From kent@bbn.com Mon Dec 2 06:46:37 2013 Return-Path: X-Original-To: ipsec@ietfa.amsl.com Delivered-To: ipsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5BDF31A8028 for ; Mon, 2 Dec 2013 06:46:37 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.201 X-Spam-Level: X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BywcXvif_iWO for ; Mon, 2 Dec 2013 06:46:35 -0800 (PST) Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by ietfa.amsl.com (Postfix) with ESMTP id DDBE11AE068 for ; Mon, 2 Dec 2013 06:46:30 -0800 (PST) Received: from dommiel.bbn.com ([192.1.122.15]:47462 helo=comsec.home) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from ) id 1VnUlY-000OmL-Bk for ipsec@ietf.org; Mon, 02 Dec 2013 09:46:28 -0500 Message-ID: <529C9D43.9010107@bbn.com> Date: Mon, 02 Dec 2013 09:46:27 -0500 From: Stephen Kent User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 Thunderbird/24.1.1 MIME-Version: 1.0 To: ipsec Content-Type: multipart/alternative; boundary="------------050203030604080308080605" Subject: [IPsec] 4301 questionnaire X-BeenThere: ipsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Discussion of IPsec protocols List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 02 Dec 2013 14:46:37 -0000 This is a multi-part message in MIME format. --------------050203030604080308080605 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit For progress to Internet Standard, we need to verify the status of implementations relative to the RFCs. Rather than Going through an exhaustive list of MUST and SHOULD compliance, let's start with a simpler list, suggested by Sean. I request that each implementer complete the following form: *- Which of following databases does your implementation support: - SPD (Security Policy Database) - SAD (Security Association Database) - PAD (Peer Authorization Database) - Which of the processing semantics does your implementation support: - IP Traffic: - ICMP: - Fragment: - Path MTU/DF The following questions document whether interoperability has been achieved as well as other intangibles the IESG will be interested: - What evidence do you have that your implementation can interoperate with other implementations?** ** ** - In your opinion, are there unused features in the RFC that greatly increase implementation complexity?** ** ** - Errata was filed against RFC 4301 and has been incorporated in**https://datatracker.ietf.org/doc/draft-kent-ipsecme-saforip-rfc4301bis/**; are any of the incorporated errata problematic for your implementation?** ** **- Does your implementation support the updates documented in RFC 6401? Additional information (optional):* Thanks, Steve --------------050203030604080308080605 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit For progress to Internet Standard, we need to verify the status of implementations
relative to the RFCs. Rather than Going through an exhaustive list of MUST and
SHOULD compliance, let's start with a simpler list, suggested by Sean.

I request that each implementer complete the following form:

 
- Which of following databases does your implementation support:
	- SPD (Security Policy Database)
	- SAD (Security Association Database)
	- PAD (Peer Authorization Database)
- Which of the processing semantics does your implementation support:
	- IP Traffic:
	- ICMP:
	- Fragment:
	- Path MTU/DF

The following questions document whether interoperability has been achieved as well as other intangibles the IESG will be interested:

- What evidence do you have that your implementation can interoperate with other implementations?

 - In your opinion, are there unused features in the RFC that greatly increase implementation complexity?

 - Errata was filed against RFC 4301 and has been incorporated in https://datatracker.ietf.org/doc/draft-kent-ipsecme-saforip-rfc4301bis/; are any of the incorporated errata problematic for your implementation?

- Does your implementation support the updates documented in RFC 6401?

Additional information (optional):

Thanks,

Steve
--------------050203030604080308080605-- From kent@bbn.com Mon Dec 2 06:47:44 2013 Return-Path: X-Original-To: ipsec@ietfa.amsl.com Delivered-To: ipsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63FDD1AE434 for ; Mon, 2 Dec 2013 06:47:44 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.201 X-Spam-Level: X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bR5zzjAfbK_W for ; Mon, 2 Dec 2013 06:47:43 -0800 (PST) Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by ietfa.amsl.com (Postfix) with ESMTP id E4BC61AE474 for ; Mon, 2 Dec 2013 06:47:42 -0800 (PST) Received: from dommiel.bbn.com ([192.1.122.15]:47465 helo=comsec.home) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from ) id 1VnUmi-000On7-FF for ipsec@ietf.org; Mon, 02 Dec 2013 09:47:40 -0500 Message-ID: <529C9D8C.50503@bbn.com> Date: Mon, 02 Dec 2013 09:47:40 -0500 From: Stephen Kent User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 Thunderbird/24.1.1 MIME-Version: 1.0 To: ipsec Content-Type: multipart/alternative; boundary="------------030106050306070008050102" Subject: [IPsec] progressing 4303 X-BeenThere: ipsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Discussion of IPsec protocols List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 02 Dec 2013 14:47:44 -0000 This is a multi-part message in MIME format. --------------030106050306070008050102 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Same drill for 4303: *The following questions document whether the syntax and semantics of the protocol were implemented: - Which of the following ESP packet formats does your implementation support: - separate encryption and integrity algorithms: - combined mode algorithms: - Which processing semantics does your implementation support: - Transport Mode: - Tunnel Mode: - Auditing: The following questions document whether interoperability has been achieved as well as other intangibles the IESG will be interested: - What evidence do you have that your implementation can interoperate with other implementations? - In your opinion, are there unused features in the RFC that greatly increase implementation complexity? - Errata was filed against RFC 4303 and has been included in**https://datatracker.ietf.org/doc/draft-kent-ipsecme-esp-rfc4303bis/**; are any of the incorporated errata problematic for your implementation? Additional information (optional):* --------------030106050306070008050102 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Same drill for 4303:

The following questions document whether the syntax and semantics of the protocol were implemented:

- Which of the following ESP packet formats does your implementation support:
	- separate encryption and integrity algorithms:
	- combined mode algorithms:
- Which processing semantics does your implementation support:
	- Transport Mode:
	- Tunnel Mode:
	- Auditing:

The following questions document whether interoperability has been achieved as well as other intangibles the IESG will be interested:

- What evidence do you have that your implementation can interoperate with other implementations?

- In your opinion, are there unused features in the RFC that greatly increase implementation complexity?

- Errata was filed against RFC 4303 and has been included in https://datatracker.ietf.org/doc/draft-kent-ipsecme-esp-rfc4303bis/; are any of the incorporated errata problematic for your implementation?

Additional information (optional):

