%xmm2,%xmm4
.byte   102,15,58,68,194,0
.byte   102,15,58,68,202,17
.byte   102,15,58,68,220,0
xorps   %xmm0,%xmm3
xorps   %xmm1,%xmm3
movdqa  %xmm3,%xmm4
psrldq  $8,%xmm3
pslldq  $8,%xmm4
pxor%xmm3,%xmm1
pxor%xmm4,%xmm0
movdqa  %xmm0,%xmm3
psllq   $1,%xmm0
pxor%xmm3,%xmm0
psllq   $5,%xmm0
pxor%xmm3,%xmm0
psllq   $57,%xmm0
movdqa  %xmm0,%xmm4
pslldq  $8,%xmm0
psrldq  $8,%xmm4
pxor%xmm3,%xmm0
pxor%xmm4,%xmm1
movdqa  %xmm0,%xmm4
psrlq   $5,%xmm0
pxor%xmm4,%xmm0
psrlq   $1,%xmm0
pxor%xmm4,%xmm0
pxor%xmm1,%xmm4
psrlq   $1,%xmm0
pxor%xmm4,%xmm0
movdqu  %xmm2,(%edx)
movdqu  %xmm0,16(%edx)
ret
.size   gcm_init_clmul,.-.L_gcm_init_clmul_begin
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: [IPsec] Large Scale VPN

[Yoav Nir]

Hi all

If we want Paul and Yaron to take this to our AD, we need to show that there 
are more people who think these work items are a good idea. More people than 
just me and MCR.  So please show your support (or objections!) soon. An I 
think this is a good idea, I think we should use ternary logic, or +1 is 
all it takes.

Yoav

On Dec 8, 2011, at 10:06 PM, Yoav Nir wrote:
 
 Agree. How about:
 
 In an environment with many IPsec gateways and remote clients that share an 
 established trust infrastructure (in a single administrative domain or across 
 multiple domains), customers want to get on-demand point-to-point IPsec 
 capability for efficiency. However, this cannot be feasibly accomplished only 
 with today's IPsec and IKE due to problems with address lookup, reachability, 
 policy configuration, etc.
 
 The IPsecME working group will handle this large scale VPN problem by 
 delivering the following:
 
 * The working group will create a problem statement document including use 
 cases, definitions and proper requirements for discovery and updates. This 
 document would be solution-agnostic. Should reach WG last call around October 
 2012.
 
 * The working group will review and help publish Informational documents 
 describing current vendor proprietary solutions. These should be ready for 
 IETF last call by August 2012.
 
 * The working group will choose a common solution for the discovery and 
 update problems that will satisfy the requirements in the problem statement 
 document. The working group may standardize one of the vendor solutions, a 
 combination, an superset of such a solution, or a new protocol.

___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

[IPsec] Large Scale VPN

[Yoav Nir]

Hi all.

The discussion has died down a bit, so I thought I'd chime in with proposed 
charter text. What do people think of the following?  The first paragraph is 
taken from Steve's email of 18-Nov.

Yoav


In an environment with many IPsec gateways and remote clients that share an 
established trust infrastructure (in a single administrative domain or across 
multiple domains), customers want to get on-demand mesh IPsec capability for 
efficiency. However, this cannot be feasibly accomplished only with today's 
IPsec and IKE due to problems with address lookup, reachability, policy 
configuration, etc.

The IPsecME working group will handle this large scale VPN problem by 
delivering the following:

* The working group will create a problem statement document including use 
cases, definitions and proper requirements for discovery and updates. This 
document would be solution-agnostic. Should reach WG last call around October 
2012.

* The working group will review and help publish Informational documents 
describing current vendor proprietary solutions. These should be ready for IETF 
last call by August 2012.

* The working group will choose a common solution for the discovery and update 
problems that will satisfy the requirements in the problem statement document. 
The working group may consider multiple proposals, and then choose one to bring 
to the standards track.
___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Re: [IPsec] Large Scale VPN

[Yoav Nir]

On Dec 8, 2011, at 6:04 PM, Paul Hoffman wrote:

 
 On Dec 8, 2011, at 1:55 AM, Yoav Nir wrote:
 
 In an environment with many IPsec gateways and remote clients that share an 
 established trust infrastructure (in a single administrative domain or 
 across multiple domains), customers want to get on-demand mesh IPsec 
 capability for efficiency. However, this cannot be feasibly accomplished 
 only with today's IPsec and IKE due to problems with address lookup, 
 reachability, policy configuration, etc.
 
 I don't think mesh is a well-defined term here. How about point-to-point?

point to point sounds to me too much like the old host-to-host IPsec idea that 
never quite took off. I know this is part of Chris's use case, but I don't 
think that's our main focus. I can live with either point-to-point or mesh, but 
either way we'll have to define it in the first deliverable.

