
Re: VPN Auth (was VPN authentication/verification and WG re-chartering)




Sorry for replying to my own message, but I would like to encourage
discussion around VPN Auth requirements.

I would like to see discussion of the requirements first, so that
candidate solutions have a point of reference.

For instance, I would argue that there are several roles/modes of
authentication that must be considered: SP-managed, user-managed, and
co-managed. Each of these modes has slightly different requirements, of
course, and different alerting and/or response mechanisms.

And one other thing related to an important point you raised
earlier would be two other cases: multiple SP-managed, and co-managed
with multiple SPs where there are multiple providers.


	--Tom


Across all of these modes the primary goal is to be assured that all
sites attached to the VPN are intended and allowed to be members.
Secondary goals *might* include verification that the CE was configured
by the correct authority (i.e. is not a hacked or replaced device), that
routes originating from the CE (or PE) are legitimate, etc. Maybe a
solution for one of the secondary goals might actually solve the primary
goal, too.


Any thoughts on these goals, and/or how they translate into technical
requirements?

Cheers,
-Benson