Re: [IPsec] New -00 draft: Creating Large Scale Mesh VPNs Problem

2011-11-07 Thread Yoav Nir
On 11/7/11 9:44 PM, "Michael Richardson" wrote: > >> "Praveen" == Praveen Sathyanarayan writes: >Praveen> In this solution, HUB is the trust entity that all spokes >Praveen> establish static IPSec tunnel (either using Site to site >Praveen> tunnel or spoke establish dynamic remo

Re: [IPsec] Comments on the new meshed VPN draft

2011-11-04 Thread Yoav Nir
Hi Yaron Sorry for taking so long to respond. My comments inline. On Oct 14, 2011, at 11:37 AM, Yaron Sheffer wrote: > I am going on vacation, but I did want to post these before. Sorry if I > cannot take part in the ensuing discussion. > Overall, this is a good start for an important set of pr

Re: [IPsec] New -00 draft: Creating Large Scale Mesh VPNs Problem

2011-11-01 Thread Yoav Nir
On 11/1/11 7:51 PM, "Keith Welter" wrote: >>Having been working for the same vendor for 10 years, I've gotten used to >> our marketing jargon. Anyway, I'd like to have some short term for the >> set of addresses that are behind a certain gateway", or "the set of >> addresses that you can reach th

Re: [IPsec] New -00 draft: Creating Large Scale Mesh VPNs Problem

2011-11-01 Thread Yoav Nir
On 11/1/11 7:49 PM, "Paul Wouters" wrote: >On Tue, 1 Nov 2011, Yoav Nir wrote: > >> >> On 11/1/11 4:53 PM, "Mark Boltz" wrote: >> >>> I agree with Paul H. that the term "encryption domain" is not really >>> fully correct

Re: [IPsec] New -00 draft: Creating Large Scale Mesh VPNs Problem

2011-11-01 Thread Yoav Nir
of doing this as long as all gateways are from that vendor, but some government users (represented by Chris Ulliot) are not willing to lock their entire government infrastructure to a single vendor. > >On Oct 29, 2011, at 3:34 PM, Yoav Nir wrote: > >> OK. So DNSSEC is off the table

Re: [IPsec] New -00 draft: Creating Large Scale Mesh VPNs Problem

2011-10-31 Thread Yoav Nir
On 10/31/11 3:30 PM, "Michael Richardson" wrote: > >> "Jorge" == Jorge Coronel writes: >Jorge> +1 > >Jorge> I agree DNSSEC cannot be assumed, its deployments have been >Jorge> marginal. > >DNSSEC is *one* *public* trusted third party. It's not the only way to >use DNS securely

Re: [IPsec] New -00 draft: Creating Large Scale Mesh VPNs Problem

2011-10-29 Thread Yoav Nir
OK. So DNSSEC is off the table. At least for now. At least with Chris's scenario, we can assume that there's an "administrative domain" that includes a "hub" and some "spokes". This "hub" has information about the addresses protected by each of the "spokes", so it makes sense that it will do the

Re: [IPsec] New -00 draft: Creating Large Scale Mesh VPNs Problem

2011-10-28 Thread Yoav Nir
Well, there is a free room between 1300-1500 on Wednesday, but then we're opposite WebSec, and I can't attend. Our best bet is to do it after the Plenary. The plenary ends at 19:30, and people might want to grab something to eat, so it would probably be best to do it at 20:00. Hope you don't h

Re: [IPsec] New -00 draft: Creating Large Scale Mesh VPNs Problem Statement

2011-10-26 Thread Yoav Nir
On 10/26/11 9:39 PM, "Yaron Sheffer" wrote: >There is a common use case where we don't worry about malicious spokes, >i.e. where they are all trusted. > >We do worry about misconfigured spokes, but that would most likely >result in loss of connectivity, which I expect to be fixed in due time. >

Re: [IPsec] New -00 draft: Creating Large Scale Mesh VPNs Problem Statement

2011-10-26 Thread Yoav Nir
This goes back to my previous question. What is this information that is "known to hub and all spokes" ? If the spoke knows what addresses are behind each other spoke, then we lose the scalability - that's a lot of configuration up front. If the spoke only knows the union of all addresses behin

Re: [IPsec] eap-md5 based authentication

2011-10-25 Thread Yoav Nir
henticated. > >Maybe, it is required for some extra authentication? > >Regards, >Prashant > >-Original Message- >From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf >Of Glen Zorn >Sent: Tuesday, October 25, 2011 3:46 PM >To: Yoav Nir >Cc: ipsec@ie

Re: [IPsec] New -00 draft: Creating Large Scale Mesh VPNs Problem Statement

2011-10-25 Thread Yoav Nir
Chris' case is a little different, because he is willing to do some work to establish trust between the two administrative domains, so it's not really opportunistic (although doing it with OE might be a solution) So there could be some "hub gateway" that could do the introducing, perhaps over I