--------------030106050306070008050102-- From paul.hoffman@vpnc.org Mon Dec 2 06:48:15 2013 Return-Path: X-Original-To: ipsec@ietfa.amsl.com Delivered-To: ipsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6CBEA1AE49E for ; Mon, 2 Dec 2013 06:48:15 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.347 X-Spam-Level: X-Spam-Status: No, score=-1.347 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_MISMATCH_COM=0.553] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D3vWMnbCu5PS for ; Mon, 2 Dec 2013 06:48:14 -0800 (PST) Received: from hoffman.proper.com (IPv6.Hoffman.Proper.COM [IPv6:2605:8e00:100:41::81]) by ietfa.amsl.com (Postfix) with ESMTP id C9D4F1AE49B for ; Mon, 2 Dec 2013 06:48:13 -0800 (PST) Received: from [10.20.30.90] (50-0-66-41.dsl.dynamic.sonic.net [50.0.66.41]) (authenticated bits=0) by hoffman.proper.com (8.14.7/8.14.7) with ESMTP id rB2EmANI053502 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO) for ; Mon, 2 Dec 2013 07:48:11 -0700 (MST) (envelope-from paul.hoffman@vpnc.org) X-Authentication-Warning: hoffman.proper.com: Host 50-0-66-41.dsl.dynamic.sonic.net [50.0.66.41] claimed to be [10.20.30.90] From: Paul Hoffman Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable Date: Mon, 2 Dec 2013 06:48:11 -0800 References: <20131202125348.16990.76682.idtracker@ietfa.amsl.com> To: ipsec@ietf.org Message-Id: Mime-Version: 1.0 (Mac OS X Mail 7.0 $1822$) X-Mailer: Apple Mail (2.1822) Subject: [IPsec] Fwd: Last Call: (Virtual Private Network (VPN) traffic leakages in dual-stack hosts/ networks) to Informational RFC X-BeenThere: ipsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Discussion of IPsec protocols List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 02 Dec 2013 14:48:15 -0000 This IETF-wide last call should be of definite interest to many = developers in this WG. Please send any review comments to the addresses = below, not to the IPsecME WG mailing list. --Paul Hoffman Begin forwarded message: > From: The IESG > Subject: Last Call: (Virtual = Private Network (VPN) traffic leakages in dual-stack hosts/ networks) to = Informational RFC > Date: December 2, 2013 at 4:53:48 AM PST > To: IETF-Announce > Cc: opsec@ietf.org > Reply-To: ietf@ietf.org >=20 >=20 > The IESG has received a request from the Operational Security > Capabilities for IP Network Infrastructure WG (opsec) to consider the > following document: > - 'Virtual Private Network (VPN) traffic leakages in dual-stack hosts/ > networks' > as Informational RFC >=20 > The IESG plans to make a decision in the next few weeks, and solicits > final comments on this action. Please send substantive comments to the > ietf@ietf.org mailing lists by 2013-12-16. Exceptionally, comments may = be > sent to iesg@ietf.org instead. In either case, please retain the > beginning of the Subject line to allow automated sorting. >=20 > Abstract >=20 >=20 > The subtle way in which the IPv6 and IPv4 protocols co-exist in > typical networks, together with the lack of proper IPv6 support in > popular Virtual Private Network (VPN) products, may inadvertently > result in VPN traffic leaks. That is, traffic meant to be > transferred over a VPN connection may leak out of such connection and > be transferred in the clear from the local network to the final > destination. This document discusses some scenarios in which such > VPN leakages may occur, either as a side effect of enabling IPv6 on a > local network, or as a result of a deliberate attack from a local > attacker. Additionally, it discusses possible mitigations for the > aforementioned issue. >=20 >=20 >=20 >=20 > The file can be obtained via > http://datatracker.ietf.org/doc/draft-ietf-opsec-vpn-leakages/ >=20 > IESG discussion can be tracked via > http://datatracker.ietf.org/doc/draft-ietf-opsec-vpn-leakages/ballot/ >=20 >=20 > No IPR declarations have been submitted directly on this I-D. >=20 >=20 From kent@bbn.com Tue Dec 3 07:47:55 2013 Return-Path: X-Original-To: ipsec@ietfa.amsl.com Delivered-To: ipsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F72F1AE13A for ; Tue, 3 Dec 2013 07:47:55 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.303 X-Spam-Level: X-Spam-Status: No, score=-2.303 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bctlXvDrKXye for ; Tue, 3 Dec 2013 07:47:52 -0800 (PST) Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by ietfa.amsl.com (Postfix) with ESMTP id D5FCE1AE12A for ; Tue, 3 Dec 2013 07:47:52 -0800 (PST) Received: from dhcp89-089-218.bbn.com ([128.89.89.218]:49830) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from ) id 1VnsCT-0009VY-Hs for ipsec@ietf.org; Tue, 03 Dec 2013 10:47:49 -0500 Message-ID: <529DFD25.2030704@bbn.com> Date: Tue, 03 Dec 2013 10:47:49 -0500 From: Stephen Kent User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 Thunderbird/24.1.1 MIME-Version: 1.0 To: ipsec Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: [IPsec] I forgot to mention X-BeenThere: ipsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Discussion of IPsec protocols List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Dec 2013 15:47:55 -0000 Responses to the 4301 and 4303 questions should be posted to the list. Steve From kent@bbn.com Tue Dec 3 07:52:14 2013 Return-Path: X-Original-To: ipsec@ietfa.amsl.com Delivered-To: ipsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1C2EE1AE08C for ; Tue, 3 Dec 2013 07:52:14 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.202 X-Spam-Level: X-Spam-Status: No, score=-4.202 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J7B4Kzrbhrth for ; Tue, 3 Dec 2013 07:52:12 -0800 (PST) Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by ietfa.amsl.com (Postfix) with ESMTP id B40AD1AE05B for ; Tue, 3 Dec 2013 07:52:12 -0800 (PST) Received: from dhcp89-089-218.bbn.com ([128.89.89.218]:49854) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from ) id 1VnsGf-0009al-V1 for ipsec@ietf.org; Tue, 03 Dec 2013 10:52:10 -0500 Message-ID: <529DFE29.7060403@bbn.com> Date: Tue, 03 Dec 2013 10:52:09 -0500 From: Stephen Kent User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 Thunderbird/24.1.1 MIME-Version: 1.0 To: ipsec References: <529C9D43.9010107@bbn.com> <529CBE8A.7060504@gmail.com> In-Reply-To: <529CBE8A.7060504@gmail.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: [IPsec] another 4301 questionnaire whoops X-BeenThere: ipsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Discussion of IPsec protocols List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Dec 2013 15:52:14 -0000 Yaron pointed out that the reference to RFC 6401 was in error. The relevant RFC is 6040 (Tunneling of Explicit Congestion Notification). Sorry 'bout that, Steve From TurnerS@ieca.com Tue Dec 3 09:34:09 2013 Return-Path: X-Original-To: ipsec@ietfa.amsl.com Delivered-To: ipsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 281021A1F4E for ; Tue, 3 Dec 2013 09:34:09 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.167 X-Spam-Level: X-Spam-Status: No, score=-0.167 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZR6VWEOuNAZI for ; Tue, 3 Dec 2013 09:34:08 -0800 (PST) Received: from gateway01.websitewelcome.com (gateway01.websitewelcome.com [67.18.80.19]) by ietfa.amsl.com (Postfix) with ESMTP id EC29B1AD939 for ; Tue, 3 Dec 2013 09:34:07 -0800 (PST) Received: by gateway01.websitewelcome.com (Postfix, from userid 5007) id 09121B41F3615; Tue, 3 Dec 2013 11:34:05 -0600 (CST) Received: from gator3286.hostgator.com (gator3286.hostgator.com [198.57.247.250]) by gateway01.websitewelcome.com (Postfix) with ESMTP id B9E20B41F34B9 for ; Tue, 3 Dec 2013 11:34:04 -0600 (CST) Received: from [198.180.150.142] (port=50412 helo=v142.vpn.iad.rg.net) by gator3286.hostgator.com with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.80) (envelope-from ) id 1VntrG-0006fN-PK for ipsec@ietf.org; Tue, 03 Dec 2013 11:34:03 -0600 From: Sean Turner Content-Type: multipart/signed; boundary="Apple-Mail=_B924512E-9B23-4FF0-918E-DCE8AF6D8AD3"; protocol="application/pkcs7-signature"; micalg=sha1 Message-Id: <33B8DC07-B651-4937-9EE7-845AB0B6509E@ieca.com> Date: Tue, 3 Dec 2013 17:33:58 +0000 To: IPsecme WG Mime-Version: 1.0 (Mac OS X Mail 7.0 $1822$) X-Mailer: Apple Mail (2.1822) X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - gator3286.hostgator.com X-AntiAbuse: Original Domain - ietf.org X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12] X-AntiAbuse: Sender Address Domain - ieca.com X-BWhitelist: no X-Source-IP: 198.180.150.142 X-Source: X-Source-Args: X-Source-Dir: X-Source-Sender: (v142.vpn.iad.rg.net) [198.180.150.142]:50412 X-Source-Auth: sean.turner@ieca.com X-Email-Count: 6 X-Source-Cap: ZG9tbWdyNDg7ZG9tbWdyNDg7Z2F0b3IzMjg2Lmhvc3RnYXRvci5jb20= Subject: [IPsec] 3948 Questionnaire X-BeenThere: ipsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Discussion of IPsec protocols List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Dec 2013 17:34:09 -0000 --Apple-Mail=_B924512E-9B23-4FF0-918E-DCE8AF6D8AD3 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=windows-1252 Here=92s a proposed set of question for RFC 3948 implementers: The following questions document whether your implementation supports = the syntax and semantics of the protocol: - Which of the following packet formats does your implementation = support: - UDP-Encapsulated ESP Header Format (y/n): - IKE Header Format for Port 4500 (y/n): - NAT-Keepalive Packet Format (y/n): - Which of the following encapsulation and decapsulation processing = rules does your implementation support: - Auxiliary Processing - Tunnel Mode Decapsulation NAT Procedure (y/n): - Transport Mode Decapsulation NAT Procedure (y/n): - Transport Mode ESP Encapsulation (y/n): - Transport Mode ESP Decapsulation (y/n): - Tunnel Mode ESP Encapsulation (y/n): - Tunnel Mode ESP Decapsulation (y/n): - Does your implementation support the NAT keepalive procedure? (y/n): The following questions document whether interoperability has been = achieved as well as other intangibles the IESG will be interested. - What evidence do you have that your implementation can interoperate = with other implementations? - In your opinion, are there unused features in the RFC that greatly = increase implementation complexity? Additional information (optional): spt= --Apple-Mail=_B924512E-9B23-4FF0-918E-DCE8AF6D8AD3 Content-Disposition: attachment; filename=smime.p7s Content-Type: application/pkcs7-signature; name=smime.p7s Content-Transfer-Encoding: base64 MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIEgDCCBHww ggJkoAMCAQICCQCdWMxKNutUeTANBgkqhkiG9w0BAQsFADAiMQswCQYDVQQGEwJVUzETMBEGA1UE ChMKSUVDQSwgSW5jLjAeFw0xMzA0MDMxNDUxMThaFw0xNDA0MDMxNDUxMThaMDgxCzAJBgNVBAYT AlVTMRMwEQYDVQQKEwpJRUNBLCBJbmMuMRQwEgYDVQQDEwtTZWFuIFR1cm5lcjCCASIwDQYJKoZI hvcNAQEBBQADggEPADCCAQoCggEBAOpCGCRptT1m+bIpLTmbahZLZ0Qe4X99f8SgTQ7QISvUfpmn tfOD1oA1AttXlOULEERYubzvDnUTXvstFomQx0XTA67IaV+mw9ODRtG1hPN/erdKX6sU6rH4tsEb ba3Drr/I0HT3YVvD3SjWtGXjF12XLvTP6+LfMIIDTCAPiEd9KPG23D7skVu/4BvvmdLFI96OARhg wQ86M+lTIn83KRJlbbfAeIevbRx/rUB7D+uvMdWxOzR0KZJhd6dEeTXVwBXZG4rnQ4uFM+mRSiD4 rxDCyOuIuOzR07tnOyCRio6sRipOZvwQUWttdsgMEs6IxLdWsaTXcs1HjCsxrdedovMCAwEAAaOB njCBmzAOBgNVHQ8BAf8EBAMCBeAwHwYDVR0jBBgwFoAUAHRsSeXJUmFxTVY4q2HJ8uHl+w0wGwYD VR0RBBQwEoEQVHVybmVyU0BpZWNhLmNvbTAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8vd3d3Lmll Y2EuY29tL2NybHMvaWVjYS5jcmwwFwYDVR0gBBAwDjAMBgorBgEEAYHXAAAAMA0GCSqGSIb3DQEB CwUAA4ICAQAimDYm77ppTi4vK6qJSUhyvCDMGb8mngiEXEYKxsfdHPWoDO7+06j7dAZ8sDD9/FtE kiUMyoNGSUmKHR+tGperVnNiM/Zk6WwCJv8dYZwhGXNQeEGzeys/UkFv7CFX7uDSn8GQeB8sOAZ1 N1hxV/TvT8qXvcRxP5+aWTAGAq3TKtCQxZjuU74L3st2hZiOhJlhjhqz0K5FIwWzXUK9uwhZe1th GUpDbRustVgmKN2Xa0pzwqI1VUO0jnWt24A4u59xo6DJQXzQVMhCx0xhpemuT9BrsBDTX8eJdI1i Wv9wp3ivSrfHjKXp8y8OGD+usiG40HCjj0W9C+dH0VfbgrB6QOI4vA9+kTg4mANth1cxyxwPYOSJ v0zi1qR0eDIGI//2v2/s6TmGuNqbnRa26Ldv5gGqS7xj32Fiaby6UOXs4+aAIWGZEOH+BXjozcvE eGBwjU/VRQYu6itR28PaNhNVji4D5ITaGxWWiycqK1EUaFraWHtk7W100ROX69xTeFVZP86D2ymi /aohl5Vb1vlYHdqlbgqjDRl9dPbTxVCXEHf+jkexcuwlLTvr7F+5DIN6c/EbCpRqQx3edy193L48 OGyRDh1/Wmzpew0VWWAWOSXGl/P9VzXf3Z6GPt7flN/V9iEJAa3Mo+w+eIdzJkHBWR+yJcqQcCRM MSyishMwLDGCAjgwggI0AgEBMC8wIjELMAkGA1UEBhMCVVMxEzARBgNVBAoTCklFQ0EsIEluYy4C CQCdWMxKNutUeTAJBgUrDgMCGgUAoIHfMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZI hvcNAQkFMQ8XDTEzMTIwMzE3MzM1OVowIwYJKoZIhvcNAQkEMRYEFEEI/FFkB8lxU1nNyv9Smu30 sY8tMD4GCSsGAQQBgjcQBDExMC8wIjELMAkGA1UEBhMCVVMxEzARBgNVBAoTCklFQ0EsIEluYy4C CQCdWMxKNutUeTBABgsqhkiG9w0BCRACCzExoC8wIjELMAkGA1UEBhMCVVMxEzARBgNVBAoTCklF Q0EsIEluYy4CCQCdWMxKNutUeTANBgkqhkiG9w0BAQEFAASCAQC//Kdo6+3baNysQmesY7gkK+wQ gFAD0NQKLoXnzvVdayS8Px45JgbXsn9XSlyPk1yCGb8u7WJp4QMUQ+nZT8twesyvqbFZVFdxW0lJ B4LNIzqwjZPYQc5rurRYBSLlPax4KNnXUhYBy1l+4D/1MKB2xUL9dADQ6f+sayyY2K9cmrZKdJu3 dembLhVlfjySYhmX+9/JUz1or4KnqRn36Jdih/BYXhGF9ToIF9/mp4/Gs9REqMdcYOM1sbpP1hQf 8SnfsrwthSSOKqPffErtNx19xoG1vrnN5/YHKP9ZrJwZMXEGjdnDgVxGd82114ROYa9kel5MV2NT lTGYO/XLAOMzAAAAAAAA --Apple-Mail=_B924512E-9B23-4FF0-918E-DCE8AF6D8AD3-- From TurnerS@ieca.com Tue Dec 3 09:34:12 2013 Return-Path: X-Original-To: ipsec@ietfa.amsl.com Delivered-To: ipsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0CC3B1AE0F8 for ; Tue, 3 Dec 2013 09:34:12 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.332 X-Spam-Level: X-Spam-Status: No, score=0.332 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id imt7SpNzL-O6 for ; Tue, 3 Dec 2013 09:34:10 -0800 (PST) Received: from gateway15.websitewelcome.com (gateway15.websitewelcome.com [67.18.82.10]) by ietfa.amsl.com (Postfix) with ESMTP id C24B71A1F4E for ; Tue, 3 Dec 2013 09:34:10 -0800 (PST) Received: by gateway15.websitewelcome.com (Postfix, from userid 5007) id 7AFB01D3D3D20; Tue, 3 Dec 2013 11:34:08 -0600 (CST) Received: from gator3286.hostgator.com (gator3286.hostgator.com [198.57.247.250]) by gateway15.websitewelcome.com (Postfix) with ESMTP id 5757D1D3D3C7F for ; Tue, 3 Dec 2013 11:34:08 -0600 (CST) Received: from [198.180.150.142] (port=50412 helo=v142.vpn.iad.rg.net) by gator3286.hostgator.com with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.80) (envelope-from ) id 1VntrL-0006fN-0a for ipsec@ietf.org; Tue, 03 Dec 2013 11:34:07 -0600 From: Sean Turner Content-Type: multipart/signed; boundary="Apple-Mail=_3742813A-A946-44CC-9840-FA385E85F65B"; protocol="application/pkcs7-signature"; micalg=sha1 Message-Id: Date: Tue, 3 Dec 2013 17:34:02 +0000 To: IPsecme WG Mime-Version: 1.0 (Mac OS X Mail 7.0 $1822$) X-Mailer: Apple Mail (2.1822) X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - gator3286.hostgator.com X-AntiAbuse: Original Domain - ietf.org X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12] X-AntiAbuse: Sender Address Domain - ieca.com X-BWhitelist: no X-Source-IP: 198.180.150.142 X-Source: X-Source-Args: X-Source-Dir: X-Source-Sender: (v142.vpn.iad.rg.net) [198.180.150.142]:50412 X-Source-Auth: sean.turner@ieca.com X-Email-Count: 7 X-Source-Cap: ZG9tbWdyNDg7ZG9tbWdyNDg7Z2F0b3IzMjg2Lmhvc3RnYXRvci5jb20= Subject: [IPsec] 5996 Questionnaire X-BeenThere: ipsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Discussion of IPsec protocols List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Dec 2013 17:34:12 -0000 --Apple-Mail=_3742813A-A946-44CC-9840-FA385E85F65B Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=windows-1252 