From hartmans-ietf at mit.edu Sun Jan 2 14:05:31 2005 From: hartmans-ietf at mit.edu (Sam Hartman) Date: Sun Jan 2 14:05:30 2005 Subject: [anonsec] Re: request for posts on separate WG vs. merged In-Reply-To: (Michael Richardson's message of "Fri, 31 Dec 2004 18:50:39 -0500") References: <419E366E.5020800@isi.edu> <20041119181617.GZ473487@binky.central.sun.com> <419E40D4.4090203@isi.edu> <419E4289.9000006@isi.edu> <4636.1101847634@marajade.sandelman.ottawa.on.ca> <41ADEF83.8030706@isi.edu> Message-ID: >>>>> "Michael" == Michael Richardson writes: Michael> My question: would you wish to *AVOID* making certain Michael> queries if you knew that DNS wasn't over BTNS? If so, Michael> then you need to make the ability to notify the Michael> applications about the BTNS status. I have to agree that long-term applications need to be able to know whether BTNS is being used. Applications also need to be able to know when the BTNS identity of the peer changes. There are lots of ways of implementing this. One way is to provide notifications to an application. Another way is to allow an application to make policy assertions like "this traffic selecter will use BTNS and once the peer identity is established it must not change until this policy assertion is removed." There are significant issues that would need to be worked through for either approach. For the policy approach, you would need to make sure that BTNS policy could not be used to subvert normal IPsec policy. You'd also need to consider denial of service and conflicts between different applications' policies. For the notification approach, you would need to figure out how to track enough state to notify applications. --Sam From Nicolas.Williams at sun.com Sun Jan 2 18:04:19 2005 From: Nicolas.Williams at sun.com (Nicolas Williams) Date: Sun Jan 2 18:07:40 2005 Subject: [anonsec] Re: request for posts on separate WG vs. merged In-Reply-To: References: <419E366E.5020800@isi.edu> <20041119181617.GZ473487@binky.central.sun.com> <419E40D4.4090203@isi.edu> <419E4289.9000006@isi.edu> <4636.1101847634@marajade.sandelman.ottawa.on.ca> <41ADEF83.8030706@isi.edu> Message-ID: <20050103020419.GI184117@binky.central.sun.com> Yes, IPsec APIs are necessary for BTNS to shine. But that's really true of IPsec as well, at least for applications beyond tunnels or transport mode SAs authenticated with host credentials. Some platforms have some such APIs, but a generic specification (like rfc2743, but probably not like rfc2744) would be good to have. Generic IPsec APIs, BTNS, channel bindings to IPsec -- the IETF needs all of these, and look, we are aware of this and are working towards all three. I'm not too concerned if these work items progress at different speeds, as long as they progress. Nico -- From paul.hoffman at vpnc.org Sun Jan 2 18:51:45 2005 From: paul.hoffman at vpnc.org (Paul Hoffman / VPNC) Date: Sun Jan 2 18:53:13 2005 Subject: [anonsec] Re: request for posts on separate WG vs. merged In-Reply-To: <20050103020419.GI184117@binky.central.sun.com> References: <419E366E.5020800@isi.edu> <20041119181617.GZ473487@binky.central.sun.com> <419E40D4.4090203@isi.edu> <419E4289.9000006@isi.edu> <4636.1101847634@marajade.sandelman.ottawa.on.ca> <41ADEF83.8030706@isi.edu> <20050103020419.GI184117@binky.central.sun.com> Message-ID: At 8:04 PM -0600 1/2/05, Nicolas Williams wrote: >Yes, IPsec APIs are necessary for BTNS to shine. But that's really true >of IPsec as well Fully agree. Further, I don't see why you would have them in one without the other. --Paul Hoffman, Director --VPN Consortium From hartmans-ietf at mit.edu Mon Jan 17 09:05:44 2005 From: hartmans-ietf at mit.edu (Sam Hartman) Date: Mon Jan 17 09:05:51 2005 Subject: [anonsec] Status Message-ID: I realize there has not been much apparent activity. I have been working on a few things behind the scenes. First, I've been discussing the idea of a BTNS working group with Russ, the IESG and IAB. I'm trying to understand concerns and respond to them. Most of my time has been spend understanding RFC 2401bis, its processing model and the implications for BTNS. I think careful thought is going to have to be given to how any application profiles use of IPsec to help some higher layer under the 2401bis model. I believe this work is important both for BTNS and for the channel bindings interests. Thinking about PAD and SPD interactions is also going to be tricky. I've also been thinking about potential working group chairs. I realize I've been letting things drag out especially if we want to have something established by IETF 62. There's a lot of stuff to learn as a new AD. I do hope to have some more concrete status to the list in a few days. --Sam From gregory-ietf at earthlink.net Wed Jan 26 15:01:14 2005 From: gregory-ietf at earthlink.net (Gregory M Lebovitz) Date: Wed Jan 26 15:02:18 2005 Subject: [anonsec] Status In-Reply-To: References: Message-ID: <6.1.2.0.0.20050126150047.01f34ec0@mail.earthlink.net> Sam, any update on this yet? Or did I accidently delete it? At 09:05 AM 1/17/2005, Sam Hartman wrote: >I realize there has not been much apparent activity. I have been >working on a few things behind the scenes. > >First, I've been discussing the idea of a BTNS working group with >Russ, the IESG and IAB. I'm trying to understand concerns and respond >to them. > >Most of my time has been spend understanding RFC 2401bis, its >processing model and the implications for BTNS. I think careful >thought is going to have to be given to how any application profiles >use of IPsec to help some higher layer under the 2401bis model. I >believe this work is important both for BTNS and for the channel >bindings interests. Thinking about PAD and SPD interactions is also >going to be tricky. > > >I've also been thinking about potential working group chairs. > >I realize I've been letting things drag out especially if we want to >have something established by IETF 62. There's a lot of stuff to >learn as a new AD. > >I do hope to have some more concrete status to the list in a few days. > >--Sam > >_______________________________________________ From hartmans-ietf at mit.edu Thu Jan 27 13:43:01 2005 From: hartmans-ietf at mit.edu (Sam Hartman) Date: Thu Jan 27 13:44:21 2005 Subject: [anonsec] Status In-Reply-To: <6.1.2.0.0.20050126150047.01f34ec0@mail.earthlink.net> (Gregory M. Lebovitz's message of "Wed, 26 Jan 2005 15:01:14 -0800") References: <6.1.2.0.0.20050126150047.01f34ec0@mail.earthlink.net> Message-ID: >>>>> "Gregory" == Gregory M Lebovitz writes: Gregory> Sam, any update on this yet? Or did I accidently delete Gregory> it? I think I've found someone who would be willing to help lead a discussion on charter and/or chair a second BOF. I need to write up mail to Joe discussing this and some suggestions for the charter. Then hopefully we will bring it to the list.