Re: [IPsec] eap-md5 based authentication

2011-10-25 Thread Yoav Nir
Hi Prashant. I think in the challenge request, the first byte is the challenge length (usually 16) followed by the challenge itself, and then followed by some server name. I guess the reasoning is that this allows the client to choose the correct password based on the server name. Yoav __

Re: [IPsec] New -00 draft: Creating Large Scale Mesh VPNs Problem Statement

2011-10-24 Thread Yoav Nir
ryptographic routes, then make decisions based on the results >combined with a policy. > >I hope that helps! > >Chris > >-Original Message- >From: Yoav Nir [mailto:y...@checkpoint.com] >Sent: Sunday, October 23, 2011 10:37 PM >To: Ulliott, Chris; Michael Richardson;

Re: [IPsec] New -00 draft: Creating Large Scale Mesh VPNs Problem Statement

2011-10-23 Thread Yoav Nir
Hi Chris As I've asked you off-list, I'm still trying to understand the initial condition. It's one thing if Za believes that "host 2" is behind *some* gateway, and it's only a matter of finding out which gateway that is. It's a different thing if "host 2" might also be not behind any gateway at

Re: Requirement to go to meetings

2011-10-23 Thread Yoav Nir
Cheaper, yes. Easier? Sure, a 5-hour flight to Paris sure beats a 12-hour flight to New York plus a 4 hour flight to Minneapolis, but you end up in Paris, and if the conference hotel is too expensive for your corporate budget (it usually is for mine), you have to go really far away to find a ho

Re: [IPsec] New -00 draft: Creating Large Scale Mesh VPNs Problem Statement

2011-10-16 Thread Yoav Nir
hat it is missing in IKEv1 is a way to turn the host<->host tunnels >into subnet<->subnet tunnels, and that would be easy to do in IKEv2 with >the TS. > > >>> Sounds like TED: > >> >>> >http://www.cisco.com/en/US/docs/ios/12_0t/12_0

Re: [IPsec] New -00 draft: Creating Large Scale Mesh VPNs Problem Statement

2011-10-13 Thread Yoav Nir
cs/ios/12_0t/12_0t5/feature/guide/ted.html > > Dan. > >On Thu, October 13, 2011 10:23 pm, Yoav Nir wrote: >> Hi all >> >> For years, one of the barriers to the adoption of IPsec was that >> configuration didn't scale. With thousands of peers, the PAD and SPD

[IPsec] New -00 draft: Creating Large Scale Mesh VPNs Problem Statement

2011-10-13 Thread Yoav Nir
Hi all For years, one of the barriers to the adoption of IPsec was that configuration didn't scale. With thousands of peers, the PAD and SPD would become unwieldy, so even where IPsec was deployed it was often built in hub-and-spoke configurations, not because policy demanded this, but because it

Re: Need help tracking down problem accessing IETF Subversion

2011-09-27 Thread Yoav Nir
On 9/27/11 12:45 AM, "Martin Rex" wrote: >- The server (svn.tools.ietf.org) does not seem to be sufficiently > aware of the server names that it is servicing. > > If it takes more than a server configuration file change to make it > aware of that additional hostname, then there is a software

Re: Need help tracking down problem accessing IETF Subversion

2011-09-27 Thread Yoav Nir
On 9/27/11 12:45 AM, "Martin Rex" wrote: > >So there seem to be two problems: > >- The server (svn.tools.ietf.org) does not seem to be sufficiently > aware of the server names that it is servicing. > > If it takes more than a server configuration file change to make it > aware of that additi

Re: Need help tracking down problem accessing IETF Subversion repository on Mac OS X

2011-09-26 Thread Yoav Nir
forgot to attach. tls.cap Description: tls.cap On Sep 26, 2011, at 11:11 PM, Yoav Nir wrote: > > On Sep 26, 2011, at 5:25 AM, Paul Hoffman wrote: > >> On Sep 25, 2011, at 7:20 PM, Stuart Cheshire wrote: >> >>>> % svn info https://svn.tools.ietf.org/svn/wg

Re: Need help tracking down problem accessing IETF Subversion repository on Mac OS X

2011-09-26 Thread Yoav Nir
On Sep 26, 2011, at 5:25 AM, Paul Hoffman wrote: > On Sep 25, 2011, at 7:20 PM, Stuart Cheshire wrote: > >>> % svn info https://svn.tools.ietf.org/svn/wg/hybi >>> svn: OPTIONS of 'https://svn.tools.ietf.org/svn/wg/hybi': SSL negotiation >>> failed: SSL error code -1/1/336032856 (https://svn.too

Re: [websec] Next rev of HSTS certificate pinning draft

2011-09-20 Thread Yoav Nir
On Sep 21, 2011, at 3:57 AM, Chris Palmer wrote: >> And one comment as to substance. Section 3.1 says "Have a safety net. >> Generate a backup key pair, get it signed..." I agree that this is a good >> idea for e-commerce site that lose sales on any outage. But what if I >> generate a backup

