From owner-ietf-ipsra@mail.vpnc.org  Sun Apr  1 20:48:35 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id UAA06665
	for <ipsra-archive@odin.ietf.org>; Sun, 1 Apr 2001 20:48:35 -0400 (EDT)
Received: (from majordomo@localhost)
	by above.proper.com (8.9.3/8.9.3) id QAA05389
	for ietf-ipsra-bks; Sun, 1 Apr 2001 16:46:07 -0700 (PDT)
Received: from [165.227.249.20] (ip20.proper.com [165.227.249.20])
	by above.proper.com (8.9.3/8.9.3) with ESMTP id QAA05385
	for <ietf-ipsra@vpnc.org>; Sun, 1 Apr 2001 16:46:06 -0700 (PDT)
Mime-Version: 1.0
X-Sender: phoffvpnc@mail.vpnc.org
Message-Id: <p051008b9b6ed6db70635@[165.227.249.20]>
Date: Sun, 1 Apr 2001 16:46:06 -0700
To: ietf-ipsra@vpnc.org
From: Paul Hoffman / VPNC <paul.hoffman@vpnc.org>
Subject: Preliminary minutes for the IPSRA WG meeting
Content-Type: text/plain; charset="us-ascii"
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>

Greetings again. Here are the preliminary minutes for the IPSRA meeting
in Minneapolis. If you have any corrections to what was said or who was
saying it, please send them to me in the next few days so I can turn
the minutes (and Scott's presentation) into the IETF for the
proceedings.

Sara and I expect to start the straw poll later this week or early next
week once we get the wording down.




Preliminary IPSRA minutes
50th IETF, Minneapolis

Cochairs: Sara Bitan and Paul Hoffman
Sara led the meeting; Paul took the minutes.

WG general status
	Low traffic on mailing list
	New requirements draft came out in January
		There were no comments
	DHCP draft is waiting for IETF last call
Remote user authentication
	PIC is using EAP
	GetCert will change to use EAP
March Straw Poll
	Few votes: 7 for GetCert, 6 for PIC
	Is anyone interested???
Proposal
	Advance requirements draft to Informational
	Advance DHCP draft to Standards Track
	Abandon PIC or GetCert due to low interest
		and inability to pick between them
Current status of remote user authentication
	XAUTH, mode-cfg well-deployed, with some interoperability
	Both of these have serious security considerations
	This will probably not be fixed by son-of-IKE
	"Group shared secret", other problems
Alternatives for moving forwards
	Flip a coin and work on one
	Move the problem to IPsec WG, try to work in son-of-IKE
		But that will not be allowed
	Change IPSRA charter to allow changing IKE
		But that will not be allowed
	Leave things as they are, and get no protocol

Comments from the WG
Bernard Aboba
	Why it's not working:
	We don't have the right group of people
		We're not cert people
	Possibly move the work to PKIX
Marcus Leech
	We only need one solution to succeed
	Previously, vendors with proprietary VPN moved to IPsec
		Therefore we will probably see reticent vendors go with
			whatever IPSRA picks
	It will be a failure if we don't pick one and make it a standard
Steve Bellovin
	He is not attached to GetCert
	Wanted to show that remote access authorization without
		changing IKE could be done
	If it goes to PKIX, we have to hold their feet to the fire to
		actually do the work
Bill Sommerfeld
	He would rather flip the coin than not do either
	Also thinks the numbers of votes are high enough to indicate
		interest
Cheryl Madson
	Too many things (the ones that need IKE changes) were thrown
		off the table
	Interop happens even without standards (hinting at XAUTH)
Dan Harkins
	The WG was doomed from the start because of the charter
	Political problems cause current lack of solution
Eric Flieshman (apologies if I spelled this wrong!)
	Customers want GetCert or PIC, not "no solution"
Magnus Nystrom
	Maybe reuse the work being done in the SACRED WG
Steve Bellovin: SACRED does not have our legacy auth constraints

Sara and Paul and Marcus put their heads together and mumbled
There will be a new straw poll with different questions on the
	WG list in the near future

Bob Moskowitz on expected revisions to GetCert
	Will go from SCEP to CMP
	Will add EAP
	Do we go with CMP or CMC?
	Will still have ASN.1 coding
	Nice feature: GetCert box can act like RA
Sara Bitan on PIC
	Currently uses EAP on a transport that looks like IKE

Scott Kelly on requirements
	Listed the changes from -02 to -03
	Much more on L2TP/IPsec
	IPSRA WG has lost focus, we should be emphasizing secure 
		aspect of access, not just remote access
	IPSRA WG has pushed the L2TP folks away
	Is the current L2TP/IPsec sufficient for us?
	Main security issues
		Transit selectors are opaque to IPsec
		Complexities of L2TP-IPsec interactions
		User auth is not done until Phase 2: biggest problem
	Our primary interest should be security: just try to
		secure the pipe
	Should allow lower security if the customer understands it

Bernard Aboba
	Using passwords to get a cert lowers security of certs
	Need to be clearer about the security issues

General feeling
	L2TP is not needed, but should not be shunned

Meeting adjourned


From owner-ietf-ipsra@mail.vpnc.org  Mon Apr  2 21:43:43 2001
Received: from above.proper.com ([208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id VAA06928
	for <ipsra-archive@odin.ietf.org>; Mon, 2 Apr 2001 21:43:43 -0400 (EDT)
Received: by above.proper.com (8.9.3/8.9.3) id SAA01511
	for ietf-ipsra-bks; Mon, 2 Apr 2001 18:08:24 -0700 (PDT)
Received: from [165.227.249.20] (ip20.proper.com [165.227.249.20])
	by above.proper.com (8.9.3/8.9.3) with ESMTP id SAA01506;
	Mon, 2 Apr 2001 18:08:22 -0700 (PDT)
Mime-Version: 1.0
X-Sender: phoffvpnc@mail.vpnc.org
Message-Id: <p0510081eb6eed25ea172@[165.227.249.20]>
In-Reply-To: <006001c0bbd8$1d41b770$1e72788a@andrewk3.ca.newbridge.com>
References: <006001c0bbd8$1d41b770$1e72788a@andrewk3.ca.newbridge.com>
Date: Mon, 2 Apr 2001 18:08:21 -0700
To: <andrew.krywaniuk@alcatel.com>, <ietf-ipsra@vpnc.org>
From: Paul Hoffman / VPNC <paul.hoffman@vpnc.org>
Subject: RE: Preliminary minutes for the IPSRA WG meeting
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>

At 5:55 PM -0400 4/2/01, Andrew Krywaniuk wrote:
>One thing I didn't understand was the result of the straw poll: Get Cert 7,
>PIC 6.
>
>When I look at the results of the poll in the archive (starting with
>http://www.vpnc.org/ietf-ipsra/mail-archive/msg00939.html), I only see: Get
>Cert 4, PIC 3.
>
>Were some of the votes cast offline or assumed? (e.g. that the authors of
>the draft would vote for their own proposal)

They were cast offline, to Sara. Some folks don't want to be 
associated with particular proposals. Unfortunately, the number of 
people who felt that way was the same as the number who stated their 
preferences publicly.

--Paul Hoffman, Director
--VPN Consortium


From owner-ietf-ipsra@mail.vpnc.org  Mon Apr  2 21:44:26 2001
Received: from above.proper.com ([208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id VAA06940
	for <ipsra-archive@odin.ietf.org>; Mon, 2 Apr 2001 21:44:25 -0400 (EDT)
Received: (from majordomo@localhost)
	by above.proper.com (8.9.3/8.9.3) id RAA01141
	for ietf-ipsra-bks; Mon, 2 Apr 2001 17:56:01 -0700 (PDT)
Received: from ns02.newbridge.com (ns02.newbridge.com [192.75.23.75])
	by above.proper.com (8.9.3/8.9.3) with SMTP id RAA01137
	for <ietf-ipsra@vpnc.org>; Mon, 2 Apr 2001 17:55:59 -0700 (PDT)
Received: (qmail 4299 invoked from network); 3 Apr 2001 00:54:20 -0000
Received: from portal1.newbridge.com (HELO kanata-mh1.ca.newbridge.com) (192.75.23.76)
  by ns02.newbridge.com with SMTP; 3 Apr 2001 00:54:20 -0000
Received: from kanmail02.ca.newbridge.com by kanata-mh1.ca.newbridge.com with ESMTP for ietf-ipsra@vpnc.org; Mon, 2 Apr 2001 20:54:51 -0400
Received: from andrewk3 ([138.120.114.30]) by kanmail02.ca.newbridge.com
          (Netscape Messaging Server 3.6)  with ESMTP id AAA37D7
          for <ietf-ipsra@vpnc.org>; Mon, 2 Apr 2001 20:54:50 -0400
Reply-To: <andrew.krywaniuk@alcatel.com>
From: "Andrew Krywaniuk" <andrew.krywaniuk@alcatel.com>
To: <ietf-ipsra@vpnc.org>
Subject: RE: Preliminary minutes for the IPSRA WG meeting
Date: Mon, 2 Apr 2001 17:55:07 -0400
Message-Id: <006001c0bbd8$1d41b770$1e72788a@andrewk3.ca.newbridge.com>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4
In-reply-to: <p051008b9b6ed6db70635@[165.227.249.20]>
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>
Content-Transfer-Encoding: 7bit

One thing I didn't understand was the result of the straw poll: Get Cert 7,
PIC 6.

When I look at the results of the poll in the archive (starting with
http://www.vpnc.org/ietf-ipsra/mail-archive/msg00939.html), I only see: Get
Cert 4, PIC 3.

Were some of the votes cast offline or assumed? (e.g. that the authors of
the draft would vote for their own proposal)

Andrew
-------------------------------------------
Upon closer inspection, I saw that the line
dividing black from white was in fact a shade
of grey. As I drew nearer still, the grey area
grew larger. And then I was enlightened.