After some edits from Tero, here=92s a proposed set of question for RFC = 5996 implementers: - Which of the IKEv2 exchanges you support: - IKE_SA_INIT (includes support for SA, KE, Ni, Nr payloads) - IKE_AUTH (includes support for SK, IDi, IDr, AUTH, TSi, TSr payloads) - CREATE_CHILD_SA - INFORMATIONAL - Which of the IKEv2 payloads your implementation supports - CERT Certificate - CERTREQ Certificate Request - CP Configuration - D Delete - EAP Extensible Authentication - N Notify - V Vendor ID - Which of the following processing semantics does your implementation = support (y/n): - Can your implementation create a new child SAs with the = CREATE_CHILD_SA exchange?: - Can your implementation rekey an IKE SAs with the = CREATE_CHILD_SA Exchange?: - Can your implementation rekey a Child SAs with the = CREATE_CHILD_SA Exchange?: - Does your implementation support the INFORMATIONAL exchange? - Which of the IKEv2 authentication methods you support - PKIX Certificates as specified in section 4 - Shared key authentication as specified in section 4 - Mixed authentication, where responder uses Certificates and initiator uses shared key -- Which of the usage scenarios does your implementation support = (s1.1.1, s1.1.2, and s1.1.3): - What evidence do you have that your implementation can interoperate = with other implementations? - In your opinion, are there unused features in the RFC that greatly = increase implementation complexity? - Errata was filed against RFC 5996 and has been included in = https://datatracker.ietf.org/doc/draft-kivinen-ipsecme-ikev2-rfc5996bis/; = are any of the incorporated errata problematic for your implementation? Additional information (optional): spt= --Apple-Mail=_3742813A-A946-44CC-9840-FA385E85F65B Content-Disposition: attachment; filename=smime.p7s Content-Type: application/pkcs7-signature; name=smime.p7s Content-Transfer-Encoding: base64 MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIEgDCCBHww ggJkoAMCAQICCQCdWMxKNutUeTANBgkqhkiG9w0BAQsFADAiMQswCQYDVQQGEwJVUzETMBEGA1UE ChMKSUVDQSwgSW5jLjAeFw0xMzA0MDMxNDUxMThaFw0xNDA0MDMxNDUxMThaMDgxCzAJBgNVBAYT AlVTMRMwEQYDVQQKEwpJRUNBLCBJbmMuMRQwEgYDVQQDEwtTZWFuIFR1cm5lcjCCASIwDQYJKoZI hvcNAQEBBQADggEPADCCAQoCggEBAOpCGCRptT1m+bIpLTmbahZLZ0Qe4X99f8SgTQ7QISvUfpmn tfOD1oA1AttXlOULEERYubzvDnUTXvstFomQx0XTA67IaV+mw9ODRtG1hPN/erdKX6sU6rH4tsEb ba3Drr/I0HT3YVvD3SjWtGXjF12XLvTP6+LfMIIDTCAPiEd9KPG23D7skVu/4BvvmdLFI96OARhg wQ86M+lTIn83KRJlbbfAeIevbRx/rUB7D+uvMdWxOzR0KZJhd6dEeTXVwBXZG4rnQ4uFM+mRSiD4 rxDCyOuIuOzR07tnOyCRio6sRipOZvwQUWttdsgMEs6IxLdWsaTXcs1HjCsxrdedovMCAwEAAaOB njCBmzAOBgNVHQ8BAf8EBAMCBeAwHwYDVR0jBBgwFoAUAHRsSeXJUmFxTVY4q2HJ8uHl+w0wGwYD VR0RBBQwEoEQVHVybmVyU0BpZWNhLmNvbTAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8vd3d3Lmll Y2EuY29tL2NybHMvaWVjYS5jcmwwFwYDVR0gBBAwDjAMBgorBgEEAYHXAAAAMA0GCSqGSIb3DQEB CwUAA4ICAQAimDYm77ppTi4vK6qJSUhyvCDMGb8mngiEXEYKxsfdHPWoDO7+06j7dAZ8sDD9/FtE kiUMyoNGSUmKHR+tGperVnNiM/Zk6WwCJv8dYZwhGXNQeEGzeys/UkFv7CFX7uDSn8GQeB8sOAZ1 N1hxV/TvT8qXvcRxP5+aWTAGAq3TKtCQxZjuU74L3st2hZiOhJlhjhqz0K5FIwWzXUK9uwhZe1th GUpDbRustVgmKN2Xa0pzwqI1VUO0jnWt24A4u59xo6DJQXzQVMhCx0xhpemuT9BrsBDTX8eJdI1i Wv9wp3ivSrfHjKXp8y8OGD+usiG40HCjj0W9C+dH0VfbgrB6QOI4vA9+kTg4mANth1cxyxwPYOSJ v0zi1qR0eDIGI//2v2/s6TmGuNqbnRa26Ldv5gGqS7xj32Fiaby6UOXs4+aAIWGZEOH+BXjozcvE eGBwjU/VRQYu6itR28PaNhNVji4D5ITaGxWWiycqK1EUaFraWHtk7W100ROX69xTeFVZP86D2ymi /aohl5Vb1vlYHdqlbgqjDRl9dPbTxVCXEHf+jkexcuwlLTvr7F+5DIN6c/EbCpRqQx3edy193L48 OGyRDh1/Wmzpew0VWWAWOSXGl/P9VzXf3Z6GPt7flN/V9iEJAa3Mo+w+eIdzJkHBWR+yJcqQcCRM MSyishMwLDGCAjgwggI0AgEBMC8wIjELMAkGA1UEBhMCVVMxEzARBgNVBAoTCklFQ0EsIEluYy4C CQCdWMxKNutUeTAJBgUrDgMCGgUAoIHfMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZI hvcNAQkFMQ8XDTEzMTIwMzE3MzQwMlowIwYJKoZIhvcNAQkEMRYEFJT8c5PvwWmyNSgMqhScKxSZ o2shMD4GCSsGAQQBgjcQBDExMC8wIjELMAkGA1UEBhMCVVMxEzARBgNVBAoTCklFQ0EsIEluYy4C CQCdWMxKNutUeTBABgsqhkiG9w0BCRACCzExoC8wIjELMAkGA1UEBhMCVVMxEzARBgNVBAoTCklF Q0EsIEluYy4CCQCdWMxKNutUeTANBgkqhkiG9w0BAQEFAASCAQCWhjWKiqN4nfF91RH1nsBhnam9 q3dRsElJUS2QRd1rGnkVj3BKkjYLMuwyLzJ7zEOKKUcdEH+qZev08LEbpDWwiI1QDYvYO1aKtyot iJx6oW8chNgH7qi4BejPFOF5K93tf4KzTyQbqOW1F+Sa1IIEoVz4MlJ5Cs7E7V9ia/dw84vYl1cq jlNDCKZocigLHDOdSZFudzxqW435MwXvn6U1HCyOmywGO4XhA1N+x2HQQpRLBc4maB4Z2/XUj3b4 MP2rK1EuA1LjmEcPFBaWbs5BwW1S+cOy8wr4LrPGK+gzZMWFZG2oKel+IygKCtmpjOYVqyCqntYD +TlqXJZoQeUtAAAAAAAA --Apple-Mail=_3742813A-A946-44CC-9840-FA385E85F65B-- From yaronf.ietf@gmail.com Tue Dec 3 09:40:58 2013 Return-Path: X-Original-To: ipsec@ietfa.amsl.com Delivered-To: ipsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB6C61AD8F4 for ; Tue, 3 Dec 2013 09:40:58 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2 X-Spam-Level: X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eSwOZjuWE8CF for ; Tue, 3 Dec 2013 09:40:57 -0800 (PST) Received: from mail-ee0-x229.google.com (mail-ee0-x229.google.com [IPv6:2a00:1450:4013:c00::229]) by ietfa.amsl.com (Postfix) with ESMTP id C8E021A1F1A for ; Tue, 3 Dec 2013 09:40:56 -0800 (PST) Received: by mail-ee0-f41.google.com with SMTP id t10so1774400eei.28 for ; Tue, 03 Dec 2013 09:40:53 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=+PWLw7ARnHxJsj6gsLEoyWuk3P4oC9x/sa4WX1kUB54=; b=YQawtDGCSSdWo3ucpee9boACtlW3FicUGMU4BsKSofckV5PIr7edlyhYk1oUk0aO0j jyNwZZCCsq3HUtr+VQbF+4dSDcz5BP4fOn4GqsQbDmEeIQkP+AYi6HzhVyTKIsMNigO0 VKuNhFyUYEBM8ws0cARN9Za7QKPjtASkM3GmLAb68rGXAR/MqQlt5wVqh2qowdI+j6wm q8cTJCcEQBAO+Z82Vm3RqkmRo5fZshW3jHcoZsV6r5pC9d73QQr+7oWGC1BgUrxHZkAT K+BZ3muwJVtPQ4qEf1ZcbufLSvVDaKdRa8rvHhU4jyEGLVi7VA1JUP1aPClrJJHjw6fV xTBg== X-Received: by 10.14.105.200 with SMTP id k48mr71719155eeg.1.1386092453678; Tue, 03 Dec 2013 09:40:53 -0800 (PST) Received: from [192.168.193.95] (diup-241-234.inter.net.il. [213.8.241.234]) by mx.google.com with ESMTPSA id a45sm84873354eem.6.2013.12.03.09.40.52 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 03 Dec 2013 09:40:53 -0800 (PST) Message-ID: <529E17A4.8090409@gmail.com> Date: Tue, 03 Dec 2013 19:40:52 +0200 From: Yaron Sheffer User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.1.1 MIME-Version: 1.0 To: ipsec References: <529DF852.7080706@gmail.com> <45734D87-7B8D-4739-B98C-408FC64BFAD8@vpnc.org> In-Reply-To: <45734D87-7B8D-4739-B98C-408FC64BFAD8@vpnc.org> Content-Type: text/plain; charset=iso-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: [IPsec] AD VPN: protocol selection X-BeenThere: ipsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Discussion of IPsec protocols List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Dec 2013 17:40:59 -0000 Dear IPsecME folks, There is clear working group interest in a standard auto-discovery VPN solution. We have agreed-upon requirements [1]. And we have 3 serious contenders [2] [3] [4] for the solution. It is time to select a protocol to adopt into the working group. We would like to ask people who are *not* authors on any of the solution drafts to send a short message to the list, saying which of the three they prefer, and a few reasons for their choice. Please do *not* send mail saying which of the protocols you do *not* like - this would be far less useful. And please do not think up a new solution proposal, it's too late for that. A quick process reminder: once we adopt a protocol, it becomes the starting point for the working group document. The WG can change the editor team and is free to make material changes to the protocol before it is published as RFC. Thanks, Paul and Yaron [1] http://tools.ietf.org/html/rfc7018 [2] http://tools.ietf.org/html/draft-mao-ipsecme-ad-vpn-protocol-02 [3] http://tools.ietf.org/html/draft-sathyanarayan-ipsecme-advpn-03 [4] http://tools.ietf.org/html/draft-detienne-dmvpn-00 From mcr@sandelman.ca Tue Dec 3 12:49:58 2013 Return-Path: X-Original-To: ipsec@ietfa.amsl.com Delivered-To: ipsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B67C21AD94A for ; Tue, 3 Dec 2013 12:49:58 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.902 X-Spam-Level: X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Cjz6ZRUYmDO6 for ; Tue, 3 Dec 2013 12:49:56 -0800 (PST) Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3::184]) by ietfa.amsl.com (Postfix) with ESMTP id BEB3D1ACCFF for ; Tue, 3 Dec 2013 12:49:56 -0800 (PST) Received: from sandelman.ca (desk.marajade.sandelman.ca [209.87.252.247]) by tuna.sandelman.ca (Postfix) with ESMTP id 072CB20051; Tue, 3 Dec 2013 17:03:09 -0500 (EST) Received: by sandelman.ca (Postfix, from userid 179) id 8C01263B87; Tue, 3 Dec 2013 15:49:49 -0500 (EST) Received: from sandelman.ca (localhost [127.0.0.1]) by sandelman.ca (Postfix) with ESMTP id 71AF763782; Tue, 3 Dec 2013 15:49:49 -0500 (EST) From: Michael Richardson To: Yaron Sheffer In-Reply-To: <529E17A4.8090409@gmail.com> References: <529DF852.7080706@gmail.com> <45734D87-7B8D-4739-B98C-408FC64BFAD8@vpnc.org> <529E17A4.8090409@gmail.com> X-Mailer: MH-E 8.2; nmh 1.3-dev; GNU Emacs 23.4.1 X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m Sender: mcr@sandelman.ca Cc: ipsec Subject: Re: [IPsec] AD VPN: protocol selection X-BeenThere: ipsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Discussion of IPsec protocols List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Dec 2013 20:49:58 -0000 --=-=-= Content-Transfer-Encoding: quoted-printable I prefer draft-sathyanarayan-ipsecme-advpn. =2D-=20 Michael Richardson , Sandelman Software Works=20 --=-=-= Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQCVAwUBUp5D6IqHRg3pndX9AQLhAAP/VJC5ziz2gZv0TQlU3O56IgAzoh9J6cW3 WjW2r4FHTE/vLe7UXETgHgq7ype7IrBS2lq4l74Il9LjwbCA5n7eQTuOiFN6uGVB zWGOHT/rh+UCLuh+x5UAM4TWEKMbGSB8KPqAiCw0Maz6OZyRcfJcvqyWoX268KC7 F77Sao19xIQ= =NBBd -----END PGP SIGNATURE----- --=-=-=-- From paul.hoffman@vpnc.org Tue Dec 3 12:53:51 2013 Return-Path: X-Original-To: ipsec@ietfa.amsl.com Delivered-To: ipsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A3C91ADF48 for ; Tue, 3 Dec 2013 12:53:51 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.347 X-Spam-Level: X-Spam-Status: No, score=-1.347 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_MISMATCH_COM=0.553] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IK4ASCz2XUod for ; Tue, 3 Dec 2013 12:53:50 -0800 (PST) Received: from hoffman.proper.com (IPv6.Hoffman.Proper.COM [IPv6:2605:8e00:100:41::81]) by ietfa.amsl.com (Postfix) with ESMTP id AC8801ACCFF for ; Tue, 3 Dec 2013 12:53:50 -0800 (PST) Received: from [165.227.249.247] (sn80.proper.com [75.101.18.80]) (authenticated bits=0) by hoffman.proper.com (8.14.7/8.14.7) with ESMTP id rB3KrkAC016186 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Tue, 3 Dec 2013 13:53:47 -0700 (MST) (envelope-from paul.hoffman@vpnc.org) X-Authentication-Warning: hoffman.proper.com: Host sn80.proper.com [75.101.18.80] claimed to be [165.227.249.247] Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 7.0 $1822$) From: Paul Hoffman In-Reply-To: <9100.1386103789@sandelman.ca> Date: Tue, 3 Dec 2013 12:53:45 -0800 Content-Transfer-Encoding: quoted-printable Message-Id: <57436FF1-ABCE-4E0D-AFD6-C27F5EEC5A73@vpnc.org> References: <529DF852.7080706@gmail.com> <45734D87-7B8D-4739-B98C-408FC64BFAD8@vpnc.org> <529E17A4.8090409@gmail.com> <9100.1386103789@sandelman.ca> To: Michael Richardson X-Mailer: Apple Mail (2.1822) Cc: ipsec Subject: Re: [IPsec] AD VPN: protocol selection X-BeenThere: ipsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Discussion of IPsec protocols List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Dec 2013 20:53:51 -0000 On Dec 3, 2013, at 12:49 PM, Michael Richardson = wrote: > I prefer draft-sathyanarayan-ipsecme-advpn. because.... ?= From mcr@sandelman.ca Tue Dec 3 14:11:50 2013 Return-Path: X-Original-To: ipsec@ietfa.amsl.com Delivered-To: ipsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 95FCE1ADF71 for ; Tue, 3 Dec 2013 14:11:50 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.902 X-Spam-Level: X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uBiiUpzU3JSU for ; Tue, 3 Dec 2013 14:11:48 -0800 (PST) Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3::184]) by ietfa.amsl.com (Postfix) with ESMTP id 53BEA1AE042 for ; Tue, 3 Dec 2013 14:11:48 -0800 (PST) Received: from sandelman.ca (desk.marajade.sandelman.ca [209.87.252.247]) by tuna.sandelman.ca (Postfix) with ESMTP id 08B5420030 for ; Tue, 3 Dec 2013 18:24:58 -0500 (EST) Received: by sandelman.ca (Postfix, from userid 179) id 523E063B87; Tue, 3 Dec 2013 17:11:37 -0500 (EST) Received: from sandelman.ca (localhost [127.0.0.1]) by sandelman.ca (Postfix) with ESMTP id 38AFF63782 for ; Tue, 3 Dec 2013 17:11:37 -0500 (EST) From: Michael Richardson To: ipsec In-Reply-To: <57436FF1-ABCE-4E0D-AFD6-C27F5EEC5A73@vpnc.org> References: <529DF852.7080706@gmail.com> <45734D87-7B8D-4739-B98C-408FC64BFAD8@vpnc.org> <529E17A4.8090409@gmail.com> <9100.1386103789@sandelman.ca> <57436FF1-ABCE-4E0D-AFD6-C27F5EEC5A73@vpnc.org> X-Mailer: MH-E 8.2; nmh 1.3-dev; GNU Emacs 23.4.1 X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m Sender: mcr@sandelman.ca Subject: Re: [IPsec] AD VPN: protocol selection X-BeenThere: ipsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Discussion of IPsec protocols List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Dec 2013 22:11:50 -0000 --=-=-= Content-Transfer-Encoding: quoted-printable I wrote: "I prefer draft-sathyanarayan-ipsecme-advpn." Paul asked: " because.... ?" Oh.=20 I thought that I wasn't supposed to say why I didn't like other proposals := -)=20 Okay...=20 I prefer it because: 1) it lives inside IKE. 2) it deals with the question of distribution of authentication tokens. 3) it requires no new kernel components, which means that it will run with *just* a modified IKE daemon on many mobile devices. Yes, you need root on Android and a jailbreak on iOS to run a modified IKE, but you don't need a new kernel, and all sorts of other host specific firmware blobs.