Re: [websec] Next rev of HSTS certificate pinning draft

2011-09-20 Thread Yoav Nir
On Sep 20, 2011, at 9:08 PM, Chris Palmer wrote: > Is attached, now in XML. The main change is that I got rid of widely > and rightly reviled pin revocation business, and replaced it with a > better idea from Trevor Perrin. Big thanks to everyone who reviewed > and commented on the previous draft

Re: Wikis for RFCs

2011-09-19 Thread Yoav Nir
On Sep 19, 2011, at 9:19 PM, Keith Moore wrote: > On Sep 19, 2011, at 12:27 PM, Peter Saint-Andre wrote: > >> On 9/19/11 10:14 AM, Alejandro Acosta wrote: >>> +1 >>> I also support the idea of every RFC having the associated wiki. >> >> I think that if some people support the idea, they can ea

Re: [websec] Certificate Pinning via HSTS (.txt version)

2011-09-13 Thread Yoav Nir
On Sep 14, 2011, at 2:06 AM, SM wrote: > Hi Yoav, > At 11:41 13-09-2011, Yoav Nir wrote: >> Six months ago we would not have thought that Comodo or DigiNotar >> were easy to hack. In the latter case, the customers of DigiNotar >> were left out in the cold. Witho

Re: [websec] Certificate Pinning via HSTS (.txt version)

2011-09-13 Thread Yoav Nir
On Sep 13, 2011, at 9:15 PM, Peter Saint-Andre wrote: > On 9/12/11 5:53 PM, =JeffH wrote: >> >> This is great, thanks for posting this here. >> >> I have various comments on it I'll try to get to in the next day or so. >> >> During HSTS's gestation, various parties have discussed potential >>

Re: [websec] Certificate Pinning via HSTS

2011-09-12 Thread Yoav Nir
On Sep 13, 2011, at 3:54 AM, Richard L. Barnes wrote: > Hey Chris & Chris, > > This seems like a useful near-term approach, but also probably something that > might want to migrate to DANE over time. > > Is there any particular reason you're using key fingerprints instead of cert > fingerprin

Re: [IPsec] Perfect Forward secrecy

2011-08-28 Thread Yoav Nir
indly share your view on the above . > >Thanks and Regards >Naveen > >-Original Message----- >From: Scott Fluhrer (sfluhrer) >Sent: Friday, August 26, 2011 7:27 PM >To: Naveen B N (nbn); 'Yaron Sheffer'; 'Yoav Nir' >Cc: 'ipsec@ietf.org' >

Re: subject_prefix on IETF Discuss?

2011-08-11 Thread Yoav Nir
On Aug 11, 2011, at 6:58 PM, Martin Rex wrote: > Richard Kulawiec wrote: >> >> Let me start with a preamble: I think that those of us who choose >> to "drink from the firehose" by subscribing to many mailing lists > > List-Id: is only useful for folks who have either lots of time on > their han

Re: Queen Sirikit National Convention Center

2011-08-08 Thread Yoav Nir
On Aug 8, 2011, at 10:56 AM, Ole Jacobsen wrote: > > > Nothing is "a reasonable walk" when the average temperature is 32 C. > At least not for the "average" IETF attendee. > > (34 in April, 31 in December, lowest nighttime temp 21 in December and > 27 in April-May-June). Pretty much like Tel A

[IPsec] IKEv2 and ERP

2011-08-06 Thread Yoav Nir
Hi At the meeting in Quebec, I gave a presentation at the hokey meeting about http://tools.ietf.org/html/draft-nir-ipsecme-erx . The draft covers using the EAP extensions for re-authentication in IKEv2. The obvious (to me) use-case is a phone connected to an 802.1x network. As you leave the bui

Re: [IPsec] Role of the IANA expert reviewer

2011-08-03 Thread Yoav Nir
On Aug 3, 2011, at 8:09 PM, Yaron Sheffer wrote: > Hi Yoav, > > as a coauthor on one of these documents, I find your proposal below > positively insulting. There were three author teams, and you should give > them credit for having rational reasons for publishing these documents > and moving

Re: [IPsec] Role of the IANA expert reviewer

2011-08-03 Thread Yoav Nir
On 8/3/11 4:55 PM, "Tero Kivinen" wrote: >Yoav Nir writes: >> There is no such consensus that protocol variants are a good thing. >> I think it's just the opposite. Although I don't think it's Tero's >> job to stop the publication of thr

Re: [IPsec] Role of the IANA expert reviewer

2011-08-02 Thread Yoav Nir
On Aug 2, 2011, at 5:43 PM, Paul Hoffman wrote: > I have stated my reasons why I consider allocating multiple payload numbers etc for exactly same thing a bad thing. >>> >>> The three proposals do not do "exactly the same thing": they each >>> have different cryptographic and administ

Re: A modest proposal for Friday meeting schedule

2011-08-01 Thread Yoav Nir
On 8/1/11 5:14 PM, "Keith Moore" wrote: >On Aug 1, 2011, at 9:39 AM, John Leslie wrote: > >> For one, I suggest we take remote-participation _seriously_ for the >> Friday meetings. Many of us are waiting-for-Godot at airports on Friday, >> and could certainly wear a headphone/mike and watch o