> -----Original Message-----
> From: owner-ietf-ipsra@mail.vpnc.org
> [mailto:owner-ietf-ipsra@mail.vpnc.org]On Behalf Of Paul
> Hoffman / VPNC
> Sent: Sunday, April 01, 2001 7:46 PM
> To: ietf-ipsra@vpnc.org
> Subject: Preliminary minutes for the IPSRA WG meeting
>
>
> Greetings again. Here are the preliminary minutes for the
> IPSRA meeting
> in Minneapolis. If you have any corrections to what was said
> or who was
> saying it, please send them to me in the next few days so I can turn
> the minutes (and Scott's presentation) into the IETF for the
> proceedings.
>
> Sara and I expect to start the straw poll later this week or
> early next
> week once we get the wording down.
>
>
>
>
> Preliminary IPSRA minutes
> 50th IETF, Minneapolis
>
> Cochairs: Sara Bitan and Paul Hoffman
> Sara led the meeting; Paul took the minutes.
>
> WG general status
> 	Low traffic on mailing list
> 	New requirements draft came out in January
> 		There were no comments
> 	DHCP draft is waiting for IETF last call
> Remote user authentication
> 	PIC is using EAP
> 	GetCert will change to use EAP
> March Straw Poll
> 	Few votes: 7 for GetCert, 6 for PIC
> 	Is anyone interested???
> Proposal
> 	Advance requirements draft to Informational
> 	Advance DHCP draft to Standards Track
> 	Abandon PIC or GetCert due to low interest
> 		and inability to pick between them
> Current status of remote user authentication
> 	XAUTH, mode-cfg well-deployed, with some interoperability
> 	Both of these have serious security considerations
> 	This will probably not be fixed by son-of-IKE
> 	"Group shared secret", other problems
> Alternatives for moving forwards
> 	Flip a coin and work on one
> 	Move the problem to IPsec WG, try to work in son-of-IKE
> 		But that will not be allowed
> 	Change IPSRA charter to allow changing IKE
> 		But that will not be allowed
> 	Leave things as they are, and get no protocol
>
> Comments from the WG
> Bernard Aboba
> 	Why it's not working:
> 	We don't have the right group of people
> 		We're not cert people
> 	Possibly move the work to PKIX
> Marcus Leech
> 	We only need one solution to succeed
> 	Previously, vendors with proprietary VPN moved to IPsec
> 		Therefore we will probably see reticent vendors go with
> 			whatever IPSRA picks
> 	It will be a failure if we don't pick one and make it a standard
> Steve Bellovin
> 	He is not attached to GetCert
> 	Wanted to show that remote access authorization without
> 		changing IKE could be done
> 	If it goes to PKIX, we have to hold their feet to the fire to
> 		actually do the work
> Bill Sommerfeld
> 	He would rather flip the coin than not do either
> 	Also thinks the numbers of votes are high enough to indicate
> 		interest
> Cheryl Madson
> 	Too many things (the ones that need IKE changes) were thrown
> 		off the table
> 	Interop happens even without standards (hinting at XAUTH)
> Dan Harkins
> 	The WG was doomed from the start because of the charter
> 	Political problems cause current lack of solution
> Eric Flieshman (apologies if I spelled this wrong!)
> 	Customers want GetCert or PIC, not "no solution"
> Magnus Nystrom
> 	Maybe reuse the work being done in the SACRED WG
> Steve Bellovin: SACRED does not have our legacy auth constraints
>
> Sara and Paul and Marcus put their heads together and mumbled
> There will be a new straw poll with different questions on the
> 	WG list in the near future
>
> Bob Moskowitz on expected revisions to GetCert
> 	Will go from SCEP to CMP
> 	Will add EAP
> 	Do we go with CMP or CMC?
> 	Will still have ASN.1 coding
> 	Nice feature: GetCert box can act like RA
> Sara Bitan on PIC
> 	Currently uses EAP on a transport that looks like IKE
>
> Scott Kelly on requirements
> 	Listed the changes from -02 to -03
> 	Much more on L2TP/IPsec
> 	IPSRA WG has lost focus, we should be emphasizing secure
> 		aspect of access, not just remote access
> 	IPSRA WG has pushed the L2TP folks away
> 	Is the current L2TP/IPsec sufficient for us?
> 	Main security issues
> 		Transit selectors are opaque to IPsec
> 		Complexities of L2TP-IPsec interactions
> 		User auth is not done until Phase 2: biggest problem
> 	Our primary interest should be security: just try to
> 		secure the pipe
> 	Should allow lower security if the customer understands it
>
> Bernard Aboba
> 	Using passwords to get a cert lowers security of certs
> 	Need to be clearer about the security issues
>
> General feeling
> 	L2TP is not needed, but should not be shunned
>
> Meeting adjourned
>



From owner-ietf-ipsra@mail.vpnc.org  Mon Apr  2 21:59:33 2001
Received: from above.proper.com ([208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id VAA07082
	for <ipsra-archive@odin.ietf.org>; Mon, 2 Apr 2001 21:59:32 -0400 (EDT)
Received: by above.proper.com (8.9.3/8.9.3) id SAA01744
	for ietf-ipsra-bks; Mon, 2 Apr 2001 18:21:00 -0700 (PDT)
Received: from mail-blue.research.att.com (mail-blue.research.att.com [135.207.30.102])
	by above.proper.com (8.9.3/8.9.3) with ESMTP id SAA01740
	for <ietf-ipsra@vpnc.org>; Mon, 2 Apr 2001 18:20:58 -0700 (PDT)
Received: from postal.research.att.com (postal.research.att.com [135.207.23.30])
	by mail-blue.research.att.com (Postfix) with ESMTP
	id 4F5DB4CE21; Mon,  2 Apr 2001 21:21:02 -0400 (EDT)
Received: from berkshire.research.att.com (postal.research.att.com [135.207.23.30])
	by postal.research.att.com (8.8.7/8.8.7) with ESMTP id VAA06203;
	Mon, 2 Apr 2001 21:21:01 -0400 (EDT)
Received: from berkshire.research.att.com (localhost.research.att.com [127.0.0.1])
	by berkshire.research.att.com (Postfix) with ESMTP
	id 6C78835C42; Mon,  2 Apr 2001 21:20:59 -0400 (EDT)
X-Mailer: exmh version 2.2 06/23/2000 with version: MH 6.8.3 #1[UCI]
From: "Steven M. Bellovin" <smb@research.att.com>
To: andrew.krywaniuk@alcatel.com
Cc: ietf-ipsra@vpnc.org
Subject: Re: Preliminary minutes for the IPSRA WG meeting 
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 02 Apr 2001 21:20:55 -0400
Message-Id: <20010403012059.6C78835C42@berkshire.research.att.com>
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>

In message <006001c0bbd8$1d41b770$1e72788a@andrewk3.ca.newbridge.com>, "Andrew 
Krywaniuk" writes:
>(e.g. that the authors of
>the draft would vote for their own proposal)
>
As noted in the minutes, I don't have strong opinions on the subject.

>> Steve Bellovin
>> 	He is not attached to GetCert
>> 	Wanted to show that remote access authorization without
>> 		changing IKE could be done

In fact, that's what I said when I did the first presentation on 
getcert.

		--Steve Bellovin, http://www.research.att.com/~smb




From owner-ietf-ipsra@mail.vpnc.org  Tue Apr  3 01:58:38 2001
Received: from above.proper.com ([208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id BAA16868
	for <ipsra-archive@odin.ietf.org>; Tue, 3 Apr 2001 01:58:37 -0400 (EDT)
Received: by above.proper.com (8.9.3/8.9.3) id WAA07285
	for ietf-ipsra-bks; Mon, 2 Apr 2001 22:18:04 -0700 (PDT)
Received: from ns02.newbridge.com (ns02.newbridge.com [192.75.23.75])
	by above.proper.com (8.9.3/8.9.3) with SMTP id WAA07280
	for <ietf-ipsra@vpnc.org>; Mon, 2 Apr 2001 22:18:02 -0700 (PDT)
Received: (qmail 25244 invoked from network); 3 Apr 2001 05:16:23 -0000
Received: from portal1.newbridge.com (HELO kanata-mh1.ca.newbridge.com) (192.75.23.76)
  by ns02.newbridge.com with SMTP; 3 Apr 2001 05:16:23 -0000
Received: from kanmail02.ca.newbridge.com by kanata-mh1.ca.newbridge.com with ESMTP for ietf-ipsra@vpnc.org; Tue, 3 Apr 2001 01:17:34 -0400
Received: from andrewk3 ([138.120.114.30]) by kanmail02.ca.newbridge.com
          (Netscape Messaging Server 3.6)  with ESMTP id AAA1DB5;
          Tue, 3 Apr 2001 01:17:33 -0400
Reply-To: <andrew.krywaniuk@alcatel.com>
From: "Andrew Krywaniuk" <andrew.krywaniuk@alcatel.com>
To: <smb@research.att.com>, <andrew.krywaniuk@alcatel.com>
Cc: <ietf-ipsra@vpnc.org>
Subject: RE: Preliminary minutes for the IPSRA WG meeting 
Date: Mon, 2 Apr 2001 21:30:56 -0400
Message-Id: <006301c0bbfc$d0f62980$1e72788a@andrewk3.ca.newbridge.com>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4
In-reply-to: <20010403012059.6C78835C42@berkshire.research.att.com>
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>
Content-Transfer-Encoding: 7bit

Yes, I remember you saying that. I was just wondering how the chairs arrived
at the 7-6 tally when I didn't count enough votes on the mailing list.
Paul's response cleared that up for me.

Andrew
-------------------------------------------
Upon closer inspection, I saw that the line
dividing black from white was in fact a shade
of grey. As I drew nearer still, the grey area
grew larger. And then I was enlightened.