 
 The IPsecME working group will handle this large scale VPN problem by 
 delivering the following:
 
 * The working group will create a problem statement document including use 
 cases, definitions and proper requirements for discovery and updates. This 
 document would be solution-agnostic. Should reach WG last call around 
 October 2012.
 
 * The working group will review and help publish Informational documents 
 describing current vendor proprietary solutions. These should be ready for 
 IETF last call by August 2012.
 
 * The working group will choose a common solution for the discovery and 
 update problems that will satisfy the requirements in the problem statement 
 document. The working group may consider multiple proposals, and then choose 
 one to bring to the standards track.
 
 We would need a deadline for the last item. I suggest December 2013.

Works for me. I was hesitant to suggest a date.
___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Re: [IPsec] Large Scale VPN

[Yoav Nir]

On Dec 8, 2011, at 8:14 PM, Yaron Sheffer wrote:

 We as a group can commit to deliverable #1 and #3 (problem statement and 
 standardized solution). But deliverable #2 (vendor protocols) is mostly 
 out of our hands.

That's why I used review and help rather than write or produce.

 So before we approve this charter, I would like to 
 hear from people that represent vendors that they can commit to publish 
 such a draft for their favorite solution. With a mostly complete -00 
 draft in, say, 4/2012. Please respond to the list or privately to Paul 
 and myself.
 
 Also, I suggest to replace the sentence The working group may consider 
 multiple proposals, and then choose one to bring to the standards 
 track. by The working group may standardize one of the vendor 
 solutions, a combination of several, or a new protocol. The latter is 
 clearer, at least to me.

Agree. How about:

In an environment with many IPsec gateways and remote clients that share an 
established trust infrastructure (in a single administrative domain or across 
multiple domains), customers want to get on-demand point-to-point IPsec 
capability for efficiency. However, this cannot be feasibly accomplished only 
with today's IPsec and IKE due to problems with address lookup, reachability, 
policy configuration, etc.

The IPsecME working group will handle this large scale VPN problem by 
delivering the following:

* The working group will create a problem statement document including use 
cases, definitions and proper requirements for discovery and updates. This 
document would be solution-agnostic. Should reach WG last call around October 
2012.

* The working group will review and help publish Informational documents 
describing current vendor proprietary solutions. These should be ready for IETF 
last call by August 2012.

* The working group will choose a common solution for the discovery and update 
problems that will satisfy the requirements in the problem statement document. 
The working group may standardize one of the vendor solutions, a combination, 
an superset of such a solution, or a new protocol.

___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Re: [IPsec] Preparing a charter change for P2P VPN

[Yoav Nir]

On Nov 21, 2011, at 10:09 PM, Stephen Hanna wrote:

 The conclusion of Wednesday night's P2P VPN side meeting
 was that we would start a new thread on the proposed
 ipsecme charter change and resolve the open questions
 by email. Let's start off with the text that came out
 of Wednesday's meeting and the questions raised there.
 
 The text from the meeting describing the problem to
 be solved was:
 
 In an environment with many IPsec gateways and remote
 clients that share an established trust infrastructure
 (in a single administrative domain or across multiple
 domains), customers want to get on-demand mesh IPsec
 capability for efficiency. However, this cannot be
 feasibly accomplished only with today's IPsec and IKE
 due to problems with address lookup, reachability,
 policy configuration, etc.
 
 And the main open questions from the meeting were:
 
 * Should we create a problem statement and requirements
  draft?

Yes, but I wouldn't mind if that PS/Requirements/Use-case document never got 
published. It's a means, not an end.

 * Should we create a Standards Track document with
  the solution or just document existing proprietary
  vendor solutions in Informational RFCs?

Both.

Yoav
___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Re: [IPsec] IKEv2 and ERP

[Yoav Nir]

On Aug 6, 2011, at 10:37 PM, Yoav Nir wrote:

 Hi
 
 At the meeting in Quebec, I gave a presentation at the hokey meeting about 
 http://tools.ietf.org/html/draft-nir-ipsecme-erx .
 
 The draft covers using the EAP extensions for re-authentication in IKEv2. The 
 obvious (to me) use-case is a phone connected to a 802.1x network. As you 
 leave the building, the same phone automatically using IKEv2 over a 3G 
 network without the user authenticating, by using the handed-over keys from 
 802.1x.
 
 ERP (RFC 5296) works in two cases:
 1. when the new AAA backend and the old AAA backend are the same, and
 2. when they are different - you connect to a local EAP server
 
 There is an open question here. Obviously, when you use EAP for 802.1x or PPP 
 or some other network access, you often connect to a local Authenticator that 
 is not the same as your home network. But is this relevant in IKEv2?  IKEv2 
 is used over the Internet. Why would you ever want to connect to a server 
 other than your home (or a server that relies on the same AAA backend)
 
 In other words: is there a use-case for connecting to a local rather than a 
 home server in IKE, a use-case that uses EAP.
 