Re: [IPsec] Last Call: (Secure Password Framework for IKEv2) to Informational RFC

2011-07-27 Thread Yoav Nir
I think this is a terrible idea. IKEv2 has a way for mutual authentication with a shared key. A concern was raised that this method was vulnerable to guessing if trivial shared keys were configured. There were several proposals for a better cryptographic method. The IPsecME working group fail

Re: [IPsec] Last Call: (Secure Password Framework for IKEv2) to Informational RFC

2011-07-27 Thread Yoav Nir
I think this is a terrible idea. IKEv2 has a way for mutual authentication with a shared key. A concern was raised that this method was vulnerable to guessing if trivial shared keys were configured. There were several proposals for a better cryptographic method. The IPsecME working group fail

Re: [IPsec] IPsecme WG: a quick update

2011-07-27 Thread Yoav Nir
Alright, here's one. http://tools.ietf.org/html/draft-nir-ipsecme-erx-01 defines an extension to IKEv2 so that ERX (as defined by the HOKEY group) can be used with IKEv2. This will allow a seamless transfer from a local network protected by 802.1x to a public network where your access needs to

Re: [IPsec] DH keys calculation performance

2011-07-26 Thread Yoav Nir
On Jul 26, 2011, at 11:13 AM, Scott Fluhrer (sfluhrer) wrote: > > >> -Original Message- >> From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf >> Of Yoav Nir >> Sent: Tuesday, July 26, 2011 6:40 AM >> To: Prashant Batra (prbatra)

Re: [IPsec] DH keys calculation performance

2011-07-26 Thread Yoav Nir
On Jul 25, 2011, at 11:29 PM, Prashant Batra (prbatra) wrote: > Hello, > > The DH exchange (Calculation of Public/Private key and the Secret) in > IKEV2 Initial exchange > seems to be very expensive. This is slowing down the overall IKEv2 > tunnel establishment. > Is there a way to optimize it?

Re: [websec] HSTS: Maintenance of hardcoded lists in clients

2011-07-25 Thread Yoav Nir
On Jul 25, 2011, at 4:28 PM, Gervase Markham wrote: > On 25/07/11 11:13, Yngve N. Pettersen wrote: >> At least one client supporting HSTS (maybe more) is using a hardcoded >> list of sites that are always HSTS enabled, as a method of countering >> the bootstrap problem. > > Is "the bootstrap pro

Re: Standards

2011-07-20 Thread Yoav Nir
[Helmet on] Maybe they should first move the 14 competing standards to Historic. On 7/20/11 10:17 AM, "Bert (IETF) Wijnen" wrote: >I LOVE this one. > >Bert > >On 7/20/11 8:23 AM, Yoav Nir wrote: >> Hi >> >> Very appropriate for XKCD to post thi

Standards

2011-07-19 Thread Yoav Nir
Hi Very appropriate for XKCD to post this just a few days before an IETF meeting. http://www.xkcd.com/927/ (For those who are not familiar with XKCD, don't miss the alt-text on the picture) Yoav ___ Ietf mailing list Ietf@ietf.org https://www.ietf.or

Re: Internet Draft Final Submission Cut-Off Today

2011-07-15 Thread Yoav Nir
On Jul 15, 2011, at 10:20 AM, Julian Reschke wrote: > On 2011-07-11 16:50, Internet-Drafts Administrator wrote: >> >> >> This is a reminder that the Internet Draft Final Submission (version -01 >> and up) cut-off is today, July 11, 2011. >> >> All Final Version (-01 and up) submissions are due

RE: [v6ops] draft-ietf-v6ops-6to4-to-historic

2011-07-07 Thread Yoav Nir
Extremist-A should be to publish a "6to4 considered dangerous" draft with lots of MUST NOT language. -Original Message- From: ietf-boun...@ietf.org [mailto:ietf-boun...@ietf.org] On Behalf Of Martin Rex Sent: 06 July 2011 23:50 To: Doug Barton Cc: v6...@ietf.org; ietf@ietf.org Subject:

Re: [IPsec] IPSec implementation

2011-05-31 Thread Yoav Nir
IPsec usually runs in kernels, so C seems to be the norm. I'm not aware of any C++ implementations. On Jun 1, 2011, at 9:23 AM, Muhammad Nasir Mumtaz Bhutta wrote: > hi, > i need to change the IPSec functionality, is there any implementation of > IPSec in higher order languages like java, .net

Re: [IPsec] New I-D: draft-nir-ipsecme-erx-00

2011-05-11 Thread Yoav Nir
On May 7, 2011, at 3:42 AM, Qin Wu wrote: > > >> >> It seems to me RFC 4306/5996 took the concept a bit further than RFC 4301 >> ever intended (in fact I believe the text is new to RFC 5996). Presumably, >> when we talk about identity-based policy decisions, we refer to >> http://tools.iet

