From owner-ipsec-policy@mail.vpnc.org  Fri Jul 11 06:37:13 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id GAA24216
	for <ipsp-archive@lists.ietf.org>; Fri, 11 Jul 2003 06:37:13 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h6B9r7qt074874
	for <ipsec-policy-bks@above.proper.com>; Fri, 11 Jul 2003 02:53:07 -0700 (PDT)
	(envelope-from owner-ipsec-policy@mail.vpnc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h6B9r74G074873
	for ipsec-policy-bks; Fri, 11 Jul 2003 02:53:07 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ipsec-policy@mail.vpnc.org using -f
Received: from laposte.rennes.enst-bretagne.fr (laposte.rennes.enst-bretagne.fr [192.44.77.17])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h6B9r6qt074852
	for <ipsec-policy@vpnc.org>; Fri, 11 Jul 2003 02:53:06 -0700 (PDT)
	(envelope-from Francis.Dupont@enst-bretagne.fr)
Received: from givry.rennes.enst-bretagne.fr (givry.rennes.enst-bretagne.fr [193.52.74.194])
	by laposte.rennes.enst-bretagne.fr (8.11.6p2/8.11.6/2003.04.01) with ESMTP id h6B9qwR29714;
	Fri, 11 Jul 2003 11:52:58 +0200
Received: from givry.rennes.enst-bretagne.fr (localhost.rennes.enst-bretagne.fr [127.0.0.1])
	by givry.rennes.enst-bretagne.fr (8.12.3/8.12.3) with ESMTP id h6B9q3of028421;
	Fri, 11 Jul 2003 11:52:03 +0200 (CEST)
	(envelope-from dupont@givry.rennes.enst-bretagne.fr)
Message-Id: <200307110952.h6B9q3of028421@givry.rennes.enst-bretagne.fr>
From: Francis Dupont <Francis.Dupont@enst-bretagne.fr>
To: Charles Lynn <clynn@bbn.com>
cc: ipsec-policy@vpnc.org
Subject: Re: IKEv2 selectors for IPsec? (re-sent in ipsec-policy)
In-reply-to: Your message of Thu, 26 Jun 2003 10:38:06 EDT.
              <20030626143806.880D316484@wolfe.bbn.com>
Date: Fri, 11 Jul 2003 11:52:03 +0200
X-Virus-Scanned: by amavisd-milter (http://amavis.org/) at enst-bretagne.fr
Sender: owner-ipsec-policy@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ipsec-policy/mail-archive/>
List-ID: <ipsec-policy.vpnc.org>
List-Unsubscribe: <mailto:ipsec-policy-request@vpnc.org?body=unsubscribe>


IPv6 uses header chaining for extensions; IPv4 protocols are named
"next header types". Filtering is used for QoS classification,
firewall and IPsec. Standard filtering is done on the 5-tuple,
i.e., source and destination addresses, "upper layer/transport"
protocol, source and destination ports.
This raises a lot of issues:
  - what is an "upper layer/transport" protocol?
  - protocol specific selectors (in place of ports)?
  - how to get the tuple for packets in transit?

In IPv6, next header types are divided into 3 classes:
  - final protocols, i.e., protocols which don't include
    a next header field and are always at the end of the
    extension header chain. Note this is the default, i.e.,
    an unknown protocol is considered as final.
    Examples are UDP, TCP, OSPF, no-next-header (59),
    mobility header, etc.

  - extension header protocols which are always in a middle
    of the extension header chain and which have a next header
    field which gives the type of the following header.
    Predefined extension header protocols are hop-by-hop options
    header (0!), destination options header, routing header, fragment
    header, AH, ESP and IPCOMP.

  - encapsulation protocols which are at the end of the extension
    header chain but with a payload which is an IP packet.
    Examples are 4 (IPv4 over IP), 41 (IPv6 over IP), GRE,
    94, etc.

Some protocols like ICMP can carry an IP packet in some cases
(ICMP errors, ICMP redirect) but usually they are considered
as final for simple filtering, i.e., by everything with the
exception of some firewalls.
All final protocols, and those considered as final, are "upper layer/transport"
protocols.

The second issue, protocol specific selectors, has to be solved per
protocol. Current transport protocols use ports. ICMP, IGMP, ICMPv6
can use the type/code pair which fits perfectly. The mobility header
of Mobile IPv6 can use the message type (consider this as an official
request).

Fragmentation, ESP or IPCOMP can hide the 5-tuple, to be more accurate:
  - the "upper layer/transport" header can be in another fragment than
    the first one, for instance this sequence is legal:
    1: <IPv6 header>, <fragment header for 0-7>, <empty destination option>
    2: <IPv6 header>, <fragment header for 7-*>, <TCP header>, <payload>
    For an intermediate node, there are only three kinds of fragments,
    first, last and intermediate.
  - even if ESP can use the null cipher, an intermediate node has no
    way to know this, so the only visible thing in ESP is the SPI.
We have to distinguish between intermediate nodes, which are not supposed
to perform reassembly or to be able to look inside ESP payloads, and
end-nodes (original source or final destination), which have access to
the whole clear packet. Of course, an intermediate node which is
collocated with a firewall can get a part or all of end-node properties.

So when an extension header protocol is transparent (fragment, ESP
and IPCOMP for end-nodes, all others in any context) it should *not*
be considered as an "upper layer/transport" protocol just because
there is always another one in packets, and filtering over more than
one protocol is not simple. So AH and an extension header version of
the mobile header should not be considered as valid "upper layer /
transport" protocols.

The last case is encapsulation, including the hidden encapsulation
used by mobile IPv6 with the home address option and the routing
header of type 2 (cf. draft-deering-ipv6-encap-addr-deletion-00.txt).
Again the context, i.e., intermediate node or end node, is very important:
usually an encapsulation protocol is considered as final but in an
end node it can be associated with a virtual interface and filtering
can be applied to the outer header or to the inner header. For instance
in Mobile IPv6 the mobility entities work with inner headers, i.e.,
home addresses, and not with outer headers, i.e., care-of addresses.

Regards

Francis.Dupont@enst-bretagne.fr
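
The header walk described in the message above, as an added example that is not part of the post or of any IETF document: it classifies next-header types into the three classes (final / extension / encapsulation), walks the chain the way an intermediate node would (no reassembly, no ESP keys), and reports either the visible 5-tuple with the protocol-specific selector (ports, ICMPv6 type/code, mobility header message type) or the reason the tuple is hidden. The protocol numbers are IANA values, the header layouts follow the RFCs named in the docstring, and the sample packets are constructed inline; the function and dictionary names are the editor's own.

```python
"""Walk an IPv6 extension-header chain as an intermediate node would and
report the 5-tuple (or why it is hidden). Constructed example; header
layouts per RFC 2460 (IPv6, fragment), RFC 4302 (AH), RFC 4303 (ESP),
RFC 3173 (IPCOMP) and RFC 3775 (mobility header)."""
import socket
import struct

# IANA protocol numbers used below.
HOPOPT, IPV4, TCP, UDP, IPV6, ROUTING, FRAGMENT, GRE = 0, 4, 6, 17, 41, 43, 44, 47
ESP, AH, ICMPV6, NONEXT, DSTOPTS, IPCOMP, MOBILITY = 50, 51, 58, 59, 60, 108, 135

EXTENSION = {HOPOPT, ROUTING, FRAGMENT, ESP, AH, DSTOPTS, IPCOMP}  # mid-chain headers
ENCAPSULATION = {IPV4, IPV6, GRE, 94}  # payload is another IP packet
# Anything else is "final" by default, as the post says.
SELECTOR_BYTES = {TCP: 4, UDP: 4, ICMPV6: 2, MOBILITY: 3}  # bytes needed for the selector


def classify(proto):
    if proto in EXTENSION:
        return "extension"
    if proto in ENCAPSULATION:
        return "encapsulation"
    return "final"


def hidden(result, reason, **extra):
    result.update(status="hidden", reason=reason, **extra)
    return result


def parse_ipv6(pkt):
    """Return what a transit node (no reassembly, no ESP keys) can see in pkt."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    r = {"src": socket.inet_ntop(socket.AF_INET6, pkt[8:24]),
         "dst": socket.inet_ntop(socket.AF_INET6, pkt[24:40]), "chain": []}
    nh, off = pkt[6], 40
    while classify(nh) == "extension":
        r["chain"].append(nh)
        if len(pkt) < off + 8:
            return hidden(r, "chain truncated")
        if nh == FRAGMENT:
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3:
                return hidden(r, "non-first fragment")  # no upper-layer header here
            nh, off = pkt[off], off + 8
        elif nh == ESP:  # only the SPI is visible; a null cipher looks the same
            return hidden(r, "esp", spi=struct.unpack("!I", pkt[off:off + 4])[0])
        elif nh == IPCOMP:  # payload is compressed, not inspectable in transit
            return hidden(r, "ipcomp")
        elif nh == AH:  # integrity only, so keep walking past it
            nh, off = pkt[off], off + (pkt[off + 1] + 2) * 4
        else:  # hop-by-hop, destination options, routing header
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    r["chain"].append(nh)
    r.update(proto=nh, cls=classify(nh), status="visible")
    if r["cls"] == "encapsulation":
        if nh == IPV6 and len(pkt) >= off + 40:  # end-node view of the inner packet
            r["inner"] = parse_ipv6(pkt[off:])
        return r
    need = SELECTOR_BYTES.get(nh, 0)
    if len(pkt) < off + need:  # e.g. a first fragment carrying only options
        return hidden(r, "upper-layer header not in this fragment")
    if nh in (TCP, UDP):
        r["sport"], r["dport"] = struct.unpack("!HH", pkt[off:off + 4])
    elif nh == ICMPV6:
        r["type"], r["code"] = pkt[off], pkt[off + 1]
    elif nh == MOBILITY:
        r["mh_type"] = pkt[off + 2]
    return r


def build_ipv6(nh, payload, src="2001:db8::1", dst="2001:db8::2"):
    """Constructed IPv6 header in front of payload (no checksums needed here)."""
    return (struct.pack("!IHBB", 6 << 28, len(payload), nh, 64)
            + socket.inet_pton(socket.AF_INET6, src)
            + socket.inet_pton(socket.AF_INET6, dst) + payload)


TCP_HDR = struct.pack("!HH", 40000, 443) + b"\x00" * 16  # constructed; only ports matter
SAMPLES = {  # constructed packets
    "plain_tcp": build_ipv6(TCP, TCP_HDR),
    # the post's legal two-fragment sequence: options in fragment 1, TCP in fragment 2
    "frag1": build_ipv6(FRAGMENT, struct.pack("!BBHI", DSTOPTS, 0, 1, 0x1234)
                        + struct.pack("!BB6s", TCP, 0, b"\x01\x04\x00\x00\x00\x00")),
    "frag2": build_ipv6(FRAGMENT, struct.pack("!BBHI", TCP, 0, 1 << 3, 0x1234) + TCP_HDR),
    "esp": build_ipv6(ESP, struct.pack("!II", 0x1000, 1) + b"\x00" * 16),
    "ah_tcp": build_ipv6(AH, struct.pack("!BBHII", TCP, 4, 0, 0x200, 1) + b"\x00" * 12 + TCP_HDR),
    # mobility header, MH type 5 = Binding Update
    "mh_bu": build_ipv6(MOBILITY, struct.pack("!BBBBH", NONEXT, 1, 5, 0, 0) + b"\x00" * 10),
    # Mobile IPv6 style tunnel: outer care-of address, inner home address
    "tunnel": build_ipv6(IPV6, build_ipv6(UDP, struct.pack("!HH", 500, 500), src="2001:db8:1::1"),
                         src="2001:db8:c0a::1"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, parse_ipv6(pkt))
```

Running it shows the two contexts the post distinguishes: the first fragment and the ESP packet come back "hidden" for a transit node even though both are perfectly legal, AH is walked through because it protects but does not conceal, and the tunnel sample yields an outer tuple (care-of address) and an inner one (home address), which is the filtering choice an end node has to make.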



From owner-ipsec-policy@mail.vpnc.org  Tue Jul 15 04:14:34 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id EAA02956
	for <ipsp-archive@lists.ietf.org>; Tue, 15 Jul 2003 04:14:33 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h6F7Zuqt039132
	for <ipsec-policy-bks@above.proper.com>; Tue, 15 Jul 2003 00:35:56 -0700 (PDT)
	(envelope-from owner-ipsec-policy@mail.vpnc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h6F7Zu7Z039131
	for ipsec-policy-bks; Tue, 15 Jul 2003 00:35:56 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ipsec-policy@mail.vpnc.org using -f
Received: from noxmail.sandelman.ottawa.on.ca (cyphermail.sandelman.ottawa.on.ca [192.139.46.78])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h6F7Zsqt039098
	for <ipsec-policy@vpnc.org>; Tue, 15 Jul 2003 00:35:55 -0700 (PDT)
	(envelope-from mcr@sandelman.ottawa.on.ca)
Received: from sandelman.ottawa.on.ca ([2002:51a0:4ed::1])
	by noxmail.sandelman.ottawa.on.ca (8.11.6p2/8.11.6) with ESMTP id h6F7ZiW13343
	(using TLSv1/SSLv3 with cipher EDH-RSA-DES-CBC3-SHA (168 bits) verified OK)
	for <ipsec-policy@vpnc.org>; Tue, 15 Jul 2003 03:35:46 -0400 (EDT)
Received: from marajade.sandelman.ottawa.on.ca (mcr@localhost)
	by sandelman.ottawa.on.ca (8.12.3/8.12.3/Debian -4) with ESMTP id h6F7ZhCN002829
	for <ipsec-policy@vpnc.org>; Tue, 15 Jul 2003 09:35:44 +0200
To: ipsec-policy <ipsec-policy@vpnc.org>
Subject: meeting in Vienna
Mime-Version: 1.0 (generated by tm-edit 1.8)
Content-Type: text/plain; charset=US-ASCII
Date: Tue, 15 Jul 2003 09:35:43 +0200
Message-ID: <2828.1058254543@marajade.sandelman.ottawa.on.ca>
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Sender: owner-ipsec-policy@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ipsec-policy/mail-archive/>
List-ID: <ipsec-policy.vpnc.org>
List-Unsubscribe: <mailto:ipsec-policy-request@vpnc.org?body=unsubscribe>



Luis claims that there is a timeslot for IPSP, but I can't find it on the
agenda. I hope Luis will post the time/location!

If not, then we can organize a lunch/dinner BOF maybe.

]                   At IETF57 in Wien, Austria                  |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] printk("Just another Debian GNU/Linux using, kernel hacking, security guy");[



From owner-ipsec-policy@mail.vpnc.org  Tue Jul 15 05:14:27 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id FAA08146
	for <ipsp-archive@lists.ietf.org>; Tue, 15 Jul 2003 05:14:27 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h6F8gkqt047062
	for <ipsec-policy-bks@above.proper.com>; Tue, 15 Jul 2003 01:42:47 -0700 (PDT)
	(envelope-from owner-ipsec-policy@mail.vpnc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h6F8gkZO047061
	for ipsec-policy-bks; Tue, 15 Jul 2003 01:42:46 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ipsec-policy@mail.vpnc.org using -f
Received: from mailman.research.att.com (H-135-207-24-32.research.att.com [135.207.24.32])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h6F8gjqt047035
	for <ipsec-policy@vpnc.org>; Tue, 15 Jul 2003 01:42:45 -0700 (PDT)
	(envelope-from smb@research.att.com)
Received: from bigmail.research.att.com (bigmail.research.att.com [135.207.30.101])
	by mailman.research.att.com (8.12.8/8.12.8) with ESMTP id h6F8Z93j003316;
	Tue, 15 Jul 2003 04:35:09 -0400
Received: from berkshire.research.att.com (raptor.research.att.com [135.207.23.32])
	by bigmail.research.att.com (8.11.6+Sun/8.11.6) with ESMTP id h6F8gVV17550;
	Tue, 15 Jul 2003 04:42:32 -0400 (EDT)
Received: from research.att.com (localhost [127.0.0.1])
	by berkshire.research.att.com (Postfix) with ESMTP
	id 9308E7B4D; Tue, 15 Jul 2003 10:42:30 +0200 (CEST)
X-Mailer: exmh version 2.6.3 04/04/2003 with nmh-1.0.4
To: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Cc: ipsec-policy <ipsec-policy@vpnc.org>
Subject: Re: meeting in Vienna 
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Tue, 15 Jul 2003 10:42:30 +0200
From: "Steven M. Bellovin" <smb@research.att.com>
Message-Id: <20030715084230.9308E7B4D@berkshire.research.att.com>
Sender: owner-ipsec-policy@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ipsec-policy/mail-archive/>
List-ID: <ipsec-policy.vpnc.org>
List-Unsubscribe: <mailto:ipsec-policy-request@vpnc.org?body=unsubscribe>


In message <2828.1058254543@marajade.sandelman.ottawa.on.ca>, Michael Richardson writes:
>
>
>Luis claims that there is a timeslot for IPSP, but I can't find it on the
>agenda. I hope Luis will post the time/location!
>
>If not, then we can organize a lunch/dinner BOF maybe.

There's been some foul-up; we're trying to recover....  Who is around 
Friday morning?


		--Steve Bellovin, http://www.research.att.com/~smb (me)
		http://www.wilyhacker.com (2nd edition of "Firewalls" book)




From owner-ipsec-policy@mail.vpnc.org  Tue Jul 15 06:51:29 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id GAA13609
	for <ipsp-archive@lists.ietf.org>; Tue, 15 Jul 2003 06:51:28 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h6FAL8qt060139
	for <ipsec-policy-bks@above.proper.com>; Tue, 15 Jul 2003 03:21:08 -0700 (PDT)
	(envelope-from owner-ipsec-policy@mail.vpnc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h6FAL8d8060138
	for ipsec-policy-bks; Tue, 15 Jul 2003 03:21:08 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ipsec-policy@mail.vpnc.org using -f
Received: from wanderer.hardakers.net (IDENT:58Njv6TR5qfvfy2X4nf1D1Re82FuJIC3@wanderer.hardakers.net.ietf57.telekom.at [81.160.179.140])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h6FAL7qt060128
	for <ipsec-policy@vpnc.org>; Tue, 15 Jul 2003 03:21:07 -0700 (PDT)
	(envelope-from hardaker@tislabs.com)
Received: by wanderer.hardakers.net (Postfix, from userid 274)
	id 9F9E456EE7; Tue, 15 Jul 2003 03:20:44 -0700 (PDT)
To: "Steven M. Bellovin" <smb@research.att.com>
Cc: Michael Richardson <mcr@sandelman.ottawa.on.ca>,
        ipsec-policy <ipsec-policy@vpnc.org>
Subject: Re: meeting in Vienna
References: <20030715084230.9308E7B4D@berkshire.research.att.com>
From: Wes Hardaker <hardaker@tislabs.com>
X-Face: #qW^}a%m*T^{A:Cp}$R\"38+d}41-Z}uU8,r%F#c#s:~Nzp0G9](s?,K49KJ]s"*7gvRgA
 SrAvQc4@/}L7Qc=w{)]ACO\R{LF@S{pXfojjjGg6c;q6{~C}CxC^^&~(F]`1W)%9j/iS/
 IM",B1M.?{w8ckLTYD'`|kTr\i\cgY)P4
Organization: Sparta
Date: Tue, 15 Jul 2003 03:20:44 -0700
In-Reply-To: <20030715084230.9308E7B4D@berkshire.research.att.com> (Steven
 M. Bellovin's message of "Tue, 15 Jul 2003 10:42:30 +0200")
Message-ID: <sdk7akhz0j.fsf@wanderer.hardakers.net>
User-Agent: Gnus/5.1002 (Gnus v5.10.2) XEmacs/21.5 (brussels sprouts, linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ipsec-policy@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ipsec-policy/mail-archive/>
List-ID: <ipsec-policy.vpnc.org>
List-Unsubscribe: <mailto:ipsec-policy-request@vpnc.org?body=unsubscribe>


>>>>> On Tue, 15 Jul 2003 10:42:30 +0200, "Steven M. Bellovin" <smb@research.att.com> said:

Steven> There's been some foul-up; we're trying to recover....  Who is around 
Steven> Friday morning?

I can be.

-- 
Wes Hardaker
Sparta


From owner-ipsec-policy@mail.vpnc.org  Tue Jul 15 10:33:37 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA21909
	for <ipsp-archive@lists.ietf.org>; Tue, 15 Jul 2003 10:33:37 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h6FDwCqt080721
	for <ipsec-policy-bks@above.proper.com>; Tue, 15 Jul 2003 06:58:12 -0700 (PDT)
	(envelope-from owner-ipsec-policy@mail.vpnc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h6FDwCG2080720
	for ipsec-policy-bks; Tue, 15 Jul 2003 06:58:12 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ipsec-policy@mail.vpnc.org using -f
Received: from hs3.order-vault.net (www.hs3.order-vault.net [216.71.40.131])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h6FDwAqt080714
	for <ipsec-policy@vpnc.org>; Tue, 15 Jul 2003 06:58:11 -0700 (PDT)
	(envelope-from lsanchez@xapiens.com)
Received: from xapiens.com (FOO.ietf57.telekom.at [81.160.194.112])
	(authenticated (0 bits))
	by hs3.order-vault.net (8.11.6/8.11.6) with ESMTP id h6FDvvZ15582;
	Tue, 15 Jul 2003 09:57:57 -0400
Message-ID: <3F140865.2080104@xapiens.com>
Date: Tue, 15 Jul 2003 09:57:57 -0400
From: "Luis A. Sanchez" <lsanchez@xapiens.com>
Organization: Xapiens Corporation
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:0.9.4) Gecko/20011128 Netscape6/6.2.1
X-Accept-Language: en-us
MIME-Version: 1.0
To: Wes Hardaker <hardaker@tislabs.com>
CC: "Steven M. Bellovin" <smb@research.att.com>,
        Michael Richardson <mcr@sandelman.ottawa.on.ca>,
        ipsec-policy <ipsec-policy@vpnc.org>
Subject: Re: meeting in Vienna
References: <20030715084230.9308E7B4D@berkshire.research.att.com> <sdk7akhz0j.fsf@wanderer.hardakers.net>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-ipsec-policy@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ipsec-policy/mail-archive/>
List-ID: <ipsec-policy.vpnc.org>
List-Unsubscribe: <mailto:ipsec-policy-request@vpnc.org?body=unsubscribe>
Content-Transfer-Encoding: 7bit


We will try to get together this afternoon after the v6ops meeting (at 
1800hrs) in the same room where v6ops is meeting (HALL IK). We will 
discuss the IPsec API draft. (draft-ietf-ipsp-apireq-00.txt)

-luis

Wes Hardaker wrote:

>>>>>>On Tue, 15 Jul 2003 10:42:30 +0200, "Steven M. Bellovin" <smb@research.att.com> said:
>>>>>>
> 
> Steven> There's been some foul-up; we're trying to recover....  Who is around 
> Steven> Friday morning?
> 
> I can be.
> 
> 




From owner-ipsec-policy@mail.vpnc.org  Tue Jul 15 10:47:02 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA22526
	for <ipsp-archive@lists.ietf.org>; Tue, 15 Jul 2003 10:47:01 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h6FEHkqt081501
	for <ipsec-policy-bks@above.proper.com>; Tue, 15 Jul 2003 07:17:46 -0700 (PDT)
	(envelope-from owner-ipsec-policy@mail.vpnc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h6FEHkRX081500
	for ipsec-policy-bks; Tue, 15 Jul 2003 07:17:46 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ipsec-policy@mail.vpnc.org using -f
Received: from noxmail.sandelman.ottawa.on.ca (cyphermail.sandelman.ottawa.on.ca [192.139.46.78])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h6FEHiqt081493
	for <ipsec-policy@vpnc.org>; Tue, 15 Jul 2003 07:17:45 -0700 (PDT)
	(envelope-from mcr@sandelman.ottawa.on.ca)
Received: from sandelman.ottawa.on.ca ([81.160.130.247])
	by noxmail.sandelman.ottawa.on.ca (8.11.6p2/8.11.6) with ESMTP id h6FEHHi15381
	(using TLSv1/SSLv3 with cipher EDH-RSA-DES-CBC3-SHA (168 bits) verified OK)
	for <ipsec-policy@vpnc.org>; Tue, 15 Jul 2003 10:17:37 -0400 (EDT)
Received: from marajade.sandelman.ottawa.on.ca (mcr@localhost)
	by sandelman.ottawa.on.ca (8.12.3/8.12.3/Debian -4) with ESMTP id h6FBEn9S009183
	for <ipsec-policy@vpnc.org>; Tue, 15 Jul 2003 13:14:55 +0200
To: ipsec-policy <ipsec-policy@vpnc.org>
Subject: Re: meeting in Vienna 
In-reply-to: Your message of "Tue, 15 Jul 2003 10:42:30 +0200."
             <20030715084230.9308E7B4D@berkshire.research.att.com> 
Mime-Version: 1.0 (generated by tm-edit 1.8)
Content-Type: text/plain; charset=US-ASCII
Date: Tue, 15 Jul 2003 13:14:48 +0200
Message-ID: <9182.1058267688@marajade.sandelman.ottawa.on.ca>
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Sender: owner-ipsec-policy@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ipsec-policy/mail-archive/>
List-ID: <ipsec-policy.vpnc.org>
List-Unsubscribe: <mailto:ipsec-policy-request@vpnc.org?body=unsubscribe>



>>>>> "Steven" == Steven M Bellovin <smb@research.att.com> writes:
    mcr> Luis claims that there is a timeslot for IPSP, but I can't find it
    mcr> on the agenda. I hope Luis will post the time/location!
    mcr> 
    mcr> If not, then we can organize a lunch/dinner BOF maybe.

    Steven> There's been some foul-up; we're trying to recover....  Who is
    Steven> around Friday morning?

  I am here until Saturday afternoon.
  Friday morning would suit me fine.
  Perhaps a summary could also be provided at the proposed IPsec dinner BOF.

]                   At IETF57 in Wien, Austria                  |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] printk("Just another Debian GNU/Linux using, kernel hacking, security guy");[




From owner-ipsec-policy@mail.vpnc.org  Wed Jul 16 09:06:55 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA28740
	for <ipsp-archive@lists.ietf.org>; Wed, 16 Jul 2003 09:06:55 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h6GCQPqt072106
	for <ipsec-policy-bks@above.proper.com>; Wed, 16 Jul 2003 05:26:25 -0700 (PDT)
	(envelope-from owner-ipsec-policy@mail.vpnc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h6GCQPXj072105
	for ipsec-policy-bks; Wed, 16 Jul 2003 05:26:25 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ipsec-policy@mail.vpnc.org using -f
Received: from noxmail.sandelman.ottawa.on.ca (cyphermail.sandelman.ottawa.on.ca [192.139.46.78])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h6GCQNqt072089
	for <ipsec-policy@vpnc.org>; Wed, 16 Jul 2003 05:26:23 -0700 (PDT)
	(envelope-from mcr@sandelman.ottawa.on.ca)
Received: from sandelman.ottawa.on.ca ([2002:51a0:4ed::1])
	by noxmail.sandelman.ottawa.on.ca (8.11.6p2/8.11.6) with ESMTP id h6GCIIi20698
	(using TLSv1/SSLv3 with cipher EDH-RSA-DES-CBC3-SHA (168 bits) verified OK);
	Wed, 16 Jul 2003 08:26:07 -0400 (EDT)
Received: from marajade.sandelman.ottawa.on.ca (mcr@localhost)
	by sandelman.ottawa.on.ca (8.12.3/8.12.3/Debian -4) with ESMTP id h6FNVEMF003737;
	Wed, 16 Jul 2003 01:32:14 +0200
To: "Luis A. Sanchez" <lsanchez@xapiens.com>
cc: Wes Hardaker <hardaker@tislabs.com>,
        "Steven M. Bellovin" <smb@research.att.com>,
        ipsec-policy <ipsec-policy@vpnc.org>
Subject: Re: meeting in Vienna 
In-reply-to: Your message of "Tue, 15 Jul 2003 09:57:57 EDT."
             <3F140865.2080104@xapiens.com> 
Mime-Version: 1.0 (generated by tm-edit 1.8)
Content-Type: text/plain; charset=US-ASCII
Date: Wed, 16 Jul 2003 01:31:14 +0200
Message-ID: <3736.1058311874@marajade.sandelman.ottawa.on.ca>
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Sender: owner-ipsec-policy@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ipsec-policy/mail-archive/>
List-ID: <ipsec-policy.vpnc.org>
List-Unsubscribe: <mailto:ipsec-policy-request@vpnc.org?body=unsubscribe>


-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Luis" == Luis A Sanchez <lsanchez@xapiens.com> writes:
    Luis> We will try to get together this afternoon after the v6ops meeting
    Luis> (at  
    Luis> 1800hrs) in the same room where v6ops is meeting (HALL IK). We will
    Luis> 

  Two hours' notice was hardly enough notice.
 
  Did things happen?

]                   At IETF57 in Wien, Austria                  |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] printk("Just another Debian GNU/Linux using, kernel hacking, security guy");[

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Finger me for keys

iQCVAwUBPxSOwIqHRg3pndX9AQHKYgQA0hBmZ/1XMqtsXU5oa0Ugr5ZUbSGVJPQM
yveb09WShFE5t/Nh9AgfVtbTqf+pyX8xzzN0BTKTHa8TMHi2FuB0G75dcKDYBpWc
KlOtUDBxXD7fDGSSCfICSdS2fmkc2qJbg6YaQ2Z2+VZ1qAze4t0fnSqmOmrqnmyo
5N6j+Nfs33k=
=VJNd
-----END PGP SIGNATURE-----


From owner-ipsec-policy@mail.vpnc.org  Wed Jul 16 13:35:38 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA09612
	for <ipsp-archive@lists.ietf.org>; Wed, 16 Jul 2003 13:35:38 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h6GGvdqt090388
	for <ipsec-policy-bks@above.proper.com>; Wed, 16 Jul 2003 09:57:39 -0700 (PDT)
	(envelope-from owner-ipsec-policy@mail.vpnc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h6GGvdKi090387
	for ipsec-policy-bks; Wed, 16 Jul 2003 09:57:39 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ipsec-policy@mail.vpnc.org using -f
Received: from wanderer.hardakers.net (IDENT:evc69/L/3IiBQsxFvxqcV9LRcNp58aLU@wanderer.hardakers.net.ietf57.telekom.at [81.160.218.50])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h6GGvcqt090378
	for <ipsec-policy@vpnc.org>; Wed, 16 Jul 2003 09:57:38 -0700 (PDT)
	(envelope-from hardaker@tislabs.com)
Received: by wanderer.hardakers.net (Postfix, from userid 274)
	id 0030B56EE7; Wed, 16 Jul 2003 09:57:21 -0700 (PDT)
To: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Cc: "Luis A. Sanchez" <lsanchez@xapiens.com>,
        "Steven M. Bellovin" <smb@research.att.com>,
        ipsec-policy <ipsec-policy@vpnc.org>
Subject: Re: meeting in Vienna
References: <3736.1058311874@marajade.sandelman.ottawa.on.ca>
From: Wes Hardaker <hardaker@tislabs.com>
X-Face: #qW^}a%m*T^{A:Cp}$R\"38+d}41-Z}uU8,r%F#c#s:~Nzp0G9](s?,K49KJ]s"*7gvRgA
 SrAvQc4@/}L7Qc=w{)]ACO\R{LF@S{pXfojjjGg6c;q6{~C}CxC^^&~(F]`1W)%9j/iS/
 IM",B1M.?{w8ckLTYD'`|kTr\i\cgY)P4
Organization: Sparta
Date: Wed, 16 Jul 2003 09:57:21 -0700
In-Reply-To: <3736.1058311874@marajade.sandelman.ottawa.on.ca> (Michael
 Richardson's message of "Wed, 16 Jul 2003 01:31:14 +0200")
Message-ID: <sd8yqyflzi.fsf@wanderer.hardakers.net>
User-Agent: Gnus/5.1002 (Gnus v5.10.2) XEmacs/21.5 (brussels sprouts, linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ipsec-policy@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ipsec-policy/mail-archive/>
List-ID: <ipsec-policy.vpnc.org>
List-Unsubscribe: <mailto:ipsec-policy-request@vpnc.org?body=unsubscribe>


>>>>> On Wed, 16 Jul 2003 01:31:14 +0200, Michael Richardson <mcr@sandelman.ottawa.on.ca> said:

Michael> Did things happen?

I'll send in my minutes:

 - Four of us talked for an hour or so and made decent progress.
-- 
Wes Hardaker
Sparta


From owner-ipsec-policy@mail.vpnc.org  Thu Jul 17 07:14:45 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id HAA29887
	for <ipsp-archive@lists.ietf.org>; Thu, 17 Jul 2003 07:14:44 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h6HAgdqt081472
	for <ipsec-policy-bks@above.proper.com>; Thu, 17 Jul 2003 03:42:39 -0700 (PDT)
	(envelope-from owner-ipsec-policy@mail.vpnc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h6HAgddO081471
	for ipsec-policy-bks; Thu, 17 Jul 2003 03:42:39 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ipsec-policy@mail.vpnc.org using -f
Received: from noxmail.sandelman.ottawa.on.ca (cyphermail.sandelman.ottawa.on.ca [192.139.46.78])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h6HAgXqt081454
	for <ipsec-policy@vpnc.org>; Thu, 17 Jul 2003 03:42:38 -0700 (PDT)
	(envelope-from mcr@sandelman.ottawa.on.ca)
Received: from sandelman.ottawa.on.ca ([2002:51a0:4ea::1])
	by noxmail.sandelman.ottawa.on.ca (8.11.6p2/8.11.6) with ESMTP id h6HAgSW26442
	(using TLSv1/SSLv3 with cipher EDH-RSA-DES-CBC3-SHA (168 bits) verified OK);
	Thu, 17 Jul 2003 06:42:31 -0400 (EDT)
Received: from marajade.sandelman.ottawa.on.ca (mcr@localhost)
	by sandelman.ottawa.on.ca (8.12.3/8.12.3/Debian -4) with ESMTP id h6HAgQqB001866;
	Thu, 17 Jul 2003 12:42:26 +0200
To: Wes Hardaker <hardaker@tislabs.com>
cc: "Luis A. Sanchez" <lsanchez@xapiens.com>,
        "Steven M. Bellovin" <smb@research.att.com>,
        ipsec-policy <ipsec-policy@vpnc.org>
Subject: Re: meeting in Vienna 
In-reply-to: Your message of "Wed, 16 Jul 2003 09:57:21 PDT."
             <sd8yqyflzi.fsf@wanderer.hardakers.net> 
Mime-Version: 1.0 (generated by tm-edit 1.8)
Content-Type: text/plain; charset=US-ASCII
Date: Thu, 17 Jul 2003 12:42:26 +0200
Message-ID: <1865.1058438546@marajade.sandelman.ottawa.on.ca>
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Sender: owner-ipsec-policy@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ipsec-policy/mail-archive/>
List-ID: <ipsec-policy.vpnc.org>
List-Unsubscribe: <mailto:ipsec-policy-request@vpnc.org?body=unsubscribe>


-----BEGIN PGP SIGNED MESSAGE-----


So, is Friday morning cancelled then?

I am pretty upset that:
  a) no meeting got scheduled.
  b) a proposal to have it Friday was accepted and then changed.
  c) that only two hours notice was given.

]                   At IETF57 in Wien, Austria                  |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] printk("Just another Debian GNU/Linux using, kernel hacking, security guy");[

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Finger me for keys

iQCVAwUBPxZ9kYqHRg3pndX9AQGR7wP/UKkbzwUWw59mtLDhynZWxLg4iDDb+e/V
Ms7Rl/6gCA+SzrypAUUDoJQ+RJJoFH5LwghxfIl8fE/fiEfNKO3SQami0eoNLQgF
Ns0bAjsegejw6swJ717AcDTuCSeGrWTJDZfqi0Z1fh7TA16izCQi5JR9gEdU+gaC
kUUEiWXxiLg=
=MD/G
-----END PGP SIGNATURE-----


From owner-ipsec-policy@mail.vpnc.org  Thu Jul 17 07:24:56 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id HAA00102
	for <ipsp-archive@lists.ietf.org>; Thu, 17 Jul 2003 07:24:56 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h6HAx7qt082414
	for <ipsec-policy-bks@above.proper.com>; Thu, 17 Jul 2003 03:59:07 -0700 (PDT)
	(envelope-from owner-ipsec-policy@mail.vpnc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h6HAx72V082413
	for ipsec-policy-bks; Thu, 17 Jul 2003 03:59:07 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ipsec-policy@mail.vpnc.org using -f
Received: from mailman.research.att.com (H-135-207-24-32.research.att.com [135.207.24.32])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h6HAx5qt082401
	for <ipsec-policy@vpnc.org>; Thu, 17 Jul 2003 03:59:05 -0700 (PDT)
	(envelope-from smb@research.att.com)
Received: from bigmail.research.att.com (bigmail.research.att.com [135.207.30.101])
	by mailman.research.att.com (8.12.8/8.12.8) with ESMTP id h6HApL3j009019;
	Thu, 17 Jul 2003 06:51:21 -0400
Received: from berkshire.research.att.com (raptor.research.att.com [135.207.23.32])
	by bigmail.research.att.com (8.11.6+Sun/8.11.6) with ESMTP id h6HAwpV12290;
	Thu, 17 Jul 2003 06:58:51 -0400 (EDT)
Received: from research.att.com (localhost [127.0.0.1])
	by berkshire.research.att.com (Postfix) with ESMTP
	id 0717F7B4D; Thu, 17 Jul 2003 12:58:50 +0200 (CEST)
X-Mailer: exmh version 2.6.3 04/04/2003 with nmh-1.0.4
To: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Cc: Wes Hardaker <hardaker@tislabs.com>,
        "Luis A. Sanchez" <lsanchez@xapiens.com>,
        ipsec-policy <ipsec-policy@vpnc.org>
Subject: Re: meeting in Vienna 
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 17 Jul 2003 12:58:50 +0200
From: "Steven M. Bellovin" <smb@research.att.com>
Message-Id: <20030717105850.0717F7B4D@berkshire.research.att.com>
Sender: owner-ipsec-policy@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ipsec-policy/mail-archive/>
List-ID: <ipsec-policy.vpnc.org>
List-Unsubscribe: <mailto:ipsec-policy-request@vpnc.org?body=unsubscribe>


In message <1865.1058438546@marajade.sandelman.ottawa.on.ca>, Michael Richardson writes:
>-----BEGIN PGP SIGNED MESSAGE-----
>
>
>So, is Friday morning cancelled then?
>
>I am pretty upset that:
>  a) no meeting get scheduled.

There was supposed to be one.  Due to errors all around, it didn't 
happen.  Exactly what happened isn't clear.

>  b) a proposal to have it Friday was accepted and then changed.

Many people leave by then; the question (and I don't know the answer -- 
Luis?) was who among the key people would still be here.

>  c) that only two hours notice was given.
>
Agreed.  Both the situation and the error recovery mechanism were bad.


		--Steve Bellovin, http://www.research.att.com/~smb (me)
		http://www.wilyhacker.com (2nd edition of "Firewalls" book)




From owner-ipsec-policy@mail.vpnc.org  Thu Jul 17 09:04:09 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA05022
	for <ipsp-archive@lists.ietf.org>; Thu, 17 Jul 2003 09:04:08 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h6HCWmqt089973
	for <ipsec-policy-bks@above.proper.com>; Thu, 17 Jul 2003 05:32:48 -0700 (PDT)
	(envelope-from owner-ipsec-policy@mail.vpnc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h6HCWm4B089972
	for ipsec-policy-bks; Thu, 17 Jul 2003 05:32:48 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ipsec-policy@mail.vpnc.org using -f
Received: from wanderer.hardakers.net (IDENT:RWYLUTHckVQoqFzGDXJX5sPhATXBytoe@wanderer.hardakers.net.ietf57.telekom.at [81.160.218.50])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h6HCWlqt089930
	for <ipsec-policy@vpnc.org>; Thu, 17 Jul 2003 05:32:47 -0700 (PDT)
	(envelope-from hardaker@tislabs.com)
Received: by wanderer.hardakers.net (Postfix, from userid 274)
	id 5168C5729D; Thu, 17 Jul 2003 05:32:18 -0700 (PDT)
To: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Cc: "Luis A. Sanchez" <lsanchez@xapiens.com>,
        "Steven M. Bellovin" <smb@research.att.com>,
        ipsec-policy <ipsec-policy@vpnc.org>
Subject: Re: meeting in Vienna
References: <1865.1058438546@marajade.sandelman.ottawa.on.ca>
From: Wes Hardaker <hardaker@tislabs.com>
X-Face: #qW^}a%m*T^{A:Cp}$R\"38+d}41-Z}uU8,r%F#c#s:~Nzp0G9](s?,K49KJ]s"*7gvRgA
 SrAvQc4@/}L7Qc=w{)]ACO\R{LF@S{pXfojjjGg6c;q6{~C}CxC^^&~(F]`1W)%9j/iS/
 IM",B1M.?{w8ckLTYD'`|kTr\i\cgY)P4
Organization: Sparta
Date: Thu, 17 Jul 2003 05:32:18 -0700
In-Reply-To: <1865.1058438546@marajade.sandelman.ottawa.on.ca> (Michael
 Richardson's message of "Thu, 17 Jul 2003 12:42:26 +0200")
Message-ID: <sdisq1mizx.fsf@wanderer.hardakers.net>
User-Agent: Gnus/5.1002 (Gnus v5.10.2) XEmacs/21.5 (brussels sprouts, linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ipsec-policy@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ipsec-policy/mail-archive/>
List-ID: <ipsec-policy.vpnc.org>
List-Unsubscribe: <mailto:ipsec-policy-request@vpnc.org?body=unsubscribe>


>>>>> On Thu, 17 Jul 2003 12:42:26 +0200, Michael Richardson <mcr@sandelman.ottawa.on.ca> said:

Michael> I am pretty upset that:
Michael> a) no meeting got scheduled.
Michael> b) a proposal to have it Friday was accepted and then changed.
Michael> c) that only two hours notice was given.

Luis, do you have a final answer on this?  It would certainly be
beneficial to meet if possible.  Though at this point many people may
not be able to attend.  Or should we just postpone till Minneapolis?

-- 
Wes Hardaker
Sparta


From owner-ipsec-policy@mail.vpnc.org  Thu Jul 17 09:52:15 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA05024
	for <ipsp-archive@lists.ietf.org>; Thu, 17 Jul 2003 09:04:09 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h6HCZkqt090722
	for <ipsec-policy-bks@above.proper.com>; Thu, 17 Jul 2003 05:35:46 -0700 (PDT)
	(envelope-from owner-ipsec-policy@mail.vpnc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h6HCZkk9090721
	for ipsec-policy-bks; Thu, 17 Jul 2003 05:35:46 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ipsec-policy@mail.vpnc.org using -f
Received: from mailman.research.att.com (H-135-207-24-32.research.att.com [135.207.24.32])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h6HCZiqt090690
	for <ipsec-policy@vpnc.org>; Thu, 17 Jul 2003 05:35:44 -0700 (PDT)
	(envelope-from smb@research.att.com)
Received: from bigmail.research.att.com (bigmail.research.att.com [135.207.30.101])
	by mailman.research.att.com (8.12.8/8.12.8) with ESMTP id h6HCRt3j010296;
	Thu, 17 Jul 2003 08:27:55 -0400
Received: from berkshire.research.att.com (raptor.research.att.com [135.207.23.32])
	by bigmail.research.att.com (8.11.6+Sun/8.11.6) with ESMTP id h6HCZPV24409;
	Thu, 17 Jul 2003 08:35:25 -0400 (EDT)
Received: from research.att.com (localhost [127.0.0.1])
	by berkshire.research.att.com (Postfix) with ESMTP
	id 90D1F7B4D; Thu, 17 Jul 2003 14:35:24 +0200 (CEST)
X-Mailer: exmh version 2.6.3 04/04/2003 with nmh-1.0.4
To: Wes Hardaker <hardaker@tislabs.com>
Cc: Michael Richardson <mcr@sandelman.ottawa.on.ca>,
        "Luis A. Sanchez" <lsanchez@xapiens.com>,
        ipsec-policy <ipsec-policy@vpnc.org>
Subject: Re: meeting in Vienna 
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 17 Jul 2003 14:35:24 +0200
From: "Steven M. Bellovin" <smb@research.att.com>
Message-Id: <20030717123524.90D1F7B4D@berkshire.research.att.com>
Sender: owner-ipsec-policy@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ipsec-policy/mail-archive/>
List-ID: <ipsec-policy.vpnc.org>
List-Unsubscribe: <mailto:ipsec-policy-request@vpnc.org?body=unsubscribe>


In message <sdisq1mizx.fsf@wanderer.hardakers.net>, Wes Hardaker writes:
>>>>>> On Thu, 17 Jul 2003 12:42:26 +0200, Michael Richardson <mcr@sandelman.ottawa.on.ca> said:
>
>Michael> I am pretty upset that:
>Michael> a) no meeting got scheduled.
>Michael> b) a proposal to have it Friday was accepted and then changed.
>Michael> c) that only two hours notice was given.
>
>Luis, do you have a final answer on this?  It would certainly be
>beneficial to meet if possible.  Though at this point many people may
>not be able to attend.  Or should we just postpone till Minneapolis?

I don't know if it's still possible to get a room.  I can ask Marcia, 
but I need an answer by 3:00.


		--Steve Bellovin, http://www.research.att.com/~smb (me)
		http://www.wilyhacker.com (2nd edition of "Firewalls" book)




From owner-ipsec-policy@mail.vpnc.org  Thu Jul 17 10:38:32 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA09519
	for <ipsp-archive@lists.ietf.org>; Thu, 17 Jul 2003 10:38:31 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h6HE5xqt001252
	for <ipsec-policy-bks@above.proper.com>; Thu, 17 Jul 2003 07:05:59 -0700 (PDT)
	(envelope-from owner-ipsec-policy@mail.vpnc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h6HE5xQa001251
	for ipsec-policy-bks; Thu, 17 Jul 2003 07:05:59 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ipsec-policy@mail.vpnc.org using -f
Received: from nwkea-mail-2.sun.com (nwkea-mail-2.sun.com [192.18.42.14])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h6HE5vqt001244
	for <ipsec-policy@vpnc.org>; Thu, 17 Jul 2003 07:05:57 -0700 (PDT)
	(envelope-from sommerfeld@thunk.east.sun.com)
Received: from eastmail2bur.East.Sun.COM ([129.148.13.40])
	by nwkea-mail-2.sun.com (8.12.9/8.12.9) with ESMTP id h6HE5b1v010553;
	Thu, 17 Jul 2003 07:05:38 -0700 (PDT)
Received: from thunk.east.sun.com (thunk.East.Sun.COM [129.148.174.66])
	by eastmail2bur.East.Sun.COM (8.12.9+Sun/8.12.9/ENSMAIL,v2.2) with ESMTP id h6HE5atK000685;
	Thu, 17 Jul 2003 10:05:37 -0400 (EDT)
Received: from thunk (localhost [127.0.0.1])
	by thunk.east.sun.com (8.12.9+Sun/8.12.9) with ESMTP id h6HE5Z8Q012778;
	Thu, 17 Jul 2003 10:05:35 -0400 (EDT)
Message-Id: <200307171405.h6HE5Z8Q012778@thunk.east.sun.com>
From: Bill Sommerfeld <sommerfeld@East.Sun.COM>
To: Wes Hardaker <hardaker@tislabs.com>
cc: Michael Richardson <mcr@sandelman.ottawa.on.ca>,
        "Luis A. Sanchez" <lsanchez@xapiens.com>,
        "Steven M. Bellovin" <smb@research.att.com>,
        ipsec-policy <ipsec-policy@vpnc.org>
Subject: Re: meeting in Vienna 
In-Reply-To: Your message of "Thu, 17 Jul 2003 05:32:18 PDT."
             <sdisq1mizx.fsf@wanderer.hardakers.net> 
Reply-to: sommerfeld@East.Sun.COM
Date: Thu, 17 Jul 2003 10:05:35 -0400
Sender: owner-ipsec-policy@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ipsec-policy/mail-archive/>
List-ID: <ipsec-policy.vpnc.org>
List-Unsubscribe: <mailto:ipsec-policy-request@vpnc.org?body=unsubscribe>


I'll be lurking in common areas of the conference center with luggage
in tow until maybe 11am tomorrow in hopes that a meeting will happen.

					- Bill


From owner-ipsec-policy@mail.vpnc.org  Thu Jul 17 15:50:43 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA20345
	for <ipsp-archive@lists.ietf.org>; Thu, 17 Jul 2003 15:50:42 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h6HJBGqt019065
	for <ipsec-policy-bks@above.proper.com>; Thu, 17 Jul 2003 12:11:16 -0700 (PDT)
	(envelope-from owner-ipsec-policy@mail.vpnc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h6HJBG89019064
	for ipsec-policy-bks; Thu, 17 Jul 2003 12:11:16 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ipsec-policy@mail.vpnc.org using -f
Received: from noxmail.sandelman.ottawa.on.ca (cyphermail.sandelman.ottawa.on.ca [192.139.46.78])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h6HJBAqt019048
	for <ipsec-policy@vpnc.org>; Thu, 17 Jul 2003 12:11:14 -0700 (PDT)
	(envelope-from mcr@sandelman.ottawa.on.ca)
Received: from sandelman.ottawa.on.ca ([2002:51a0:4ea::1])
	by noxmail.sandelman.ottawa.on.ca (8.11.6p2/8.11.6) with ESMTP id h6HJB4W28373
	(using TLSv1/SSLv3 with cipher EDH-RSA-DES-CBC3-SHA (168 bits) verified OK);
	Thu, 17 Jul 2003 15:11:07 -0400 (EDT)
Received: from marajade.sandelman.ottawa.on.ca (mcr@localhost)
	by sandelman.ottawa.on.ca (8.12.3/8.12.3/Debian -4) with ESMTP id h6HJB3iE019111;
	Thu, 17 Jul 2003 21:11:03 +0200
To: Wes Hardaker <hardaker@tislabs.com>,
        "Luis A. Sanchez" <lsanchez@xapiens.com>,
        "Steven M. Bellovin" <smb@research.att.com>,
        ipsec-policy <ipsec-policy@vpnc.org>
Subject: IPsec API talks (in Vienna and elsewhere)
In-reply-to: Your message of "Thu, 17 Jul 2003 10:05:35 EDT."
             <200307171405.h6HE5Z8Q012778@thunk.east.sun.com> 
Mime-Version: 1.0 (generated by tm-edit 1.8)
Content-Type: text/plain; charset=US-ASCII
Date: Thu, 17 Jul 2003 21:11:03 +0200
Message-ID: <19110.1058469063@marajade.sandelman.ottawa.on.ca>
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Sender: owner-ipsec-policy@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ipsec-policy/mail-archive/>
List-ID: <ipsec-policy.vpnc.org>
List-Unsubscribe: <mailto:ipsec-policy-request@vpnc.org?body=unsubscribe>


-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Bill" == Bill Sommerfeld <sommerfeld@east.sun.com> writes:
    Bill> I'll be lurking in common areas of the conference center with luggage
    Bill> in tow until maybe 11am tomorrow in hopes that a meeting will happen.

  okay, I will be in for 9am, since we have to take our wavesec equipment
out anyway, and maybe hang around and explain stuff to telekom austria, who
might want to use wavesec themselves.

  I would like to organize a formal interim meeting, possibly in mid/late
September.

  I propose east-coast US for a full day (meaning arrive previous night,
stay for dinner) - there are offers for space in New Jersey, but other offers
could occur. I think that maybe Bill and I can flesh out the document to the
point where discussion is useful.

]                   At IETF57 in Wien, Austria                  |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] printk("Just another Debian GNU/Linux using, kernel hacking, security guy");[



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Finger me for keys

iQCVAwUBPxb0xIqHRg3pndX9AQG47QP/e9hGaDKkvI3SqBuac0v5pjrXkCpSk7No
ydIW7nfvXLf9lVBmnJOzwDcuRG2SwLzkfWAdE/z/S7/BEOA+NsQf9Bgi5b0PK25+
Ui1NJpslksnPeAI3PAZV5yRqAlnFwCHMo8BMoDiFNWRt0jDHT40rLeqZxiZd/a1v
tDAVdRNLfkc=
=5apI
-----END PGP SIGNATURE-----


From subs-reminder@vpnc.org  Sat Jul 19 23:04:06 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id XAA28181
	for <ipsp-archive@lists.ietf.org>; Sat, 19 Jul 2003 23:04:05 -0400 (EDT)
From: subs-reminder@vpnc.org
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h6K345qt071258
	for <ipsp-archive@lists.ietf.org>; Sat, 19 Jul 2003 20:04:05 -0700 (PDT)
	(envelope-from subs-reminder@vpnc.org)
Received: (from root@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h6K345f7071257;
	Sat, 19 Jul 2003 20:04:05 -0700 (PDT)
Date: Sat, 19 Jul 2003 20:04:05 -0700 (PDT)
Message-Id: <200307200304.h6K345f7071257@above.proper.com>
To: ipsp-archive@ietf.org
Subject: [[266771912]] Subscription to ipsec-policy for ipsp-archive@lists.ietf.org

Greetings. This message is a periodic reminder that
     ipsp-archive@lists.ietf.org
is subscribed to the
     ipsec-policy
mailing list.

*** SEE BELOW: PLEASE DO NOT RESPOND TO THIS MESSAGE. ***

There are two purposes for this message:
- If this message is bounced by your mail server, I can remove you from
  the mailing list and reduce waste of bandwidth and resources. (If you
  are reading this message, it clearly didn't get bounced!)
- Some people stay subscribed to mailing lists even though they do not
  want to because they do not know how to unsubscribe. 

If you want to stay subscribed to the ipsec-policy mailing list,
you do not need to do anything. Feel free to delete this message.

On the other hand, if you want to unsubscribe from this list, simply go
to the following link:
     <http://www.vpnc.org/Unsubs/266771912>

If for some reason you cannot go to that web site, you can also
unsubscribe by email; however, doing so is not as likely to get you
unsubscribed as the web site is. To unsubscribe using email, you can
respond to this message and I will unsubscribe you by hand in the next
few days. Again, this is not assured to work because your mail system
may make it impossible for me to determine who you are or what you want
to unsubscribe to.

Alternatively, you can send a plain-text message to:
     ipsec-policy-request@vpnc.org
with the single word
     unsubscribe
in the body of the message. This last method assumes that the "From:"
address in your mail is "ipsp-archive@lists.ietf.org". Again, using the
web site above is more likely to work than this method (due to limitations
in Majordomo, the mailing list software we currently use).

If you have any questions, feel free to contact me.

--Paul Hoffman, list administrator


From owner-ipsec-policy@mail.vpnc.org  Sun Jul 20 00:24:38 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id AAA29229
	for <ipsp-archive@lists.ietf.org>; Sun, 20 Jul 2003 00:24:37 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h6K3udqt080419
	for <ipsec-policy-bks@above.proper.com>; Sat, 19 Jul 2003 20:56:39 -0700 (PDT)
	(envelope-from owner-ipsec-policy@mail.vpnc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h6K3udA7080418
	for ipsec-policy-bks; Sat, 19 Jul 2003 20:56:39 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ipsec-policy@mail.vpnc.org using -f
Received: from noxmail.sandelman.ottawa.on.ca (cyphermail.sandelman.ottawa.on.ca [192.139.46.78])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h6K3uZqt080403
	for <ipsec-policy@vpnc.org>; Sat, 19 Jul 2003 20:56:36 -0700 (PDT)
	(envelope-from mcr@sandelman.ottawa.on.ca)
Received: from sandelman.ottawa.on.ca (desk.marajade.sandelman.ca [205.150.200.247])
	by noxmail.sandelman.ottawa.on.ca (8.11.6p2/8.11.6) with ESMTP id h6K3u1m10033
	(using TLSv1/SSLv3 with cipher EDH-RSA-DES-CBC3-SHA (168 bits) verified OK)
	for <ipsec-policy@vpnc.org>; Sat, 19 Jul 2003 23:56:12 -0400 (EDT)
Received: from marajade.sandelman.ottawa.on.ca (mcr@localhost)
	by sandelman.ottawa.on.ca (8.12.3/8.12.3/Debian -4) with ESMTP id h6I9XpEd005191
	for <ipsec-policy@vpnc.org>; Fri, 18 Jul 2003 11:33:52 +0200
To: ipsec-policy@vpnc.org
Subject: Friday morning informal meeting 
Mime-Version: 1.0 (generated by tm-edit 1.8)
Content-Type: text/plain; charset=US-ASCII
Date: Fri, 18 Jul 2003 11:33:51 +0200
Message-ID: <5190.1058520831@marajade.sandelman.ottawa.on.ca>
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Sender: owner-ipsec-policy@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ipsec-policy/mail-archive/>
List-ID: <ipsec-policy.vpnc.org>
List-Unsubscribe: <mailto:ipsec-policy-request@vpnc.org?body=unsubscribe>


-----BEGIN PGP SIGNED MESSAGE-----


We had a gathering in the front foyer, Friday morning from 10am to 11:20am.

	Friday morning IPsec API bar-bof.

	People present: Wes Hardaker, Bill Sommerfeld, Tero Kivinen,
			Hugh Daniel, Michael Richardson, Lauri Tarkkala,
			Heikki Suonsivu, Tim Shepard, Andrew McGregor 

	- review of design team notes and requirements API.
	- discussion of crypto strength, effort (hardware/software),
	latency, jitter debate.
	- how to form/build the documents.

	everyone should read:
		nfsv4  - Nicolas -
		draft-ietf-nfsv4-ccm-

	Design team notes are at:
		    http://www.sandelman.ca/SSW/ietf/ipsp/pf_policy/

Again, we'd like to possibly have an interim work meeting on the east coast
in the September-ish era. If those who have to or want to travel further
want to suggest dates that might be more convenient, that would be great.

]                   At IETF57 in Wien, Austria                  |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] printk("Just another Debian GNU/Linux using, kernel hacking, security guy");[

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Finger me for keys

iQCVAwUBPxe+/YqHRg3pndX9AQGa4AP+IPeunZQavvaSMKzqzwn2YIrkvYlQThKO
zLYK7tfB0mpmrPsajRBi1ElVHE4A2MZpUWyE0jaoDQzO9Btv5tJnWlpLFlMe70m+
+MMD4kDwjQ8r2QNiulmNR2CVbU8HQfUPUI3m+Q7wsEgU3bfTXKhs1TgJ5x0DPSDR
ByBO6DiuniY=
=wQM2
-----END PGP SIGNATURE-----


From owner-ipsec-policy@mail.vpnc.org  Mon Jul 21 21:32:21 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id VAA16933
	for <ipsp-archive@lists.ietf.org>; Mon, 21 Jul 2003 21:32:21 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h6M0nfqt080354
	for <ipsec-policy-bks@above.proper.com>; Mon, 21 Jul 2003 17:49:41 -0700 (PDT)
	(envelope-from owner-ipsec-policy@mail.vpnc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h6M0nfZh080353
	for ipsec-policy-bks; Mon, 21 Jul 2003 17:49:41 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ipsec-policy@mail.vpnc.org using -f
Received: from hs3.order-vault.net (ftp.hs3.order-vault.net [216.71.40.131])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h6M0nZqt080345
	for <ipsec-policy@vpnc.org>; Mon, 21 Jul 2003 17:49:35 -0700 (PDT)
	(envelope-from lsanchez@xapiens.com)
Received: from xapiens.com ([204.181.75.148])
	(authenticated (0 bits))
	by hs3.order-vault.net (8.11.6/8.11.6) with ESMTP id h6M0nMC00536;
	Mon, 21 Jul 2003 20:49:22 -0400
Message-ID: <3F1C8A12.9060408@xapiens.com>
Date: Mon, 21 Jul 2003 20:49:22 -0400
From: "Luis A. Sanchez" <lsanchez@xapiens.com>
Organization: Xapiens Corporation
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:0.9.4) Gecko/20011128 Netscape6/6.2.1
X-Accept-Language: en-us
MIME-Version: 1.0
To: Michael Richardson <mcr@sandelman.ottawa.on.ca>
CC: Wes Hardaker <hardaker@tislabs.com>,
        "Steven M. Bellovin" <smb@research.att.com>,
        ipsec-policy <ipsec-policy@vpnc.org>
Subject: Re: meeting in Vienna
References: <1865.1058438546@marajade.sandelman.ottawa.on.ca>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-ipsec-policy@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ipsec-policy/mail-archive/>
List-ID: <ipsec-policy.vpnc.org>
List-Unsubscribe: <mailto:ipsec-policy-request@vpnc.org?body=unsubscribe>
Content-Transfer-Encoding: 7bit


Michael,

Sorry to hear that you were upset. The secretariat failed to schedule 
the IPSP meeting. This fact was acknowledged by them. I also asked for 
the midcomm slot for Tuesday but it had been re-assigned to another wg, 
another fact. Tuesday's call for an informal meeting was simply to 
provide feedback to Bill about draft-ietf-ipsp-ipsec-apireq-00 because 
not everyone was going to be around on Friday and we were running short 
of options. Steve Bellovin suggested a wg meeting for Friday and I 
accepted; however, I was at the SMZ OST (hospital) from Wed thru Sat 
taking care of my 2.5 year old daughter. It was impossible for me to 
attend but I understand good and productive discussions occurred.

-luis

Michael Richardson wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> 
> 
> So, is Friday morning cancelled then?
> 
> I am pretty upset that:
>   a) no meeting got scheduled.
>   b) a proposal to have it Friday was accepted and then changed.
>   c) that only two hours notice was given.
> 
> ]                   At IETF57 in Wien, Austria                  |  firewalls  [
> ]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
> ] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
> ] printk("Just another Debian GNU/Linux using, kernel hacking, security guy");[
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.7 (GNU/Linux)
> Comment: Finger me for keys
> 
> iQCVAwUBPxZ9kYqHRg3pndX9AQGR7wP/UKkbzwUWw59mtLDhynZWxLg4iDDb+e/V
> Ms7Rl/6gCA+SzrypAUUDoJQ+RJJoFH5LwghxfIl8fE/fiEfNKO3SQami0eoNLQgF
> Ns0bAjsegejw6swJ717AcDTuCSeGrWTJDZfqi0Z1fh7TA16izCQi5JR9gEdU+gaC
> kUUEiWXxiLg=
> =MD/G
> -----END PGP SIGNATURE-----
> 
> 




From owner-ipsec-policy@mail.vpnc.org  Tue Jul 29 05:01:34 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id FAA16136
	for <ipsp-archive@lists.ietf.org>; Tue, 29 Jul 2003 05:01:32 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h6T83iqt026775
	for <ipsec-policy-bks@above.proper.com>; Tue, 29 Jul 2003 01:03:44 -0700 (PDT)
	(envelope-from owner-ipsec-policy@mail.vpnc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h6T83iSt026774
	for ipsec-policy-bks; Tue, 29 Jul 2003 01:03:44 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ipsec-policy@mail.vpnc.org using -f
Received: from linux.grifflink.com (linux.royaleng.com [216.83.131.67])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h6T83hqt026759
	for <ipsec-policy@vpnc.org>; Tue, 29 Jul 2003 01:03:43 -0700 (PDT)
	(envelope-from ho@alum.mit.edu)
Received: from localhost.localdomain (user-153.grifflink1.fiber.net [209.90.91.153])
	by linux.grifflink.com (8.12.8/8.12.8) with ESMTP id h6T7xoVN008722
	for <ipsec-policy@vpnc.org>; Tue, 29 Jul 2003 01:59:50 -0600
Received: from localhost.localdomain (tobermory [127.0.0.1])
	by localhost.localdomain (8.12.8/8.11.6) with ESMTP id h6T7xaRW005684
	for <ipsec-policy@vpnc.org>; Tue, 29 Jul 2003 01:59:36 -0600
Received: (from ho@localhost)
	by localhost.localdomain (8.12.8/8.12.8/Submit) id h6T7xZDx005680;
	Tue, 29 Jul 2003 01:59:35 -0600
Date: Tue, 29 Jul 2003 01:59:35 -0600
Message-Id: <200307290759.h6T7xZDx005680@localhost.localdomain>
From: "The Purple Streak, Hilarie Orman" <ho@alum.mit.edu>
To: ipsec-policy@vpnc.org
Subject: Re: draft-ietf-ipsp-ipsec-apireq-00 comments 
Sender: owner-ipsec-policy@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ipsec-policy/mail-archive/>
List-ID: <ipsec-policy.vpnc.org>
List-Unsubscribe: <mailto:ipsec-policy-request@vpnc.org?body=unsubscribe>


I think the "motivation" section, even with the edits posted by
Bill Sommerfeld, remains sufficiently unclear as to probably baffle
most of the WG members.  This, absent the minutes of the interim
meeting held at the beginning of summer, makes it difficult for
the WG to comment on the draft.  In positive terms, what is the
motivation for the API?  We need to get this right before asking the
WG if this should be taken on as a WG item.

The draft states that it should be possible "to implement this" (the API?)
"with IKEv1, IKEv2, KINK, ..."  This seems to be verging into architecture,
and I'm not sure what the exact goal is.  Is it that the API should
have a mapping to any protocol that supports IPSec keying?  What are
the essential attributes here?  Is identity the only one?  Later, the
draft talks specifically about IKE SA's, implying that the API might have
additional dependencies on the key management.  We need more generic language
to get the requirements right.  However, I think that IKEv{1,2} MUST be
supported.

What is the relationship of the API to IPSec structures, such as SA's, SPD's,
etc.?  This would be the explanation of the statement "system policy
trumps all", I would guess.  There seems to be an implication that
applications have security policies that map to things specified by 
the API reqs.  An explicit statement of this would help motivate
the need for the API.

The requirement that "nominally authorized" communication failures be
visible to the application needs additional thought.  Presumably these
are communications related to a socket for which the application has
some authorization (how fine-grained is such authorization?).  Should it
see failures on incoming packets that fail the integrity check?  These
may be spoofed, and the system policy may forbid applications to see
them.  MUST the API reveal these?

I personally disagree with the HOW section.  This is an API for IPSec
policy, and all identifier names used in IPSec should be fair game
for the API, down to the awful algorithm names in their full glory
and including IKE key exchange methods and group names.

Hilarie


From owner-ipsec-policy@mail.vpnc.org  Tue Jul 29 14:40:38 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA04218
	for <ipsp-archive@lists.ietf.org>; Tue, 29 Jul 2003 14:40:37 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h6THpQqt074215
	for <ipsec-policy-bks@above.proper.com>; Tue, 29 Jul 2003 10:51:26 -0700 (PDT)
	(envelope-from owner-ipsec-policy@mail.vpnc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h6THpQGg074214
	for ipsec-policy-bks; Tue, 29 Jul 2003 10:51:26 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ipsec-policy@mail.vpnc.org using -f
Received: from noxmail.sandelman.ottawa.on.ca (cyphermail.sandelman.ottawa.on.ca [192.139.46.78])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h6THpJqt074209
	for <ipsec-policy@vpnc.org>; Tue, 29 Jul 2003 10:51:24 -0700 (PDT)
	(envelope-from mcr@sandelman.ottawa.on.ca)
Received: from sandelman.ottawa.on.ca (desk.marajade.sandelman.ca [205.150.200.247])
	by noxmail.sandelman.ottawa.on.ca (8.11.6p2/8.11.6) with ESMTP id h6THnbW28368
	(using TLSv1/SSLv3 with cipher EDH-RSA-DES-CBC3-SHA (168 bits) verified OK)
	for <ipsec-policy@vpnc.org>; Tue, 29 Jul 2003 13:49:42 -0400 (EDT)
Received: from marajade.sandelman.ottawa.on.ca (mcr@localhost)
	by sandelman.ottawa.on.ca (8.12.3/8.12.3/Debian -4) with ESMTP id h6THpDiB028029
	for <ipsec-policy@vpnc.org>; Tue, 29 Jul 2003 13:51:14 -0400
To: ipsec-policy@vpnc.org
Subject: Re: draft-ietf-ipsp-ipsec-apireq-00 comments 
In-reply-to: Your message of "Tue, 29 Jul 2003 01:59:35 MDT."
             <200307290759.h6T7xZDx005680@localhost.localdomain> 
Mime-Version: 1.0 (generated by tm-edit 1.8)
Content-Type: text/plain; charset=US-ASCII
Date: Tue, 29 Jul 2003 13:51:13 -0400
Message-ID: <28027.1059501073@marajade.sandelman.ottawa.on.ca>
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Sender: owner-ipsec-policy@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ipsec-policy/mail-archive/>
List-ID: <ipsec-policy.vpnc.org>
List-Unsubscribe: <mailto:ipsec-policy-request@vpnc.org?body=unsubscribe>


-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "The" == The Purple Streak, Hilarie Orman <ho@alum.mit.edu> writes:
    The> I think the "motivation" section, even with the edits posted by
    The> Bill Sommerfeld, remains sufficiently unclear as to probably baffle
    The> most of the WG members.  This, absent the minutes of the interim

  okay.

    The> meeting held at the beginning of summer, makes it difficult for
    The> the WG to comment on the draft.  In positive terms, what is the
    The> motivation for the API?  We need to get this right before asking the
    The> WG if this should be taken on as a WG item.

  The notes are at:
      http://www.sandelman.ca/SSW/ietf/ipsp/pf_policy/ubur-2003-06-03-notes.txt

  As for whether or not an API fits into the WG... Hmm. It isn't in the
charter. I thought it was. Yet, we've talked about PF_POLICY at every meeting
since we started. 

    The> The draft states that it should be possible "to implement this" (the API?)
    The> "with IKEv1, IKEv2, KINK, ..."  This seems to be verging into architecture,
    The> and I'm not sure what the exact goal is.  Is it that the API should
    The> have a mapping to any protocol that supports IPSec keying?  What are
    The> the essential attributes here?  Is identity the only one?  Later, the
    The> draft talks specifically about IKE SA's, implying that the API might have
    The> additional dependencies on the key management.  We need more generic
    The> language to get the requirements right.  However, I think that IKEv{1,2}
    The> MUST be supported.

  The intention is that the protocol should not be IKEv1 or IKEv2 specific.
It should be general enough that, yes, it should be implementable for any
IPsec key management protocol. Since we have IKEv{1,2}, clearly, yes, it is
a MUST that these systems be able to support the API.

    The> What is the relationship of the API to IPSec structures, such as
    The> SA's, SPD's, 

  I don't know how to answer the question.

  Applications should not deal with SPDs or SAs. They deal with sockets.
  The purpose of the API is to take a socket (or a potential socket) and have
the required SPD created by the "system". (Where this may be the library, the
kernel, the key manager, etc. But definitely not the application).

    The> etc.?  This would be the explanation of the statement "system policy
    The> trumps all", I would guess.  There seems to be an implication that
    The> applications have security policies that map to things specified by 
    The> the API reqs.  An explicit statement of this would help motivate
    The> the need for the API.

  I can not parse this part.

    The> The requirement that "nominally authorized" communication failures be
    The> visible to the application needs additional thought.  Presumably these
    The> are communications related to a socket for which the application has
    The> some authorization (how fine-grained is such authorization?).
    The> Should it see failures on incoming packets that fail the integrity
    The> check?  These may be spoofed, and the system policy may forbid
    The> applications to see them.  MUST the API reveal these?

  You are thinking about IPsec here. That may be appropriate thinking for
connectionless protocols. For instance, the VoIP people have suggested
that failed data is better than no data.  This is a different
security model than VPNs.

  We are thinking about mis-matched public keys, lack of system policy
authorizing the session, etc. 

  Someone has to tell the user that they used the wrong smartcard!

    The> I personally disagree with the HOW section.  This is an API for IPSec
    The> policy, and all identifier names used in IPSec should be fair game
    The> for the API, down to the awful algorithm names in their full glory
    The> and including IKE key exchange methods and group names.

  This is not an API for setting IPsec SPD. We have one. It is called PF_KEY.
  (SPD = Security Policy Database!)

  Application writers, including very clueful ones who implement IPsec code
do not want to code PF_KEY into applications. It is just way too low level.

]      Out and about in Ottawa.    hmmm... beer.                |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian/notebook using, kernel hacking, security guy");  [
  
  

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys - custom hacks make this fully PGP2 compat

iQCVAwUBPya0CoqHRg3pndX9AQGs1wQAxZCEiQQSB5YlyzE7hy6QIGFy/hCwn+wN
EWMHI7oFrmG0zLI/L1pRAwrnhmehNd06KaEASJGGX/oc0SoKLKmHJy8t5ks3XVC5
/1RwO3Ejxot3OnjVF5EUd8RLf8VqGU+XDumUd6Oxd0AZnfFyJ4qTT+aXHCQ8L2Tv
w0zwVCguwaA=
=YmRL
-----END PGP SIGNATURE-----


