[IPsec] Opsdir last call review of draft-ietf-ipsecme-eddsa-04

2017-11-28 Thread Joel Jaeggli
Reviewer: Joel Jaeggli
Review result: Ready

I reviewed draft-ietf-ipsecme-eddsa on behalf of the opsdir during its IETF
Last call.

This standards track draft introduces an important change in the IKE
negotiation in that the sender can indicate that it hash algorithms which do
not require prehashing and can instead operate on arbitrary length data.

It also goes on to make a stronger requirement than RFC 8032 (which is
informational) that:

"The pre-hashed versions of Ed25519 and Ed448 (Ed25519ph and Ed448ph
   respectively) MUST NOT be used in IKE."

Changes to IKE negotiation require careful review, but I am satisfied that this
explicit signal improves the handling of support for the Edwards curves.

___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec


Re: [IPsec] Can one IPsec SA be established via two internet ports on one device?

2018-11-19 Thread joel jaeggli


> On Nov 19, 2018, at 11:19, Linda Dunbar wrote:
> 
> IPsec experts, 
>  
> In the following diagram, CPE1 has two internet ports, A1 by one service 
> provider, A2 by another service provider.
> CPE2 also has two ports facing two different internet service providers
>  
> Question: can I establish ONE IPsec SA between CPE1 & CPE2? (i.e. between 
> 10.1.1.1 & 10.1.2.1)?
> But the actual packets sent out from A1 port have to use A1 as Source-Address, 
> and using B1 or other public address as Destination address.


If in your example the source and destination IPs are sourced loopbacks that 
are part of a prefix exported to the ISP(s) in each site then you could in 
fact have one association…

If the CPEs are using a provider-assigned IP for tunnel termination you’re 
going to need 4.

We do the former all the time with sites multi-homed via BGP.

>  
> Or is it necessary to have one IPsec SA between A1<->B1, one IPsec SA between 
> A1<->B2, one IPsec SA between A2<->B1, and one IPsec SA between A2<->B2?
>
>  
> 
>  
> Thanks, Linda Dunbar


Re: [IPsec] Minutes from Atlanta meeting

2012-11-23 Thread joel jaeggli

On 11/23/12 5:41 PM, Will Liu (Shucheng) wrote:

Thanks for your efforts.

Btw, is there a voice recording for IPsec session?


http://www.ietf.org/audio/ietf85/

Will



-Original Message-
From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf Of
Paul Hoffman
Sent: Tuesday, November 13, 2012 10:40 AM
To: IPsecme WG
Subject: [IPsec] Minutes from Atlanta meeting

Carl Wallace did a fine job of taking minutes. I cleaned them up just a tad;
they are at
.

Please send corrections *only* for things that are wrong in the minutes. If
you want to discuss a topic from the minutes, please start a new thread.
Thanks in advance!

--Paul Hoffman