RE: How to pay $47 for a copy of RFC 793

2011-05-11 Thread Yoav Nir
Yup. Years ago, when I was at university, I learned that the best way to find an article was to google the author's name, find his or her personal website, and the article would probably be linked from there. Worked about 75% of the time. Yoav -Original Message- From: ietf-boun...@ie

Re: How to pay $47 for a copy of RFC 793

2011-05-08 Thread Yoav Nir
A bargain! RFC 5996 goes for $58. Does it come leather-bound with the title gold-stamped on the cover? On May 9, 2011, at 1:06 AM, Bob Braden wrote: I just discovered an astonishing example of misinformation, shall we say, in the IEEE electric power community. There is an IEEE standards docume

Re: [IPsec] New I-D: draft-nir-ipsecme-erx-00

2011-05-06 Thread Yoav Nir
On May 5, 2011, at 11:41 PM, Yaron Sheffer wrote: Hi, I think we are going down a rathole on the issue of "authenticated identity". Most IKE gateways, like many other security devices, normally make policy decisions based on groups. I will provide secure connectivity to anyb...@this-isp.com

Re: [IPsec] Clarification needed on ipv6 address assignment

2011-05-05 Thread Yoav Nir
Hi Balaji.J For the most part, a VPN gateway uses sufficiently few addresses (hundreds or a few thousand) that IPv6 is not necessary. This is the reason that there was little interest in changing the way IPv6 addresses are assigned in CONFIG payloads. There's also the idea that with IPv6 ther

Re: [IPsec] New I-D: draft-nir-ipsecme-erx-00

2011-05-05 Thread Yoav Nir
On May 5, 2011, at 9:17 AM, Dan Harkins wrote: > > Hello, > > On Wed, May 4, 2011 10:45 pm, Yoav Nir wrote: >> >>> >> >> OK. I see what you mean. Certificates are not necessarily better. She >> might have a certificate with a subject like >

Re: [IPsec] New I-D: draft-nir-ipsecme-erx-00

2011-05-04 Thread Yoav Nir
On May 4, 2011, at 11:45 PM, Dan Harkins wrote: > > RFC 5996 says in section 2.16: > > "When the initiator authentication uses EAP, it is possible that the > contents of the IDi payload is used only for Authentication, > Authorization, and Accounting (AAA) routing purposes and selecting

Re: [IPsec] New I-D: draft-nir-ipsecme-erx-00

2011-05-04 Thread Yoav Nir
Hi Dan, On May 4, 2011, at 9:47 PM, Dan Harkins wrote: > > On Tue, May 3, 2011 10:30 pm, Yoav Nir wrote: > [snip] >> The Authenticator needs the true identity to make policy decisions. > > Well then DO NOT use EAP for authentication. > > Dan. I'm sure I don&

Re: [IPsec] New I-D: draft-nir-ipsecme-erx-00

2011-05-04 Thread Yoav Nir
On May 4, 2011, at 9:18 AM, Qin Wu wrote: > Hi, > - Original Message - > From: "Yoav Nir" > To: "Qin Wu" > Cc: > Sent: Wednesday, May 04, 2011 1:30 PM > Subject: Re: [IPsec] New I-D: draft-nir-ipsecme-erx-00 > > >> >>

Re: [IPsec] New I-D: draft-nir-ipsecme-erx-00

2011-05-03 Thread Yoav Nir
On May 4, 2011, at 4:50 AM, Qin Wu wrote: >>> - I am missing the "authenticated peer identity", which I would assume >>> should arrive from the AAA server. This should be the basis of RFC4301 >>> policy decisions on the IKE gateway. Does ERP provide this identity? >> >> The EAP-Initiate/Re-aut

Re: [IPsec] New I-D: draft-nir-ipsecme-erx-00

2011-05-03 Thread Yoav Nir
On May 2, 2011, at 11:54 PM, Yaron Sheffer wrote: > [Responding to IPsec only:] > > Hi Yoav, > > thanks for the new draft. I'm afraid one needs to read RFC5296bis before > commenting, but here's a few questions anyway: > > - Sending the domain in the IKE_SA_INIT response obviously contradicts

[IPsec] New I-D: draft-nir-ipsecme-erx-00

2011-05-02 Thread Yoav Nir
Hi. Qin and I have just posted the subject draft. The title is "An IKEv2 Extension for Supporting ERP", although it has nothing to do with enterprise resource planning. This draft brings the ERP extension for EAP, which is developed by the Hokey group into the IKEv2 authentication exchange, a

Re: [IPsec] Proposal for the secure password authentication method problem

2011-04-12 Thread Yoav Nir
On Apr 12, 2011, at 3:17 PM, Tero Kivinen wrote: > This kind of framework would allow using any of the secure password > authentication methods in a way where they can co-exist in the same > implementation. If the implementation is done properly, then it might > be even possible to make it so that