 My feeling is that the answer is no, and there were some phone operators in 
 the room who agreed with me. Someone did bring up the case of host-to-host 
 IPsec, but I don't think that ever uses EAP.
 
 Does anybody have different thoughts about this?

(crickets)

As there were no replies to this email, and as there was pretty much an 
uncalled consensus at the HOKEY meeting, I have submitted version -02 of the 
draft with an extra paragraph in section 3.2 to explain that roaming to a 
different EAP server scenario is probably not relevant.

http://www.ietf.org/internet-drafts/draft-nir-ipsecme-erx-02

I would be happy for this to become a working group item, but if not, I would 
like to take it to our ADs (not sure which one, as this involves both IPsecME 
and HOKEY). I would also appreciate any suggestions for the Security 
Considerations section, other than just moving the rest of section 3.2 into it.

Yoav
___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Re: [IPsec] P2P VPN - Side Meeting

[Yoav Nir]

On Nov 18, 2011, at 2:06 AM, Nico Williams wrote:

 On Wed, Nov 16, 2011 at 8:17 PM, Yoav Nir y...@checkpoint.com wrote:
 On Nov 17, 2011, at 9:31 AM, Paul Wouters wrote:
 But seriously, IPsec tunnels are based on RFC 4301 and there SPDs and PADs 
 are static, so there is only one peer where a particular source IP might 
 come from.
 
 Openswan supports MARKing the packet based on which SPI the packet
 came out of, ip_conntrack then follows its around and reply packets
 get the MARK as well, so we know which tunnel to send it to despite the
 overlapping IP address on the client end. We even provide a setsockopt()
 option so you MARK your socket before connecting to 192.168.1.1 and the
 kernel knows which SPI to send the packet to. And each IPsec policy can
 optin to allowing a range that would overlap.
 
 Yeah, we do something similar. We are a stateful firewall, so every packet 
 is associated with a connection (well defined for TCP, SCTP; kind of bogus 
 for UDP), and every connection is associated with a tunnel, so outbound 
 packets get to use the correct SA (or at least one matching the SA that 
 inbound packets came through).
 
 Oh, this is good news.  It means you're both close to having RFC5660
 implemented :)

Yeah, except without those pesky APIs. :-)
___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

[IPsec] P2P-VPN - Side Meeting - Announcement

[Yoav Nir]

Posting again with a different subject so that this doesn't drown in the other 
back and forth. Please do not reply to this message.

Hi.

Steve has come up with a formulation for the subject for discussion tonight:

In an environment with many IPsec gateways and remote clients that share an 
established trust infrastructure (single domain or multi-domain), customers 
want to get full mesh IPsec connectivity for efficiency. However, this cannot 
be feasibly accomplished only with today's IPsec and IKE due to problems with 
address lookup, reachability, policy configuration, etc. We aim to solve this 
problem in an interoperable manner using IPsec and IKE and other new or 
existing IETF standards.

The draft does contain other use cases, which I will mention in my 
presentation, but the above use case will get most of the attention. 

Those of you wishing to download the presentation material:
- Original format (1.3 MB)
http://dl.dropbox.com/u/28687906/P2P-VPN.zip

- Converted to PDF (56.3 MB)
http://dl.dropbox.com/u/28687906/P2P-VPN-PDF.zip

During the Plenary meeting (16:30-19:30 local time) I will be in the Jabber 
room most of the time, so if you remote participants want to test it, and say 
hi, go ahead.

Otherwise see y'all at 20:00 in room 101D.

Yoav

On Nov 14, 2011, at 10:09 AM, Yoav Nir wrote:

 Hi all
 
 This is to announce a side meeting about peer to peer VPN, as described in 
 our recently published draft: 
 http://tools.ietf.org/html/draft-nir-ipsecme-p2p-00
 
 In the meeting we will discuss the use case of directly connecting two IKE 
 implementations that already have a path of trust between them, for example 
 turning star topologies into meshes. The introduction of strangers (AKA 
 opportunistic encryption) is explicitly out of scope for this meeting.
 
 Where:   TICC building, room 101-D
 When:Wednesday, 16-Nov, at 20:00 (8:00 PM) local time
 Jabber:  xmpp:ipse...@jabber.ietf.org?join
 Streaming audio: http://ietf82streaming.dnsalias.net/ietf/ietf824.m3u
 
 Tentative Agenda:
 - A 20-minute presentation about the draft
 - 3-5 really short presentations about existing proprietary (or not) solutions
 - Open discussion on the problem (which will inevitably get into solutions)
 - Next Steps (this is when we ask the who will edit/contribute/review)
 
 Note:
 the streaming audio may or may not work. They don't switch off the audio 
 after hours, but you won't get support from the NOC team either.
 If that fails, we'll try to make do with Skype ( 
 http://portal.campaigncc.org/SkypeConferencing ), but that is at best a 
 best-effort solution.