> -----Original Message-----
> From: smb@research.att.com [mailto:smb@research.att.com]
> Sent: Monday, April 02, 2001 9:21 PM
> To: andrew.krywaniuk@alcatel.com
> Cc: ietf-ipsra@vpnc.org
> Subject: Re: Preliminary minutes for the IPSRA WG meeting
>
>
> In message
> <006001c0bbd8$1d41b770$1e72788a@andrewk3.ca.newbridge.com>, "Andrew
> Krywaniuk" writes:
> >(e.g. that the authors of
> >the draft would vote for their own proposal)
> >
> As noted in the minutes, I don't have strong opinions on the subject.
>
> >> Steve Bellovin
> >> 	He is not attached to GetCert
> >> 	Wanted to show that remote access authorization without
> >> 		changing IKE could be done
>
> In fact, that's what I said when I did the first presentation on
> getcert.
>
> 		--Steve Bellovin, http://www.research.att.com/~smb
>
>
>



From owner-ietf-ipsra@mail.vpnc.org  Tue Apr  3 14:40:48 2001
Received: from above.proper.com ([208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id OAA12629
	for <ipsra-archive@odin.ietf.org>; Tue, 3 Apr 2001 14:40:48 -0400 (EDT)
Received: by above.proper.com (8.9.3/8.9.3) id LAA23082
	for ietf-ipsra-bks; Tue, 3 Apr 2001 11:09:22 -0700 (PDT)
Received: from cs.Technion.AC.IL (csa.cs.technion.ac.il [132.68.32.1])
	by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA23077
	for <ietf-ipsra@vpnc.org>; Tue, 3 Apr 2001 11:09:20 -0700 (PDT)
Received: from csd.cs.technion.ac.il (csd.cs.technion.ac.il [132.68.32.8])
	by cs.Technion.AC.IL (8.9.3+Sun/8.9.0) with ESMTP id UAA19567;
	Tue, 3 Apr 2001 20:10:30 +0200 (IST)
Received: from localhost (sarab@localhost)
	by csd.cs.technion.ac.il (8.9.3+Sun/8.9.0) with SMTP id UAA07051;
	Tue, 3 Apr 2001 20:10:28 +0200 (IST)
X-Authentication-Warning: csd.cs.technion.ac.il: sarab owned process doing -bs
Date: Tue, 3 Apr 2001 20:10:27 +0200 (IST)
From: Bittan Sara <sarab@cs.technion.ac.il>
X-Sender: sarab@csd
To: Andrew Krywaniuk <andrew.krywaniuk@alcatel.com>
cc: smb@research.att.com, ietf-ipsra@vpnc.org
Subject: RE: Preliminary minutes for the IPSRA WG meeting 
In-Reply-To: <006301c0bbfc$d0f62980$1e72788a@andrewk3.ca.newbridge.com>
Message-ID: <Pine.GSO.3.95-heb-2.07.1010403200901.6909A-100000@csd>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>

Six people sent their votes to me, without cc'ing the list.
3 votes for PIC, 3 for GetCert.
The authors of both drafts didn't vote.
Sara

On Mon, 2 Apr 2001, Andrew Krywaniuk wrote:

> Yes, I remember you saying that. I was just wondering how the chairs arrived
> at the 7-6 tally when I didn't count enough votes on the mailing list.
> Paul's response cleared that up for me.
> 
> Andrew
> -------------------------------------------
> Upon closer inspection, I saw that the line
> dividing black from white was in fact a shade
> of grey. As I drew nearer still, the grey area
> grew larger. And then I was enlightened.
> 
> 
> > -----Original Message-----
> > From: smb@research.att.com [mailto:smb@research.att.com]
> > Sent: Monday, April 02, 2001 9:21 PM
> > To: andrew.krywaniuk@alcatel.com
> > Cc: ietf-ipsra@vpnc.org
> > Subject: Re: Preliminary minutes for the IPSRA WG meeting
> >
> >
> > In message
> > <006001c0bbd8$1d41b770$1e72788a@andrewk3.ca.newbridge.com>, "Andrew
> > Krywaniuk" writes:
> > >(e.g. that the authors of
> > >the draft would vote for their own proposal)
> > >
> > As noted in the minutes, I don't have strong opinions on the subject.
> >
> > >> Steve Bellovin
> > >> 	He is not attached to GetCert
> > >> 	Wanted to show that remote access authorization without
> > >> 		changing IKE could be done
> >
> > In fact, that's what I said when I did the first presentation on
> > getcert.
> >
> > 		--Steve Bellovin, http://www.research.att.com/~smb
> >
> >
> >
> 
> 



From owner-ietf-ipsra@mail.vpnc.org  Thu Apr  5 07:27:33 2001
Received: from above.proper.com ([208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id HAA27880
	for <ipsra-archive@odin.ietf.org>; Thu, 5 Apr 2001 07:27:33 -0400 (EDT)
Received: by above.proper.com (8.9.3/8.9.3) id DAA02920
	for ietf-ipsra-bks; Thu, 5 Apr 2001 03:41:01 -0700 (PDT)
Received: from plmta00.chello.pl (plmta00.chello.pl [213.46.248.62])
	by above.proper.com (8.9.3/8.9.3) with ESMTP id DAA02901
	for <ietf-ipsra@vpnc.org>; Thu, 5 Apr 2001 03:40:58 -0700 (PDT)
Message-Id: <200104051040.DAA02901@above.proper.com>
Received: from hetnet.nl ([213.93.48.181]) by plmta00.chello.pl
          (Post.Office MTA v3.5.3 release 223 ID# 0-0U10L2S100V35)
          with SMTP id pl for <ietf-ipsra@vpnc.org>;
          Thu, 5 Apr 2001 08:02:27 -0100
From: "Rita de Groot" <R.deGroot@hetnet.nl>
To: <ietf-ipsra@vpnc.org>
Subject: huidziekte
Mime-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Date: Thu, 5 Apr 2001 10:59:58 +0200
Content-Transfer-Encoding: 8bit
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>
Content-Transfer-Encoding: 8bit

Five years before these photos were taken, I was diagnosed with 
rheumatoid arthritis and treated accordingly. Nothing helped. 
Then the disease manifested itself as you can see below..........
http://www.naardedokter.com/testimonials/sys_lup_eryth.htm


From owner-ietf-ipsra@mail.vpnc.org  Wed Apr 18 15:06:58 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id PAA16203
	for <ipsra-archive@odin.ietf.org>; Wed, 18 Apr 2001 15:06:57 -0400 (EDT)
Received: by above.proper.com (8.9.3/8.9.3) id LAA03146
	for ietf-ipsra-bks; Wed, 18 Apr 2001 11:13:53 -0700 (PDT)
Received: from [165.227.249.20] (ip20.proper.com [165.227.249.20])
	by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA03142
	for <ietf-ipsra@vpnc.org>; Wed, 18 Apr 2001 11:13:51 -0700 (PDT)
Mime-Version: 1.0
X-Sender: phoffvpnc@mail.vpnc.org
Message-Id: <p0510080cb70388ce1d37@[165.227.249.20]>
Date: Wed, 18 Apr 2001 11:13:07 -0700
To: ietf-ipsra@vpnc.org
From: Paul Hoffman / VPNC <paul.hoffman@vpnc.org>
Subject: Straw poll, round 2
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>

As discussed at the Minneapolis meeting, we need to take the straw 
poll again. My apologies for taking so long to get to it. We need to 
either choose between PIC and GetCert for the product of this Working 
Group, or to actively decide that the Working Group does not want to 
create a protocol.

For this straw poll, please respond to this message, and simply say 
"PIC" or "GetCert" or "No new protocol". If you wish, you can say 
why, but please state your preference first. Please respond within 
two weeks from today.

Note that this is a straw poll, not a "50%+1" straight vote. In the 
IETF tradition, the WG chairs will view the results and look for 
consensus. We (the chairs) will report back to the list soon after 
the two weeks are up.

--Paul Hoffman, Director
--VPN Consortium


From owner-ietf-ipsra@mail.vpnc.org  Wed Apr 18 16:40:00 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id QAA17569
	for <ipsra-archive@odin.ietf.org>; Wed, 18 Apr 2001 16:39:59 -0400 (EDT)
Received: by above.proper.com (8.9.3/8.9.3) id MAA08263
	for ietf-ipsra-bks; Wed, 18 Apr 2001 12:57:31 -0700 (PDT)
Received: from internaut.com ([64.38.134.99])
	by above.proper.com (8.9.3/8.9.3) with ESMTP id MAA08254;
	Wed, 18 Apr 2001 12:57:29 -0700 (PDT)
Received: from localhost (aboba@localhost)
	by internaut.com (8.9.3/8.9.3) with ESMTP id MAA74019;
	Wed, 18 Apr 2001 12:51:06 -0700 (PDT)
	(envelope-from aboba@internaut.com)
Date: Wed, 18 Apr 2001 12:51:06 -0700 (PDT)
From: Bernard Aboba <aboba@internaut.com>
To: Paul Hoffman / VPNC <paul.hoffman@vpnc.org>
cc: ietf-ipsra@vpnc.org
Subject: Re: Straw poll, round 2
In-Reply-To: <p0510080cb70388ce1d37@[165.227.249.20]>
Message-ID: <Pine.BSF.4.21.0104181250380.74011-100000@internaut.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>

GetCert v2 (the new and improved version)

On Wed, 18 Apr 2001, Paul Hoffman / VPNC wrote:

> As discussed at the Minneapolis meeting, we need to take the straw 
> poll again. My apologies for taking so long to get to it. We need to 
> either choose between PIC and GetCert for the product of this Working 
> Group, or to actively decide that the Working Group does not want to 
> create a protocol.
> 
> For this straw poll, please respond to this message, and simply say 
> "PIC" or "GetCert" or "No new protocol". If you wish, you can say 
> why, but please state your preference first. Please respond within 
> two weeks from today.
> 
> Note that this is a straw poll, not a "50%+1" straight vote. In the 
> IETF tradition, the WG chairs will view the results and look for 
> consensus. We (the chairs) will report back to the list soon after 
> the two weeks are up.
> 
> --Paul Hoffman, Director
> --VPN Consortium
> 



From owner-ietf-ipsra@mail.vpnc.org  Thu Apr 19 10:10:09 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id KAA11293
	for <ipsra-archive@odin.ietf.org>; Thu, 19 Apr 2001 10:10:08 -0400 (EDT)
Received: by above.proper.com (8.9.3/8.9.3) id GAA27358
	for ietf-ipsra-bks; Thu, 19 Apr 2001 06:29:12 -0700 (PDT)
Received: from mailgate.risccores.com ([194.202.198.225])
	by above.proper.com (8.9.3/8.9.3) with ESMTP id GAA27338;
	Thu, 19 Apr 2001 06:29:09 -0700 (PDT)
From: Steve.Robinson@psti.com
Subject: Re: Straw poll, round 2
To: Paul Hoffman / VPNC <paul.hoffman@vpnc.org>
Cc: ietf-ipsra@vpnc.org, owner-ietf-ipsra@mail.vpnc.org
X-Mailer: Lotus Notes Release 5.0.5  September 22, 2000
Message-ID: <OF665998E3.37FD3870-ON80256A33.0047CCD7@risccores.com>
Date: Thu, 19 Apr 2001 09:31:14 -0400
X-MIMETrack: Serialize by Router on Notes1/ARC(Release 5.0.5 |September 22, 2000) at 19/04/2001
 02:29:59 PM
MIME-Version: 1.0
Content-type: text/plain; charset=us-ascii
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>


PIC

It is a simpler solution, and IP Security is complex enough as it is.  But to
be honest, I don't like PIC because I don't want to be dependent on a server
outside of the scope of my security software on the host machine (this was the
reason I voted for GetCert the first time).   I feel like I'm trying to choose
the lesser of two evils here -- if we had a fourth option "try again from
scratch"  I'd vote for it over "no new protocol" even though I don't have a
better idea to present at this time.



