[IPsec] AD re-review of draft-ietf-ipsecme-ad-vpn-problem

Sean Turner <turners@ieca.com> Tue, 30 April 2013 14:53 UTC

Message-ID: <517FDAC7.8080701@ieca.com>
Date: Tue, 30 Apr 2013 08:52:55 -0600
From: Sean Turner <turners@ieca.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:17.0) Gecko/20130328 Thunderbird/17.0.5
MIME-Version: 1.0
To: ipsec@ietf.org, draft-ietf-ipsecme-ad-vpn-problem@tools.ietf.org
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: [IPsec] AD re-review of draft-ietf-ipsecme-ad-vpn-problem

Please incorporate the QoS issue brought up by Toby.  I'd like to make 
sure we have everything in the draft that the WG wants before issuing 
the WGLC.  I also think the TSV/RTG directorates/ADs will be interested 
in that.

Can you explain the rationale for the following changes to 
requirement #5; I'm just not following it:

OLD:

5. One ADVPN peer MUST NOT be able to impersonate another ADVPN peer.

NEW:

5. Any of the ADVPN Peers MUST NOT have a way to get the long term
authentication credentials for any other ADVPN Peers. The compromise of 
an Endpoint MUST NOT affect the security of communications between other 
ADVPN Peers. The compromise of a Gateway SHOULD NOT affect the security 
of the communications between ADVPN Peers not associated with that Gateway.

Is the first sentence still saying basically: "peers can't impersonate 
peers"?

Nits:

- sec 1.1: Need to add what an ADVPN is and expand the acronym

- sec 4/1.1: The terms allied and federated environment kind of come out 
of nowhere.  Please add them to s1.1.  I just want to make sure it's clear 
what the difference is between the two.