___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Re: [IPsec] P2P VPN - Side Meeting

[Yoav Nir]

OK. A dumber but more practical question: Do you have any idea how we can get 
microphones? 

The projector is indeed here, but the microphones seem to be missing.

Keeping the audio stream running all night doesn't help if the mikes are gone...

On Nov 16, 2011, at 7:13 PM, Stephen Hanna wrote:

 I think we will benefit greatly if we focus tonight's
 meeting mainly on discussion of and perhaps agreement
 on the PROBLEM TO BE SOLVED.
 
 Comparison and analysis of proposed solutions should
 wait until we have agreed on the problem statement
 and the requirements derived from that. And, as we've
 just seen, it's very hard to have a clear discussion
 of different alternative proposals without having
 those proposals described in detail as Internet-Drafts.
 
 The goal of the 7 minute presentations of solutions
 tonight (as I understand it) is simply to show that
 there are some interesting solutions out there, not
 to promote comparisons of them. I already regret
 the decision to include those solutions on the agenda
 since we've now spent lots of time insulting each
 others' approaches without actually understanding them.
 
 Please let's skip more shouting matches about solutions
 tonight. We don't have enough facts on the table.
 Instead, let's focus on discussing which problem
 we should be trying to solve.
 
 Thanks,
 
 Steve
 
 -Original Message-
 From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf
 Of Frederic Detienne
 Sent: Wednesday, November 16, 2011 4:24 AM
 To: Yoav Nir
 Cc: ipsec@ietf.org WG; Tero Kivinen; Mike Sullenberger
 Subject: Re: [IPsec] P2P VPN - Side Meeting
 
 
 You are mixing everything up. It is too much work to correct you over
 email. I will try to help you at the meeting.
 
 regards,
 
  fred
 
 On 16 Nov 2011, at 15:35, Yoav Nir wrote:
 
 OK.
 
 Routing protocols are not security protocols. That's fine. Neither is
 HTTP.
 
 BGPSEC and SIDR implement a layer of security on top of BGP to
 overcome this issue, and that may be used in the Internet.
 
 OSPF and NHRP are designed to be used in closed environments
 (corporate networks), where everyone is assumed to be playing nice,
 so there has never been as much requirement for a security layer, and
 in fact there is no security layer to NHRP.
 
 When you extend NHRP to an overlay network over the Internet, as you
 do with GRE, you are still fine as long as everybody plays nice. With
 the obvious example of a corporate network with tunnels to the branches
 in New York, London, Paris, and Shang-hai you're still fine, because
 all the gateways are configured by the same person or organization, or
 at least they are part of the same hierarchy, although by this point
 you may need to be worried about misconfiguration.
 
 With a multiple-administrative-domain use case, all bets are off.
 What would prevent a gateway anywhere from claiming responsibility for
 the addresses of the facebook.com server?  That would cause several bad
 things:
 - that gateway gets access to all facebook traffic in the entire
 overlay network
 - all the gateways have to work extra hard encrypting facebook
 content for no reason at all.
 
 This is a real problem regardless of whether we use IPsec tunnels or
 GRE tunnels. Neither IKE nor NHRP has a secure routing layer. Whichever
 solution we pick (as a working group) we will still need to develop a
 security layer, which may or may not be based on what the BGP people
 are doing.
 
 This is especially important for cross-domain use cases, but would be
 very helpful for same-domain as well.
 
 Yoav
 
 On Nov 16, 2011, at 3:11 PM, Frederic Detienne wrote:
 
 
 Security is a matter of architecture and end-to-end design. Several
 mechanisms are used to achieve an efficient balance with complexity.
 Features and security protocols are only building blocks.
 
 IPsec and IKE are not the only features that protect a network and
 routing as a security policy really is not a problem until shown
 otherwise.
 
 Again, I urge you to be specific because there is nothing tangible
 in your claims. I understand what you mean but if you rationalized it,
 you would see your intuition fools you.
 
 
 On 16 Nov 2011, at 14:17, Yoav Nir wrote:
 
 
 On Nov 16, 2011, at 1:45 PM, Tero Kivinen wrote:
 
 Yoav Nir writes:
 So you still didn't explain what GRE does better than modern
 IPsec
 tunneling?
 
 I think GRE (or any tunnel that is not IPsec - like L2TP) allows
 them to avoid having to deal with RFC 4301 stuff like SPD. The
 only
 selector they need is for the GRE tunnel (protocol 43?) or the
 L2TP
 tunnel (UDP 1701).
 