                                                                                                                          
                    Paul Hoffman / VPNC                                                                                   
                    <paul.hoffman@vpnc.o        To:     ietf-ipsra@vpnc.org                                               
                    rg>                         cc:                                                                       
                    Sent by:                    Subject:     Straw poll, round 2                                          
                    owner-ietf-ipsra@mai                                                                                  
                    l.vpnc.org                                                                                            
                                                                                                                          
                                                                                                                          
                    04/18/01 02:13 PM                                                                                     
                                                                                                                          
                                                                                                                          




As discussed at the Minneapolis meeting, we need to take the straw
poll again. My apologies for taking so long to get to it. We need to
either choose between PIC and GetCert for the product of this Working
Group, or to actively decide that the Working Group does not want to
create a protocol.

For this straw poll, please respond to this message, and simply say
"PIC" or "GetCert" or "No new protocol". If you wish, you can say
why, but please state your preference first. Please respond within
two weeks from today.

Note that this is a straw poll, not a "50%+1" straight vote. In the
IETF tradition, the WG chairs will view the results and look for
consensus. We (the chairs) will report back to the list soon after
the two weeks are up.

--Paul Hoffman, Director
--VPN Consortium






From owner-ietf-ipsra@mail.vpnc.org  Thu Apr 19 11:07:19 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id LAA12330
	for <ipsra-archive@odin.ietf.org>; Thu, 19 Apr 2001 11:07:17 -0400 (EDT)
Received: by above.proper.com (8.9.3/8.9.3) id HAA00929
	for ietf-ipsra-bks; Thu, 19 Apr 2001 07:29:24 -0700 (PDT)
Received: from zcars04e.nortelnetworks.com (zcars04e.nortelnetworks.com [47.129.242.56])
	by above.proper.com (8.9.3/8.9.3) with ESMTP id HAA00922;
	Thu, 19 Apr 2001 07:29:22 -0700 (PDT)
Received: from rftzy232.ca.nortel.com by zcars04e.nortelnetworks.com;
          Thu, 19 Apr 2001 10:26:04 -0400
Received: from nortelnetworks.com (MLEECH-1 [47.9.22.33]) 
          by rftzy232.ca.nortel.com 
          with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) 
          id JHXCMM9L; Thu, 19 Apr 2001 10:22:45 -0400
Message-ID: <3ADEF5AE.45382@nortelnetworks.com>
Date: Thu, 19 Apr 2001 10:26:54 -0400
X-Sybari-Space: 00000000 00000000 00000000
From: "Marcus Leech" <mleech@nortelnetworks.com>
Reply-To: "Marcus Leech" <mleech@nortelnetworks.com>
Organization: Not Terribly
X-Mailer: Mozilla 4.7 [en] (Win95; U)
X-Accept-Language: en
MIME-Version: 1.0
To: ietf-ipsra@vpnc.org
CC: paul.hoffman@vpnc.org
Subject: Straw Poll, Round 2
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Orig: <mleech@nortelnetworks.com>
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>
Content-Transfer-Encoding: 7bit

getcert2


From owner-ietf-ipsra@mail.vpnc.org  Thu Apr 19 11:26:09 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id LAA12660
	for <ipsra-archive@odin.ietf.org>; Thu, 19 Apr 2001 11:26:08 -0400 (EDT)
Received: by above.proper.com (8.9.3/8.9.3) id HAA01751
	for ietf-ipsra-bks; Thu, 19 Apr 2001 07:48:07 -0700 (PDT)
Received: from sj-msg-core-1.cisco.com (sj-msg-core-1.cisco.com [171.71.163.11])
	by above.proper.com (8.9.3/8.9.3) with ESMTP id HAA01745;
	Thu, 19 Apr 2001 07:48:06 -0700 (PDT)
Received: from toque.cisco.com (toque.cisco.com [161.44.208.153])
	by sj-msg-core-1.cisco.com (8.9.3/8.9.1) with ESMTP id HAA11492;
	Thu, 19 Apr 2001 07:47:37 -0700 (PDT)
Received: from stephanent3 (ott-b1-dhcp-10-85-28-184.cisco.com [10.85.28.184])
	by toque.cisco.com (Mirapoint)
	with SMTP id ACK02117;
	Thu, 19 Apr 2001 10:47:36 -0400 (EDT)
Message-ID: <04c101c0c8df$ea9b6a90$b81c550a@cisco.com>
From: "Stephane Beaulieu" <stephane@cisco.com>
To: <ietf-ipsra@vpnc.org>, "Paul Hoffman / VPNC" <paul.hoffman@vpnc.org>
References: <p0510080cb70388ce1d37@[165.227.249.20]>
Subject: Re: Straw poll, round 2
Date: Thu, 19 Apr 2001 10:49:20 -0400
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6600
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>
Content-Transfer-Encoding: 7bit

No new protocol.

Reason: I'd prefer something that's easier to implement, and (more
importantly) easy to deploy.  If Hybrid or CRACK were candidates, I'd vote
for them.

Stephane.

----- Original Message -----
From: "Paul Hoffman / VPNC" <paul.hoffman@vpnc.org>
To: <ietf-ipsra@vpnc.org>
Sent: Wednesday, April 18, 2001 2:13 PM
Subject: Straw poll, round 2


> As discussed at the Minneapolis meeting, we need to take the straw
> poll again. My apologies for taking so long to get to it. We need to
> either choose between PIC and GetCert for the product of this Working
> Group, or to actively decide that the Working Group does not want to
> create a protocol.
>
> For this straw poll, please respond to this message, and simply say
> "PIC" or "GetCert" or "No new protocol". If you wish, you can say
> why, but please state your preference first. Please respond within
> two weeks from today.
>
> Note that this is a straw poll, not a "50%+1" straight vote. In the
> IETF tradition, the WG chairs will view the results and look for
> consensus. We (the chairs) will report back to the list soon after
> the two weeks are up.
>
> --Paul Hoffman, Director
> --VPN Consortium



From owner-ietf-ipsra@mail.vpnc.org  Thu Apr 19 14:46:42 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id OAA16196
	for <ipsra-archive@odin.ietf.org>; Thu, 19 Apr 2001 14:46:40 -0400 (EDT)
Received: by above.proper.com (8.9.3/8.9.3) id LAA20266
	for ietf-ipsra-bks; Thu, 19 Apr 2001 11:09:25 -0700 (PDT)
Received: from sj-msg-core-1.cisco.com (sj-msg-core-1.cisco.com [171.71.163.11])
	by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA20238;
	Thu, 19 Apr 2001 11:09:22 -0700 (PDT)
Received: from mira-sjcm-3.cisco.com (mira-sjcm-3.cisco.com [171.69.43.101])
	by sj-msg-core-1.cisco.com (8.9.3/8.9.1) with ESMTP id LAA20126;
	Thu, 19 Apr 2001 11:08:57 -0700 (PDT)
Received: from sfanningwork (dhcp-171-69-39-135.cisco.com [171.69.39.135])
	by mira-sjcm-3.cisco.com (Mirapoint)
	with SMTP id ACO20250;
	Thu, 19 Apr 2001 11:08:51 -0700 (PDT)
Message-ID: <007e01c0c8fb$7fd36200$872745ab@cisco.com>
From: "Scott Fanning" <sfanning@cisco.com>
To: "Stephane Beaulieu" <stephane@cisco.com>, <ietf-ipsra@vpnc.org>,
        "Paul Hoffman / VPNC" <paul.hoffman@vpnc.org>
References: <p0510080cb70388ce1d37@[165.227.249.20]> <04c101c0c8df$ea9b6a90$b81c550a@cisco.com>
Subject: Re: Straw poll, round 2
Date: Thu, 19 Apr 2001 11:06:47 -0700
Organization: Cisco Systems
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.3018.1300
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.3018.1300
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>
Content-Transfer-Encoding: 7bit

No new protocol.

Between L2TP, Hybrid, CRACK and the other "unnamed" methods, I think we can
solve this problem.

Scott
----- Original Message -----
From: "Stephane Beaulieu" <stephane@cisco.com>
To: <ietf-ipsra@vpnc.org>; "Paul Hoffman / VPNC" <paul.hoffman@vpnc.org>
Sent: Thursday, April 19, 2001 7:49 AM
Subject: Re: Straw poll, round 2


> No new protocol.
>
> Reason: I'd prefer something that's easier to implement, and (more
> importantly) easy to deploy.  If Hybrid or CRACK were candidates, I'd vote
> for them.
>
> Stephane.
>
> ----- Original Message -----
> From: "Paul Hoffman / VPNC" <paul.hoffman@vpnc.org>
> To: <ietf-ipsra@vpnc.org>
> Sent: Wednesday, April 18, 2001 2:13 PM
> Subject: Straw poll, round 2
>
>
> > As discussed at the Minneapolis meeting, we need to take the straw
> > poll again. My apologies for taking so long to get to it. We need to
> > either choose between PIC and GetCert for the product of this Working
> > Group, or to actively decide that the Working Group does not want to
> > create a protocol.
> >
> > For this straw poll, please respond to this message, and simply say
> > "PIC" or "GetCert" or "No new protocol". If you wish, you can say
> > why, but please state your preference first. Please respond within
> > two weeks from today.
> >
> > Note that this is a straw poll, not a "50%+1" straight vote. In the
> > IETF tradition, the WG chairs will view the results and look for
> > consensus. We (the chairs) will report back to the list soon after
> > the two weeks are up.
> >
> > --Paul Hoffman, Director
> > --VPN Consortium
>



From owner-ietf-ipsra@mail.vpnc.org  Thu Apr 19 15:51:58 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id PAA17572
	for <ipsra-archive@odin.ietf.org>; Thu, 19 Apr 2001 15:51:57 -0400 (EDT)
Received: by above.proper.com (8.9.3/8.9.3) id MAA21602
	for ietf-ipsra-bks; Thu, 19 Apr 2001 12:03:26 -0700 (PDT)
Received: from enigma.cyphers.net (enigma.cyphers.net [64.220.173.136])
	by above.proper.com (8.9.3/8.9.3) with ESMTP id MAA21596;
	Thu, 19 Apr 2001 12:03:24 -0700 (PDT)
Received: from cyphers.net (UNKNOWN [161.69.248.229]) by
          enigma.cyphers.net (Netscape Messaging Server 4.15) with ESMTP
          id GC1ZLX00.V0P; Thu, 19 Apr 2001 12:03:33 -0700 
Message-ID: <3ADF35E3.F0BFE800@cyphers.net>
Date: Thu, 19 Apr 2001 12:00:50 -0700
From: Will Price <wprice@cyphers.net>
Reply-To: wprice@cyphers.net
X-Mailer: Mozilla 4.75 (Macintosh; U; PPC)
X-Accept-Language: en,pdf
MIME-Version: 1.0
To: Paul Hoffman / VPNC <paul.hoffman@vpnc.org>
CC: ietf-ipsra@vpnc.org
Subject: Re: Straw poll, round 2
References: <p0510080cb70388ce1d37@[165.227.249.20]> <04c101c0c8df$ea9b6a90$b81c550a@cisco.com> <007e01c0c8fb$7fd36200$872745ab@cisco.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>
Content-Transfer-Encoding: 7bit

No new protocol.

