List:       ipsec
Subject:    Re: [IPsec] AD re-review of draft-ietf-ipsecme-ad-vpn-problem
From:       Vishwas Manral <vishwas.ietf () gmail ! com>
Date:       2013-05-22 2:21:57
Message-ID: CAOyVPHQ_FpgxK2bvS6pN9CnX=42Db2rSB=Q85_GGEuSMDytxAA () mail ! gmail ! com

Hi Paul,

I will try to get this done around the first week of June. I am currently
travelling till the end of the week.

Thanks,
Vishwas


On Tue, May 21, 2013 at 6:57 AM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:

> Document authors: when might we have the update so Sean can move this
> forwards? We are gated on this before we solicit AD-VPN protocols.
>
> --Paul Hoffman
>
> On Apr 30, 2013, at 7:52 AM, Sean Turner <turners@ieca.com> wrote:
>
> > Please incorporate the QoS issue brought up by Toby.  I'd like to make
> > sure we have everything in the draft that the WG wants before issuing the
> > WGLC.  I also think the TSV/RTG directorates/ADs will be interested in that.
> >
> > Can you explain the rationale for the following changes to
> > requirement #5; I'm just not following it:
> >
> > OLD:
> >
> > 5. One ADVPN peer MUST NOT be able to impersonate another ADVPN
> > peer.
> >
> > NEW:
> >
> > 5. Any of the ADVPN Peers MUST NOT have a way to get the long term
> > authentication credentials for any other ADVPN Peers. The compromise of
> > an Endpoint MUST NOT affect the security of communications between other
> > ADVPN Peers. The compromise of a Gateway SHOULD NOT affect the security of
> > the communications between ADVPN Peers not associated with that Gateway.
> >
> > Is the first sentence still saying basically: "peers can't impersonate
> > peers"?
> >
> > Nits:
> >
> > - sec 1.1: Need to add what an ADVPN is and expand the acronym
> >
> > - sec 4/1.1: The terms allied and federated environment kind of come out
> > of nowhere.  Please add them to s1.1.  I just want to make sure it's clear what
> > the difference is between the two.
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
>
