Re: [IPsec] TSVDIR-ish review of draft-ietf-ipsecme-ikev2-fragmentation-04

2013-10-23 Thread Valery Smyslov
Hi Joe, thank you for your suggestions. I still have some comments. On 10/22/2013 11:25 PM, Valery Smyslov wrote: I appreciate the work transport folks have done. I will also appreciate it if you point out what exact lessons should be applied here and why. And you may consider PMTUD in IKE as simp

[IPsec] AD VPN: discussion kick off

2013-10-23 Thread Yaron Sheffer
Hi everyone, We spent a lot of time understanding the requirements from autodiscovery VPN solutions, and we have 3 serious proposals on the table. We have had in-depth presentations of two of them (http://tools.ietf.org/html/draft-sathyanarayan-ipsecme-advpn-03.txt and http://tools.ietf.org/html/

Re: [IPsec] Some comments on draft-detienne-dmvpn-00

2013-10-23 Thread Mike Sullenberger (mls)
Lou, Thank you for your comments, more inline. Mike. Mike Sullenberger, DSE m...@cisco.com    .:|:.:|:. Customer Advocacy  CISCO > -Original Message- > From: Lou Berger [mailto:lber...@labn.net] > Sent: Friday, October 18, 2013 3:29 PM > To: draft-detienne-dm...@to

[IPsec] Agenda for Vancouver

2013-10-23 Thread Paul Hoffman
Below is the proposed agenda; please let Yaron and me know if there are any requested changes. --Paul Hoffman IPsecME WG agenda IETF 88, Vancouver Monday, November 4, 2013 WG status report and update on open WG Last Calls Chairs - 15 mins Handing Over Child SAs Following Re-Authentication in IKE

Re: [IPsec] TSVDIR-ish review of draft-ietf-ipsecme-ikev2-fragmentation-04

2013-10-23 Thread Joe Touch
On 10/22/2013 11:25 PM, Valery Smyslov wrote: I appreciate the work transport folks have done. I will also appreciate it if you point out what exact lessons should be applied here and why. And you may consider PMTUD in IKE as simplified PLMTUD, implemented according to Section 10.4 of RFC4821.

[IPsec] Working Group Last Call: draft-kivinen-ipsecme-ikev2-rfc5996bis-01

2013-10-23 Thread Yaron Sheffer
Hi, this is to start a 3-week working group last call on the IKEv2-bis (or -bis-bis) document, ending Nov. 13. The draft is at: http://tools.ietf.org/html/draft-kivinen-ipsecme-ikev2-rfc5996bis. The main motivation behind

[IPsec] Working Group Last Call: draft-kivinen-ipsecme-signature-auth-02

2013-10-23 Thread Yaron Sheffer
Hi, this is to start a 3-week working group last call on the IKE Signature Authentication document, ending Nov. 13. The draft is at: http://tools.ietf.org/html/draft-kivinen-ipsecme-signature-auth-02. The document is a produ

Re: [IPsec] TSVDIR-ish review of draft-ietf-ipsecme-ikev2-fragmentation-04

2013-10-23 Thread Valery Smyslov
This doc makes the case that IKEv2 should implement its own frag/reassembly mechanism, because some NATs don't pass IP fragments. First, the issue with NATs and fragments should be made more clear, especially citing existing descriptions of this issue, e.g., RFC4787. Note that NATs which do not p

[IPsec] Some comments concerning draft-amjads-ipsecme-ikev2-data-channel-00.txt

2013-10-23 Thread Valery Smyslov
Hi, I have some comments concerning the draft. 1. As far as I understand, only one data channel can be created within one IKE SA. So, if an application needs several different channels, it has to create several separate IKE SAs, performing authentication several times (probably involving

Re: [IPsec] [ippm] draft-ietf-ippm-ipsec-01 review

2013-10-23 Thread Konstantinos Pentikousis
Hi John, all, | I reviewed draft-ietf-ippm-ipsec-01, I think the issue is important, | and I think the document is a good start. I do however have some | doubts regarding the suggested solution to extract keying material from | IPsec. | | Here are my comments and suggestions. | | Best Regard

Re: [IPsec] TSVDIR-ish review of draft-ietf-ipsecme-ikev2-fragmentation-04

2013-10-23 Thread Valery Smyslov
Hi Paul, attacks (e.g., overloading the receiver with false fragments). This attack is always possible both with and without fragmentation (just overloading with false full messages) and IKE is designed to withstand it. Partially. For unfragmented IKE, the cookies/SPI mitigate this if you g