 I.e. bypass the security mechanishms provided the security
 protocol.
 
 Yes!
 
 That means that your security policy is effectively determined by
 the routing protocol.
 
 I.e. move the security from the security protocol to something
 else
 which is not a security protocol. Is this really something we want
 to
 do?
 
 Define we
 
 Who is going to make sure the end result is secure

Re: [IPsec] P2P VPN - Side Meeting

[Yoav Nir]

On Nov 17, 2011, at 2:17 AM, Michael Richardson wrote:

 
Mike I am not sure where you are getting a set of extended
Mike access-lists. There aren't any extended access-lists added.
Mike If a packet is routed through the tunnel it is encapsulated
Mike and then encrypted. There isn't any access-list necessary. 
 
 Oh, I'm sorry, I thought you were creating a secure network!
 
 What you are saying is that you are creating an overlay network, where
 different sites can impersonate each other!

Not necessarily. If your device drops packets that come through the wrong 
tunnel, you're safe. Typically in a complex network you will allow multiple 
paths through the overlay network, and then some spoofing can happen.

Mike I have worked some with other vendor's IPsec when
Mike troubleshooting interaction issues.  I still believe that
Mike IPsec at the base is not a good tunneling protocol.
 
 CISCO IOS IPsec is a poor tunneling protocol.
 Many other vendors do a better job.

Ohhh (blush)

But seriously, IPsec tunnels are based on RFC 4301 and there SPDs and PADs are 
static, so there is only one peer where a particular source IP might come from. 
That is good for security, but poor for traffic engineering. We would like to 
have more than one path through the overlay network, and that requires some 
kind of routing protocol. And yes, such a routing protocol needs to be secure 
and not degenerate into a free-for-all. Whether any vendor provides that now is 
a subject for (intense) debate.
___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Re: [IPsec] P2P VPN - Side Meeting

[Yoav Nir]

On Nov 17, 2011, at 9:31 AM, Paul Wouters wrote:

 On Thu, 17 Nov 2011, Yoav Nir wrote:
 
 Not necessarily. If your device drops packets that come through the wrong 
 tunnel, you're safe. Typically in a complex network you will allow multiple 
 paths through the overlay network, and then some spoofing can happen.
 
 So you want privacy, not security. IPsec is meant to deliver both.

No, I want security, and this goes back to the administrative domain issue. If 
I have installed and configured all of the gateways in the overlay network, I 
could trust them enough to have the packets routed through any of them. With 
that assumption gone, I agree that your peer can spoof you.

 
 CISCO IOS IPsec is a poor tunneling protocol.
 Many other vendors do a better job.
 
 Ohhh (blush)
 
 Don't worry, we have interop issues with checkpoint too :) 
 I'll buy dinner to the firs person showing me how to use the gui tools
 to build rfc1918/XX - 0/0 on tcp 443 tunnel. Heck, I'll buy dinner
 if you can do it with the cli command too.

I think this can be accomplished by adding some table entries in user.def, and 
the support database has instructions on this, but I'll admin that it's obscure 
enough that I can't find that out from here.

The UI is designed according to marketing requirements to answer what they 
believe customer needs are. I think that is true for all vendors.


 But seriously, IPsec tunnels are based on RFC 4301 and there SPDs and PADs 
 are static, so there is only one peer where a particular source IP might 
 come from.
 
 Openswan supports MARKing the packet based on which SPI the packet
 came out of, ip_conntrack then follows its around and reply packets
 get the MARK as well, so we know which tunnel to send it to despite the
 overlapping IP address on the client end. We even provide a setsockopt()
 option so you MARK your socket before connecting to 192.168.1.1 and the
 kernel knows which SPI to send the packet to. And each IPsec policy can
 optin to allowing a range that would overlap.

Yeah, we do something similar. We are a stateful firewall, so every packet is 
associated with a connection (well defined for TCP, SCTP; kind of bogus for 
UDP), and every connection is associated with a tunnel, so outbound packets get 
to use the correct SA (or at least one matching the SA that inbound packets 
came through).

 
 That is good for security, but poor for traffic engineering. We would like 
 to have more than one path through the overlay network, and that requires 
 some kind of routing protocol. And yes, such a routing protocol needs to be 
 secure and not degenerate into a free-for-all. Whether any vendor provides 
 that now is a subject for (intense) debate.
 
 If you need that, just run GRE with BGP on your routers connected with
 simple static IPsec tunnels. Don't degrade the IPsec security within
 the tunnels.

I think that is a narrow, IPsec-centric view. It says that IPsec is secure and 
does not support dynamic SPDs in order to be secure. If you need dynamic 
tunnels, then use GRE, and then it's BGP (or RIP or OSPF) problem.