=20=20 This means that while it might not be end-user-installable, if someone makes the patches, they can tested, and pushed easily into AOSP, and maybe Apple would accept them. 4) it is very specific about what "routing" protocol would be the MTI ("IKE"/RFC4301!) , rather than being "well, whatever you like" 5) it permits port-specific policies to be controlled by HQ. =2D-=20 ] Never tell me the odds! | ipv6 mesh network= s [=20 ] Michael Richardson, Sandelman Software Works | network architect= [=20 ] mcr@sandelman.ca http://www.sandelman.ca/ | ruby on rails = [=20 =09 =20=20 --=-=-= Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQCVAwUBUp5XFoqHRg3pndX9AQJsagP/ToIUyxrS8WEFmkci02Zo5WrurI9Nmbu0 VYBkEFLH0EPVb98w20tR3eeFnsCKRyH7WnSNMc/pzN2Kj7oSJxDLmT68kS9iwbkb HcQjrTAbXO6Vo+DNlYu0I8pk6KDAu2LlNiRJBIpfeRUde71tEbg+27RHY8iSDNUj uxzGtU9x8n4= =kSg1 -----END PGP SIGNATURE----- --=-=-=-- From yaronf.ietf@gmail.com Tue Dec 3 14:27:38 2013 Return-Path: X-Original-To: ipsec@ietfa.amsl.com Delivered-To: ipsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A7C01ADF79 for ; Tue, 3 Dec 2013 14:27:38 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2 X-Spam-Level: X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vHLzfJWY_pQD for ; Tue, 3 Dec 2013 14:27:36 -0800 (PST) Received: from mail-ee0-x235.google.com (mail-ee0-x235.google.com [IPv6:2a00:1450:4013:c00::235]) by ietfa.amsl.com (Postfix) with ESMTP id E9ABB1ADDA0 for ; Tue, 3 Dec 2013 14:27:35 -0800 (PST) Received: by mail-ee0-f53.google.com with SMTP id b57so1867564eek.26 for ; Tue, 03 Dec 2013 14:27:32 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject :content-type:content-transfer-encoding; bh=onsoO8lyO3PybWKvcN1293KsjZ63wZtJWnwUjtAjtpI=; b=Kp7T/ilsxoRo3snNS4jtVy3rQuKdwR4ViyGiaaZtKnwuLjNa02oLPqLP4ciPDhLZFP ihNVvqrq01S+8fFGxD/Hj3vd0R3qWw/ac1CZYhOvThilkoPai+kRWO+Q+kLMUqJdFBE+ ZQ0x1xECr/u/gZSIAjIYmoEhOCFY/8ZYAa9XbIMXRVx2YTMXIYS5zEOmgN57kVX7by7z +zN5/oivxvAfmaik1i3DP5bsbDnB1edDDvz/ZTGqpyHOgF6rWflzbjsaQwvGwuCJR+aP BYuAs9OYP4nW6teCdY8ZUxDoS8xY5Vvv4Jh+bv05bfnvTML+YUjY2K/rLwQRKrQSRe3W YP8Q== X-Received: by 10.15.26.6 with SMTP id m6mr3493973eeu.80.1386109652804; Tue, 03 Dec 2013 14:27:32 -0800 (PST) Received: from [10.0.0.2] ([109.65.142.155]) by mx.google.com with ESMTPSA id z42sm15187166eeo.17.2013.12.03.14.27.32 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 03 Dec 2013 14:27:32 -0800 (PST) Message-ID: <529E5AD3.6080204@gmail.com> Date: Wed, 04 Dec 2013 00:27:31 +0200 From: Yaron Sheffer User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.1.1 MIME-Version: 1.0 To: ipsec Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: [IPsec] Internet Standards questionnaires X-BeenThere: ipsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Discussion of IPsec protocols List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Dec 2013 22:27:38 -0000 To clarify (yet again): feel free to post your responses to any of these questionnaires to the list, or to send them privately to Sean. In any case the resulting implementation report will be published openly ( http://www.ietf.org/iesg/implementation-report.html), so you should not include anything confidential. Thanks, Yaron From paul.hoffman@vpnc.org Tue Dec 3 16:16:29 2013 Return-Path: X-Original-To: ipsec@ietfa.amsl.com Delivered-To: ipsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 20DD31ADF9A for ; Tue, 3 Dec 2013 16:16:29 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.347 X-Spam-Level: X-Spam-Status: No, score=-1.347 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_MISMATCH_COM=0.553] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UHDp2dqdCU8h for ; Tue, 3 Dec 2013 16:16:28 -0800 (PST) Received: from hoffman.proper.com (IPv6.Hoffman.Proper.COM [IPv6:2605:8e00:100:41::81]) by ietfa.amsl.com (Postfix) with ESMTP id 201441ADFA9 for ; Tue, 3 Dec 2013 16:16:28 -0800 (PST) Received: from [10.20.30.90] (50-0-66-41.dsl.dynamic.sonic.net [50.0.66.41]) (authenticated bits=0) by hoffman.proper.com (8.14.7/8.14.7) with ESMTP id rB40GN10021649 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO) for ; Tue, 3 Dec 2013 17:16:24 -0700 (MST) (envelope-from paul.hoffman@vpnc.org) X-Authentication-Warning: hoffman.proper.com: Host 50-0-66-41.dsl.dynamic.sonic.net [50.0.66.41] claimed to be [10.20.30.90] Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 7.0 $1822$) From: Paul Hoffman In-Reply-To: <25486.1386108697@sandelman.ca> Date: Tue, 3 Dec 2013 16:16:21 -0800 Content-Transfer-Encoding: quoted-printable Message-Id: References: <529DF852.7080706@gmail.com> <45734D87-7B8D-4739-B98C-408FC64BFAD8@vpnc.org> <529E17A4.8090409@gmail.com> <9100.1386103789@sandelman.ca> <57436FF1-ABCE-4E0D-AFD6-C27F5EEC5A73@vpnc.org> <25486.1386108697@sandelman.ca> To: ipsec X-Mailer: Apple Mail (2.1822) Subject: Re: [IPsec] AD VPN: protocol selection X-BeenThere: ipsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Discussion of IPsec protocols List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 04 Dec 2013 00:16:29 -0000 On Dec 3, 2013, at 2:11 PM, Michael Richardson = wrote: > I wrote: "I prefer draft-sathyanarayan-ipsecme-advpn." >=20 > Paul asked: " because.... ?" >=20 > Oh.=20 > I thought that I wasn't supposed to say why I didn't like other = proposals :-)=20 Correct. We want to hear what anyone (among the non-authors) *likes* = about particular proposals. > Okay...=20 >=20 > I prefer it because: > 1) it lives inside IKE. > 2) it deals with the question of distribution of authentication > tokens. > 3) it requires no new kernel components, which means that it will > run with *just* a modified IKE daemon on many mobile devices. > Yes, you need root on Android and a jailbreak on iOS to run a = modified > IKE, but you don't need a new kernel, and all sorts of other host > specific firmware blobs. =20 > This means that while it might not be end-user-installable, if = someone > makes the patches, they can tested, and pushed easily into AOSP, > and maybe Apple would accept them. >=20 > 4) it is very specific about what "routing" protocol would be the MTI > ("IKE"/RFC4301!) , rather than being "well, whatever you like" >=20 > 5) it permits port-specific policies to be controlled by HQ. Thats the kind of list we are looking for. "It has feature X which I = find useful / important." --Paul Hoffman= From andreas.steffen@strongswan.org Wed Dec 4 01:03:04 2013 Return-Path: X-Original-To: ipsec@ietfa.amsl.com Delivered-To: ipsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 780921ADFFF for ; Wed, 4 Dec 2013 01:03:04 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.589 X-Spam-Level: X-Spam-Status: No, score=-3.589 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_MISMATCH_ORG=0.611, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DzKsOucj_6so for ; Wed, 4 Dec 2013 01:03:03 -0800 (PST) Received: from strongswan.org (sitav-80024.hsr.ch [152.96.80.24]) by ietfa.amsl.com (Postfix) with ESMTP id AAD201ADFD6 for ; Wed, 4 Dec 2013 01:03:02 -0800 (PST) Received: from [152.96.15.95] by strongswan.org with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.77) (envelope-from ) id 1Vo8Jx-00026g-Kt; Wed, 04 Dec 2013 10:00:37 +0100 Message-ID: <529EEF03.9090204@strongswan.org> Date: Wed, 04 Dec 2013 09:59:47 +0100 From: Andreas Steffen User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.1.1 MIME-Version: 1.0 To: ipsec@ietf.org References: <529DF852.7080706@gmail.com> <45734D87-7B8D-4739-B98C-408FC64BFAD8@vpnc.org> <529E17A4.8090409@gmail.com> In-Reply-To: <529E17A4.8090409@gmail.com> Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary="------------ms020705020507090600030107" Subject: Re: [IPsec] AD VPN: protocol selection X-BeenThere: ipsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Discussion of IPsec protocols List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 04 Dec 2013 09:03:04 -0000 This is a cryptographically signed message in MIME format. --------------ms020705020507090600030107 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: quoted-printable Speaking for the strongSwan project, I'm favoring draft-sathyanarayan-ipsecme-advpn because - The concept is simple but powerful and well embedded into the current IKEv2 message exchange architecture. - No overlay of additional routing protocols is needed. - The proposed solution has a lot of similarity with our Double-NAT IKEv2 Mediation Extension [1] that we proposed a couple of years ago and which has been implemented by strongSwan. Thus the integration of the draft-sathyanarayan-ipsecme-advpn capabilities into our architecture should be rather easy. In the future it might even be possible to extend the SHORTCUT exchange to Double-NAT situations. - The draft is in a very advanced state with all protocol details neatly worked out. It's ready for implementation, so we might give it a try :-) Best regards Andreas [1] http://tools.ietf.org/html/draft-brunner-ikev2-mediation-00 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D Andreas Steffen andreas.steffen@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org Institute for Internet Technologies and Applications University of Applied Sciences Rapperswil CH-8640 Rapperswil (Switzerland) =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D[ITA-HSR]=3D=3D --------------ms020705020507090600030107 Content-Type: application/pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIMhDCC BjQwggQcoAMCAQICAR4wDQYJKoZIhvcNAQEFBQAwfTELMAkGA1UEBhMCSUwxFjAUBgNVBAoT DVN0YXJ0Q29tIEx0ZC4xKzApBgNVBAsTIlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNp Z25pbmcxKTAnBgNVBAMTIFN0YXJ0Q29tIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA3 MTAyNDIxMDE1NVoXDTE3MTAyNDIxMDE1NVowgYwxCzAJBgNVBAYTAklMMRYwFAYDVQQKEw1T dGFydENvbSBMdGQuMSswKQYDVQQLEyJTZWN1cmUgRGlnaXRhbCBDZXJ0aWZpY2F0ZSBTaWdu aW5nMTgwNgYDVQQDEy9TdGFydENvbSBDbGFzcyAxIFByaW1hcnkgSW50ZXJtZWRpYXRlIENs aWVudCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMcJg8zOLdgasSmkLhOr lr6KMoOMpohBllVHrdRvEg/q6r8jR+EK75xCGhR8ToREoqe7zM9/UnC6TS2y9UKTpT1v7RSM zR0t6ndl0TWBuUr/UXBhPk+Kmy7bI4yW4urC+y7P3/1/X7U8ocb8VpH/Clt+4iq7nirMcNh6 qJR+xjOhV+VHzQMALuGYn5KZmc1NbJQYclsGkDxDz2UbFqE2+6vIZoL+jb9x4Pa5gNf1TwSD kOkikZB1xtB4ZqtXThaABSONdfmv/Z1pua3FYxnCFmdr/+N2JLKutIxMYqQOJebr/f/h5t95 m4JgrM3Y/w7YX9d7YAL9jvN4SydHsU6n65cCAwEAAaOCAa0wggGpMA8GA1UdEwEB/wQFMAMB Af8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBRTcu2SnODaywFcfH6WNU7y1LhRgjAfBgNV HSMEGDAWgBROC+8apEBbpRdphzDKNGhD0EGu8jBmBggrBgEFBQcBAQRaMFgwJwYIKwYBBQUH MAGGG2h0dHA6Ly9vY3NwLnN0YXJ0c3NsLmNvbS9jYTAtBggrBgEFBQcwAoYhaHR0cDovL3d3 dy5zdGFydHNzbC5jb20vc2ZzY2EuY3J0MFsGA1UdHwRUMFIwJ6AloCOGIWh0dHA6Ly93d3cu c3RhcnRzc2wuY29tL3Nmc2NhLmNybDAnoCWgI4YhaHR0cDovL2NybC5zdGFydHNzbC5jb20v c2ZzY2EuY3JsMIGABgNVHSAEeTB3MHUGCysGAQQBgbU3AQIBMGYwLgYIKwYBBQUHAgEWImh0 dHA6Ly93d3cuc3RhcnRzc2wuY29tL3BvbGljeS5wZGYwNAYIKwYBBQUHAgEWKGh0dHA6Ly93 d3cuc3RhcnRzc2wuY29tL2ludGVybWVkaWF0ZS5wZGYwDQYJKoZIhvcNAQEFBQADggIBAAqD CH14qywGXLhjjF6uHLkjd02hcdh9hrw+VUsv+q1eeQWB21jWj3kJ96AUlPCoEGZ/ynJNScWy 6QMVQjbbMXltUfO4n4bGGdKo3awPWp61tjAFgraLJgDk+DsSvUD6EowjMTNx25GQgyYJ5RPI zKKR9tQW8gGK+2+RHxkUCTbYFnL6kl8Ch507rUdPPipJ9CgJFws3kDS3gOS5WFMxcjO5DwKf KSETEPrHh7p5shuuNktvsv6hxHTLhiMKX893gxdT3XLS9OKmCv87vkINQcNEcIIoFWbP9HOR z9v3vQwR4e3ksLc2JZOAFK+ssS5XMEoznzpihEP0PLc4dCBYjbvSD7kxgDwZ+Aj8Q9PkbvE9 sIPP7ON0fz095HdThKjiVJe6vofq+n6b1NBc8XdrQvBmunwxD5nvtTW4vtN6VY7mUCmxsCie uoBJ9OlqmsVWQvifIYf40dJPZkk9YgGTzWLpXDSfLSplbY2LL9C9U0ptvjcDjefLTvqSFc7t w1sEhF0n/qpA2r0GpvkLRDmcSwVyPvmjFBGqUp/pNy8ZuPGQmHwFi2/14+xeSUDG2bwnsYJQ G2EdJCB6luQ57GEnTA/yKZSTKI8dDQa8Sd3zfXb19mOgSF0bBdXbuKhEpuP9wirslFe6fQ1t 5j5R0xi72MZ8ikMu1RQZKCyDbMwazlHiMIIGSDCCBTCgAwIBAgIDB7KBMA0GCSqGSIb3DQEB CwUAMIGMMQswCQYDVQQGEwJJTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMi U2VjdXJlIERpZ2l0YWwgQ2VydGlmaWNhdGUgU2lnbmluZzE4MDYGA1UEAxMvU3RhcnRDb20g Q2xhc3MgMSBQcmltYXJ5IEludGVybWVkaWF0ZSBDbGllbnQgQ0EwHhcNMTMwOTI4MTIzNDU4 WhcNMTQwOTMwMDMxMjI2WjBYMScwJQYDVQQDDB5hbmRyZWFzLnN0ZWZmZW5Ac3Ryb25nc3dh bi5vcmcxLTArBgkqhkiG9w0BCQEWHmFuZHJlYXMuc3RlZmZlbkBzdHJvbmdzd2FuLm9yZzCC ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJtxLfnUeESAyEiRlISv6pmUjP1uEd/4 18V5rGVcJbAtzuJfHAlJeHyVaqI8aGjwLN2jHxmPVPJfFi0Z3t/bRAK4u7vnfysSJHTqyrYn 9af2sg59CHvVo9fPEbvX7S+8mi1B2hbWUAVhIO0cmqChBku17gmHdWx+t86gp2v4Ku9ztxC7 D/iNodhHRAofm3RWZSy7VI8W8kifDo2aH2PFG3fw5jFHPxzYNL1DR/ENA2VA1io0x5NA78Mx ZpR6Rgz1jsXp3EgSh+xkcNhY2ugDu1/lIxtvey6JD/BgWIHHh2DI/2gb+HFsDrgVo+A4yf3S u/qv6JHapij26OUCLEYkwdsCAwEAAaOCAuQwggLgMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgSw MB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDAdBgNVHQ4EFgQUp4bQ66T4CmiuI9i9 RewQZ8gFWdgwHwYDVR0jBBgwFoAUU3Ltkpzg2ssBXHx+ljVO8tS4UYIwKQYDVR0RBCIwIIEe YW5kcmVhcy5zdGVmZmVuQHN0cm9uZ3N3YW4ub3JnMIIBTAYDVR0gBIIBQzCCAT8wggE7Bgsr BgEEAYG1NwECAzCCASowLgYIKwYBBQUHAgEWImh0dHA6Ly93d3cuc3RhcnRzc2wuY29tL3Bv bGljeS5wZGYwgfcGCCsGAQUFBwICMIHqMCcWIFN0YXJ0Q29tIENlcnRpZmljYXRpb24gQXV0 aG9yaXR5MAMCAQEagb5UaGlzIGNlcnRpZmljYXRlIHdhcyBpc3N1ZWQgYWNjb3JkaW5nIHRv IHRoZSBDbGFzcyAxIFZhbGlkYXRpb24gcmVxdWlyZW1lbnRzIG9mIHRoZSBTdGFydENvbSBD QSBwb2xpY3ksIHJlbGlhbmNlIG9ubHkgZm9yIHRoZSBpbnRlbmRlZCBwdXJwb3NlIGluIGNv bXBsaWFuY2Ugb2YgdGhlIHJlbHlpbmcgcGFydHkgb2JsaWdhdGlvbnMuMDYGA1UdHwQvMC0w K6ApoCeGJWh0dHA6Ly9jcmwuc3RhcnRzc2wuY29tL2NydHUxLWNybC5jcmwwgY4GCCsGAQUF BwEBBIGBMH8wOQYIKwYBBQUHMAGGLWh0dHA6Ly9vY3NwLnN0YXJ0c3NsLmNvbS9zdWIvY2xh c3MxL2NsaWVudC9jYTBCBggrBgEFBQcwAoY2aHR0cDovL2FpYS5zdGFydHNzbC5jb20vY2Vy dHMvc3ViLmNsYXNzMS5jbGllbnQuY2EuY3J0MCMGA1UdEgQcMBqGGGh0dHA6Ly93d3cuc3Rh cnRzc2wuY29tLzANBgkqhkiG9w0BAQsFAAOCAQEAwrFtQfZk5tTb8e//+hSdJGU7Pfq8k6Ip gpzGWIHwy5h/OKJ9mX/4oXWXxIg5L1iyNX44AbnUBRIr7LxfWsKy1O+SxjlraxmeClKD83fJ bbqFg9f14TpF3KvjQULFvNlJf8mdfjO3JCYeswDw3GBjtWYl49zyqiYYG4ovZ+FcPz38cOUT 6VtAjzVe862tsq1mE86WuxMeEt5rDHSf2BorxN+VbG3R9+5ewcl4P6pxbWYjCooHfg4gcplI qMHaggRZvS9c1p85CT5BTIlcLwf1RZz6/TDgCarGqkQnGKovFSotb/6fafq49C5nAtXkyB9X FDQ7lYoldvA387ATO1FTgjGCA90wggPZAgEBMIGUMIGMMQswCQYDVQQGEwJJTDEWMBQGA1UE ChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0YWwgQ2VydGlmaWNhdGUg U2lnbmluZzE4MDYGA1UEAxMvU3RhcnRDb20gQ2xhc3MgMSBQcmltYXJ5IEludGVybWVkaWF0 ZSBDbGllbnQgQ0ECAweygTAJBgUrDgMCGgUAoIICHTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcN AQcBMBwGCSqGSIb3DQEJBTEPFw0xMzEyMDQwODU5NDdaMCMGCSqGSIb3DQEJBDEWBBRmPaPC sLjBwOJ+r4vs7b9mL1b1bjBsBgkqhkiG9w0BCQ8xXzBdMAsGCWCGSAFlAwQBKjALBglghkgB ZQMEAQIwCgYIKoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsO AwIHMA0GCCqGSIb3DQMCAgEoMIGlBgkrBgEEAYI3EAQxgZcwgZQwgYwxCzAJBgNVBAYTAklM MRYwFAYDVQQKEw1TdGFydENvbSBMdGQuMSswKQYDVQQLEyJTZWN1cmUgRGlnaXRhbCBDZXJ0 aWZpY2F0ZSBTaWduaW5nMTgwNgYDVQQDEy9TdGFydENvbSBDbGFzcyAxIFByaW1hcnkgSW50 ZXJtZWRpYXRlIENsaWVudCBDQQIDB7KBMIGnBgsqhkiG9w0BCRACCzGBl6CBlDCBjDELMAkG A1UEBhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0ZC4xKzApBgNVBAsTIlNlY3VyZSBEaWdp dGFsIENlcnRpZmljYXRlIFNpZ25pbmcxODA2BgNVBAMTL1N0YXJ0Q29tIENsYXNzIDEgUHJp bWFyeSBJbnRlcm1lZGlhdGUgQ2xpZW50IENBAgMHsoEwDQYJKoZIhvcNAQEBBQAEggEAmpuM VqKVmDOVv3rpIlK5QANelU4oYDP1bZM11emUYgrUqr2TqKag8GnDeQs7EXZxIl+GnYxZBDDa bnXUzChcWpc98ecoWHUwzuAkhv2TgRx7iH0YpkLB1TirvyLIcNy8s0kS0sreSW2oFzMttmny 8FQTV19RbsHF+RyjMxrLZkOl8xUJziSuyW1jZBQJjrTfpYHxJWStbpYookBv/KroX3alMLBZ yqVyIhrJ8r/ybO6/bsFdX+9ApfbTh5UX2gduHqfBg3gpjBUNwOTKiQXjR5/mXZ93X/sPgEY4 TfS7zHWmLcGhvQSRC5EwHWY8dUJfI6ZmognJHCOf5jTISvRFbwAAAAAAAA== --------------ms020705020507090600030107-- From TurnerS@ieca.com Wed Dec 4 03:41:31 2013 Return-Path: X-Original-To: ipsec@ietfa.amsl.com Delivered-To: ipsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B25781AE0D9 for ; Wed, 4 Dec 2013 03:41:31 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.567 X-Spam-Level: X-Spam-Status: No, score=-1.567 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IB2thR-pMay0 for ; Wed, 4 Dec 2013 03:41:29 -0800 (PST) Received: from gateway12.websitewelcome.com (gateway12.websitewelcome.com [67.18.88.9]) by ietfa.amsl.com (Postfix) with ESMTP id AC0631AE0F3 for ; Wed, 4 Dec 2013 03:41:29 -0800 (PST) Received: by gateway12.websitewelcome.com (Postfix, from userid 5007) id 9845ECC9104BF; Wed, 4 Dec 2013 05:41:26 -0600 (CST) Received: from gator3286.hostgator.com (gator3286.hostgator.com [198.57.247.250]) by gateway12.websitewelcome.com (Postfix) with ESMTP id 71EF5CC91046D for ; Wed, 4 Dec 2013 05:41:26 -0600 (CST) Received: from [198.180.150.142] (port=53624 helo=v142.vpn.iad.rg.net) by gator3286.hostgator.com with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.80) (envelope-from ) id 1VoApY-0006et-Hi for ipsec@ietf.org; Wed, 04 Dec 2013 05:41:25 -0600 From: Sean Turner Content-Type: multipart/signed; boundary="Apple-Mail=_A1A8D903-FA04-4F04-A3D5-4F1F97446461"; protocol="application/pkcs7-signature"; micalg=sha1 Message-Id: <2F864385-06F0-4D96-B84E-E5BE4854E3F2@ieca.com> Date: Wed, 4 Dec 2013 11:41:21 +0000 To: IPsecme WG Mime-Version: 1.0 (Mac OS X Mail 7.0 $1822$) X-Mailer: Apple Mail (2.1822) X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - gator3286.hostgator.com X-AntiAbuse: Original Domain - ietf.org X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12] X-AntiAbuse: Sender Address Domain - ieca.com X-BWhitelist: no X-Source-IP: 198.180.150.142 X-Source: X-Source-Args: X-Source-Dir: X-Source-Sender: (v142.vpn.iad.rg.net) [198.180.150.142]:53624 X-Source-Auth: sean.turner@ieca.com X-Email-Count: 1 X-Source-Cap: ZG9tbWdyNDg7ZG9tbWdyNDg7Z2F0b3IzMjg2Lmhvc3RnYXRvci5jb20= Subject: [IPsec] Progressing RFCs from PS to IS X-BeenThere: ipsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Discussion of IPsec protocols List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 04 Dec 2013 11:41:31 -0000 --Apple-Mail=_A1A8D903-FA04-4F04-A3D5-4F1F97446461 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=windows-1252 Probably best if I lay out the plan that=92s in my mind for progressing = RFCs 3948, 4301, 4303, and 5996 from PS (Proposed Standard) to IS = (Internet Standard). Steps: 1) A request gets sent to IESG to progress RFC(s) from PS to IS. I = think this ought to come from the authors to the WG and then from the WG = to the IESG. But, if the WG thinks it=92s a no-brainer then I=92m happy = to take it directly from the authors. 