[IPsec] P2P VPN Problem Statement - why is this hard?

2012-03-06 Thread Yoav Nir
Hi Steve

On Mar 6, 2012, at 11:54 PM, Stephen Hanna wrote:

> So please review this short document and send comments.

While the draft does a good job of describing use cases, and certain inadequate 
solutions, I think it's missing a description of why this is hard.

Even if we accept the solution of a star topology, where a satellite needs only 
have one single tunnel, there are really two choices:
 1. that each satellite know about all the protected networks of all the 
gateways in the configuration, or
 2. that satellites send all traffic to the "core" or "hub" gateways. This 
includes clear traffic (as in HTTP to facebook.com). This increases the load 
even more.

If you don't want #2, then the satellite still needs to know about every IP 
address whether it is protected by some gateway (and therefore needs to go in 
the tunnel), or not (and so packets with that destination should go out in the 
clear). Since the protected networks change, this requires that information to 
propagate throughout the network, and dynamic updates to the SPD.

If we don't want a star topology, the gateways or endpoints still need to know 
what is or is not encrypted. They also need to either know about all peers, or 
be able to find the peer and (securely) learn how it should authenticate. 
Either way, without a star topology, you need dynamic updates to PAD.

I think the draft should mention this.

Yoav

___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
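The two satellite choices above, as an added illustration that is not code from the thread or the draft: a minimal satellite SPD with a single hub tunnel, showing how the tunnel-or-clear decision depends on the satellite knowing every protected network (choice #1) and what a dynamic SPD update looks like, beside the hub-only variant (choice #2). All prefixes and addresses are constructed sample values.

```python
"""Added illustration of Yoav's two options for a star-topology satellite.

Not code from the thread or the draft. Choice #1: the satellite's SPD must
list every protected network of every gateway, and must be updated when
they change. Choice #2: the satellite tunnels everything to the hub.
All prefixes and addresses are constructed sample values.
"""
import ipaddress
from typing import Iterable, Set

Network = ipaddress.IPv4Network


class SatelliteSPD:
    """Minimal SPD for a satellite with exactly one tunnel (to the hub)."""

    def __init__(self, protected: Iterable[str], send_all_to_hub: bool = False):
        self.protected: Set[Network] = {Network(p) for p in protected}
        self.send_all_to_hub = send_all_to_hub

    def decide(self, dst: str) -> str:
        """Return 'tunnel' if dst must use the hub SA, 'clear' otherwise."""
        if self.send_all_to_hub:  # choice #2: even facebook.com traffic hits the hub
            return "tunnel"
        addr = ipaddress.IPv4Address(dst)
        # choice #1: a prefix missing from the SPD means that destination is
        # sent in the clear, so a stale SPD silently leaks protected traffic
        return "tunnel" if any(addr in net for net in self.protected) else "clear"

    def apply_update(self, added: Iterable[str] = (), removed: Iterable[str] = ()) -> None:
        """The dynamic SPD update that must propagate when networks change."""
        self.protected -= {Network(p) for p in removed}
        self.protected |= {Network(p) for p in added}


def demo() -> dict:
    """Walk through one protected-network change and the hub-only variant."""
    spd = SatelliteSPD(["10.1.0.0/16", "10.2.0.0/16"])  # constructed gateway nets
    before = spd.decide("10.3.7.1")           # 10.3/16 not yet announced -> clear
    spd.apply_update(added=["10.3.0.0/16"])   # a gateway now protects 10.3/16
    after = spd.decide("10.3.7.1")            # same packet must now be tunnelled
    spd.apply_update(removed=["10.1.0.0/16"])
    withdrawn = spd.decide("10.1.9.9")        # withdrawn prefix goes in the clear again
    hub_only = SatelliteSPD([], send_all_to_hub=True).decide("203.0.113.10")
    return {"before": before, "after": after, "withdrawn": withdrawn, "hub_only": hub_only}


if __name__ == "__main__":
    print(demo())
```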


[IPsec] Call for agenda items

2012-03-06 Thread Paul Hoffman
We have one active draft, and that might take up most of our hour. However, we 
have often had time to have short (5 minutes or less) quick presentations on 
other topics. A proposed agenda is:

5 min:   WG intro
45 min:  draft-ietf-ipsecme-p2p-vpn-problem issues
5 min:   draft-kivinen-ipsecme-oob-pubkey issues

Are there other IPsec-related topics for the meeting?

--Paul Hoffman



Re: [IPsec] Please Comment on New P2P VPN Problem Statement

2012-03-06 Thread Paul Hoffman
Yes, please do comment on the draft. Before commenting, read the whole draft. 
For extra points: start different threads of the comments with different 
subject lines.

We will discuss this draft at the upcoming IETF meeting in Paris. By "discuss", 
I do *not* mean "have the draft introduced to us": I do mean "talk about issues 
with the draft and things that should be added". Given that there are weeks 
between now and the meeting, Yaron and I will be somewhat ruthless in 
preventing Steve from doing much intro in his presentation, and instead insist 
that he focus on open issues. This will give the folks in the room the maximum 
amount of time to discuss issues.

This WG has one active draft in front of it; it is not too much of us to expect 
you to read it before coming to the meeting.

--Paul Hoffman



Re: [IPsec] Please Comment on New P2P VPN Problem Statement

2012-03-06 Thread Vishwas Manral
Hi Steve,

I agree with the need for standardization of a large-scale point-to-point
solution.

1. I guess the problem statement is not just about lessening the number of
configuration commands but also the fact that static configuration may not
work in some cases. The spokes may get new addresses every time they come
up (using DHCP/ PPPoE) and hence the communication end point identifiers
change.

2. I am not sure but the use cases do not come out very clearly to me. The
most important part of the communication is of end-sites communicating to
the gateway hub router. In a typical enterprise deployment that would mean
branches connected to the campus/ data center. This tunnel is permanent.
Mainly to access resources at the back end. There could be redundancy here
to provide HA.

3. We then optionally require communication between end sites and such
communication may be temporary or permanent. For such cases we want to be
able to unburden the gateway so as to not cause overload.

4. We could have multiple gateways work in a cluster mode to serve a set of
end-sites and to provide HA.

5. The clusters may in turn communicate with each other.

We as HP would love to participate in this draft as well as any solution
document that is produced.

Thanks,
Vishwas

On Tue, Mar 6, 2012 at 1:54 PM, Stephen Hanna  wrote:

> In case you didn't notice, I have posted the -00 version
> of the P2P VPN problem statement. The URL is below.
> Please review and comment.
>
> I'm especially interested in getting feedback on the
> use cases in this document. As previously agreed, they
> are based on the use cases in section 2.2 of the
> previous problem statement draft. I have tried to
> clarify those use cases, especially by providing
> definitions of terms and using those terms consistently
> throughout the document.
>
> After we reach consensus on the use cases, we can move
> on to defining requirements derived from those use cases.
> But I see no point in talking about requirements before
> we've agreed on a clear description of the problems
> that we are trying to solve.
>
> So please review this short document and send comments.
>
> Thanks,
>
> Steve
>
> -Original Message-
> From: i-d-announce-boun...@ietf.org [mailto:i-d-announce-boun...@ietf.org]
> On Behalf Of internet-dra...@ietf.org
> Sent: Tuesday, March 06, 2012 11:01 AM
> To: i-d-annou...@ietf.org
> Cc: ipsec@ietf.org
> Subject: I-D ACTION:draft-ietf-ipsecme-p2p-vpn-problem-00.txt
>
> A new Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the IP Security Maintenance and Extensions
> Working Group of the IETF.
>
>Title : Point to Point VPNs Problem Statement
>Author(s) : S. Hanna
>Filename  : draft-ietf-ipsecme-p2p-vpn-problem
>Pages : 13
>Date  : March 6, 2012
>
>   This document describes the problem of enabling a large number of
>   systems to communicate directly using IPsec to protect the traffic
>   between them.  Manual configuration of all possible tunnels is too
>   cumbersome in such cases, so an automated method is needed.
>
>
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-ietf-ipsecme-p2p-vpn-problem
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> Below is the data which will enable a MIME compliant mail reader
> implementation to automatically retrieve the ASCII version of the
> Internet-Draft.
>


[IPsec] Please Comment on New P2P VPN Problem Statement

2012-03-06 Thread Stephen Hanna
In case you didn't notice, I have posted the -00 version
of the P2P VPN problem statement. The URL is below.
Please review and comment.

I'm especially interested in getting feedback on the
use cases in this document. As previously agreed, they
are based on the use cases in section 2.2 of the
previous problem statement draft. I have tried to
clarify those use cases, especially by providing
definitions of terms and using those terms consistently
throughout the document. 

After we reach consensus on the use cases, we can move
on to defining requirements derived from those use cases.
But I see no point in talking about requirements before
we've agreed on a clear description of the problems
that we are trying to solve.

So please review this short document and send comments.

Thanks,

Steve

-Original Message-
From: i-d-announce-boun...@ietf.org [mailto:i-d-announce-boun...@ietf.org] On 
Behalf Of internet-dra...@ietf.org
Sent: Tuesday, March 06, 2012 11:01 AM
To: i-d-annou...@ietf.org
Cc: ipsec@ietf.org
Subject: I-D ACTION:draft-ietf-ipsecme-p2p-vpn-problem-00.txt

A new Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the IP Security Maintenance and Extensions Working 
Group of the IETF.

Title : Point to Point VPNs Problem Statement
Author(s) : S. Hanna
Filename  : draft-ietf-ipsecme-p2p-vpn-problem
Pages : 13 
Date  : March 6, 2012 

   This document describes the problem of enabling a large number of
   systems to communicate directly using IPsec to protect the traffic
   between them.  Manual configuration of all possible tunnels is too
   cumbersome in such cases, so an automated method is needed.


A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-ipsecme-p2p-vpn-problem

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.



Re: [IPsec] EAP AKA on USIM

2012-03-06 Thread Andreas Steffen
Hello Prashant,

the strongSwan open source project has a software implementation of
the EAP-AKA 3GPP2 algorithm:

http://git.strongswan.org/?p=strongswan.git;a=tree;f=src/libcharon/plugins/eap_aka_3gpp2;hb=HEAD

Regards

Andreas

On 06.03.2012 12:21, Prashant Batra (prbatra) wrote:
> Hello,
>
> Not sure if this is the right place to ask this, but I am not getting
> any other mailing list.
>
> Can someone point me to a software implementation of the EAP-AKA algorithm
> (calculation of IK/CK/RES/MAC) on USIM, when the SIM gets an EAP-Challenge
> request.
>
> Thanks,
>
> Prashant

==
Andreas Steffen  andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!  www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==


[IPsec] I-D ACTION:draft-ietf-ipsecme-p2p-vpn-problem-00.txt

2012-03-06 Thread Internet-Drafts
A new Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the IP Security Maintenance and Extensions Working 
Group of the IETF.

Title : Point to Point VPNs Problem Statement
Author(s) : S. Hanna
Filename  : draft-ietf-ipsecme-p2p-vpn-problem
Pages : 13 
Date  : March 6, 2012 

   This document describes the problem of enabling a large number of
   systems to communicate directly using IPsec to protect the traffic
   between them.  Manual configuration of all possible tunnels is too
   cumbersome in such cases, so an automated method is needed.


A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-ipsecme-p2p-vpn-problem

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.




[IPsec] EAP AKA on USIM

2012-03-06 Thread Prashant Batra (prbatra)
Hello,

Not sure if this is the right place to ask this, but I am not getting
any other mailing list.

Can someone point me to a software implementation of the EAP-AKA algorithm
(calculation of IK/CK/RES/MAC) on USIM, when the SIM gets an EAP-Challenge
request.

Thanks,

Prashant