For network administrators (and thus vendors) it's their problem: they want 
both the security and the ability to get around failed links and nodes that 
routing provides for the Internet.

I would be happy to have an IKE/IPsec-only solution. But I don't think there is 
one now.

Yoav

___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Re: Plagued by PPTX again

[Yoav Nir]

On Nov 15, 2011, at 5:55 PM, Ray Bellis wrote:

 On 15 Nov 2011, at 16:26, Bob Hinden wrote:
 
 +1
 
 The Datatracker does officially support PPTX, so I don't believe it's 
 unreasonable to use it.  If you don't like that policy, I'm not sure where 
 you would take that up.
 
 It also hadn't occurred to me that people might actually prefer PPT over the 
 more open PPTX format.

It may be open, but there are fewer implementations. Yes, Open/Neo/LibreOffice 
supports it, but those presentations run much slower than equivalent PPT.

___
Ietf mailing list
Ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf

Re: Plagued by PPTX again

[Yoav Nir]

On Nov 16, 2011, at 2:28 AM, Martin Rex wrote:

 todd glassey wrote:
 
 Marshall Eubanks wrote:
 
 Should the system reject PPTX files ? If people can't read them, why
 are we accepting them ?
 
 I would appreciate if that datatracker simply rejected PPTX on upload.
 
 It is several mangnitudes more efficient to have the uploaded simply
 select a different option on save rather than to bother dozens of
 consumers with having to spend hours and/or $$ to obtain a computing
 environment that is capable of visualizing PPTX.

I agree in principle, but I have just converted a .pptx presentation (with some 
animations that will be lost) into PDF.

The PPTX was 250K, the PDF is 2MB. 8 times as much. I know that bandwidth is 
cheap and all, but I really don't like the inefficiency.
___
Ietf mailing list
Ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf

Re: [IPsec] P2P VPN - Side Meeting

[Yoav Nir]

On Nov 15, 2011, at 12:12 PM, Frederic Detienne wrote:

 
 On 15 Nov 2011, at 12:05, Yoav Nir wrote:
 
 Hi Frederic
 
 Inline...
 
 On Nov 15, 2011, at 11:42 AM, Frederic Detienne wrote:
 
 Hi Yoav,
 
 We will be there (following offline with you for the details).
 
 I do not think there is a need to spend 20 minutes on the draft which 
 everyone should have read. There are three vague points in it and 10 min 
 seem largely sufficient.
 
 20 minutes includes time spent on hellos, introductions, asking if everyone 
 has read the draft, jabber scribe, testing the audio, and all other kinds of 
 administrivia. You've been to IETF sessions before, and you know how that 
 goes.
 
 absolutely. Then we agree on the 20 min.
 
 At this stage several vendors think they have a fair understanding of the 
 requirements and a gap analysis is much more productive and constructive. I 
 have just asked Chris Ulliott to provide his feedback in case audio fails 
 on us. We can factor his reply in the discussions.
 
 To me the biggest gap in existing solutions is that they require kludges 
 like GRE tunnels and route-based VPN, and also that they don't cover the 
 provisioning of credentials. GRE tunnels and route-based VPNs I consider a 
 kludge because you are then required to treat VPN tunnels as interfaces. 
 Interfaces are much more resource intensive when compared to simple SAs, and 
 most operating systems are very limited in the number of interfaces that 
 they support.
 
 These are all very vague but generally misinformed statements.

I'm sorry if they have offended you or your company. 

My point remains, that IPsec does define a mechanism for tunneling packets. 
It's called tunnel mode IPsec. That Cisco and perhaps other vendors choose to 
use other tunneling mechanisms such as GRE when they need some fancy features 
such as peer discovery or dynamic protected domain discovery, tells me that 
something is lacking in IPsec tunnels. That is what I meant by kludge.

It may be that the problem with IPsec tunnels is not in the tunnels themselves, 
but that there are no configuration protocols associated with them, such as the 
routing protocols or such as NHRP that can be used with GRE tunnels. 

I will take your word that using GRE+NHRP can scale as far as anyone would 
like. However, in evaluating solutions, we should not automatically go with the 
analogy that IPsec VPNs are like overlay networks on top of the Internet, and 
that tunnels are analogous to links. GRE is an overhead that is added to every 
packet. NHRP is yet another protocol that needs to be implemented and carried 
over the IPsec SA. All that should be compared with cost and complexity of 
potential extensions to IKE and IPsec that would carry the same information.

We will have plenty of opportunity to discuss these things at the meeting on 
Wednesday, but just to make things clear, I am not advocating any solution, and 
I have no unsubmitted draft with some extension to IKE. The purpose of the 
meeting is to review the use cases and the solutions that currently exist. If 
anyone intends to pull out a new never-before-published solution that's fine as 
well, but I have no such intentions.

