Re: [IPsec] New version of TCP Encapsulation draft, request for adoption

2016-10-17 Thread Tommy Pauly
; > > -Original Message- > From: IPsec [mailto:ipsec-boun...@ietf.org <mailto:ipsec-boun...@ietf.org>] > On Behalf Of Hu, Jun (Nokia - US) > Sent: Friday, October 07, 2016 2:09 PM > To: Tommy Pauly; Valery Smyslov; Yoav Nir > Cc: IPsecME WG; Daniel Migault

Re: [IPsec] New version of TCP Encapsulation draft, request for adoption

2016-10-11 Thread Hu, Jun (Nokia - US)
TCP sessions for a single >CHILD_SA? From: tpa...@apple.com [mailto:tpa...@apple.com] Sent: Tuesday, October 11, 2016 5:35 PM To: Hu, Jun (Nokia - US) Cc: Valery Smyslov; Yoav Nir; IPsecME WG; Daniel Migault; Paul Wouters Subject: Re: [IPsec] New version of TCP Encapsulation draft, request for adopt

Re: [IPsec] New version of TCP Encapsulation draft, request for adoption

2016-10-11 Thread Tommy Pauly
niel Migault; Paul Wouters >> Subject: Re: [IPsec] New version of TCP Encapsulation draft, request for >> adoption >> >> I was reading the draft again, and had similar problem as below; Draft states >> that SA state should be independent of TCP state and it allows mul

Re: [IPsec] New version of TCP Encapsulation draft, request for adoption

2016-10-11 Thread Hu, Jun (Nokia - US)
7, 2016 2:09 PM > To: Tommy Pauly; Valery Smyslov; Yoav Nir > Cc: IPsecME WG; Daniel Migault; Paul Wouters > Subject: Re: [IPsec] New version of TCP Encapsulation draft, request for > adoption > > I was reading the draft again, and had similar problem as below; Draft st

Re: [IPsec] New version of TCP Encapsulation draft, request for adoption

2016-10-07 Thread Hu, Jun (Nokia - US)
I was reading the draft again, and had similar problem as below; Draft states that SA state should be independent of TCP state and it allows multiple TCP sessions between two peers even when there is only one IKE_SA; I assume this means for a given tunnel, different SA could belong to different

Re: [IPsec] New version of TCP Encapsulation draft, request for adoption

2016-05-23 Thread Hu, Jun (Nokia - US)
Thanks all for the clarification. > -Original Message- > From: tpa...@apple.com [mailto:tpa...@apple.com] > Sent: Monday, May 23, 2016 5:28 PM > To: Hu, Jun (Nokia - US) > Cc: Paul Wouters; IPsecME WG > Subject: Re: [IPsec] New version of TCP Encapsulation draft, requ

Re: [IPsec] New version of TCP Encapsulation draft, request for adoption

2016-05-23 Thread Hu, Jun (Nokia - US)
> From: Paul Wouters [mailto:p...@nohats.ca] > Sent: Monday, May 23, 2016 4:26 PM > To: Hu, Jun (Nokia - US) > Cc: IPsecME WG > Subject: Re: [IPsec] New version of TCP Encapsulation draft, request for > adoption > > On Mon, 23 May 2016, Hu, Jun (Nokia - US) wrote: >

Re: [IPsec] New version of TCP Encapsulation draft, request for adoption

2016-05-23 Thread Paul Wouters
On Mon, 23 May 2016, Hu, Jun (Nokia - US) wrote: To get past middleware boxes that tend to not touch "real" TLS traffic but mangle anything else. [HJ] so there is middle box that will only allow TLS traffic (and dropping all plain tcp traffic)? that sounds pretty extreme, but even in such

Re: [IPsec] New version of TCP Encapsulation draft, request for adoption

2016-05-23 Thread Samy Touati
Migault; Paul Wouters; Tommy Pauly >> Subject: Re: [IPsec] New version of TCP Encapsulation draft, request for >> adoption >> >> >> > On 23 May 2016, at 9:39 AM, Valery Smyslov <sva...@gmail.com> wrote: >> > >> > Hi Tommy, >> > >>