Agreed that adequate solutions to this problem set already exist.



Scott Fanning wrote:
> 
> No new protocol.
> 
> Between L2TP, Hybrid, CRACK and the other "unnamed" methods, I think we can
> solve this problem.
> 
> Scott
> ----- Original Message -----
> From: "Stephane Beaulieu" <stephane@cisco.com>
> To: <ietf-ipsra@vpnc.org>; "Paul Hoffman / VPNC" <paul.hoffman@vpnc.org>
> Sent: Thursday, April 19, 2001 7:49 AM
> Subject: Re: Straw poll, round 2
> 
> > No new protocol.
> >
> > Reason: I'd prefer something that's easier to implement, and (more
> > importantly) easy to deploy.  If Hybrid or CRACK were candidates, I'd vote
> > for them.
> >
> > Stephane.
> >
> > ----- Original Message -----
> > From: "Paul Hoffman / VPNC" <paul.hoffman@vpnc.org>
> > To: <ietf-ipsra@vpnc.org>
> > Sent: Wednesday, April 18, 2001 2:13 PM
> > Subject: Straw poll, round 2
> >
> >
> > > As discussed at the Minneapolis meeting, we need to take the straw
> > > poll again. My apologies for taking so long to get to it. We need to
> > > either choose between PIC and GetCert for the product of this Working
> > > Group, or to actively decide that the Working Group does not want to
> > > create a protocol.
> > >
> > > For this straw poll, please respond to this message, and simply say
> > > "PIC" or "GetCert" or "No new protocol". If you wish, you can say
> > > why, but please state your preference first. Please respond within
> > > two weeks from today.
> > >
> > > Note that this is a straw poll, not a "50%+1" straight vote. In the
> > > IETF tradition, the WG chairs will view the results and look for
> > > consensus. We (the chairs) will report back to the list soon after
> > > the two weeks are up.
> > >
> > > --Paul Hoffman, Director
> > > --VPN Consortium
> >

-- 

Will Price, Director of Engineering
PGP Security, Inc.
a division of Network Associates, Inc.
Direct  (408)346-5906
Cell/VM (650)704-4461


From owner-ietf-ipsra@mail.vpnc.org  Thu Apr 19 17:16:17 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id RAA18619
	for <ipsra-archive@odin.ietf.org>; Thu, 19 Apr 2001 17:16:15 -0400 (EDT)
Received: by above.proper.com (8.9.3/8.9.3) id NAA26057
	for ietf-ipsra-bks; Thu, 19 Apr 2001 13:33:17 -0700 (PDT)
Received: from hoemail1.firewall.lucent.com (hoemail1.lucent.com [192.11.226.161])
	by above.proper.com (8.9.3/8.9.3) with ESMTP id NAA26049
	for <ietf-ipsra@vpnc.org>; Thu, 19 Apr 2001 13:33:15 -0700 (PDT)
Received: from hoemail1.firewall.lucent.com (localhost [127.0.0.1])
	by hoemail1.firewall.lucent.com (Switch-2.1.1/Switch-2.1.0) with ESMTP id f3JKXG025807
	for <ietf-ipsra@vpnc.org>; Thu, 19 Apr 2001 16:33:16 -0400 (EDT)
Received: from nwmail.wh.lucent.com (h135-5-40-100.lucent.com [135.5.40.100])
	by hoemail1.firewall.lucent.com (Switch-2.1.1/Switch-2.1.0) with SMTP id f3JKXF725790
	for <ietf-ipsra@vpnc.org>; Thu, 19 Apr 2001 16:33:16 -0400 (EDT)
Received: by nwmail.wh.lucent.com (SMI-8.6/EMS-1.5 sol2)
	id QAA16570; Thu, 19 Apr 2001 16:33:13 -0400
Received: from lucent.com by nwmail.wh.lucent.com (SMI-8.6/EMS-1.5 sol2)
	id QAA16567; Thu, 19 Apr 2001 16:33:13 -0400
Message-ID: <3ADF4B7B.918CC567@lucent.com>
Date: Thu, 19 Apr 2001 16:32:59 -0400
From: Uri Blumenthal <uri@lucent.com>
Organization: Lucent Technologies / Bell Labs
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.18 i686)
X-Accept-Language: uk, ru, de, en
MIME-Version: 1.0
To: ietf-ipsra@vpnc.org
Subject: Re: Straw poll, round 2
References: <p0510080cb70388ce1d37@[165.227.249.20]> <04c101c0c8df$ea9b6a90$b81c550a@cisco.com> <007e01c0c8fb$7fd36200$872745ab@cisco.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>
Content-Transfer-Encoding: 7bit

I prefer CRACK.
-- 
Regards,
Uri.
-=-=-<>-=-=-
<Disclaimer>


From owner-ietf-ipsra@mail.vpnc.org  Thu Apr 19 20:43:59 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id UAA20240
	for <ipsra-archive@odin.ietf.org>; Thu, 19 Apr 2001 20:43:58 -0400 (EDT)
Received: by above.proper.com (8.9.3/8.9.3) id RAA11345
	for ietf-ipsra-bks; Thu, 19 Apr 2001 17:10:14 -0700 (PDT)
Received: from ns02.newbridge.com (ns02.newbridge.com [192.75.23.75])
	by above.proper.com (8.9.3/8.9.3) with SMTP id RAA11335
	for <ietf-ipsra@vpnc.org>; Thu, 19 Apr 2001 17:10:12 -0700 (PDT)
Received: (qmail 24593 invoked from network); 20 Apr 2001 00:08:30 -0000
Received: from portal1.newbridge.com (HELO kanata-mh1.ca.newbridge.com) (192.75.23.76)
  by ns02.newbridge.com with SMTP; 20 Apr 2001 00:08:30 -0000
Received: from kanmail02.ca.newbridge.com by kanata-mh1.ca.newbridge.com with ESMTP; Thu, 19 Apr 2001 20:07:32 -0400
Received: from andrewk3 ([138.120.114.30]) by kanmail02.ca.newbridge.com
          (Netscape Messaging Server 3.6)  with ESMTP id AAA4392;
          Thu, 19 Apr 2001 20:07:31 -0400
Reply-To: <andrew.krywaniuk@alcatel.com>
From: "Andrew Krywaniuk" <andrew.krywaniuk@alcatel.com>
To: "'Paul Hoffman / VPNC'" <paul.hoffman@vpnc.org>, <ietf-ipsra@vpnc.org>
Subject: RE: Straw poll, round 2
Date: Thu, 19 Apr 2001 20:02:44 -0400
Message-Id: <001601c0c92d$48eb5ef0$1e72788a@andrewk3.ca.newbridge.com>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
In-Reply-To: <p0510080cb70388ce1d37@[165.227.249.20]>
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>
Content-Transfer-Encoding: 7bit

In order of preference:

1. Hybrid
2. Crack
3. PIC
4. GetCert

Justification:

- PIC/GetCert address what I believe to be non-existent flaws in the
Hybrid/Crack approach.

- Hybrid and Crack are functionally equivalent; however, Hybrid reuses code
that many IPsec implementers already have.

- PIC and GetCert are functionally similar; however, I believe that PIC will
integrate into existing gateways better.

Andrew
-------------------------------------------
Upon closer inspection, I saw that the line
dividing black from white was in fact a shade
of grey. As I drew nearer still, the grey area
grew larger. And then I was enlightened.



From owner-ietf-ipsra@mail.vpnc.org  Thu Apr 19 21:38:25 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id VAA21645
	for <ipsra-archive@odin.ietf.org>; Thu, 19 Apr 2001 21:38:25 -0400 (EDT)
Received: by above.proper.com (8.9.3/8.9.3) id SAA13608
	for ietf-ipsra-bks; Thu, 19 Apr 2001 18:07:32 -0700 (PDT)
Received: from mail.nexsi.com ([63.121.79.244])
	by above.proper.com (8.9.3/8.9.3) with ESMTP id SAA13602
	for <ietf-ipsra@vpnc.org>; Thu, 19 Apr 2001 18:07:31 -0700 (PDT)
Received: from NEWJERSEY (dynam64.sw.nexsi.com [172.17.14.64])
	by mail.nexsi.com (8.9.3/8.9.3) with SMTP id SAA19094
	for <ietf-ipsra@vpnc.org>; Thu, 19 Apr 2001 18:13:21 -0700
From: "sankar ramamoorthi" <sankar@nexsi.com>
To: <ietf-ipsra@vpnc.org>
Subject: RE: Straw poll, round 2
Date: Thu, 19 Apr 2001 18:13:10 -0700
Message-ID: <DIEPJEEKAPMEEKEELGGCIEIDCLAA.sankar@nexsi.com>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
In-Reply-To: <p0510080cb70388ce1d37@[165.227.249.20]>
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Importance: Normal
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>
Content-Transfer-Encoding: 7bit

PIC

Better code reusability.