Yoav

___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Re: [IPsec] P2P VPN - Side Meeting

[Yoav Nir]

Hi Mike

On Nov 15, 2011, at 6:25 PM, Mike Sullenberger wrote:

 Hi Yoav,
 
Please see inline.
 
 Mike.
 
 On Nov 15, 2011, at 12:12 PM, Frederic Detienne wrote:
 
 
 On 15 Nov 2011, at 12:05, Yoav Nir wrote:
 
 Hi Frederic
 
 Inline...
 
 On Nov 15, 2011, at 11:42 AM, Frederic Detienne wrote:
 
 Hi Yoav,
 
 We will be there (following offline with you for the details).
 
 I do not think there is a need to spend 20 minutes on the draft
 which everyone should have read. There are three vague points in
 it and 10 min seem largely sufficient.
 
 20 minutes includes time spent on hellos, introductions, asking
 if everyone has read the draft, jabber scribe, testing the audio,
 and all other kinds of administrivia. You've been to IETF sessions
 before, and you know how that goes.
 
 absolutely. Then we agree on the 20 min.
 
 At this stage several vendors think they have a fair
 understanding of the requirements and a gap analysis is much more
 productive and constructive. I have just asked Chris Ulliott to
 provide his feedback in case audio fails on us. We can factor his
 reply in the discussions.
 
 To me the biggest gap in existing solutions is that they require
 kludges like GRE tunnels and route-based VPN, and also that they
 don't cover the provisioning of credentials. GRE tunnels and
 route-based VPNs I consider a kludge because you are then required
 to treat VPN tunnels as interfaces. Interfaces are much more
 resource intensive when compared to simple SAs, and most operating
 systems are very limited in the number of interfaces that they
 support.
 
 These are all very vague but generally misinformed statements.
 
 I'm sorry if they have offended you or your company.
 
 My point remains, that IPsec does define a mechanism for tunneling
 packets. It's called tunnel mode IPsec. That Cisco and perhaps
 other vendors choose to use other tunneling mechanisms such as GRE
 when they need some fancy features such as peer discovery or dynamic
 protected domain discovery, tells me that something is lacking in
 IPsec tunnels. That is what I meant by kludge.
 
 It may be that the problem with IPsec tunnels is not in the tunnels
 themselves, but that there are no configuration protocols associated
 with them, such as the routing protocols or such as NHRP that can be
 used with GRE tunnels.
 
 I will take your word that using GRE+NHRP can scale as far as anyone
 would like. However, in evaluating solutions, we should not
 automatically go with the analogy that IPsec VPNs are like overlay
 networks on top of the Internet, and that tunnels are analogous to
 links. GRE is an overhead that is added to every packet. NHRP is yet
 another protocol that needs to be implemented and carried over the
 IPsec SA. All that should be compared with cost and complexity of
 potential extensions to IKE and IPsec that would carry the same
 information.
 
 
 We use other tunnel mechanisms (GRE), because IPsec tunneling mode
 is lacking in functionality. For example, when you use GRE for the
 tunneling you also reduce the IPsec SA's that are needed to describe
 the traffic for IPsec to encrypt.  If you use IPsec tunnel mode only
 then for each pairing of subnets behind each peer you need a separate
 IPsec SA. For example if there are 5 subnets each behind two peers
 then you need up to 25 SA pairs to describe exactly what needs to be
 encrypted and nothing more.  If you tunnel the data traffic first then
 you only need 1 SA pair for all traffic, since IPsec encrypts the
 tunnel itself and not the traffic within the tunnel. 

This was correct in IKEv1, but in IKEv2 you can have a bunch of ranges for each 
traffic selector. Regardless, it has long been a (undocumented) practice, by 
more than one vendor, to negotiate universal tunnels, so that a single IPsec SA 
can be used for all the traffic between two peers. 

 What you call other fancy features is what I call functional separation.
 IPsec does encryption well, but in reality it does a fairly poor job of 
 tunneling. So lets have IPsec do what it does well and have GRE do what
 it does well and that is tunneling.  Then you add NHRP do to next-hop
 resolution, which is what it was specifically designed to do, so that 
 you can dynamically find peers and dynamically build new GRE tunnels
 protected by IPsec.  Note, NHRP runs through the GRE tunnel so the
 single IPsec SA, since it encrypts the tunnel, also protects NHRP.
 Finally you add a routing protocol to advertise the reachablity of
 subnets/networks through the tunnel.  Again this all goes through
 tunnel so the single IPsec SA protects this traffic as well.
 
 Basically you now have a system where you are using the proper tool
 to do the job that it was designed to do and that it does best. If you
 were to to try to overload these functions back into IPsec/IKE then
 you would end up with a less efficient system.

