Re: [IPsec] Candidate charter text is now in wiki

2018-02-09 Thread Yoav Nir


> On 9 Feb 2018, at 18:40, Paul Wouters wrote:
> 
> On Wed, 7 Feb 2018, Tero Kivinen wrote:
> 
>> It depends. If we do not take the item as an official working group
>> chartered item, there are still a few different options. You can either
>> get it processed as an AD-sponsored draft, or you can go the individual
>> submission track.
> 
> It is a little strange we don't have an ops group for ipsec. The IPsecME
> group really functions as such.

Are there any work items to add to the charter of this group or a dedicated ops 
group?

I don’t remember any draft about how you’d go about deploying IPsec either in 
VPN or within a datacenter. Certainly not at scale. 

There is the work in I2NSF for the datacenter and there are some “software 
defined WAN” products that use IPsec for VPN, but the latter is not 
standardised.

Yoav

___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec


Re: [IPsec] Candidate charter text is now in wiki

2018-02-09 Thread Paul Wouters

On Wed, 7 Feb 2018, Tero Kivinen wrote:

> It depends. If we do not take the item as an official working group
> chartered item, there are still a few different options. You can either
> get it processed as an AD-sponsored draft, or you can go the individual
> submission track.

It is a little strange we don't have an ops group for ipsec. The IPsecME
group really functions as such. Maybe something covering ops could be
added to the charter to cover these kinds of items. Because I do think
everyone would prefer this type of work to happen in a WG and not as
individual/AD sponsored work.

Paul



Re: [IPsec] Candidate charter text is now in wiki

2018-02-07 Thread mohamed.boucadair
Re-,

Fair enough.

Would it be possible to issue formal calls for each of the proposed items so 
that (hopefully) we get more feedback (support/objection)? 

Thank you.

Cheers,
Med

> -----Original Message-----
> From: IPsec [mailto:ipsec-boun...@ietf.org] On behalf of Tero Kivinen
> Sent: Wednesday, 7 February 2018 11:05
> To: BOUCADAIR Mohamed IMT/OLN
> Cc: ipsec@ietf.org
> Subject: Re: [IPsec] Candidate charter text is now in wiki
> 
> mohamed.boucad...@orange.com writes:
> > I was naively expecting a formal call to assess the
> > interest/objections for each of the proposed items. Perhaps, I'm not
> > the only one in that case.
> 
> That could have been another possibility, but as I was so busy between
> the last IETF and now, I didn't have time to do it. On the other hand,
> if there had been lots of people really interested in the work,
> they might have already commented on the text...
> 
> > I have one "logistic" question: if this proposed item is not
> > included in the charter, does this mean that I can proceed with the
> > code points assignment request
> > (https://datatracker.ietf.org/doc/draft-boucadair-ipsecme-ipv6-ipv4-codes/)
> > with IANA and the codes will be assigned? For the record, the only
> > comments I received were from Paul (thanks), and an updated version
> > of the draft that addresses those comments was released.
> 
> It depends. If we do not take the item as an official working group
> chartered item, there are still a few different options. You can either
> get it processed as an AD-sponsored draft, or you can go the individual
> submission track.
> 
> To get the IANA numbers is separate from that as those numbers are
> allocated by expert review.
> 
> Anyway, let's see if there are other people interested in taking this
> item as a charter item or not.
> --
> kivi...@iki.fi



Re: [IPsec] Candidate charter text is now in wiki

2018-02-07 Thread Tero Kivinen
mohamed.boucad...@orange.com writes:
> I was naively expecting a formal call to assess the
> interest/objections for each of the proposed items. Perhaps, I'm not
> the only one in that case. 

That could have been another possibility, but as I was so busy between
the last IETF and now, I didn't have time to do it. On the other hand,
if there had been lots of people really interested in the work,
they might have already commented on the text...

> I have one "logistic" question: if this proposed item is not
> included in the charter, does this mean that I can proceed with the
> code points assignment request
> (https://datatracker.ietf.org/doc/draft-boucadair-ipsecme-ipv6-ipv4-codes/)
> with IANA and the codes will be assigned? For the record, the only
> comments I received were from Paul (thanks), and an updated version
> of the draft that addresses those comments was released. 

It depends. If we do not take the item as an official working group
chartered item, there are still a few different options. You can either
get it processed as an AD-sponsored draft, or you can go the individual
submission track.

To get the IANA numbers is separate from that as those numbers are
allocated by expert review.

Anyway, let's see if there are other people interested in taking this
item as a charter item or not.
-- 
kivi...@iki.fi



Re: [IPsec] Candidate charter text is now in wiki

2018-02-06 Thread mohamed.boucadair
Hi Tero, 

Thank you for the update.

I was naively expecting a formal call to assess the interest/objections for 
each of the proposed items. Perhaps, I'm not the only one in that case.

I have one "logistic" question: if this proposed item is not included in the 
charter, does this mean that I can proceed with the code points assignment 
request 
(https://datatracker.ietf.org/doc/draft-boucadair-ipsecme-ipv6-ipv4-codes/) 
with IANA and the codes will be assigned? For the record, the only comments I 
received were from Paul (thanks), and an updated version of the draft that 
addresses those comments was released.

Cheers,
Med

> -----Original Message-----
> From: Tero Kivinen [mailto:kivi...@iki.fi]
> Sent: Tuesday, 6 February 2018 19:36
> To: BOUCADAIR Mohamed IMT/OLN
> Cc: ipsec@ietf.org
> Subject: RE: [IPsec] Candidate charter text is now in wiki
> 
> mohamed.boucad...@orange.com writes:
> > It seems that you missed this text for the address failure codes (Nov 13):
> > https://www.ietf.org/mail-archive/web/ipsec/current/msg11724.html
> 
> Yes, as I wanted to get some more discussion about it in the mailing
> list first. I have not seen any discussion about it since the IETF, so
> is there really enough interest for it? The charter in the wiki only
> included items we discussed in the meeting.
> 
> > I'm resending it fwiw:
> >
> >RFC7296 defines a generic notification code that is related to a
> >failure to handle an internal address failure.  That code does not
> >explicitly allow an initiator to determine why a given address family
> >is not assigned, nor whether it should try using another address
> >family.  The Working Group will specify a set of more specific
> >notification codes that will provide sufficient information to the
> >IKEv2 initiator about the encountered failure.
> --
> kivi...@iki.fi



Re: [IPsec] Candidate charter text is now in wiki

2018-02-06 Thread Tero Kivinen
mohamed.boucad...@orange.com writes:
> It seems that you missed this text for the address failure codes (Nov 13): 
> https://www.ietf.org/mail-archive/web/ipsec/current/msg11724.html   

Yes, as I wanted to get some more discussion about it in the mailing
list first. I have not seen any discussion about it since the IETF, so
is there really enough interest for it? The charter in the wiki only
included items we discussed in the meeting.

> I'm resending it fwiw:
> 
>RFC7296 defines a generic notification code that is related to a
>failure to handle an internal address failure.  That code does not
>explicitly allow an initiator to determine why a given address family
>is not assigned, nor whether it should try using another address
>family.  The Working Group will specify a set of more specific
>notification codes that will provide sufficient information to the
>IKEv2 initiator about the encountered failure.
-- 
kivi...@iki.fi



Re: [IPsec] Candidate charter text is now in wiki

2018-02-06 Thread Tero Kivinen
David Schinazi writes:
> Here is proposed charter text for the "Mitigating privacy concerns"
> section:

As there has not been any support for this item in the mailing list I
do not think we will be adding it in the charter this time. 

> IKEv2 is currently vulnerable to the two following privacy concerns:
> 
> 1) It's not possible to run a server that obfuscates IKEv2/IPsec
> using TLS. Today, thanks to RFC 8229, it is possible to run an
> IKEv2/IPsec server on TCP port 443 with TLS. However, if a
> government agent tries to send an SA_INIT over that, it will
> discover that this server runs IKEv2/IPsec, and may blacklist
> it. We should add a mechanism to IKEv2 that allows the server to
> only respond to SA_INIT from known entities (e.g. that possess a
> shared secret).
> 
> 2) The privacy of the initiator's identity in the presence of a man
> in the middle attacker is not protected. Today an attacker with
> full control of the network can receive the IDi/IDr sent by the
> initiator in the first AUTH packet. We should add a mechanism to
> IKEv2 that allows the initiator to only send IDi/IDr to known
> entities (e.g. that possess a shared secret).
-- 
kivi...@iki.fi



Re: [IPsec] Candidate charter text is now in wiki

2017-11-28 Thread David Schinazi
Hi Tero,

Here is proposed charter text for the "Mitigating privacy concerns" section:

IKEv2 is currently vulnerable to the two following privacy concerns:

1) It's not possible to run a server that obfuscates IKEv2/IPsec using TLS.
Today, thanks to RFC 8229, it is possible to run an IKEv2/IPsec server on TCP 
port 443 with TLS.
However, if a government agent tries to send an SA_INIT over that, it will 
discover that this server runs IKEv2/IPsec, and may blacklist it.
We should add a mechanism to IKEv2 that allows the server to only respond 
to SA_INIT from known entities (e.g. that possess a shared secret).

2) The privacy of the initiator's identity in the presence of a man in the 
middle attacker is not protected.
Today an attacker with full control of the network can receive the IDi/IDr 
sent by the initiator in the first AUTH packet.
We should add a mechanism to IKEv2 that allows the initiator to only send 
IDi/IDr to known entities (e.g. that possess a shared secret).

Thanks,
David Schinazi


> On Nov 16, 2017, at 22:35, mohamed.boucad...@orange.com wrote:
> 
> Dear Tero,
> 
> It seems that you missed this text for the address failure codes (Nov 13): 
> https://www.ietf.org/mail-archive/web/ipsec/current/msg11724.html   
> 
> I'm resending it fwiw:
> 
>   RFC7296 defines a generic notification code that is related to a
>   failure to handle an internal address failure.  That code does not
>   explicitly allow an initiator to determine why a given address family
>   is not assigned, nor whether it should try using another address
>   family.  The Working Group will specify a set of more specific
>   notification codes that will provide sufficient information to the
>   IKEv2 initiator about the encountered failure.
> 
> Cheers,
> Med
> 
>> -----Original Message-----
>> From: IPsec [mailto:ipsec-boun...@ietf.org] On behalf of Tero Kivinen
>> Sent: Friday, 17 November 2017 06:21
>> To: ipsec@ietf.org
>> Subject: [IPsec] Candidate charter text is now in wiki
>> 
>> I put the candidate charter text to the wiki. This includes the
>> changes in the first two paragraphs, removes items already done, and
>> a list of new items. I have not yet added the items that came too late
>> to have charter text bashed in the meeting to the wiki.
>> 
>> For those items which do not have text yet, it would be a good idea if
>> those people could send new proposed text to the list so we could bash
>> those at the same time as we go and check the other pieces.
>> 
>> So read that candidate charter text and comment on it on the list.
>> 
>> Wiki address is https://trac.ietf.org/trac/ipsecme/wiki/recharter2017
>> --
>> kivi...@iki.fi



Re: [IPsec] Candidate charter text is now in wiki

2017-11-16 Thread mohamed.boucadair
Dear Tero,

It seems that you missed this text for the address failure codes (Nov 13): 
https://www.ietf.org/mail-archive/web/ipsec/current/msg11724.html   

I'm resending it fwiw:

   RFC7296 defines a generic notification code that is related to a
   failure to handle an internal address failure.  That code does not
   explicitly allow an initiator to determine why a given address family
   is not assigned, nor whether it should try using another address
   family.  The Working Group will specify a set of more specific
   notification codes that will provide sufficient information to the
   IKEv2 initiator about the encountered failure.

Cheers,
Med

> -----Original Message-----
> From: IPsec [mailto:ipsec-boun...@ietf.org] On behalf of Tero Kivinen
> Sent: Friday, 17 November 2017 06:21
> To: ipsec@ietf.org
> Subject: [IPsec] Candidate charter text is now in wiki
> 
> I put the candidate charter text to the wiki. This includes the
> changes in the first two paragraphs, removes items already done, and
> a list of new items. I have not yet added the items that came too late
> to have charter text bashed in the meeting to the wiki.
> 
> For those items which do not have text yet, it would be a good idea if
> those people could send new proposed text to the list so we could bash
> those at the same time as we go and check the other pieces.
> 
> So read that candidate charter text and comment on it on the list.
> 
> Wiki address is https://trac.ietf.org/trac/ipsecme/wiki/recharter2017
> --
> kivi...@iki.fi

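The charter item in the message above is about the generic INTERNAL_ADDRESS_FAILURE notification of RFC 7296. The Python below is an added example, not text from this thread, from the cited draft, or from any IETF document: it parses an IKEv2 payload chain and the Notify payloads in it using the layouts given in RFC 7296 (generic payload header, then Protocol ID, SPI Size, Notify Message Type, SPI, Notification Data), and shows that an initiator receiving the generic code gets no indication of which address family failed or whether retrying with the other family is worthwhile. All byte strings are constructed samples, and `address_failure_info` is a hypothetical helper name, not an API from any implementation.

```python
# Added example (not part of the mailing-list thread): a minimal parser for
# IKEv2 payload chains and Notify payloads, following the formats in
# RFC 7296, used here to show what an initiator actually learns from a
# generic INTERNAL_ADDRESS_FAILURE notification. All sample bytes below
# are constructed for this example.
import struct

# Payload type value for the Notify payload (RFC 7296, section 3.2).
PAYLOAD_NOTIFY = 41

# A few Notify Message Types from RFC 7296, section 3.10.1.
# Values below 16384 are error types; 16384 and above are status types.
NOTIFY_NAMES = {
    7: "INVALID_SYNTAX",
    14: "NO_PROPOSAL_CHOSEN",
    24: "AUTHENTICATION_FAILED",
    36: "INTERNAL_ADDRESS_FAILURE",
    16384: "INITIAL_CONTACT",
    16390: "COOKIE",
}
INTERNAL_ADDRESS_FAILURE = 36


def parse_payload_chain(first_type, data):
    """Walk the generic payload headers (Next Payload, C/RESERVED, Length)
    and return a list of (payload_type, critical, body) tuples.
    Raises ValueError on truncated or inconsistent lengths, which a
    receiver must treat as a malformed message rather than trust."""
    payloads = []
    ptype, off = first_type, 0
    while ptype != 0:  # Next Payload 0 means no further payload
        if off + 4 > len(data):
            raise ValueError("truncated payload header")
        next_type, flags, length = struct.unpack_from("!BBH", data, off)
        if length < 4 or off + length > len(data):
            raise ValueError("bad payload length %d" % length)
        payloads.append((ptype, bool(flags & 0x80), data[off + 4:off + length]))
        ptype, off = next_type, off + length
    if off != len(data):
        raise ValueError("trailing bytes after last payload")
    return payloads


def parse_notify(body):
    """Decode a Notify payload body: Protocol ID, SPI Size, Notify Message
    Type, SPI, Notification Data (RFC 7296, section 3.10)."""
    if len(body) < 4:
        raise ValueError("notify body too short")
    proto, spi_size, ntype = struct.unpack_from("!BBH", body, 0)
    if len(body) < 4 + spi_size:
        raise ValueError("notify SPI truncated")
    return {
        "protocol_id": proto,
        "spi": body[4:4 + spi_size],
        "type": ntype,
        "name": NOTIFY_NAMES.get(ntype, "UNKNOWN(%d)" % ntype),
        "is_error": ntype < 16384,
        "data": body[4 + spi_size:],
    }


def address_failure_info(first_type, data):
    """Hypothetical helper: what can the initiator learn about a failed
    address request? Returns None if no INTERNAL_ADDRESS_FAILURE is present;
    otherwise a dict whose 'address_family' is None, because the generic
    code carries no family-specific information (the gap the charter item
    describes)."""
    for ptype, _critical, body in parse_payload_chain(first_type, data):
        if ptype != PAYLOAD_NOTIFY:
            continue
        notify = parse_notify(body)
        if notify["type"] == INTERNAL_ADDRESS_FAILURE:
            return {"notify": notify["name"],
                    "data_len": len(notify["data"]),
                    "address_family": None}
    return None


# Constructed sample: one Notify payload. Next Payload 0, flags 0, length 8,
# Protocol ID 0, SPI Size 0, type 36 (INTERNAL_ADDRESS_FAILURE), no data.
SAMPLE_ADDRESS_FAILURE = bytes([0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x24])

# Constructed sample: two chained Notify payloads, COOKIE carrying 4 bytes
# of data, followed by INITIAL_CONTACT.
SAMPLE_CHAIN = (
    bytes([PAYLOAD_NOTIFY, 0x00, 0x00, 0x0C, 0x00, 0x00, 0x40, 0x06])
    + b"\xde\xad\xbe\xef"
    + bytes([0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x40, 0x00])
)

if __name__ == "__main__":
    print(address_failure_info(PAYLOAD_NOTIFY, SAMPLE_ADDRESS_FAILURE))
    for _ptype, _critical, body in parse_payload_chain(PAYLOAD_NOTIFY, SAMPLE_CHAIN):
        print(parse_notify(body)["name"])
```

Running the block prints the dictionary for the constructed INTERNAL_ADDRESS_FAILURE sample (data length 0, address family unknown) and the names of the two chained notifications. The length checks in `parse_payload_chain` matter on the responder side as much as on the initiator side: a payload length that overruns the message is the classic parser bug, and rejecting it up front is cheaper than reasoning about it later.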