On 6/3/13 1:02 PM, Vishwas Manral wrote:
Hi Sean,
My comments are inline:
Please incorporate the QoS issue brought up by Toby. I'd like to make
sure we have everything in the draft that the WG wants before issuing
the WGLC. I also think the TSV/RTG directorates/ADs will be interested
in that.
VM> I can incorporate it if the Working Group thinks the QoS parts
should be part of the aDVPN solution.
Yeah it wasn't clear to me whether it should be part of the aDVPN
solution. Maybe the chairs can chime in on this one.
Can you explain the rationale for the following changes to
requirement #5; I'm just not following it:
OLD:
5. One ADVPN peer MUST NOT be able to impersonate another ADVPN peer.
NEW:
5. Any of the ADVPN Peers MUST NOT have a way to get the long term
authentication credentials for any other ADVPN Peers. The compromise of
an Endpoint MUST NOT affect the security of communications between other
ADVPN Peers. The compromise of a Gateway SHOULD NOT affect the security
of the communications between ADVPN Peers not associated with that Gateway.
Is the first sentence still saying basically: "peers can't impersonate
peers"?
VM> Yes, that's the idea in my view. Steve Hanna may have more comments on
this. Steve?
Okay, I guess that makes sense; it just seems a little wordy, but not worth
holding the draft up for.
Nits:
- sec 1.1: Need to add what an ADVPN is and expand the acronym
VM> Should something like the below suffice:
VM> ADVPN - Auto Discovery Virtual Private Network (ADVPN) is a VPN
solution that enables a large number of systems to communicate directly,
with minimal configuration and operator intervention, using IPsec to
protect communication between them.
yes
- sec 4/1.1: The terms allied and federated environment kind of come out
of nowhere. Please add them to s1.1. I just want to make sure it's clear
what the difference is between the two.
VM> Here is what I will add to 1.1.
VM> Allied and Federated Environments - Environments where we have
multiple different organizations that have close association and need to
connect to each other.
that'll work.
_______________________________________________
IPsec mailing list
https://www.ietf.org/mailman/listinfo/ipsec