Re: [IPsec] New version of TCP Encapsulation draft, request for adoption

2016-05-23 Thread Yoav Nir
> On 23 May 2016, at 9:39 AM, Valery Smyslov wrote: > > Hi Tommy, > > thank you for clarifications. One more point. The draft is silent about > what the responder is supposed to do with the stream prefix. > Should it check it? In this case what should it do if the prefix is >

Re: [IPsec] New version of TCP Encapsulation draft, request for adoption

2016-05-23 Thread Valery Smyslov
Hi Paul, thank you for clarifications. One more point. The draft is silent about what the responder is supposed to do with the stream prefix. Should it check it? In this case what should it do if the prefix is different from "IKEv2"? Discard the TCP session? Or should it ignore the prefix

Re: [IPsec] New version of TCP Encapsulation draft, request for adoption

2016-05-23 Thread Paul Wouters
On Mon, 23 May 2016, Valery Smyslov wrote: thank you for clarifications. One more point. The draft is silent about what the responder is supposed to do with the stream prefix. Should it check it? In this case what should it do if the prefix is different from "IKEv2"? Discard the TCP session? Or

Re: [IPsec] New version of TCP Encapsulation draft, request for adoption

2016-05-23 Thread Valery Smyslov
ynir.i...@gmail.com> Cc: "Paul Wouters" <p...@nohats.ca>; "Daniel Migault" <daniel.miga...@ericsson.com>; "IPsecME WG" <ipsec@ietf.org> Sent: Friday, May 20, 2016 9:11 PM Subject: Re: [IPsec] New version of TCP Encapsulation draft, request for adoption

Re: [IPsec] New version of TCP Encapsulation draft, request for adoption

2016-05-20 Thread Tommy Pauly
Hi Valery, Thanks for your reply! I think these are good points that we can clarify in future versions, although we can address these once it is a working group document. Responses inline. Best, Tommy > On May 16, 2016, at 11:53 PM, Valery Smyslov wrote: > > Hi Tommy, > >

Re: [IPsec] New version of TCP Encapsulation draft, request for adoption

2016-05-17 Thread Valery Smyslov
Hi Tommy, sorry for late reply. I'm mostly OK with the last version of the draft. Few comments. It is a bit unclear how Stream Prefix is intended to be used with TLS. Is it inserted at the beginning of the TLS data stream? Then, I think some text should be added describing a situation when

Re: [IPsec] New version of TCP Encapsulation draft, request for adoption

2016-05-16 Thread Daniel Migault
Hi Tommy, Thank you very much for the response. They are addressing all my concerns. BR, Daniel On Mon, May 16, 2016 at 4:15 PM, Tommy Pauly wrote: > Hi Paul, Daniel, > > Thanks for the comments! Responses inline. > > I'd like to also hear feedback from people who brought up

Re: [IPsec] New version of TCP Encapsulation draft, request for adoption

2016-05-16 Thread Tommy Pauly
Hi Paul, Daniel, Thanks for the comments! Responses inline. I'd like to also hear feedback from people who brought up issues last time if possible (Valery regarding inclusion of TLS, Tero regarding the 3GPP spec conformity, and Yoav regarding the magic value) to validate that this draft is

Re: [IPsec] New version of TCP Encapsulation draft, request for adoption

2016-05-06 Thread Paul Wouters
On Fri, 6 May 2016, Daniel Migault wrote: s/IPSec/IPsec If Tommy could also fix that auto-correct for my iPhone, that would be great too :) "This method is intended to be used as a fallback option when IKE cannot be negotiated over UDP." This seems to indicate that the method should only

Re: [IPsec] New version of TCP Encapsulation draft, request for adoption

2016-05-06 Thread Daniel Migault
Hi, I have read the draft. TCP encapsulation is a topic that matters, and I would like different vendors to implement a standard version of this. I think the draft is in good shape to be adopted and discussed as a WG document. I am volunteering to continue reviewing the draft and contribute to