
RE: VPN Auth (was VPN authentication/verification and WG re-chartering)



Tom-

That's a good point. It can (easily) be argued that these multi-SP cases
are actually the most important for VPN authentication to address...
Certainly, the trust models are complicated. I.e. who owns the customer
relationship, who is managing the service(s), etc. But in any case,
there are too many contributors in the VPN for things to just work
without occasional error. VPN authentication is very valuable in this
environment.

Cheers,
-Benson




> -----Original Message-----
> From: Thomas D. Nadeau [mailto:tnadeau at cisco.com] 
> Sent: Tuesday, June 05, 2007 3:27 PM
> To: Schliesser, Benson
> Cc: l3vpn at ietf.org
> Subject: Re: VPN Auth (was VPN authentication/verification and WG re-chartering)
> 
> 
> > Sorry for replying to my own message, but I would like to encourage
> > discussion around VPN Auth requirements.
> >
> >> I would like to see discussion of the requirements first, so that
> >> candidate solutions have a point of reference.
> >
> > For instance, I would argue that there are several roles/modes of
> > authentication that must be considered: SP-managed, user-managed, and
> > co-managed. Each of these modes has slightly different requirements, of
> > course, and different alerting and/or response mechanisms.
> 
> 	And one other thing related to an important point you raised
> earlier would be two other cases: multiple SP-managed, co-managed
> with multiple SPs where there are multiple providers.
> 
> 	--Tom
> 
> 
> > Across all of these modes the primary goal is to be assured that all
> > sites attached to the VPN are intended and allowed to be members.
> > Secondary goals *might* include verification that the CE was configured
> > by the correct authority (i.e. is not a hacked or replaced device), that
> > routes originating from the CE (or PE) are legitimate, etc. Maybe a
> > solution for one of the secondary goals might actually solve the primary
> > goal, too.
> >
> > Any thoughts on these goals, and/or how they translate into technical
> > requirements?
> >
> > Cheers,
> > -Benson
>