-- sankar --





From owner-ietf-ipsra@mail.vpnc.org  Thu Apr 19 22:07:47 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id WAA21917
	for <ipsra-archive@odin.ietf.org>; Thu, 19 Apr 2001 22:07:46 -0400 (EDT)
Received: by above.proper.com (8.9.3/8.9.3) id SAA15004
	for ietf-ipsra-bks; Thu, 19 Apr 2001 18:28:03 -0700 (PDT)
Received: from wlv.interdyn.com ([205.147.53.144])
	by above.proper.com (8.9.3/8.9.3) with ESMTP id SAA14998
	for <ietf-ipsra@vpnc.org>; Thu, 19 Apr 2001 18:28:01 -0700 (PDT)
Received: by WLV with Internet Mail Service (5.5.2653.19)
	id <J17PL9P2>; Thu, 19 Apr 2001 18:25:30 -0700
Received: from redcreek.com (host186.redcreek.com [209.218.26.186]) by exchange.redcreek.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
	id JHZ8AB7C; Thu, 19 Apr 2001 18:27:30 -0700
From: Ricky Charlet <rcharlet@redcreek.com>
To: ietf-ipsra@vpnc.org
Message-ID: <3ADF8406.BE9E1145@redcreek.com>
Date: Thu, 19 Apr 2001 18:34:14 -0600
Organization: Redcreek Communications
X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.16-22 i686)
X-Accept-Language: en
MIME-Version: 1.0
Subject: Re: Straw poll, round 2
References: <p0510080cb70388ce1d37@[165.227.249.20]>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>
Content-Transfer-Encoding: 7bit

Howdy,

	Count my vote with the leader, whether it is PIC or getCert (in case of
a tie I vote for PIC).


Justification:
	I am voting for resolution! Either PIC or getCert is fine with me. I
hope to increase the distinction in this straw poll by casting my vote
for the leading contender. And I call for anyone else who is fine with
either to vote as I do (to accentuate the strawpoll distinction).

	People, we have a crisis of non-consensus taking shape here. There are
two status quo solutions which are interoperable even though they are
non-standard. They are Hybrid and L2TP. Security concerns have been
raised with both of those status-quo solutions on this list before (and
refuted, and debated and...). The solution of modifying IKE (as with
CRACK) has been rejected by our ADs as introducing too much complexity
(and that has been debated at length on this list). We have in front of
us two new solutions which are acceptable to our ADs, have been viewed
as "doing the right thing" and are each poised to become a broadly
accepted standard. These are PIC and getCert.

	Our realistic choice is between three options, PIC, getCert or nothing
(=defacto current). I contend that if you vote for something other than
PIC or getCert, you are voting for nothing. This may be a desirable
result for some and seems to be the leading contender so far in this
straw poll.

	So if you are a person who does want an IETF/IPsec solution for legacy
remote authentication, it is very important that you cast your vote for
PIC or getCert or (as I have done) for the leader of the strawpoll, be
it either PIC or getCert. Otherwise, "nothing" will win. Also note that
if PIC and getCert tie, then "nothing" will probably win there too.



-- 
  Ricky Charlet   : Redcreek Communications   : usa (510) 795-6903


From owner-ietf-ipsra@mail.vpnc.org  Fri Apr 20 10:07:53 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id KAA12106
	for <ipsra-archive@odin.ietf.org>; Fri, 20 Apr 2001 10:07:52 -0400 (EDT)
Received: by above.proper.com (8.9.3/8.9.3) id GAA04516
	for ietf-ipsra-bks; Fri, 20 Apr 2001 06:13:49 -0700 (PDT)
Received: from relay2.nai.com (relay2.nai.com [161.69.3.67])
	by above.proper.com (8.9.3/8.9.3) with ESMTP id GAA04510
	for <ietf-ipsra@vpnc.org>; Fri, 20 Apr 2001 06:13:48 -0700 (PDT)
Received: from scwsout1.nai.com (webshield2.nai.com [161.69.3.73])
	by relay2.nai.com (8.9.3/8.9.3) with SMTP id NAA13845
	for <ietf-ipsra@vpnc.org>; Thu, 19 Apr 2001 13:43:44 -0700 (PDT)
Received: FROM ca-ex-bridge2.nai.com BY scwsout1.nai.com ; Thu Apr 19 13:43:50 2001 -0700
Received: by dns-31.dhcp-5.nai.com with Internet Mail Service (5.5.2653.19)
	id <J11NJVRF>; Thu, 19 Apr 2001 13:53:56 -0700
Message-ID: <8894CA1F87A5D411BD24009027EE7838128090@md-exchange1.nai.com>
From: "Mason, David" <David_Mason@NAI.com>
To: "'Paul Hoffman / VPNC'" <paul.hoffman@vpnc.org>, ietf-ipsra@vpnc.org
Subject: RE: Straw poll, round 2
Date: Thu, 19 Apr 2001 13:43:39 -0700
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain;
	charset="iso-8859-1"
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>

No new protocol.

For now I prefer that-which-must-not-be-named.  Barring that I'd vote for
PIC.

-dave


From owner-ietf-ipsra@mail.vpnc.org  Fri Apr 20 10:51:52 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id KAA12816
	for <ipsra-archive@odin.ietf.org>; Fri, 20 Apr 2001 10:51:50 -0400 (EDT)
Received: by above.proper.com (8.9.3/8.9.3) id HAA09977
	for ietf-ipsra-bks; Fri, 20 Apr 2001 07:14:50 -0700 (PDT)
Received: from www.troy.vpnet.com (IDENT:exim@www.troy.vpnet.com [209.177.58.3])
	by above.proper.com (8.9.3/8.9.3) with ESMTP id HAA09972
	for <ietf-ipsra@vpnc.org>; Fri, 20 Apr 2001 07:14:48 -0700 (PDT)
Received: from [209.177.58.136] (helo=troynt01.troyvpnet)
	by www.troy.vpnet.com with esmtp (Exim 2.10 #1)
	id 14qbXQ-0007U5-00; Fri, 20 Apr 2001 10:05:32 -0400
Received: by TROYNT01 with Internet Mail Service (5.5.2650.21)
	id <22ZF0LJG>; Fri, 20 Apr 2001 10:18:26 -0400
Message-ID: <F5EC0261691CD411887200E018C19DAC0C5846@TROYNT01>
From: Richard Welty <rwelty@vpnet.com>
To: Ricky Charlet <rcharlet@redcreek.com>, ietf-ipsra@vpnc.org
Subject: RE: Straw poll, round 2
Date: Fri, 20 Apr 2001 10:18:26 -0400
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: text/plain;
	charset="iso-8859-1"
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>

I agree; this requires a sensible resolution.

PIC or Getcert, whichever is leading the vote.

> -----Original Message-----
> From: Ricky Charlet [mailto:rcharlet@redcreek.com]
> Sent: Thursday, April 19, 2001 8:34 PM
> To: ietf-ipsra@vpnc.org
> Subject: Re: Straw poll, round 2
> 
> 
> Howdy,
> 
> 	Count my vote with the leader, whether it is PIC or getCert (in case of
> a tie I vote for PIC).
> 
> 
> Justification:
> 	I am voting for resolution! Either PIC or getCert is fine with me. I
> hope to increase the distinction in this straw poll by casting my vote
> for the leading contender. And I call for anyone else who is fine with
> either to vote as I do (to accentuate the strawpoll distinction).
> 
> 	People, we have a crisis of non-consensus taking shape 
> here. There are
> two status quo solutions which are interoperable even though they are
> non-standard. They are Hybrid and L2TP. Security concerns have been
> raised with both of those status-quo solutions on this list 
> before (and
> refuted, and debated and...). The solution of modifying IKE (as with
> CRACK) has been rejected by our ADs as introducing too much complexity
> (and that has been debated at length on this list). We have 
> in front of
> us two new solutions which are acceptable to our ADs, have been viewed
> as "doing the right thing" and are each poised to become a broadly
> accepted standard. These are PIC and getCert.
> 
> 	Our realistic choice is between three options, PIC, getCert or nothing
> (=defacto current). I contend that if you vote for something other than
> PIC or getCert, you are voting for nothing. This may be a desirable
> result for some and seems to be the leading contender so far in this
> straw poll.
> 
> 	So if you are a person who does want an IETF/IPsec solution for legacy
> remote authentication, it is very important that you cast your vote for
> PIC or getCert or (as I have done) for the leader of the strawpoll, be
> it either PIC or getCert. Otherwise, "nothing" will win. Also note that
> if PIC and getCert tie, then "nothing" will probably win there too.
> 
> 
> 
> -- 
>   Ricky Charlet   : Redcreek Communications   : usa (510) 795-6903
> 


From owner-ietf-ipsra@mail.vpnc.org  Fri Apr 20 11:34:04 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id LAA13250
	for <ipsra-archive@odin.ietf.org>; Fri, 20 Apr 2001 11:34:04 -0400 (EDT)
Received: by above.proper.com (8.9.3/8.9.3) id HAA11229
	for ietf-ipsra-bks; Fri, 20 Apr 2001 07:56:54 -0700 (PDT)
Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1])
	by above.proper.com (8.9.3/8.9.3) with ESMTP id HAA11224
	for <ietf-ipsra@vpnc.org>; Fri, 20 Apr 2001 07:56:53 -0700 (PDT)
Received: from eastmail1.East.Sun.COM ([129.148.1.240])
	by mercury.Sun.COM (8.9.3+Sun/8.9.3) with ESMTP id HAA26300
	for <ietf-ipsra@vpnc.org>; Fri, 20 Apr 2001 07:56:52 -0700 (PDT)
Received: from thunk.east.sun.com (thunk.East.Sun.COM [129.148.174.66])
	by eastmail1.East.Sun.COM (8.9.3+Sun/8.9.3/ENSMAIL,v2.1p1) with ESMTP id KAA27209
	for <ietf-ipsra@vpnc.org>; Fri, 20 Apr 2001 10:56:50 -0400 (EDT)
Received: from thunk (localhost [127.0.0.1])
	by thunk.east.sun.com (8.11.2+Sun/8.11.2) with ESMTP id f3KEuZ917821
	for <ietf-ipsra@vpnc.org>; Fri, 20 Apr 2001 10:56:35 -0400 (EDT)
Message-Id: <200104201456.f3KEuZ917821@thunk.east.sun.com>
From: Bill Sommerfeld <sommerfeld@east.sun.com>
To: ietf-ipsra@vpnc.org
Subject: Straw poll, round 2
Reply-to: sommerfeld@east.sun.com
Date: Fri, 20 Apr 2001 10:56:35 -0400
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>

either getcert or pic

						- Bill


From owner-ietf-ipsra@mail.vpnc.org  Fri Apr 20 11:53:27 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id LAA13496
	for <ipsra-archive@odin.ietf.org>; Fri, 20 Apr 2001 11:53:26 -0400 (EDT)
Received: by above.proper.com (8.9.3/8.9.3) id IAA14153
	for ietf-ipsra-bks; Fri, 20 Apr 2001 08:21:07 -0700 (PDT)
Received: from smtp.NE.3Com.COM (smtp.ne.3com.com [151.104.25.99])
	by above.proper.com (8.9.3/8.9.3) with ESMTP id IAA14145
	for <ietf-ipsra@vpnc.org>; Fri, 20 Apr 2001 08:21:05 -0700 (PDT)
From: Peter_Maricle@ne.3com.com
Received: from usboxmta.ne.3com.com (usboxmta.NE.3Com.COM [151.104.25.34])
	by smtp.NE.3Com.COM (Pro-8.9.3/Pro-8.9.3) with SMTP id LAA27365
	for <ietf-ipsra@vpnc.org>; Fri, 20 Apr 2001 11:20:35 -0400 (EDT)
Received: by usboxmta.ne.3com.com(Lotus SMTP MTA v4.6.6  (890.1 7-16-1999))  id 85256A34.0054EA43 ; Fri, 20 Apr 2001 11:27:29 -0400
X-Lotus-FromDomain: 3COM
To: ietf-ipsra@vpnc.org
Message-ID: <85256A34.0054E920.00@usboxmta.ne.3com.com>
Date: Fri, 20 Apr 2001 11:20:40 -0400
Subject: Straw poll, round 2
Mime-Version: 1.0
Content-type: text/plain; charset=us-ascii
Content-Disposition: inline
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>