2) For #1 to not fall on its face, the four questions in RFC 6410 = (copied below) need to be answered: (1) There are at least two independent interoperating implementations with widespread deployment and successful operational experience. To answer this question, somebody (maybe me) needs to create an = interoperability report. The breadth and depth of the report is up to = us, as documented in RFC 5657 (please ignore that the title of that RFC = includes progression to DS (draft standard)). The interoperability = report is either the output of a bake-off or the distillation of a = questionnaire sent to implementers. I figured sending out a = questionnaire was easier than organizing a bake-off and getting the WG = to review the questions I also thought was important. The responses to = the questionnaire are turned in to the interoperability report and that = interoperability report is cited in the WG and IETF LCs and it=92s = posted to:=20 http://www.ietf.org/iesg/implementation-report.html Responses to the questionnaire can be sent to the list or to the person = sending out the questionnaire. Regardless the responses are going to = end up being documented in the interoperability report. I don=92t think = it makes sense to anonymize the responses included in the = interoperability report. I also don=92t think this interoperability = report needs to be exhaustive before we move on. We=92re looking 2-3 = implementations that can claim they interoperate and do some on a wide = scale. (2) There are no errata against the specification that would cause a new implementation to fail to interoperate with deployed ones. For this one we=92re generating new drafts that incorporate errata. Not = all errata has been included and that=92s why the drafts list what was = included and they will be last called to make sure that what got = included is agreed. But, for the RFCs that have errata we=92re = explicitly asking this question in the questionnaire. (3) There are no unused features in the specification that greatly increase implementation complexity. Again, there=92s a specific question in the questionnaire to get an = answer. (4) If the technology required to implement the specification requires patented or otherwise controlled technology, then the set of implementations must demonstrate at least two independent, separate and successful uses of the licensing process. There are IPR filings against RFC 3948 and 5996 so there needs to be = questions added to their questionnaires about this topic. How about: Have the IPR file against RFC XXXX hindered development or deployment? 3) If it=92s going through the WG, the WG LC should include the four = questions making sure the interop report is referenced and calling out = any downrefs. This report can be documented as an internet draft for = this purpose, but there=92s no need to progress it to RFC because it=92s = just published on the interoperability report page. 4) After the AD gets it, the AD will IETF LC the same questions making = sure to also refer to the interop report and include the downrefs. 5) The IESG will review it and we see what happens=85. Make sense? spt= --Apple-Mail=_A1A8D903-FA04-4F04-A3D5-4F1F97446461 Content-Disposition: attachment; filename=smime.p7s Content-Type: application/pkcs7-signature; name=smime.p7s Content-Transfer-Encoding: base64 MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIEgDCCBHww ggJkoAMCAQICCQCdWMxKNutUeTANBgkqhkiG9w0BAQsFADAiMQswCQYDVQQGEwJVUzETMBEGA1UE ChMKSUVDQSwgSW5jLjAeFw0xMzA0MDMxNDUxMThaFw0xNDA0MDMxNDUxMThaMDgxCzAJBgNVBAYT AlVTMRMwEQYDVQQKEwpJRUNBLCBJbmMuMRQwEgYDVQQDEwtTZWFuIFR1cm5lcjCCASIwDQYJKoZI hvcNAQEBBQADggEPADCCAQoCggEBAOpCGCRptT1m+bIpLTmbahZLZ0Qe4X99f8SgTQ7QISvUfpmn tfOD1oA1AttXlOULEERYubzvDnUTXvstFomQx0XTA67IaV+mw9ODRtG1hPN/erdKX6sU6rH4tsEb ba3Drr/I0HT3YVvD3SjWtGXjF12XLvTP6+LfMIIDTCAPiEd9KPG23D7skVu/4BvvmdLFI96OARhg wQ86M+lTIn83KRJlbbfAeIevbRx/rUB7D+uvMdWxOzR0KZJhd6dEeTXVwBXZG4rnQ4uFM+mRSiD4 rxDCyOuIuOzR07tnOyCRio6sRipOZvwQUWttdsgMEs6IxLdWsaTXcs1HjCsxrdedovMCAwEAAaOB njCBmzAOBgNVHQ8BAf8EBAMCBeAwHwYDVR0jBBgwFoAUAHRsSeXJUmFxTVY4q2HJ8uHl+w0wGwYD VR0RBBQwEoEQVHVybmVyU0BpZWNhLmNvbTAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8vd3d3Lmll Y2EuY29tL2NybHMvaWVjYS5jcmwwFwYDVR0gBBAwDjAMBgorBgEEAYHXAAAAMA0GCSqGSIb3DQEB CwUAA4ICAQAimDYm77ppTi4vK6qJSUhyvCDMGb8mngiEXEYKxsfdHPWoDO7+06j7dAZ8sDD9/FtE kiUMyoNGSUmKHR+tGperVnNiM/Zk6WwCJv8dYZwhGXNQeEGzeys/UkFv7CFX7uDSn8GQeB8sOAZ1 N1hxV/TvT8qXvcRxP5+aWTAGAq3TKtCQxZjuU74L3st2hZiOhJlhjhqz0K5FIwWzXUK9uwhZe1th GUpDbRustVgmKN2Xa0pzwqI1VUO0jnWt24A4u59xo6DJQXzQVMhCx0xhpemuT9BrsBDTX8eJdI1i Wv9wp3ivSrfHjKXp8y8OGD+usiG40HCjj0W9C+dH0VfbgrB6QOI4vA9+kTg4mANth1cxyxwPYOSJ v0zi1qR0eDIGI//2v2/s6TmGuNqbnRa26Ldv5gGqS7xj32Fiaby6UOXs4+aAIWGZEOH+BXjozcvE eGBwjU/VRQYu6itR28PaNhNVji4D5ITaGxWWiycqK1EUaFraWHtk7W100ROX69xTeFVZP86D2ymi /aohl5Vb1vlYHdqlbgqjDRl9dPbTxVCXEHf+jkexcuwlLTvr7F+5DIN6c/EbCpRqQx3edy193L48 OGyRDh1/Wmzpew0VWWAWOSXGl/P9VzXf3Z6GPt7flN/V9iEJAa3Mo+w+eIdzJkHBWR+yJcqQcCRM MSyishMwLDGCAjgwggI0AgEBMC8wIjELMAkGA1UEBhMCVVMxEzARBgNVBAoTCklFQ0EsIEluYy4C CQCdWMxKNutUeTAJBgUrDgMCGgUAoIHfMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZI hvcNAQkFMQ8XDTEzMTIwNDExNDEyMVowIwYJKoZIhvcNAQkEMRYEFDobHaM+QV7Sa7nZs6Z8NU95 0J5bMD4GCSsGAQQBgjcQBDExMC8wIjELMAkGA1UEBhMCVVMxEzARBgNVBAoTCklFQ0EsIEluYy4C CQCdWMxKNutUeTBABgsqhkiG9w0BCRACCzExoC8wIjELMAkGA1UEBhMCVVMxEzARBgNVBAoTCklF Q0EsIEluYy4CCQCdWMxKNutUeTANBgkqhkiG9w0BAQEFAASCAQC9AdDe3Veu2zwtSgE0AWcyOp5x +Xa+O7W9nPXkD6+cg1n+IfMwi+uuy8oEpr1hjaTfSX/7z2DfmM/mQtpZ1CtLo0NWYcZSTM6IFEhA BW8tFDHBqnA+z28leWHnL9xYKil/uE8rXfmDqQWwLDL3tvuuNCZNlmew3SJgzqXgCEUXlfrBUEqJ UWl73EpOf00Cw6omU7O8ZjrINR8N2jzmDqRlHzAqA7doM3NqukeV23Ru2RLWw/bAHTEgc1KKvgqB MPD5IVpkxySbkY9CarAc40PIMhJh7CXCHQw8RSwW9XCr1VK1GoGa9pu7fykElA7Pj2DARIYfDLQ2 Zi1OW1RflIgzAAAAAAAA --Apple-Mail=_A1A8D903-FA04-4F04-A3D5-4F1F97446461-- From Johannes.Merkle@secunet.com Thu Dec 5 05:04:46 2013 Return-Path: X-Original-To: ipsec@ietfa.amsl.com Delivered-To: ipsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 57D251ADFC4 for ; Thu, 5 Dec 2013 05:04:46 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.601 X-Spam-Level: X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ux0A2lrmmiUC for ; Thu, 5 Dec 2013 05:04:44 -0800 (PST) Received: from a.mx.secunet.com (a.mx.secunet.com [195.81.216.161]) by ietfa.amsl.com (Postfix) with ESMTP id 1E3B01ADFC0 for ; Thu, 5 Dec 2013 05:04:44 -0800 (PST) Received: from localhost (alg1 [127.0.0.1]) by a.mx.secunet.com (Postfix) with ESMTP id 4CABE1A0084; Thu, 5 Dec 2013 14:04:39 +0100 (CET) X-Virus-Scanned: by secunet Received: from a.mx.secunet.com ([127.0.0.1]) by localhost (a.mx.secunet.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 5bTbsFj33Iuk; Thu, 5 Dec 2013 14:04:38 +0100 (CET) Received: from mail-gw-int (unknown [10.53.40.207]) by a.mx.secunet.com (Postfix) with ESMTP id 33F711A006C; Thu, 5 Dec 2013 14:04:38 +0100 (CET) Received: from [10.53.40.200] (port=46211 helo=mail-srv1.secumail.de) by mail-gw-int with esmtp (Exim 4.80 #2 (Debian)) id 1VoYZU-0001wZ-1S; Thu, 05 Dec 2013 14:02:24 +0100 Received: from [10.208.1.57] ([10.208.1.57]) by mail-srv1.secumail.de with Microsoft SMTPSVC(6.0.3790.4675); Thu, 5 Dec 2013 14:04:38 +0100 Message-ID: <52A079E5.9060009@secunet.com> Date: Thu, 05 Dec 2013 14:04:37 +0100 From: Johannes Merkle User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Thunderbird/24.1.1 MIME-Version: 1.0 To: kivinen@iki.fi References: <21124.6276.800771.457943@fireball.kivinen.iki.fi> In-Reply-To: <21124.6276.800771.457943@fireball.kivinen.iki.fi> X-Enigmail-Version: 1.6 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-OriginalArrivalTime: 05 Dec 2013 13:04:38.0186 (UTC) FILETIME=[8D9498A0:01CEF1BA] Cc: ipsec@ietf.org Subject: Re: [IPsec] New drafts X-BeenThere: ipsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Discussion of IPsec protocols List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 05 Dec 2013 13:04:46 -0000 Tero Kivinen schrieb am 14.11.2013 01:25: > I also updated the signature authentication draft by adding the > section about the public key selection methods, and I also added the > binary objects for the commonly used signature ASN.1 objects. If > someone has any way to verify those (especially the RSASSA-PSS method > with parameters), that would be really good. > Tero, I just had a closer look at the IANA considerations section. Isn't the new auth method Digital Signature missing? -- Johannes From fdetienn@cisco.com Fri Dec 6 08:04:00 2013 Return-Path: X-Original-To: ipsec@ietfa.amsl.com Delivered-To: ipsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9415A1AE08A for ; Fri, 6 Dec 2013 08:04:00 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -14.502 X-Spam-Level: X-Spam-Status: No, score=-14.502 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qoqAvzgp2L67 for ; Fri, 6 Dec 2013 08:03:58 -0800 (PST) Received: from rcdn-iport-4.cisco.com (rcdn-iport-4.cisco.com [173.37.86.75]) by ietfa.amsl.com (Postfix) with ESMTP id 681221AE084 for ; Fri, 6 Dec 2013 08:03:58 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=1571; q=dns/txt; s=iport; t=1386345835; x=1387555435; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=EdJ69HHPjwcExOlrAPd2XpMDXjqwZ2CiyufOzciLqU0=; b=VqF/V8gHOElNp5AXU07Xr3yvZ619jjMhTXHj8YorRSCxhlK/VgUr0f1Z 6zdRA+lOzU2nlGYLOgtoefBHaP1Tq7QsWka4Mjl0nJ/ad5sjVA9ttmlvq A5+GAsD/XSmsxMIfz7aZJaQWEB+or0gFnOJ03tHxlZeipjVuY8kyzrUUZ U=; X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: AhQFADr0oVKtJXG8/2dsb2JhbABZgwc4U7kAgSIWdIIlAQEBAwEBAQE3NAsFCwIBCDYQIQYLJQIEDgUbh1UDCQYNuV0NhxoXjH2BQgEBHDMHgyCBEwOWKYFrgTCLKoU5gymBcTk X-IronPort-AV: E=Sophos;i="4.93,841,1378857600"; d="scan'208";a="289932398" Received: from rcdn-core2-1.cisco.com ([173.37.113.188]) by rcdn-iport-4.cisco.com with ESMTP; 06 Dec 2013 16:03:54 +0000 Received: from xhc-rcd-x03.cisco.com (xhc-rcd-x03.cisco.com [173.37.183.77]) by rcdn-core2-1.cisco.com (8.14.5/8.14.5) with ESMTP id rB6G3skN011987 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Fri, 6 Dec 2013 16:03:54 GMT Received: from xmb-aln-x06.cisco.com ([169.254.1.67]) by xhc-rcd-x03.cisco.com ([173.37.183.77]) with mapi id 14.03.0123.003; Fri, 6 Dec 2013 10:03:54 -0600 From: "Frederic Detienne (fdetienn)" To: Yaron Sheffer Thread-Topic: [IPsec] AD VPN: protocol selection Thread-Index: AQHO8E7a/jMzXRpyKEqstWVWro9PpJpHvXyA Date: Fri, 6 Dec 2013 16:03:53 +0000 Message-ID: <747BB1FB-0DBC-4AEE-AC0E-4CC46300139E@cisco.com> References: <529DF852.7080706@gmail.com> <45734D87-7B8D-4739-B98C-408FC64BFAD8@vpnc.org> <529E17A4.8090409@gmail.com> In-Reply-To: <529E17A4.8090409@gmail.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.82.214.155] Content-Type: text/plain; charset="us-ascii" Content-ID: <427681F9D343394E992B79B8BB2A6BE4@emea.cisco.com> Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Cc: ipsec Subject: Re: [IPsec] AD VPN: protocol selection X-BeenThere: ipsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Discussion of IPsec protocols List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 06 Dec 2013 16:04:00 -0000 Hi Yaron, Is this an official poll or is it "just to see" ? If this is serious, what = is the deadline ? thanks, fred On 03 Dec 2013, at 18:40, Yaron Sheffer wrote: > Dear IPsecME folks, >=20 > There is clear working group interest in a standard auto-discovery VPN so= lution. We have agreed-upon requirements [1]. And we have 3 serious contend= ers [2] [3] [4] for the solution. It is time to select a protocol to adopt = into the working group. >=20 > We would like to ask people who are *not* authors on any of the solution = drafts to send a short message to the list, saying which of the three they = prefer, and a few reasons for their choice. >=20 > Please do *not* send mail saying which of the protocols you do *not* like= - this would be far less useful. And please do not think up a new solution= proposal, it's too late for that. >=20 > A quick process reminder: once we adopt a protocol, it becomes the starti= ng point for the working group document. The WG can change the editor team = and is free to make material changes to the protocol before it is published= as RFC. >=20 > Thanks, > Paul and Yaron >=20 > [1] http://tools.ietf.org/html/rfc7018 > [2] http://tools.ietf.org/html/draft-mao-ipsecme-ad-vpn-protocol-02 > [3] http://tools.ietf.org/html/draft-sathyanarayan-ipsecme-advpn-03 > [4] http://tools.ietf.org/html/draft-detienne-dmvpn-00 > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec From fdetienn@cisco.com Fri Dec 6 08:07:15 2013 Return-Path: X-Original-To: ipsec@ietfa.amsl.com Delivered-To: ipsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F4391AE06F for ; Fri, 6 Dec 2013 08:07:15 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -14.502 X-Spam-Level: X-Spam-Status: No, score=-14.502 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BCx5ikpY6Y0U for ; Fri, 6 Dec 2013 08:07:13 -0800 (PST) Received: from rcdn-iport-9.cisco.com (rcdn-iport-9.cisco.com [173.37.86.80]) by ietfa.amsl.com (Postfix) with ESMTP id 0A4CD1AE054 for ; Fri, 6 Dec 2013 08:07:12 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=367; q=dns/txt; s=iport; t=1386346030; x=1387555630; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=OFZoSKLJ5I4UOlaKLlgB038NZRxOOdxSU6ix9b1dH2E=; b=N3C2/jhcWN8SmyxgsoFf5ejOyyqCnqAbdmnP51hgOlf3zCq6qIhrUcKS vKQILE5b+e6j6rjZ89K43Ig2/199ZzrYeusE1ak4RflHG91JG62Ttb3JM Fx0+SSukpQFvpd+L2SM1nCDdwEEN8HbZHzEZ2cYn2JmsN+6KB1+kiFFDA I=; X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: AhEFALX1oVKtJV2c/2dsb2JhbABZgweBC7kAgSIWdIImAQEEeRACAQhGMiUCBA4FiALBDxeOXTMHgyCBEwOJCo8KkhODKYIq X-IronPort-AV: E=Sophos;i="4.93,841,1378857600"; d="scan'208";a="286851876" Received: from rcdn-core-5.cisco.com ([173.37.93.156]) by rcdn-iport-9.cisco.com with