Re: [TICTOC] IPSec Tunnel for PTP - discussion on the mike

2011-04-01 Thread Yoav Nir
On Mar 31, 2011, at 6:39 PM, Bhatia, Manav (Manav) wrote: > Yoav Nir (from IPSecME) had raised a point suggesting that RFC4301 doesn't > mandate all traffic to go via the IPSec tunnel and one could implement > policies such that PTP traffic doesn't go via the tunnel. This i

[IPsec] PSK with IKEv2

2011-03-27 Thread Yoav Nir
Hi all Yesterday, the IESG has started last call on three documents: - draft-harkins-ipsecme-spsk-auth-03 - draft-shin-augmented-pake-03 - draft-kuegler-ipsecme-pace-ikev2-05 All three seek to improve the authentication in IKEv2 when using pre-shared keys, as compared with RFC 5996. The IPsecME

PSK with IKEv2

2011-03-27 Thread Yoav Nir
Hi all Yesterday, the IESG has started last call on three documents: - draft-harkins-ipsecme-spsk-auth-03 - draft-shin-augmented-pake-03 - draft-kuegler-ipsecme-pace-ikev2-05 All three seek to improve the authentication in IKEv2 when using pre-shared keys, as compared with RFC 5996. The IPsecME

Re: [IPsec] New Version Notification for draft-kivinen-ipsecme-ikev2-minimal-00

2011-03-16 Thread Yoav Nir
Hi Tero. IKEv2 has an underlying assumption that peers are always available to respond (for example to liveness check). If you're doing a special profile for minimal implementations that are not always available (because they're in a low-power mode), you should also profile the server that talks

Re: I-D Action:draft-housley-two-maturity-levels-04.txt

2011-03-16 Thread Yoav Nir
On Mar 16, 2011, at 1:08 AM, Brian E Carpenter wrote: >> >> To make clear which documents were issued under the original regime >> and which were issued under the new, there should probably be >> an obvious gap in the number range (going to 5 digit or 6 digit numbers). > > Oh, have you any guess

Re: [IPsec] I-D Action:draft-ietf-ipsecme-failure-detection-06.txt

2011-03-10 Thread Yoav Nir
Hi all. This version includes remarks by Magnus Nyström. To see the differences, follow this link: http://tools.ietf.org/rfcdiff?url2=draft-ietf-ipsecme-failure-detection-06 Yoav On Mar 10, 2011, at 10:15 PM, wrote: > A New Internet-Draft is available from the on-line Internet-Drafts > di

Re: [IPsec] New Version Notification for draft-kivinen-ipsecme-ikev2-minimal-00

2011-03-08 Thread Yoav Nir
I also agree that this draft is useful, and I support its going forward, either as a WG document or as an individual document. While data communications may originate from either side (sensor notifies controller, controller queries sensor, controller sends command to actuator), I think it is r

Re: [IPsec] HOKEY draft draft-ietf-hokey-rfc5296bis

2011-03-07 Thread Yoav Nir
On Mar 7, 2011, at 5:58 PM, Tero Kivinen wrote: > Yoav Nir writes: >> A bigger problem is that this text says that IKEv2 needs to be >> updated, but there is no draft for this update, nor has there been >> any message to this list about this proposed change. >>

[IPsec] SHA-512/256

2011-03-07 Thread Yoav Nir
Hi all RFC 4868 specifies some HMAC-SHA2 algorithms for IPsec: 12 AUTH_HMAC_SHA2_256_128 [RFC4868] 13 AUTH_HMAC_SHA2_384_192 [RFC4868] 14 AUTH_HMAC_SHA2_512_256 [RFC4868] Last year some researchers working for Intel published

Re: [IPsec] HOKEY draft draft-ietf-hokey-rfc5296bis

2011-03-06 Thread Yoav Nir
On Mar 6, 2011, at 11:25 AM, Yoav Nir wrote: > > There's peer-initiated ERP (which would require peer-initiated IKE?) and > multiple simultaneous operations. I think it may come to a somewhat larger > draft. Sorry. peer=remote access client, so peer-initiated IKE is th

[IPsec] HOKEY draft draft-ietf-hokey-rfc5296bis

2011-03-06 Thread Yoav Nir
Hi all I have just read the subject draft, and found this in section 6 (and similar text in the introduction): Note that to support ERP, lower-layer specifications may need to be revised. Specifically, the IEEE802.1x specification must be revised to allow carrying EAP messages of the n

Re: What If....

2011-02-28 Thread Yoav Nir
On Mar 1, 2011, at 5:00 AM, John Levine wrote: >>> http://www.ntia.doc.gov/frnotices/2011/fr_ianafunctionsnoi_02252011.pdf >> >> I'm glad to see they are up to date: > >> "Paper submissions should include a three and one-half inch computer >> diskette in HTML, ASCII, Word or WordPerfect format

Re: XKCD - Nanobots

2011-02-28 Thread Yoav Nir
Yup. It's posted (right after mine) On Feb 28, 2011, at 12:39 PM, Chris Elliott wrote: > Bob, et al.: > > I took the liberty of informing Randall that he hit the IETF list on his > forum here: > > http://forums.xkcd.com/viewtopic.php?f=7&t=68893 > > May take a bit for my post to get approved.

