Re: [IPsec] [ipsecme] #217: Temporary credentials

2012-03-26 Thread Michael Richardson
"Geoffrey" == Geoffrey Huang <ghu...@juniper.net> writes:
Geoffrey> My initial inclination is to say that won't fly: that many
Geoffrey> deployments still require preshared key authentication.
Geoffrey> Rather, they would object to certificates because of
Geoffrey> perceived complexity.

Re: [IPsec] [ipsecme] #217: Temporary credentials

2012-03-26 Thread Yoav Nir
On Mar 26, 2012, at 9:52 AM, Michael Richardson wrote:
> "Geoffrey" == Geoffrey Huang <ghu...@juniper.net> writes:
> Geoffrey> My initial inclination is to say that won't fly: that many
> Geoffrey> deployments still require preshared key authentication.
> Geoffrey> Rather, they would object to

Re: [IPsec] FW: [ipsecme] #211: We should talk more about why this is a hard problem.

2012-03-26 Thread Michael Richardson
I agree: it's not a hard problem. It's an annoying problem, and the lack of a dynamic solution causes poor experiences for users. For a relatively static group of non-moving leaf gateways, even a very large group, a bit of scripting could generate most of the full mesh policy, and normal IKEv2

Re: [IPsec] [ipsecme] #213: In use case 2.1, direct endpoint-to-endpoint connectivity may not be possible

2012-03-26 Thread Michael Richardson
"Yoav" == Yoav Nir <y...@checkpoint.com> writes:
Yoav> direct endpoint-to-endpoint connectivity may not be possible
Yoav> if both endpoints are NATed
Yoav> Why? There are several protocols (SIP/RTP come to mind) that
Yoav> manage endpoint-to-endpoint connectivity even when both are

Re: [IPsec] [ipsecme] #214: Should gateways figure things out completely or just punt endpoints to a closer gateway?

2012-03-26 Thread Michael Richardson
"Stephen" == Stephen Hanna <sha...@juniper.net> writes:
Stephen> I think that Michael is asking an important question. There
Stephen> are many ways to solve the P2P VPN problem. One way is to
Stephen> have satellites with little configuration that connect to
Stephen> core gateways with

Re: [IPsec] [ipsecme] #214: Should gateways figure things out completely or just punt endpoints to a closer gateway?

2012-03-26 Thread Michael Richardson
{fat fingers let previous email get away too soon, ignore}
"Stephen" == Stephen Hanna <sha...@juniper.net> writes:
Stephen> I think that Michael is asking an important question. There
Stephen> are many ways to solve the P2P VPN problem. One way is to
Stephen> have satellites with little

Re: [IPsec] [ipsecme] #215: Should traffic flow through the gateway while a shortcut is being established?

2012-03-26 Thread Michael Richardson
"Stephen" == Stephen Hanna <sha...@juniper.net> writes:
Stephen> #215: Should traffic flow through the gateway while a
Stephen> shortcut is being
Stephen> established?
Yes. No traffic should be delayed or dropped if it can be delivered. This entire system is an optional *optimization*!

Re: [IPsec] [ipsecme] #216: Multiple interfaces or mobile endpoint

2012-03-26 Thread Michael Richardson
I think that whenever a node moves from the point of view of its primary connection, that it should tear down all auxiliary tunnels. Due to the movement of the node, it may be impossible to communicate with the end-points of the auxiliary tunnels (due to NAT restricted-cone at one end or the

Re: [IPsec] [ipsecme] #216: Multiple interfaces or mobile endpoint

2012-03-26 Thread Michael Richardson
"Vishwas" == Vishwas Manral <vishwas.i...@gmail.com> writes:
Vishwas> Branch routers have 3G/ 4G interfaces as backups for the
Vishwas> primary interface
Vishwas> and sometimes even multiple 3G/ 4G interfaces with no wired
Vishwas> interface at
Vishwas> all to the backend.
Vishwas,

Re: [IPsec] [ipsecme] #214: Should gateways figure things out completely or just punt endpoints to a closer gateway?

2012-03-26 Thread Yoav Nir
On Mar 26, 2012, at 10:47 AM, Michael Richardson wrote:
> "Yaron" == Yaron Sheffer <yaronf.i...@gmail.com> writes:
> Yaron> I don't want to speak for MCR, but I think you are taking his
> Yaron> question too far towards the implementation aspects. What I
> Yaron> read in the question is, do we

Re: [IPsec] New Version Notification for draft-kivinen-ipsecme-oob-pubkey-00.txt

2012-03-26 Thread Daniel Migault
I also support the draft
Daniel
On Tue, Mar 6, 2012 at 5:37 AM, Paul Hoffman <paul.hoff...@vpnc.org> wrote:
> On Mar 5, 2012, at 3:26 AM, Tero Kivinen wrote:
>> I just posted following document. I think I would like to get a few minutes in Paris to explain this document, and see whether there is any

Re: [IPsec] [ipsecme] #214: Should gateways figure things out completely or just punt endpoints to a closer gateway?

2012-03-26 Thread Michael Richardson
"Yoav" == Yoav Nir <y...@checkpoint.com> writes:
You didn't take my comments too far; I think you realized that I was in fact saying two things: 1) when traffic is redirected, MUST it be redirected directly to the real endpoint? (There might be issues of in-band double NAT

Re: [IPsec] FW: [ipsecme] #211: We should talk more about why this is a hard problem.

2012-03-26 Thread Vishwas Manral
I agree.
-Vishwas
On Mon, Mar 26, 2012 at 1:12 AM, Michael Richardson <mcr+i...@sandelman.ca> wrote:
> I agree: it's not a hard problem. It's an annoying problem, and the lack of a dynamic solution causes poor experiences for users. For a relatively static group of non-moving leaf gateways,

Re: [IPsec] [ipsecme] #216: Multiple interfaces or mobile endpoint

2012-03-26 Thread Daniel Migault
My understanding is that there are two things, that may be considered independently:
- configuring IPsec layer
- defining which route the communication should take
I don't understand why only one tunnel should be used. A mobile node, when it detects a new interface, should be able to add

Re: [IPsec] [ipsecme] #216: Multiple interfaces or mobile endpoint

2012-03-26 Thread Tero Kivinen
Daniel Migault writes:
> My understanding is that there are two things, that may be considered independently:
> - configuring IPsec layer
> - defining which route the communication should take
> I don't understand why only one tunnel should be used. A mobile node, when it detects a new

[IPsec] draft-nir-ipsecme-erx

2012-03-26 Thread Yoav Nir
Hi
This is about my presentation from the IPsecME meeting today (which for some reason is not on the website)
Anyways, RFC 5266 mentions that RFC 4306 must be updated to carry ERP messages. This caused some controversy a year ago, but regardless, I did think of a use case, so I partnered with

Re: [IPsec] draft-nir-ipsecme-erx

2012-03-26 Thread Yoav Nir
On Mar 26, 2012, at 6:43 PM, Tero Kivinen wrote:
> Yoav Nir writes:
>> This is about my presentation from the IPsecME meeting today (which for some reason is not on the website)
>> Anyways, RFC 5266 mentions that RFC 4306 must be updated to carry ERP messages. This caused some controversy a year

Re: [IPsec] [ipsecme] #217: Temporary credentials

2012-03-26 Thread Tero Kivinen
Geoffrey Huang writes:
> It's starting to sound like existing methods, to be sure. I'm skeptical of introducing yet another form of authentication. This would add to the complexity of the overall system. To frame it in terms of a requirement, I propose that any leaf-to-leaf communication has