PIC

For reasons others have already pointed out.
---------------------- Forwarded by Peter Maricle/US/3Com on 04/20/2001 11:19 AM
---------------------------


"Paul Hoffman / VPNC" <paul.hoffman@vpnc.org> on 04/18/2001 02:13:07 PM

Sent by:  "Paul Hoffman / VPNC" <paul.hoffman@vpnc.org>


To:   ietf-ipsra@vpnc.org
cc:    (Peter Maricle/US/3Com)
Subject:  Straw poll, round 2



As discussed at the Minneapolis meeting, we need to take the straw
poll again. My apologies for taking so long to get to it. We need to
either choose between PIC and GetCert for the product of this Working
Group, or to actively decide that the Working Group does not want to
create a protocol.

For this straw poll, please respond to this message, and simply say
"PIC" or "GetCert" or "No new protocol". If you wish, you can say
why, but please state your preference first. Please respond within
two weeks from today.

Note that this is a straw poll, not a "50%+1" straight vote. In the
IETF tradition, the WG chairs will view the results and look for
consensus. We (the chairs) will report back to the list soon after
the two weeks are up.

--Paul Hoffman, Director
--VPN Consortium





From owner-ietf-ipsra@mail.vpnc.org  Fri Apr 20 12:47:04 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id MAA14343
	for <ipsra-archive@odin.ietf.org>; Fri, 20 Apr 2001 12:47:03 -0400 (EDT)
Received: by above.proper.com (8.9.3/8.9.3) id JAA21151
	for ietf-ipsra-bks; Fri, 20 Apr 2001 09:04:19 -0700 (PDT)
Received: from exchange.redcreek.com (mail.redcreek.com [209.125.38.15])
	by above.proper.com (8.9.3/8.9.3) with ESMTP id JAA21146
	for <ietf-ipsra@vpnc.org>; Fri, 20 Apr 2001 09:04:18 -0700 (PDT)
Received: by mail.redcreek.com with Internet Mail Service (5.5.2653.19)
	id <JHZ8AC6X>; Fri, 20 Apr 2001 09:04:04 -0700
Received: from redcreek.com (host43.redcreek.com [209.218.26.43]) by exchange.redcreek.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
	id JHZ8AC6B; Fri, 20 Apr 2001 08:58:10 -0700
From: "Scott G. Kelly" <skelly@redcreek.com>
To: ietf-ipsra@vpnc.org
Message-ID: <3AE05C45.ABCF1AC5@redcreek.com>
Date: Fri, 20 Apr 2001 08:56:53 -0700
Organization: RedCreek Communications
X-Mailer: Mozilla 4.61 [en] (X11; U; Linux 2.2.12-20 i686)
X-Accept-Language: en
MIME-Version: 1.0
Subject: Re: Straw poll, round 2
References: <p0510080cb70388ce1d37@[165.227.249.20]>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>
Content-Transfer-Encoding: 7bit

PIC

Paul Hoffman / VPNC wrote:
> 
> As discussed at the Minneapolis meeting, we need to take the straw
> poll again. My apologies for taking so long to get to it. We need to
> either choose between PIC and GetCert for the product of this Working
> Group, or to actively decide that the Working Group does not want to
> create a protocol.
> 
> For this straw poll, please respond to this message, and simply say
> "PIC" or "GetCert" or "No new protocol". If you wish, you can say
> why, but please state your preference first. Please respond within
> two weeks from today.
> 
> Note that this is a straw poll, not a "50%+1" straight vote. In the
> IETF tradition, the WG chairs will view the results and look for
> consensus. We (the chairs) will report back to the list soon after
> the two weeks are up.
> 
> --Paul Hoffman, Director
> --VPN Consortium


From owner-ietf-ipsra@mail.vpnc.org  Fri Apr 20 19:04:25 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id TAA19606
	for <ipsra-archive@odin.ietf.org>; Fri, 20 Apr 2001 19:04:24 -0400 (EDT)
Received: by above.proper.com (8.9.3/8.9.3) id PAA14860
	for ietf-ipsra-bks; Fri, 20 Apr 2001 15:20:15 -0700 (PDT)
Received: from internaut.com ([64.38.134.99])
	by above.proper.com (8.9.3/8.9.3) with ESMTP id PAA14854
	for <ietf-ipsra@vpnc.org>; Fri, 20 Apr 2001 15:20:13 -0700 (PDT)
Received: from localhost (aboba@localhost)
	by internaut.com (8.9.3/8.9.3) with ESMTP id PAA77147
	for <ietf-ipsra@vpnc.org>; Fri, 20 Apr 2001 15:13:40 -0700 (PDT)
	(envelope-from aboba@internaut.com)
Date: Fri, 20 Apr 2001 15:13:40 -0700 (PDT)
From: Bernard Aboba <aboba@internaut.com>
To: ietf-ipsra@vpnc.org
Subject: Availability of updated drafts?
In-Reply-To: <85256A34.0054E920.00@usboxmta.ne.3com.com>
Message-ID: <Pine.BSF.4.21.0104201500130.77130-100000@internaut.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>

At times reading the IPSRA mailing list is a little like following the
Florida re-count...

May I interrupt the regularly scheduled program for a question relating to
work items?

Over the last two meetings, we've thrown out a variety of ideas on how to
move forward. At one point it was suggested that some sort of merger of
PIC and GetCert might be possible. We've talked about an updated GetCert
draft, or perhaps a CMP/EAP draft.

What are the obstacles, if any, to getting this work done? Do the authors
feel it's not a good idea? Not have time? Perhaps lack some expertise that
might be supplied? Not sure if anyone will implement the result? 

Since the purpose of a Working Group is to do work, I'm curious to
understand why more work isn't being done. For my part, the issue is that
this area requires more PKI knowledge than I possess. Also, I'm told that
temporary certs may pose some tricky problems that PKI people understand
and which I obviously don't (has to do with when you delete old expired
certs, load on PKI infrastructure, etc.). 

Back to our regularly scheduled election coverage...



From owner-ietf-ipsra@mail.vpnc.org  Sat Apr 21 13:42:50 2001
Received: from above.proper.com ([208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id NAA11391
	for <ipsra-archive@odin.ietf.org>; Sat, 21 Apr 2001 13:42:50 -0400 (EDT)
Received: by above.proper.com (8.9.3/8.9.3) id KAA04269
	for ietf-ipsra-bks; Sat, 21 Apr 2001 10:02:45 -0700 (PDT)
Received: from mail-green.research.att.com (H-135-207-30-103.research.att.com [135.207.30.103])
	by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA04263
	for <ietf-ipsra@vpnc.org>; Sat, 21 Apr 2001 10:02:41 -0700 (PDT)
Received: from postal.research.att.com (postal.research.att.com [135.207.23.30])
	by mail-green.research.att.com (Postfix) with ESMTP
	id A4AED1E01B; Sat, 21 Apr 2001 13:02:42 -0400 (EDT)
Received: from berkshire.research.att.com (postal.research.att.com [135.207.23.30])
	by postal.research.att.com (8.8.7/8.8.7) with ESMTP id NAA10581;
	Sat, 21 Apr 2001 13:02:41 -0400 (EDT)
Received: from berkshire.research.att.com (localhost [127.0.0.1])
	by berkshire.research.att.com (Postfix) with ESMTP
	id 5EB177B69; Sat, 21 Apr 2001 13:02:36 -0400 (EDT)
X-Mailer: exmh version 2.1.1 10/15/1999
X-Exmh-Isig-CompType: repl
X-Exmh-Isig-Folder: ipsra
From: "Steven M. Bellovin" <smb@research.att.com>
To: Bernard Aboba <aboba@internaut.com>
Cc: ietf-ipsra@vpnc.org
Subject: Re: Availability of updated drafts? 
Mime-Version: 1.0
Content-Type: text/plain
Date: Sat, 21 Apr 2001 13:02:36 -0400
Message-Id: <20010421170236.5EB177B69@berkshire.research.att.com>
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>

In message <Pine.BSF.4.21.0104201500130.77130-100000@internaut.com>, Bernard Aboba writes:
>At times reading the IPSRA mailing list is a little like following the
>Florida re-count...
>
>May I interrupt the regularly scheduled program for a question relating to
>work items?
>
>Over the last two meetings, we've thrown out a variety of ideas on how to
>move forward. At one point it was suggested that some sort of merger of
>PIC and GetCert might be possible. We've talked about an updated GetCert
>draft, or perhaps a CMP/EAP draft.
>
>What are the obstacles, if any, to getting this work done? Do the authors
>feel it's not a good idea? Not have time? Perhaps lack some expertise that
>might be supplied? Not sure if anyone will implement the result? 
>

After Bob and I talked with the chairs, we all agreed that there
was no point to writing more drafts for a direction the working
group didn't want to go in.  The idea was that after the straw
poll, one group or the other would get back to work.  But the first
straw poll was a lot later than expected, leaving no time for a new
draft before Minneapolis even if there had been a clear result.

After this straw poll, we have to move ahead.  If there's still no
clear consensus, someone will flip a coin.  As I said at the meeting,
though I (of course) prefer getcert, I personally don't care that much
about it versus pic -- both have fundamentally the right philosophy.