Re: XKCD - Nanobots

2011-02-28 Thread Yoav Nir
On Feb 28, 2011, at 10:40 AM, Bob Hinden wrote: > Pete, > > On Feb 27, 2011, at 11:32 PM, Pete Resnick wrote: > >> I'm sorry, but how could this *not* be posted to the IETF list? >> >> > > I did a rough calculation and think they would have not run out of IPv6 > addres

[IPsec] Putting issue #202 to rest

2011-02-21 Thread Yoav Nir
Hi all. Last week, I submitted version -05 of the failure detection draft. The last two versions both revolved around rewriting section 9.2. I hope this version is something all of us can live with. If I don't get any objections by this week-end, I will close issue #202, and ask Paul & Yaron to

Re: [IPsec] Failure Detection - issue #202

2011-02-11 Thread Yoav Nir
w draft. Thanks for all the work done so far! > > --Paul Hoffman On Feb 11, 2011, at 11:54 AM, IETF I-D Submission Tool wrote: > > A new version of I-D, draft-ietf-ipsecme-failure-detection-04.txt has been > successfully submitted by Yoav Nir and posted to the IETF reposito

Re: [IPsec] I-D Action:draft-ietf-ipsecme-ipsecha-protocol-03.txt

2011-02-10 Thread Yoav Nir
Hi Yaron I think this addresses the issues well. However, there is one more thing. Section 3 is currently in skeleton form and needs to be expanded a lot. For example, RFC 6027 says the following: o It requires multiple parallel SAs, for which the peer has no use. Section 2.8 of [RFC59

[IPsec] Fwd: Failure Detection - issue #202

2011-02-01 Thread Yoav Nir
Adding the IPsec list. Begin forwarded message: From: Frederic Detienne mailto:f...@cisco.com>> Date: February 1, 2011 9:37:33 PM GMT+02:00 To: Paul Hoffman mailto:paul.hoff...@vpnc.org>> Cc: Yoav Nir mailto:y...@checkpoint.com>>, Pratima Sethi mailto:pse...@cisco.co

[IPsec] Failure Detection - issue #202

2011-02-01 Thread Yoav Nir
Hi all. Following last week's conf call, Scott Moonen has proposed text to resolve issue #202. The idea is to remove section 9.4 entirely, and change section 9.2 as follows: OLD: 9.2. QCD Token Transmission A token maker MUST NOT send a QCD token in an unprotected message for an exist

Re: [IPsec] I-D Action:draft-ietf-ipsecme-failure-detection-03.txt

2011-01-30 Thread Yoav Nir
On Jan 30, 2011, at 10:00 AM, Yoav Nir wrote: (13) Page 8, the last line is an orphan. Not sure what you mean. It says "In any case, the lack of a QCD_TOKEN notification MUST NOT be taken" and then continues on the next page. OK. Now that Yaron has helped me figure out what an &

Re: [IPsec] I-D Action:draft-ietf-ipsecme-failure-detection-03.txt

2011-01-30 Thread Yoav Nir
Hi Scott. Thanks for your comments. My replies inline. On Jan 12, 2011, at 10:45 PM, Scott C Moonen wrote: Comments on the draft, mostly editorial in nature: (1) There are still some blockquotes that start with excessive first-line indents, eg., the three quotes on page 5. Those are intentio

Re: [IPsec] WG Last Call on draft-ietf-ipsecme-failure-detection

2011-01-30 Thread Yoav Nir
Hi Keith. Thanks for the comments. My responses inline. On Jan 19, 2011, at 2:36 AM, Keith Welter wrote: 1. The last paragraph of section 2 seems to be making an argument against supporting QCD. Would it be possible to add a counterpoint or to reword the paragraph? When I got to the end of

Re: [IPsec] WG Last Call on draft-ietf-ipsecme-failure-detection

2011-01-27 Thread Yoav Nir
I'd like to also point out that Scott and Keith have pointed out some nits in the spec (on the 12th and 19th of January respectively), which will also be included in the final version. Yoav On Jan 27, 2011, at 6:42 PM, Paul Hoffman wrote: > This message closed out the WG LC. There remains one

Re: [IPsec] draft-welter-ipsecme-ikev2-reauth-02

2011-01-19 Thread Yoav Nir
Hi Keith. Generally, the process goes something like this: - You write a draft (done!) - You present it on the mailing list (done!) - Usually, you ask for a time slot to present at a face-to-face meeting (not mandatory, but helps). The best is if you present it yourself, but if you don't plan to

Re: [IPsec] IKEv2 Diffie Hellman retry logic

2011-01-16 Thread Yoav Nir
1. Yes 2. No. In that case, the correct response is NO PROPOSAL CHOSEN. 3. That is not correct processing. First the responder should match the SA payload to its own policy. If a match is found, the responder can compare the DH group in the matched proposal to the one in the KE payload Th

Re: Poster sessions

2011-01-10 Thread Yoav Nir
We can have as high a barrier as necessary to ensure there are no more than, say, 12 posters. On Jan 11, 2011, at 3:39 AM, John C Klensin wrote: > +1. Very strongly. > > Whether the logistics of space and times could be worked out or > not, poster sessions strike me as a really bad idea and Fr

Re: [IPsec] IPsec on ubuntu linux server 8.04

2011-01-10 Thread Yoav Nir
Hi Kaushal. This mailing list is about the IKE and IPsec protocols, not some particular implementation. IIRC on Ubuntu you can install either StrongSwan or racoon, with StrongSwan being the default on recent versions. I suggest you seek support either at the StrongSwan site ( http://www.stron

Re: [IPsec] Question about TS construction on IKEv2 initiator

2011-01-10 Thread Yoav Nir
Hi Gaurav. There's a 1-octet field called "Number of TSs", so there can be at most 255 traffic selectors for each of initiator and responder. And yes, as many selectors are allowed as you need to describe your policy. In practice, some implementations can't handle complex policies, and require

Re: Poster sessions

2011-01-10 Thread Yoav Nir
On Jan 10, 2011, at 1:09 PM, Henk Uijterwaal wrote: > > The costs for a poster session are almost 0. Isn't this something we > can just try? I don't agree that the costs are zero. You can't have the poster session last all week long, because the presenter may want to go to other sessions. So

Re: Poster sessions

2011-01-10 Thread Yoav Nir
On Jan 10, 2011, at 1:22 PM, Loa Andersson wrote: > All, > > what is here called "poster session" reminds me an awful lot of the > bar BoFs we've been running for a long time. No coincidence. There's been a lot of criticism of these bar BoFs, and we keep looking for better ways to present new ide

Re: Poster sessions

2011-01-10 Thread Yoav Nir
On Jan 10, 2011, at 11:31 AM, Lars Eggert wrote: > Hi, > > On 2011-1-8, at 19:41, R. B. wrote: >> I'm really in a rush, but I want to send my 0.02 too. I like the idea of a >> poster session, since a single I-D could go unobserved in the churn of other >> I-Ds. > > many areas have open meeting

[IPsec] Issue #202: Token makers generating the same tokens without synchronized DB

2011-01-10 Thread Yoav Nir
Greetings. We have just submitted version -03 of the draft. This closes issues #198, #199, #200, and #201, which leaves us with just one issue: #202 = Issue #202: Token makers generating the same tokens without synchronized DB Section 10.4 of the draft has a use-case where a cluster

Re: Poster sessions

2011-01-06 Thread Yoav Nir
On Jan 6, 2011, at 11:26 AM, Alessandro Vesely wrote: > I've never attended an IETF meeting. Why? Because it seems to me quite > unlikely to have a chance to say something useful by going there. I mean > useful with respect to a problem that I consider important. That is, not > just a minimal

Re: FCC IPv6 Working Paper Released

2011-01-05 Thread Yoav Nir
Sigh. You'd think they would have learned by now. "A native IPv6 network will restore end-to-end connectivity with a vastly expanded address space..." On Jan 5, 2011, at 11:56 PM, Richard L. Barnes wrote: This seems like a document that might interest some on this list... From: "Robert Cannon

Re: BCP request: WiFi at High-Tech Meetings

2011-01-04 Thread Yoav Nir
On Jan 4, 2011, at 5:55 PM, Phillip Hallam-Baker wrote: > It could be the 11a support. > > Or it might well be the vendor that supplies the 11a equipment. > > At home I have a box with 7 defunct WiFi routers that I discarded after they > started to fail. Specifically the wireless side of the r

Re: [IPsec] Failure Detection - Issue #200

2011-01-03 Thread Yoav Nir
Reminder... On Dec 26, 2010, at 11:38 AM, Yoav Nir wrote: > Hi all. > > Issue #200 is about some text in section 8 ("Interaction with Session > Resumption"). The text says that a rebooted peer (and thus a defunct SA) may > go undetected for the lifetime of the SA. Ho

Re: Question about Prague

2010-12-30 Thread Yoav Nir
Thanks On Dec 30, 2010, at 2:15 PM, Ray Pelletier wrote: > > On Dec 30, 2010, at 4:38 AM, Yoav Nir wrote: > >> Hi >> >> The Prague meeting is still nearly 3 months away, but I'm wondering why >> there's only a date yet. >> >> No hotel,

Question about Prague

2010-12-30 Thread Yoav Nir
Hi The Prague meeting is still nearly 3 months away, but I'm wondering why there's only a date yet. No hotel, no registration, no details. Some of us need to get the corporate wheels or authorization moving. Thanks Yoav

[IPsec] Failure Detection - Issue #200

2010-12-26 Thread Yoav Nir
Hi all. Issue #200 is about some text in section 8 ("Interaction with Session Resumption"). The text says that a rebooted peer (and thus a defunct SA) may go undetected for the lifetime of the SA. However, RFC 5996 says that at some point, a peer that did not receive incoming traffic on a part