ESMTP; 06 Dec 2013 16:07:08 +0000 Received: from xhc-rcd-x05.cisco.com (xhc-rcd-x05.cisco.com [173.37.183.79]) by rcdn-core-5.cisco.com (8.14.5/8.14.5) with ESMTP id rB6G78Tk015422 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Fri, 6 Dec 2013 16:07:08 GMT Received: from xmb-aln-x06.cisco.com ([169.254.1.67]) by xhc-rcd-x05.cisco.com ([173.37.183.79]) with mapi id 14.03.0123.003; Fri, 6 Dec 2013 10:07:07 -0600 From: "Frederic Detienne (fdetienn)" To: Andreas Steffen Thread-Topic: [IPsec] AD VPN: protocol selection Thread-Index: AQHO8E7a/jMzXRpyKEqstWVWro9PpJpEIlSAgAOcD4A= Date: Fri, 6 Dec 2013 16:07:07 +0000 Message-ID: <40E26A54-7ADF-4B8D-BDC6-9FA8C15D70D1@cisco.com> References: <529DF852.7080706@gmail.com> <45734D87-7B8D-4739-B98C-408FC64BFAD8@vpnc.org> <529E17A4.8090409@gmail.com> <529EEF03.9090204@strongswan.org> In-Reply-To: <529EEF03.9090204@strongswan.org> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.82.214.155] Content-Type: text/plain; charset="iso-8859-1" Content-ID: <86588FF5758A9749BEF4C8DC301F8AD0@emea.cisco.com> Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Cc: "" Subject: Re: [IPsec] AD VPN: protocol selection X-BeenThere: ipsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Discussion of IPsec protocols List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 06 Dec 2013 16:07:15 -0000 Hi Andreas, On 04 Dec 2013, at 09:59, Andreas Steffen = wrote: > ... > - No overlay of additional routing protocols is needed. please note that our proposal does not mandate a routing protocol. We also = support IKEv2 config exchange and treat the protected subnets as "routes" f= or the tunnel. Thanks! fred= From paul.hoffman@vpnc.org Fri Dec 6 08:42:51 2013 Return-Path: X-Original-To: ipsec@ietfa.amsl.com Delivered-To: ipsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC4D21AE342 for ; Fri, 6 Dec 2013 08:42:51 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.347 X-Spam-Level: X-Spam-Status: No, score=-1.347 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_MISMATCH_COM=0.553] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RBa4a66JSO5G for ; Fri, 6 Dec 2013 08:42:51 -0800 (PST) Received: from hoffman.proper.com (IPv6.Hoffman.Proper.COM [IPv6:2605:8e00:100:41::81]) by ietfa.amsl.com (Postfix) with ESMTP id 1005A1ADFFB for ; Fri, 6 Dec 2013 08:42:51 -0800 (PST) Received: from [10.20.30.90] (50-0-66-41.dsl.dynamic.sonic.net [50.0.66.41]) (authenticated bits=0) by hoffman.proper.com (8.14.7/8.14.7) with ESMTP id rB6GghZp072830 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Fri, 6 Dec 2013 09:42:45 -0700 (MST) (envelope-from paul.hoffman@vpnc.org) X-Authentication-Warning: hoffman.proper.com: Host 50-0-66-41.dsl.dynamic.sonic.net [50.0.66.41] claimed to be [10.20.30.90] Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 7.0 $1822$) From: Paul Hoffman In-Reply-To: <747BB1FB-0DBC-4AEE-AC0E-4CC46300139E@cisco.com> Date: Fri, 6 Dec 2013 08:42:44 -0800 Content-Transfer-Encoding: quoted-printable Message-Id: References: <529DF852.7080706@gmail.com> <45734D87-7B8D-4739-B98C-408FC64BFAD8@vpnc.org> <529E17A4.8090409@gmail.com> <747BB1FB-0DBC-4AEE-AC0E-4CC46300139E@cisco.com> To: "Frederic Detienne (fdetienn)" X-Mailer: Apple Mail (2.1822) Cc: ipsec Subject: Re: [IPsec] AD VPN: protocol selection X-BeenThere: ipsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Discussion of IPsec protocols List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 06 Dec 2013 16:42:52 -0000 On Dec 6, 2013, at 8:03 AM, Frederic Detienne (fdetienn) = wrote: > Is this an official poll or is it "just to see" ? Both. That is, it is official in that the WG chairs asked for it, = because we wanted "just to see". It is a poll, not a vote. > If this is serious, what is the deadline ? When we have enough input to get a sense of the WG. Given the meager = response so far, we're not at all there yet. --Paul Hoffman= From paul.hoffman@vpnc.org Fri Dec 6 08:45:24 2013 Return-Path: X-Original-To: ipsec@ietfa.amsl.com Delivered-To: ipsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D877A1AE33D for ; Fri, 6 Dec 2013 08:45:24 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.347 X-Spam-Level: X-Spam-Status: No, score=-1.347 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_MISMATCH_COM=0.553] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q8mzo6Q3w8Hn for ; Fri, 6 Dec 2013 08:45:24 -0800 (PST) Received: from hoffman.proper.com (IPv6.Hoffman.Proper.COM [IPv6:2605:8e00:100:41::81]) by ietfa.amsl.com (Postfix) with ESMTP id 144DF1AE091 for ; Fri, 6 Dec 2013 08:45:24 -0800 (PST) Received: from [10.20.30.90] (50-0-66-41.dsl.dynamic.sonic.net [50.0.66.41]) (authenticated bits=0) by hoffman.proper.com (8.14.7/8.14.7) with ESMTP id rB6GjIwL072919 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO) for ; Fri, 6 Dec 2013 09:45:20 -0700 (MST) (envelope-from paul.hoffman@vpnc.org) X-Authentication-Warning: hoffman.proper.com: Host 50-0-66-41.dsl.dynamic.sonic.net [50.0.66.41] claimed to be [10.20.30.90] Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 7.0 $1822$) From: Paul Hoffman In-Reply-To: <40E26A54-7ADF-4B8D-BDC6-9FA8C15D70D1@cisco.com> Date: Fri, 6 Dec 2013 08:45:18 -0800 Content-Transfer-Encoding: quoted-printable Message-Id: References: <529DF852.7080706@gmail.com> <45734D87-7B8D-4739-B98C-408FC64BFAD8@vpnc.org> <529E17A4.8090409@gmail.com> <529EEF03.9090204@strongswan.org> <40E26A54-7ADF-4B8D-BDC6-9FA8C15D70D1@cisco.com> To: "" X-Mailer: Apple Mail (2.1822) Subject: Re: [IPsec] AD VPN: protocol selection X-BeenThere: ipsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Discussion of IPsec protocols List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 06 Dec 2013 16:45:25 -0000 On Dec 6, 2013, at 8:07 AM, Frederic Detienne (fdetienn) = wrote: > please note that our proposal does not mandate a routing protocol. We = also support IKEv2 config exchange and treat the protected subnets as = "routes" for the tunnel. And yet Yaron and I specifically asked: On Dec 3, 2013, at 9:40 AM, Yaron Sheffer wrote: > We would like to ask people who are *not* authors on any of the = solution drafts to send a short message to the list, saying which of the = three they prefer, and a few reasons for their choice. Seriously, authors: please refrain. The WG has heard enough pitches from = you for your proposals and, if not, you are free to update your drafts = to make them clearer. This poll is to hear from the other people in the = WG. --Paul Hoffman= From paul@cypherpunks.ca Fri Dec 6 10:05:53 2013 Return-Path: X-Original-To: ipsec@ietfa.amsl.com Delivered-To: ipsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 540441AE0EB for ; Fri, 6 Dec 2013 10:05:53 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.9 X-Spam-Level: X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qaq1x_biGmjO for ; Fri, 6 Dec 2013 10:05:49 -0800 (PST) Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) by ietfa.amsl.com (Postfix) with ESMTP id 656FD1AE114 for ; Fri, 6 Dec 2013 10:05:49 -0800 (PST) Received: by bofh.nohats.ca (Postfix, from userid 500) id C300E80A0C; Fri, 6 Dec 2013 13:05:44 -0500 (EST) Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id B5A1A80A0B; Fri, 6 Dec 2013 13:05:44 -0500 (EST) Date: Fri, 6 Dec 2013 13:05:44 -0500 (EST) From: Paul Wouters X-X-Sender: paul@bofh.nohats.ca To: Yaron Sheffer In-Reply-To: <529E17A4.8090409@gmail.com> Message-ID: References: <529DF852.7080706@gmail.com> <45734D87-7B8D-4739-B98C-408FC64BFAD8@vpnc.org> <529E17A4.8090409@gmail.com> User-Agent: Alpine 2.10 (LFD 1266 2009-07-14) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII Cc: ipsec Subject: Re: [IPsec] AD VPN: protocol selection X-BeenThere: ipsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Discussion of IPsec protocols List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 06 Dec 2013 18:05:53 -0000 On Tue, 3 Dec 2013, Yaron Sheffer wrote: > There is clear working group interest in a standard auto-discovery VPN > solution. > We have agreed-upon requirements [1]. I was unfortunately not really active during the requirements phase. While I believe there is a need for auto-discovery without preconfiguration, I do not think the current ideas of merging site-to-site based VPNs using ADVPN proposals really increases security. It seems a compromise for convenience at the expense of the intended security of IPsec, and a continued trend from strict policy range based VPNs to loose routing based VPNs, reducing IPsec to a virtual private untrusted ethernet cable. I think draft-sathyanarayan-ipsecme-advpn-03 comes closest to removing any kind of routing decisions from the IKE/IPsec protocols, leaving the IPsec subsystem as a consumer of the routing decisions made elsewhere. Paul From mcr@sandelman.ca Fri Dec 6 10:41:46 2013 Return-Path: X-Original-To: ipsec@ietfa.amsl.com Delivered-To: ipsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D5F661ADF22 for ; Fri, 6 Dec 2013 10:41:46 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.892 X-Spam-Level: X-Spam-Status: No, score=-1.892 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, T_MIME_NO_TEXT=0.01] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AtyEv7CJXNiV for ; Fri, 6 Dec 2013 10:41:44 -0800 (PST) Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3::184]) by ietfa.amsl.com (Postfix) with ESMTP id 7CC351A1F6F for ; Fri, 6 Dec 2013 10:41:44 -0800 (PST) Received: from sandelman.ca (desk.marajade.sandelman.ca [209.87.252.247]) by tuna.sandelman.ca (Postfix) with ESMTP id 27C9A20050; Fri, 6 Dec 2013 14:55:05 -0500 (EST) Received: by sandelman.ca (Postfix, from userid 179) id E239D63B89; Fri, 6 Dec 2013 13:41:33 -0500 (EST) Received: from sandelman.ca (localhost [127.0.0.1]) by sandelman.ca (Postfix) with ESMTP id D199463B88; Fri, 6 Dec 2013 13:41:33 -0500 (EST) From: Michael Richardson To: "\" X-Mailer: MH-E 8.2; nmh 1.3-dev; GNU Emacs 23.4.1 X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m Sender: mcr@sandelman.ca Cc: "Frederic Detienne $fdetienn$" Subject: [IPsec] routing protocols for ADVPN X-BeenThere: ipsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Discussion of IPsec protocols List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 06 Dec 2013 18:41:47 -0000 --=-=-= Content-Transfer-Encoding: quoted-printable (thread broken intentionally) Frederic Detienne (fdetienn) wrote: >> ... >> - No overlay of additional routing protocols is needed. > please note that our proposal does not mandate a routing protocol. We > also support IKEv2 config exchange and treat the protected subnets as > "routes" for the tunnel.=20 I have no idea how to implement what you described. This is the problem: we have asked questions, and we keep getting "oh, yes, we can do that", but no actual explanation. I'd rather that you had mandated OSPFv2/3 or someso that I could evaluate t= he entire solution. =2D-=20 ] Never tell me the odds! | ipv6 mesh network= s [=20 ] Michael Richardson, Sandelman Software Works | network architect= [=20 ] mcr@sandelman.ca http://www.sandelman.ca/ | ruby on rails = [=20 =09 --=-=-= Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQCVAwUBUqIaXYqHRg3pndX9AQJmyAP/T2Vel3EgaOh4a1SFFrh71qTxOxNUs9lT S1MeRQIVEKb+C90qnpPosdNN0pA1KX3Zw5jj+yjbhrbicwIQ+FoJZ4/YN2RpGmH9 MBei6DydNbeDmyGc8PuyFoQdySu4kReGNZKWr83ETloHbQQelytVWkiLFY2QGPi3 R2SMfjFSlp0= =I4IL -----END PGP SIGNATURE----- --=-=-=-- From saumoh@gmail.com Fri Dec 6 13:01:49 2013 Return-Path: X-Original-To: ipsec@ietfa.amsl.com Delivered-To: ipsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E938A1AE0FD for ; Fri, 6 Dec 2013 13:01:49 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.999 X-Spam-Level: X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QjG7OLXALJV0 for ; Fri, 6 Dec 2013 13:01:47 -0800 (PST) Received: from mail-qe0-x231.google.com (mail-qe0-x231.google.com [IPv6:2607:f8b0:400d:c02::231]) by ietfa.amsl.com (Postfix) with ESMTP id 845041AE0E9 for ; Fri, 6 Dec 2013 13:01:47 -0800 (PST) Received: by mail-qe0-f49.google.com with SMTP id w7so945021qeb.8 for ; Fri, 06 Dec 2013 13:01:43 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=U25GubsQiYNmXKINfNRo18Cw0mluaRjuycst0Rh5m6g=; b=jeWlPFbLrzNZOCGNEL9POKXdX3jK2S8VXaBmSaGuwHeZIcoB7cFrOQ6glob5fK/NJZ OCSv8/a+OUOt3fKirwqI8Xb+37aASuygNOSfou/D1o6y0D3ntK5gwv9RAwlwmiD7lDt7 13epawNN9wfoYtRW3FMJpHe8Aaskq1JsVnHiZPnrknzKCnvMkUj+U2zpyTXVls9nKRAx uV26zuYZVM8MsX7/w0JVVPTbCRdG/Jn0c5XZpoe5d4oCXgH5yxrawXhohXE7OOUdUA6p YQLgxejHAA45x0sWNTdQu3h61YcBVhcvxba0bPmTDqjsOS9+aj2jBydnaWNGhTLm3ji0 C23w== MIME-Version: 1.0 X-Received: by 10.224.51.7 with SMTP id b7mr10330453qag.74.1386363703497; Fri, 06 Dec 2013 13:01:43 -0800 (PST) Received: by 10.140.50.240 with HTTP; Fri, 6 Dec 2013 13:01:43 -0800 (PST) In-Reply-To: <529E17A4.8090409@gmail.com> References: <529DF852.7080706@gmail.com> <45734D87-7B8D-4739-B98C-408FC64BFAD8@vpnc.org> <529E17A4.8090409@gmail.com> Date: Fri, 6 Dec 2013 13:01:43 -0800 Message-ID: From: Saurabh M To: Yaron Sheffer Content-Type: multipart/alternative; boundary=047d7beb9dce13b67b04ece3f491 Cc: ipsec , saurabh.mohan@brocade.com Subject: Re: [IPsec] AD VPN: protocol selection X-BeenThere: ipsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Discussion of IPsec protocols List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 06 Dec 2013 21:01:50 -0000 --047d7beb9dce13b67b04ece3f491 Content-Type: text/plain; charset=ISO-8859-1 Hi, We'd prefer dmvpn( http://tools.ietf.org/html/draft-detienne-dmvpn-00) to become the wg document. The main reason for our recommendation are: - It is what customers are asking for. - We actually prefer that there are 2 separate protocols that co-operate to build the complete solution as it gives us the flexibility for each one to exist without mandating the other. - It was fairly easy to build a solution using open-nhrp and strongswan. Thanks -Saurabh Mohan. On Tue, Dec 3, 2013 at 9:40 AM, Yaron Sheffer wrote: > Dear IPsecME folks, > > There is clear working group interest in a standard auto-discovery VPN > solution. We have agreed-upon requirements [1]. And we have 3 serious > contenders [2] [3] [4] for the solution. It is time to select a protocol to > adopt into the working group. > > We would like to ask people who are *not* authors on any of the solution > drafts to send a short message to the list, saying which of the three they > prefer, and a few reasons for their choice. > > Please do *not* send mail saying which of the protocols you do *not* like > - this would be far less useful. And please do not think up a new solution > proposal, it's too late for that. > > A quick process reminder: once we adopt a protocol, it becomes the > starting point for the working group document. The WG can change the editor > team and is free to make material changes to the protocol before it is > published as RFC. > > Thanks, > Paul and Yaron > > [1] http://tools.ietf.org/html/rfc7018 > [2] http://tools.ietf.org/html/draft-mao-ipsecme-ad-vpn-protocol-02 > [3] http://tools.ietf.org/html/draft-sathyanarayan-ipsecme-advpn-03 > [4] http://tools.ietf.org/html/draft-detienne-dmvpn-00 > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec > --047d7beb9dce13b67b04ece3f491 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable

Hi,=20

We'd prefer dmvpn(=A0http://tools.ietf.org/html/draft-detienne-dmvpn-00)=A0to = become the wg document.

=A0

The main reason for our recommendation are:

- It is what customers are asking for.

- We actually prefer that there are 2 separate protocol= s that co-operate to build the complete solution as it gives us the flexibi= lity for each one to exist without mandating the other.

- It was fairly easy to build a solution using open-nhrp and = strongswan.=A0=A0

=A0

Thanks

-Saurabh Mohan.

On Tue, Dec 3, 2013 at 9:40 AM, Yaron Sheffer <yaronf.ietf@gmail.com> wrote:

Dear IPsecME folks,

There is c= lear working group interest in a standard auto-discovery VPN solution. We h= ave agreed-upon requirements [1]. And we have 3 serious contenders [2] [3] = [4] for the solution. It is time to select a protocol to adopt into the wor= king group.

We would like to ask people who are *not* authors on any of the solutio= n drafts to send a short message to the list, saying which of the three the= y prefer, and a few reasons for their choice.

Please do *not* send m= ail saying which of the protocols you do *not* like - this would be far les= s useful. And please do not think up a new solution proposal, it's too = late for that.

A quick process reminder: once we adopt a protocol, it becomes the star= ting point for the working group document. The WG can change the editor tea= m and is free to make material changes to the protocol before it is publish= ed as RFC.

Thanks,
=A0 =A0 =A0 =A0 Paul and Yaron

[1] http://tools.ietf.org/html/<= u>rfc7018
[2] http://tools.ietf.org/html/<= /u>draft-mao-ipsecme-ad-vpn-protocol-02
[3] http://tools.ietf.org/html/draft-sathyanaraya= n-ipsecme-advpn-03
[4] http://tools.ietf.org/html/draft-detienne-dmvpn-00
_______________________________________________
IPsec mailing lis= t
IPsec@ietf.org=
https://www.ietf.org/mailman/listinfo/ipsec