I agree that this is a solution, but I don't agree that this is necessarily the 
best solution. I'm also missing

Re: [IPsec] P2P VPN - Side Meeting UNCLASSIFIED

[Yoav Nir]

On Nov 15, 2011, at 7:36 PM, Ulliott, Chris wrote:

 Classification:UNCLASSIFIED
 
 The problem with a single SA is that it usually means a single key (what ever 
 form that takes) such that a compromise of a single spoke puts all traffic at 
 risk... So what ever solution we go for - we need to keep one eye on the 
 security requirements...
 
 Chris

Hi Chris

I don't mean a single SA for the whole configuration. I mean a single SA for 
every pair of gateways, rather than lots of SAs, one for each pair of subnets.
___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Re: [IPsec] New -00 draft: Creating Large Scale Mesh VPNs Problem

[Yoav Nir]

On Nov 15, 2011, at 10:52 PM, Michael Richardson wrote:

 
 Mark == Mark Boltz mark.bo...@stonesoft.com writes:
Mark With all due respect to Cisco, the larger problem we're trying
Mark to address, is in part the fact that DMVPN and ACVPN are
Mark vendor specific implementations. And the goal of the
Mark implementation we're seeking is *large scale* P2P VPNs.  
 
 Assume that they are available on a wide variety of platforms, what is
 broken in the technology?

I don't know, but I've been told
that ACVPN and DMVPN both rely on NHRP and GRE tunnels. I have also heard (and 
please someone correct me if I'm wrong) that they don't interoperate. So the 
tools are apparently not enough.

Mark Picture a hypothetical where a larger interest desires an
Mark IPsec VPN, in, say the airline industry. We're talking about
Mark several thousand aircraft from several manufacturers. All in
 
 We've been through all of this 15 years ago with AIAG's ANX.

You really want to tout that experience as a success story?

___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Re: [IPsec] P2P VPN - Side Meeting

[Yoav Nir]

OK.

Routing protocols are not security protocols. That's fine. Neither is HTTP.

BGPSEC and SIDR implement a layer of security on top of BGP to overcome this 
issue, and that may be used in the Internet.

OSPF and NHRP are designed to be used in closed environments (corporate 
networks), where everyone is assumed to be playing nice, so there has never 
been as much requirement for a security layer, and in fact there is no security 
layer to NHRP.

When you extend NHRP to an overlay network over the Internet, as you do with 
GRE, you are still fine as long as everybody plays nice. With the obvious 
example of a corporate network with tunnels to the branches in New York, 
London, Paris, and Shang-hai you're still fine, because all the gateways are 
configured by the same person or organization, or at least they are part of the 
same hierarchy, although by this point you may need to be worried about 
misconfiguration.

With a multiple-administrative-domain use case, all bets are off. What would 
prevent a gateway anywhere from claiming responsibility for the addresses of 
the facebook.com server?  That would cause several bad things:
 - that gateway gets access to all facebook traffic in the entire overlay 
network
 - all the gateways have to work extra hard encrypting facebook content for no 
reason at all.

This is a real problem regardless of whether we use IPsec tunnels or GRE 
tunnels. Neither IKE nor NHRP has a secure routing layer. Whichever solution we 
pick (as a working group) we will still need to develop a security layer, which 
may or may not be based on what the BGP people are doing.

This is especially important for cross-domain use cases, but would be very 
helpful for same-domain as well.

Yoav

On Nov 16, 2011, at 3:11 PM, Frederic Detienne wrote:

 
 Security is a matter of architecture and end-to-end design. Several 
 mechanisms are used to achieve an efficient balance with complexity. Features 
 and security protocols are only building blocks.
 
 IPsec and IKE are not the only features that protect a network and routing as 
 a security policy really is not a problem until shown otherwise.
 
 Again, I urge you to be specific because there is nothing tangible in your 
 claims. I understand what you mean but if you rationalized it, you would see 
 your intuition fools you.
 
 
 On 16 Nov 2011, at 14:17, Yoav Nir wrote:
 
 
 On Nov 16, 2011, at 1:45 PM, Tero Kivinen wrote:
 
 Yoav Nir writes:
 So you still didn't explain what GRE does better than modern IPsec
 tunneling?
 
 I think GRE (or any tunnel that is not IPsec - like L2TP) allows
 them to avoid having to deal with RFC 4301 stuff like SPD. The only
 selector they need is for the GRE tunnel (protocol 43?) or the L2TP
 tunnel (UDP 1701). 
 
 I.e. bypass the security mechanishms provided the security protocol. 
 
 Yes!
 
 That means that your security policy is effectively determined by
 the routing protocol.
 
 I.e. move the security from the security protocol to something else
 which is not a security protocol. Is this really something we want to
 do?
 
 Define we
 
 Who is going to make sure the end result is secure?
 
 The customer
 
 
 
 
 Scanned by Check Point Total Security Gateway.

___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec