Melinda, My comments are inline.
Mike

----- Original Message -----
From: Melinda Shore
To: [email protected]
Sent: Monday, November 28, 2011 5:44 PM
Subject: Re: [IPsec] Discovery (Was: Preparing a charter change for P2P VPN)

On 11/28/2011 04:31 PM, Michael Ko wrote:
> To establish a secure connection between two authorized network nodes,
> some of the critical management tasks that are required include the
> following:
> 1. Discover if the network nodes that a user is authorized to access are
> currently online and active. (One can always resort to timeouts to
> determine if the peer is online or not, but being able to ascertain the
> status of the peer quickly would be nice.)
> 2. Discover the functional attributes associated with these authorized
> network nodes.
> 3. Discover the location of the authorized network nodes. (E.g., current
> IP address)
> 4. Determine if accessing the network node requires going through a
> relay (e.g., TURN). Discover the location of the relay if it is needed.
> 5. Determine the parameters needed to establish a secure connection
> between the two network nodes.
> 6. Discover, via inquiry or advertisement, other authorized network
> nodes as they become active and available.
> If we use the hub as the entity to provide this "discovery" function,
> then the statement "hubs can receive information from the spokes about
> what addresses the spoke gateways protect" comes closest to meeting the
> requirement, although the information to be "discovered" includes the
> above list and goes beyond just addresses.

Could you go into more detail about what you mean by "user" here, and
what "authorized" means?

[mk] A "user" is a network node that wants to connect with a peer node, preferably in a direct end-to-end connection. (If you can suggest a better term than "user" that will cause less confusion, I will use it instead.) A "user" may not be "authorized" to connect with all peer nodes in the domain.

Are you going out and querying an authorization system?

[mk] The peer node determines which nodes are authorized to connect with it. So the user is not querying an authorization system per se, but since there can be many, many peer nodes, it would be nice if a "user" can find out which peer nodes it is authorized to access. So it is more like a central repository for information rather than an authorization system.

Are you expecting that a pile of attributes is going to be returned as the result of an authentication?

[mk] With the central repository, the administrator determines what attributes are to be stored. A "user" can query for only the attributes that it is interested in. So for example, a "user" first authenticates with the central repository. It can then upload its own attributes or download attributes of peer nodes that it is authorized to access. In this case one of the attributes that a peer node will upload would be the list of nodes that are authorized to access it.

Is a "user" some sort of authenticated credential, or something along the lines of an NAI, or an IP address, or ... ?

[mk] A "user" will have an IP address, but whether it has an NAI depends on the domain where it belongs. And for determining access authorization, a "user" will need to have a "user name" or some unique identification in the domain since the peer node will not know the IP address of a mobile "user".

Melinda

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
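The central-repository model sketched in the exchange above (a node authenticates to the repository, publishes its own attributes together with the list of nodes allowed to reach it, and queries only the attributes it needs about peers it is authorized to access) can be made concrete with a small model. The following is an added example written for this page; it is not code from the IPsec list, from any IETF draft, or from a real discovery hub. The class and method names (`DiscoveryRepository`, `enrol`, `challenge`, `authenticate`, `publish`, `lookup`, `discover`), the attribute names (`addr`, `online`, `relay`, `ike`) and the node names and pre-shared keys are all constructed for the illustration; real enrolment and authentication would be done with whatever credential the domain uses, not a toy challenge-response over a pre-shared key.

```python
"""Toy model of a central discovery repository for a P2P VPN.

Added example, not code from the IPsec WG or any IETF document.  All names,
attribute keys, addresses and pre-shared keys below are constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class NodeRecord:
    """What a node publishes: its attributes and who may discover it."""
    attributes: dict      # e.g. {"addr": ..., "online": True, "relay": ..., "ike": ...}
    authorized: set       # node names allowed to read this record


class DiscoveryRepository:
    def __init__(self):
        self._psks = {}       # node name -> pre-shared key (enrolment assumed out of band)
        self._nonces = {}     # node name -> outstanding challenge nonce
        self._sessions = {}   # session token -> authenticated node name
        self._records = {}    # node name -> NodeRecord

    def enrol(self, name, psk):
        """Administrator registers a node and its credential (assumed step)."""
        self._psks[name] = psk

    def challenge(self, name):
        """Issue a fresh nonce; the node must prove knowledge of its PSK over it."""
        if name not in self._psks:
            return None
        nonce = secrets.token_bytes(16)
        self._nonces[name] = nonce
        return nonce

    def authenticate(self, name, response):
        """Verify HMAC(psk, nonce) and hand out a session token, or None on failure."""
        nonce = self._nonces.pop(name, None)   # single use: a replayed response fails
        if nonce is None:
            return None
        expected = hmac.new(self._psks[name], nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = name
        return token

    def _caller(self, token):
        name = self._sessions.get(token)
        if name is None:
            raise PermissionError("not authenticated")
        return name

    def publish(self, token, attributes, authorized):
        """Upload own attributes plus the list of nodes authorized to access me."""
        name = self._caller(token)
        self._records[name] = NodeRecord(dict(attributes), set(authorized))

    def lookup(self, token, peer, wanted):
        """Return only the requested attributes of `peer`, and only if the
        peer's own authorization list names the caller.  An unknown peer and
        an unauthorized caller get the same answer, so the repository does not
        leak which nodes exist."""
        caller = self._caller(token)
        rec = self._records.get(peer)
        if rec is None or caller not in rec.authorized:
            return None
        return {k: rec.attributes.get(k) for k in wanted}

    def discover(self, token):
        """Task 1/6 from the list: which peers that authorize me are online now."""
        caller = self._caller(token)
        return sorted(name for name, rec in self._records.items()
                      if caller in rec.authorized and rec.attributes.get("online"))


def client_login(repo, name, psk):
    """Client side of the challenge-response; returns a session token or None."""
    nonce = repo.challenge(name)
    if nonce is None:
        return None
    return repo.authenticate(name, hmac.new(psk, nonce, hashlib.sha256).digest())


def demo():
    repo = DiscoveryRepository()
    keys = {"alice": b"alice-psk", "bob": b"bob-psk", "carol": b"carol-psk"}  # constructed
    for name, psk in keys.items():
        repo.enrol(name, psk)
    tokens = {name: client_login(repo, name, psk) for name, psk in keys.items()}
    # bob is a gateway behind a relay that only alice may reach (addresses constructed)
    repo.publish(tokens["bob"], {"addr": "198.51.100.7", "online": True,
                                 "relay": "relay.example.net:3478", "ike": "IKEv2/ESP"},
                 authorized={"alice"})
    # alice is mobile; only bob may learn her current address
    repo.publish(tokens["alice"], {"addr": "203.0.113.42", "online": True, "relay": None},
                 authorized={"bob"})
    return {
        "alice_sees_bob": repo.lookup(tokens["alice"], "bob", ["addr", "relay", "ike"]),
        "carol_sees_bob": repo.lookup(tokens["carol"], "bob", ["addr"]),
        "alice_discovers": repo.discover(tokens["alice"]),
        "carol_discovers": repo.discover(tokens["carol"]),
        "bad_psk": client_login(repo, "carol", b"wrong-psk"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the model makes is the one raised in the thread: the repository is not itself the authorization decision maker. Each node uploads its own "who may reach me" list as just another attribute, and the repository enforces it at read time, so a node learns the address, relay and IKE parameters of exactly the peers that have named it, and nothing about the rest.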