--047d7beb9dce13b67b04ece3f491-- From synp71@live.com Fri Dec 6 13:25:47 2013 Return-Path: X-Original-To: ipsec@ietfa.amsl.com Delivered-To: ipsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4956E1AE0FD for ; Fri, 6 Dec 2013 13:25:47 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.649 X-Spam-Level: X-Spam-Status: No, score=-1.649 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, MSGID_FROM_MTA_HEADER=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AemsvavL6wIS for ; Fri, 6 Dec 2013 13:25:45 -0800 (PST) Received: from blu0-omc2-s7.blu0.hotmail.com (blu0-omc2-s7.blu0.hotmail.com [65.55.111.82]) by ietfa.amsl.com (Postfix) with ESMTP id 7A0E31AE09C for ; Fri, 6 Dec 2013 13:25:45 -0800 (PST) Received: from BLU0-SMTP74 ([65.55.111.72]) by blu0-omc2-s7.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675); Fri, 6 Dec 2013 13:25:41 -0800 X-TMN: [HPpve5vdZmBidElPvXb/pl2hYQgi1n0O] X-Originating-Email: [synp71@live.com] Message-ID: Received: from ynir-MBA.local ([84.109.50.18]) by BLU0-SMTP74.phx.gbl over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675); Fri, 6 Dec 2013 13:25:40 -0800 Date: Fri, 6 Dec 2013 23:25:42 +0200 From: Yoav Nir User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Thunderbird/24.1.1 MIME-Version: 1.0 To: Paul Wouters References: <529DF852.7080706@gmail.com> <45734D87-7B8D-4739-B98C-408FC64BFAD8@vpnc.org> <529E17A4.8090409@gmail.com> In-Reply-To: Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary="------------ms020007060806050104000708" X-OriginalArrivalTime: 06 Dec 2013 21:25:40.0387 (UTC) FILETIME=[B6762F30:01CEF2C9] Cc: ipsec Subject: [IPsec] ADVPN vs opportunistic VPN X-BeenThere: ipsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Discussion of IPsec protocols List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 06 Dec 2013 21:25:47 -0000 --------------ms020007060806050104000708 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: quoted-printable [Changing the subject to avoid poisoning the protocol selection thread=20 with my author-ness] On 6/12/13 8:05 PM, Paul Wouters wrote: > We have agreed-upon requirements [1]. > > I was unfortunately not really active during the requirements phase. > > While I believe there is a need for auto-discovery without > preconfiguration, I do not think the current ideas of merging=20 > site-to-site > based VPNs using ADVPN proposals really increases security.=20 They're not supposed to. They are supposed to increase efficiency and=20 reliability. The problem we're trying to solve is that the way the=20 standards and products work today, tunnels are configured one at a time. = It's so labor-intensive, that administrators minimize the number of=20 tunnels be defining hub-and-spoke topologies for any VPN that is large=20 enough. There is another problem that stems from the same state of standards and = products - that IPsec is hardly ever used between administrative=20 domains. Solving that would be great, and opportunistic encryption might = be a start. Something with RPKI certificates could make it even better.=20 But that is not the focus of this effort. > It seems > a compromise for convenience at the expense of the intended security > of IPsec, and a continued trend from strict policy range based VPNs to > loose routing based VPNs, reducing IPsec to a virtual private untrusted= > ethernet cable. I don't disagree, but defining the tunnels one at a time sounds more=20 like SNA than TCP/IP. Yoav --------------ms020007060806050104000708 Content-Type: application/pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIO4zCC BJ0wggOFoAMCAQICEDQ96SusJzT/j8s0lPvMcFQwDQYJKoZIhvcNAQEFBQAwbzELMAkGA1UE BhMCU0UxFDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9vdDAeFw0w NTA2MDcwODA5MTBaFw0yMDA1MzAxMDQ4MzhaMIGuMQswCQYDVQQGEwJVUzELMAkGA1UECBMC VVQxFzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5l dHdvcmsxITAfBgNVBAsTGGh0dHA6Ly93d3cudXNlcnRydXN0LmNvbTE2MDQGA1UEAxMtVVRO LVVTRVJGaXJzdC1DbGllbnQgQXV0aGVudGljYXRpb24gYW5kIEVtYWlsMIIBIjANBgkqhkiG 9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsjmFpPJ9q0E7YkY3rs3BYHW8OWX5ShpHornMSMxqmNVN NRm5pELlzkniii8efNIxB8dOtINknS4p1aJkxIW9hVE1eaROaJB7HHqkkqgX8pgV8pPMyaQy lbsMTzC9mKALi+VuG6JG+ni8om+rWV6lL8/K2m2qL+usobNqqrcuZzWLeeEeaYji5kbNoKXq vgvOdjp6Dpvq/NonWz1zHyLmSGHGTPNpsaguG7bUMSAsvIKKjqQOpdeJQ/wWWq8dcdcRWdq6 hw2v+vPhwvCkxWeM1tZUOt4KpLoDd7NlyP0e03RiqhjKaJMeoYV+9Udly/hNVyh00jT/MLbu 9mIwFIws6wIDAQABo4H0MIHxMB8GA1UdIwQYMBaAFK29mHo0tCb3+sQmVO8DveAky1QaMB0G A1UdDgQWBBSJgmd9xJ0mcABLtFBIfN49rgRufTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/ BAUwAwEB/zARBgNVHSAECjAIMAYGBFUdIAAwRAYDVR0fBD0wOzA5oDegNYYzaHR0cDovL2Ny bC51c2VydHJ1c3QuY29tL0FkZFRydXN0RXh0ZXJuYWxDQVJvb3QuY3JsMDUGCCsGAQUFBwEB BCkwJzAlBggrBgEFBQcwAYYZaHR0cDovL29jc3AudXNlcnRydXN0LmNvbTANBgkqhkiG9w0B AQUFAAOCAQEAAbyc42MosPMxAcLfe91ioAGdIzEPnJJzU1HqH0z61p/Eyi9nfngzD3QWuZGH kfWKJvpkcADYHvkLBGJQh5OB1Nr1I9s0u4VWtHA0bniDNx6FHMURFZJfhxe9rGr98cLRzIlf sXzwPlHyNfN87GCYazor4O/fs32G67Ub9VvsonyYE9cAULnRLXPeA3h04QWFMV7LmrmdlMa5 lDd1ctxE+2fo8PolHlKn2iXpR+CgxzygTrEKNvt3SJ/vl4r7tP7jlBSog7xcLT/SYHFg7sJx ggzpiDbj2iC0o6BsqpZLuICOdcpJB/Y7FLrf3AXZn9vgsuZNoHgm5+ctbn9fxh6IFTCCBRow ggQCoAMCAQICEG0Z6qcZT2ozIuYiMnqqcd4wDQYJKoZIhvcNAQEFBQAwga4xCzAJBgNVBAYT AlVTMQswCQYDVQQIEwJVVDEXMBUGA1UEBxMOU2FsdCBMYWtlIENpdHkxHjAcBgNVBAoTFVRo ZSBVU0VSVFJVU1QgTmV0d29yazEhMB8GA1UECxMYaHR0cDovL3d3dy51c2VydHJ1c3QuY29t MTYwNAYDVQQDEy1VVE4tVVNFUkZpcnN0LUNsaWVudCBBdXRoZW50aWNhdGlvbiBhbmQgRW1h aWwwHhcNMTEwNDI4MDAwMDAwWhcNMjAwNTMwMTA0ODM4WjCBkzELMAkGA1UEBhMCR0IxGzAZ BgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMR Q09NT0RPIENBIExpbWl0ZWQxOTA3BgNVBAMTMENPTU9ETyBDbGllbnQgQXV0aGVudGljYXRp b24gYW5kIFNlY3VyZSBFbWFpbCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB AJKEhFtLV5jUXi+LpOFAyKNTWF9mZfEyTvefMn1V0HhMVbdClOD5J3EHxcZppLkyxPFAGpDM J1Zifxe1cWmu5SAb5MtjXmDKokH2auGj/7jfH0htZUOMKi4rYzh337EXrMLaggLW1DJq1Gdv IBOPXDX65VSAr9hxCh03CgJQU2yVHakQFLSZlVkSMf8JotJM3FLb3uJAAVtIaN3FSrTg7SQf Oq9xXwfjrL8UO7AlcWg99A/WF1hGFYE8aIuLgw9teiFX5jSw2zJ+40rhpVJyZCaRTqWSD//g sWD9Gm9oUZljjRqLpcxCm5t9ImPTqaD8zp6Q30QZ9FxbNboW86eb/8ECAwEAAaOCAUswggFH MB8GA1UdIwQYMBaAFImCZ33EnSZwAEu0UEh83j2uBG59MB0GA1UdDgQWBBR6E04AdFvGeGNk J8Ev4qBbvHnFezAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADARBgNVHSAE CjAIMAYGBFUdIAAwWAYDVR0fBFEwTzBNoEugSYZHaHR0cDovL2NybC51c2VydHJ1c3QuY29t L1VUTi1VU0VSRmlyc3QtQ2xpZW50QXV0aGVudGljYXRpb25hbmRFbWFpbC5jcmwwdAYIKwYB BQUHAQEEaDBmMD0GCCsGAQUFBzAChjFodHRwOi8vY3J0LnVzZXJ0cnVzdC5jb20vVVROQWRk VHJ1c3RDbGllbnRfQ0EuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC51c2VydHJ1c3Qu Y29tMA0GCSqGSIb3DQEBBQUAA4IBAQCF1r54V1VtM39EUv5C1QaoAQOAivsNsv1Kv/avQUn1 G1rF0q0bc24+6SZ85kyYwTAo38v7QjyhJT4KddbQPTmGZtGhm7VNm2+vKGwdr+XqdFqo2rHA 8XV6L566k3nK/uKRHlZ0sviN0+BDchvtj/1gOSBH+4uvOmVIPJg9pSW/ve9g4EnlFsjrP0OD 8ODuDcHTzTNfm9C9YGqzO/761Mk6PB/tm/+bSTO+Qik5g+4zaS6CnUVNqGnagBsePdIaXXxH maWbCG0SmYbWXVcHG6cwvktJRLiQfsrReTjrtDP6oDpdJlieYVUYtCHVmdXgQ0BCML7qpeeU 0rD+83X5f27nMIIFIDCCBAigAwIBAgIRAJLy3rLPGBD9qh6TW+ZG9DowDQYJKoZIhvcNAQEF BQAwgZMxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNV BAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTkwNwYDVQQDEzBDT01P RE8gQ2xpZW50IEF1dGhlbnRpY2F0aW9uIGFuZCBTZWN1cmUgRW1haWwgQ0EwHhcNMTMxMTE3 MDAwMDAwWhcNMTQxMTE3MjM1OTU5WjAgMR4wHAYJKoZIhvcNAQkBFg9zeW5wNzFAbGl2ZS5j b20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCow0TXP0M95fIMY0Fsd3xpZj55 m1mkkKhUWLjVtQcd57MyVmBZNQkAmxp9PrzqdHw5eIIBn1EI9foIoynEnUSZzv6pIEXAqdYu xBH0AdvjoPCzWb9uYrqBtbmxnLh9k9ox1pVJG4hit6WEpK+LZ7uvLj5GUWMdmzghC/+fVEZS W8U62xlhd8Hq8ded9bfqjM4psDgqUubjcCkMIUnkD9yuXhzfzwF0wwtD66vXrUe8T4/m6XHO iIqvvVMjzYyKrdLE7zuPyDcDjkxLCCdi2j4c44anq8Pj/yEh5JGU0XSKSfwm2m0UDHj7P/6u B74JwiAyMtqWzdQBHVOphHKDI0ZTAgMBAAGjggHfMIIB2zAfBgNVHSMEGDAWgBR6E04AdFvG eGNkJ8Ev4qBbvHnFezAdBgNVHQ4EFgQUq+f5Y55gheJJpWtJDEPf6j2uzhQwDgYDVR0PAQH/ BAQDAgWgMAwGA1UdEwEB/wQCMAAwIAYDVR0lBBkwFwYIKwYBBQUHAwQGCysGAQQBsjEBAwUC MBEGCWCGSAGG+EIBAQQEAwIFIDBGBgNVHSAEPzA9MDsGDCsGAQQBsjEBAgEBATArMCkGCCsG AQUFBwIBFh1odHRwczovL3NlY3VyZS5jb21vZG8ubmV0L0NQUzBXBgNVHR8EUDBOMEygSqBI hkZodHRwOi8vY3JsLmNvbW9kb2NhLmNvbS9DT01PRE9DbGllbnRBdXRoZW50aWNhdGlvbmFu ZFNlY3VyZUVtYWlsQ0EuY3JsMIGIBggrBgEFBQcBAQR8MHowUgYIKwYBBQUHMAKGRmh0dHA6 Ly9jcnQuY29tb2RvY2EuY29tL0NPTU9ET0NsaWVudEF1dGhlbnRpY2F0aW9uYW5kU2VjdXJl RW1haWxDQS5jcnQwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmNvbW9kb2NhLmNvbTAaBgNV HREEEzARgQ9zeW5wNzFAbGl2ZS5jb20wDQYJKoZIhvcNAQEFBQADggEBACRvTZSZMhI7HrJr jTpnm5FZXyYwJYVhhc643/94hv8pxAQzIY6vH+BlVwmG4Z0Dt6vWYwaUUYdGmvlH0bti8aql JPe4fUgTxbDlTldhOYfISl3ky9+4CEPg4QvX6tOGIusOrvaIszGUIdvKHzvYM4ZapdTxyFCt oe1RXq/17ifvIklgmuh+QcB1xNBmE3lBNj+Vy8xLvsAQlqf9ZAIcBNL2yQGCaBcr6XoR24/D oCNCTAOCR/J2nN/okuGsEF+kvxP/BCPBnDph9coFLNOEwR4ZataT6H4vq0fwGxm5SROTDYis SUTKc+YYKY2RllEwOxX1NZUSmISuGKrGhr2aCaUxggQcMIIEGAIBATCBqTCBkzELMAkGA1UE BhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEa MBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxOTA3BgNVBAMTMENPTU9ETyBDbGllbnQgQXV0 aGVudGljYXRpb24gYW5kIFNlY3VyZSBFbWFpbCBDQQIRAJLy3rLPGBD9qh6TW+ZG9DowCQYF Kw4DAhoFAKCCAkcwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN MTMxMjA2MjEyNTQyWjAjBgkqhkiG9w0BCQQxFgQUiEAqT/abBwGj2pO0GxCHVhN2rpswbAYJ KoZIhvcNAQkPMV8wXTALBglghkgBZQMEASowCwYJYIZIAWUDBAECMAoGCCqGSIb3DQMHMA4G CCqGSIb3DQMCAgIAgDANBggqhkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDCB ugYJKwYBBAGCNxAEMYGsMIGpMIGTMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBN YW5jaGVzdGVyMRAwDgYDVQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01PRE8gQ0EgTGltaXRl ZDE5MDcGA1UEAxMwQ09NT0RPIENsaWVudCBBdXRoZW50aWNhdGlvbiBhbmQgU2VjdXJlIEVt YWlsIENBAhEAkvLess8YEP2qHpNb5kb0OjCBvAYLKoZIhvcNAQkQAgsxgayggakwgZMxCzAJ BgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZv cmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTkwNwYDVQQDEzBDT01PRE8gQ2xpZW50 IEF1dGhlbnRpY2F0aW9uIGFuZCBTZWN1cmUgRW1haWwgQ0ECEQCS8t6yzxgQ/aoek1vmRvQ6 MA0GCSqGSIb3DQEBAQUABIIBACNmCKyoUXX6b/3brxy55MxQUkE14i7MIjviWKziVaC3DSgv 6mowad5SX1babwQY2v5PQuohbIVQk60Lf6rGG8SEcVdk3bKPQ5ecX7Gal02oUeV1geJzzvkx IMGSmPl3UdEPihneRbj0feTxjxwxyT4yPhMbfkwYgBtvLhpiItpLzed7LsXIG3m30sapuwEC zkqcAnECq2xKy48R87bXjsWAAXclx6HU9mEgqlWhcDREQ6n2K2zlUdwYH1apyDyfDjsqj6jt 5ssCkgFiYtDT3QW5mXbL1WIuwSscrSJI7rbS3BQ9r+2GAtCeNFW0cfztOANJ1mOJHRwJt11p HlyTq9gAAAAAAAA= --------------ms020007060806050104000708-- From fdetienn@cisco.com Fri Dec 6 13:29:26 2013 Return-Path: X-Original-To: ipsec@ietfa.amsl.com Delivered-To: ipsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 643B61AE105 for ; Fri, 6 Dec 2013 13:29:26 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -9.502 X-Spam-Level: X-Spam-Status: No, score=-9.502 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BmjrzMsAoMA9 for ; Fri, 6 Dec 2013 13:29:23 -0800 (PST) Received: from alln-iport-6.cisco.com (alln-iport-6.cisco.com [173.37.142.93]) by ietfa.amsl.com (Postfix) with ESMTP id 8C7D61AE09C for ; Fri, 6 Dec 2013 13:29:23 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=2691; q=dns/txt; s=iport; t=1386365359; x=1387574959; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=SKo2ebocNPsZGXXL0LpzJn/3BA85JKBYwWCP2mGB0Ao=; b=JYHy+nZJvwAHKCtwyMUMPuyJnZNf82e2bTDzewmRk5XwWOxduJRax7GP epVUVV0v1umAMEAzJmacfA4MqtUom+nnu/q39ZK9yIkO6fFNtT6MzdiXm JZHcIHC6Fo0LWxmgXzzsrhb9Jc8kunB4fXBgJgfUB3Pg+qfktNpMI2gxE k=; X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: AgMFAPhAolKtJXG//2dsb2JhbABZgwc4U7kIgSMWdIIlAQEBBCdSEAIBCBguMiUCBA4FG4dnwGkXji4RAR0zB4MggRMDmBSSE4MpgXE5 X-IronPort-AV: E=Sophos;i="4.93,842,1378857600"; d="scan'208";a="4946086" Received: from rcdn-core2-4.cisco.com ([173.37.113.191]) by alln-iport-6.cisco.com with ESMTP; 06 Dec 2013 21:29:19 +0000 Received: from xhc-aln-x02.cisco.com (xhc-aln-x02.cisco.com [173.36.12.76]) by rcdn-core2-4.cisco.com (8.14.5/8.14.5) with ESMTP id rB6LTJew009365 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Fri, 6 Dec 2013 21:29:19 GMT Received: from xmb-aln-x06.cisco.com ([169.254.1.67]) by xhc-aln-x02.cisco.com ([173.36.12.76]) with mapi id 14.03.0123.003; Fri, 6 Dec 2013 15:29:18 -0600 From: "Frederic Detienne (fdetienn)"