List: ipsec
Subject: Re: [IPsec] AD re-review of draft-ietf-ipsecme-ad-vpn-problem
From: Vishwas Manral <vishwas.ietf () gmail ! com>
Date: 2013-05-22 2:21:57
Message-ID: CAOyVPHQ_FpgxK2bvS6pN9CnX=42Db2rSB=Q85_GGEuSMDytxAA () mail ! gmail ! com
Hi Paul,
I will try to get this done around the first week of June. I am currently
travelling till the end of the week.
Thanks,
Vishwas
On Tue, May 21, 2013 at 6:57 AM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
> Document authors: when might we have the update so Sean can move this
> forwards? We are gated on this before we solicit AD-VPN protocols.
>
> --Paul Hoffman
>
> On Apr 30, 2013, at 7:52 AM, Sean Turner <turners@ieca.com> wrote:
>
> > Please incorporate the QoS issue brought up by Toby. I'd like to make
> > sure we have everything in the draft that the WG wants before issuing the
> > WGLC. I also think the TSV/RTG directorates/ADs will be interested in that.
> >
> > Can you explain the rationale for the following changes to
> > requirement #5; I'm just not following it:
> >
> > OLD:
> >
> > 5. One ADVPN peer MUST NOT be able to impersonate another ADVPN
> > peer.
> >
> > NEW:
> >
> > 5. Any of the ADVPN Peers MUST NOT have a way to get the long term
> > authentication credentials for any other ADVPN Peers. The compromise of
> > an Endpoint MUST NOT affect the security of communications between other
> > ADVPN Peers. The compromise of a Gateway SHOULD NOT affect the security of
> > the communications between ADVPN Peers not associated with that Gateway.
> >
> > Is the first sentence still saying basically: "peers can't impersonate
> > peers"?
> >
> > Nits:
> >
> > - sec 1.1: Need to add what an ADVPN is and expand the acronym
> >
> > - sec 4/1.1: The terms allied and federated environment kind of come out
> > of nowhere. Please add them to s1.1. I just want to make sure it's clear what
> > the difference is between the two.
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
>