From owner-ietf-ipsra@mail.vpnc.org  Sat Apr 21 17:46:07 2001
Received: from above.proper.com ([208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id RAA12414
	for <ipsra-archive@odin.ietf.org>; Sat, 21 Apr 2001 17:46:07 -0400 (EDT)
Received: by above.proper.com (8.9.3/8.9.3) id OAA17394
	for ietf-ipsra-bks; Sat, 21 Apr 2001 14:18:25 -0700 (PDT)
Received: from internaut.com ([64.38.134.99])
	by above.proper.com (8.9.3/8.9.3) with ESMTP id OAA17389
	for <ietf-ipsra@vpnc.org>; Sat, 21 Apr 2001 14:18:22 -0700 (PDT)
Received: from localhost (aboba@localhost)
	by internaut.com (8.9.3/8.9.3) with ESMTP id OAA80619;
	Sat, 21 Apr 2001 14:11:43 -0700 (PDT)
	(envelope-from aboba@internaut.com)
Date: Sat, 21 Apr 2001 14:11:42 -0700 (PDT)
From: Bernard Aboba <aboba@internaut.com>
To: "Steven M. Bellovin" <smb@research.att.com>
cc: ietf-ipsra@vpnc.org
Subject: Re: Availability of updated drafts? 
In-Reply-To: <20010421170236.5EB177B69@berkshire.research.att.com>
Message-ID: <Pine.BSF.4.21.0104211403240.80611-100000@internaut.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>

> After Bob and I talked with the chairs, we all agreed that there
> was no point to writing more drafts for a direction the working
> group didn't want to go in.  

Actually, this is a limbo state that more and more WGs seem to be
falling into nowadays. Working groups only move at the speed at which they
think. Lack of consensus often arises from unresolved issues, to which the
solution is more thinking, not more polls. 

In this case, a better process would have been to evaluate the proposals
against the reqts.  and give the authors the chance to remediate any
disclosed deficiencies. Once we had the best proposals that they could
muster, then consensus would be more likely. 

Because we've been frozen in "election result" mode for
several months now, the proposals have not advanced to address the issues
that were identified. Thus, my vote is more based on the
"eventual" direction that I think the proposals will take, rather
than the current versions, neither of which I think are acceptable. 

In summary, I don't believe that more polling will produce
consensus. What we need is not more polls, but more thought, and a
formal evaluation process. 




From owner-ietf-ipsra@mail.vpnc.org  Sun Apr 22 12:01:22 2001
Received: from above.proper.com ([208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id MAA11018
	for <ipsra-archive@odin.ietf.org>; Sun, 22 Apr 2001 12:01:21 -0400 (EDT)
Received: by above.proper.com (8.9.3/8.9.3) id IAA08895
	for ietf-ipsra-bks; Sun, 22 Apr 2001 08:30:20 -0700 (PDT)
Received: from dfmail.f-secure.com (dfmail.f-secure.com [194.252.6.39])
	by above.proper.com (8.9.3/8.9.3) with SMTP id IAA08886
	for <ietf-ipsra@vpnc.org>; Sun, 22 Apr 2001 08:30:18 -0700 (PDT)
Received: (qmail 31032 invoked by uid 0); 22 Apr 2001 15:29:55 -0000
Received: from fsav4im2.f-secure.com (HELO fsav4im2) (194.197.29.47)
  by dfmail.f-secure.com with SMTP; 22 Apr 2001 15:29:55 -0000
Received: from dfintra.f-secure.com ([194.197.29.8]:4851) (HELO dfintra.f-secure.com)
 by fsav4im2 ([194.197.29.47]:25) (F-Secure Anti-Virus for Internet Mail 5.0.53 Release)
 with SMTP; Sun, 22 Apr 2001 15:35:53 -0000
Received: (qmail 31236 invoked from network); 22 Apr 2001 15:30:19 -0000
Received: from unknown (HELO F-Secure.com) (10.128.129.140)
  by dfintra.f-secure.com with SMTP; 22 Apr 2001 15:30:19 -0000
Message-ID: <3AE2F8F8.F9A61D8A@F-Secure.com>
Date: Sun, 22 Apr 2001 18:30:00 +0300
From: Ari Huttunen <Ari.Huttunen@f-secure.com>
Organization: F-Secure Corporation
X-Mailer: Mozilla 4.76 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Paul Hoffman / VPNC <paul.hoffman@vpnc.org>
CC: ietf-ipsra@vpnc.org
Subject: Re: Straw poll, round 2
References: <p0510080cb70388ce1d37@[165.227.249.20]>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>
Content-Transfer-Encoding: 7bit

PIC

I think PIC has a better chance of quickly replacing X-Auth and Hybrid.

Ari

Paul Hoffman / VPNC wrote:
> 
> As discussed at the Minneapolis meeting, we need to take the straw
> poll again. My apologies for taking so long to get to it. We need to
> either choose between PIC and GetCert for the product of this Working
> Group, or to actively decide that the Working Group does not want to
> create a protocol.
> 
> For this straw poll, please respond to this message, and simply say
> "PIC" or "GetCert" or "No new protocol". If you wish, you can say
> why, but please state your preference first. Please respond within
> two weeks from today.
> 
> Note that this is a straw poll, not a "50%+1" straight vote. In the
> IETF tradition, the WG chairs will view the results and look for
> consensus. We (the chairs) will report back to the list soon after
> the two weeks are up.
> 
> --Paul Hoffman, Director
> --VPN Consortium

-- 
Ari Huttunen                   phone: +358 9 2520 0700
Software Architect             fax  : +358 9 2520 5001

F-Secure Corporation       http://www.F-Secure.com 

F-Secure products: Integrated Solutions for Enterprise Security
*
 F-Secure is moving. The new address as of 9 April 2001 is:
 F-Secure Corporation, PL 24, Tammasaarenkatu 7, FIN-00181 Helsinki Finland
 Phone +358 9 2520 0700 Fax +358 9 2520 5001
*


From owner-ietf-ipsra@mail.vpnc.org  Tue Apr 24 15:10:24 2001
Received: from above.proper.com ([208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id PAA12928
	for <ipsra-archive@odin.ietf.org>; Tue, 24 Apr 2001 15:10:24 -0400 (EDT)
Received: (from majordomo@localhost)
	by above.proper.com (8.9.3/8.9.3) id LAA06629
	for ietf-ipsra-bks; Tue, 24 Apr 2001 11:32:05 -0700 (PDT)
Received: from fwns2.raleigh.ibm.com (fwns2d.raleigh.ibm.com [204.146.167.236])
	by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA06625
	for <ietf-ipsra@vpnc.org>; Tue, 24 Apr 2001 11:32:00 -0700 (PDT)
Received: from rtpmail02.raleigh.ibm.com (rtpmail02.raleigh.ibm.com [9.37.172.48])
	by fwns2.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id OAA35688;
	Tue, 24 Apr 2001 14:31:30 -0400
Received: from rotala.raleigh.ibm.com (root@rotala.raleigh.ibm.com [9.37.60.3])
	by rtpmail02.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id OAA23788;
	Tue, 24 Apr 2001 14:31:32 -0400
Received: from rotala.raleigh.ibm.com (narten@localhost) by rotala.raleigh.ibm.com (8.9.3/8.7/RTP-ral-1.0) with ESMTP id OAA09411; Tue, 24 Apr 2001 14:31:02 -0400
Message-Id: <200104241831.OAA09411@rotala.raleigh.ibm.com>
To: ietf-ipsra@vpnc.org, dhcp-v4@bucknell.edu
cc: "Marcus Leech" <mleech@nortelnetworks.com>
Subject: draft-ietf-ipsec-dhcp-09.txt
Date: Tue, 24 Apr 2001 14:31:02 -0400
From: Thomas Narten <narten@raleigh.ibm.com>
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>

While reviewing this document for the IESG, I came up with some
questions that I'd like the DHC WG to comment on. i.e., this document
seems to call for changes to existing DHCP practice, and the need for
such changes does not seem properly motivated (at least to me). I
would appreciate it if folks from the DHC WG would provide their
perspective.

I have a basic question/concern with one aspect of this document,
namely its use of the chaddr field, the client identifier option, and
relay agents.

Background (to be sure I have this right). In DHCPv4, the chaddr field
always has the link-layer address of the client in it. The relay agent
needs this information (together with the giaddr field) to determine
how to forward a DHCP response from the DHCP server back to the client
(i.e., the giaddr field identifies the interface, the chaddr field is
the link-layer address to use). (Actually, broadcast can also be used,
but in the case of IPsec tunnels, that seems a non-starter.)

In most cases the chaddr value also serves as the way to identify a
client to the DHCP server from the perspective of which parameters to
assign. However, the client identifier option allows the client to
specify an alternate way of identifying itself to the DHCP server, one
that doesn't use the chaddr value. In such cases, the chaddr field may
still be needed by the relay agent to forward DHCP messages from the
server to the client.

This document seems to be rather unclear about how it uses these
values. In particular, it seems to provide a set of options rather
than one clear way. I think this needlessly complicates the relay
agent.  Specifically, the chaddr field (together with the giaddr
field) is no longer sufficient information to forward packets from the
DHCP server to the client, and the document suggests that relay agents
will need to maintain state in order to properly forward packets to
clients. I believe this is a change to existing DHCP practice.

> differentiate VPN from non-VPN requests.  The chaddr field of the
> DHCPDISCOVER SHOULD  include a unique identifier.  The client MUST use
> the same chaddr field in all subsequent messages within the same DHCPv4
> exchange. This permits the use of DHCP Relay load balancing as described
> in [19]. In addition, the chaddr SHOULD be persistent between reboots so
> that the DHCP server will be able to re-assign the same address if

The above doesn't seem quite what is needed. First, shouldn't it be a
MUST rather than a SHOULD? What you might point out is that one can't
guarantee that it is unique. Making it a SHOULD (per 2026) implies
that there may be good reasons to not choose a unique identifier and
an implementation might choose not to send one. If that is the case,
an explanation would help. I.e., the DHCP server won't be happy if
identifiers aren't unique enough. This is a basic DHCP assumption.

Also, the load balancing stuff that used to be in the DHCP failover
document has been removed and is now standalone (see RFC 3074). It is
transparent to the client, so I don't see why anything in this
document needs to be done to support it (as the above wording
suggests).


> 6.2.  DHCPOFFER message processing
> 
> Typically, the security gateway will also store the xid and the chaddr
> gleaned from the DHCPDISCOVER in a table so as to be able to route the
> corresponding DHCPOFFER message(s) back to the remote host.

This would appear to be a fundamental change in relay agent model
compared to standard DHCP. That is, traditional relay agents are
stateless. All the info that a relay agent needs in order to relay
DHCP packets is contained in those packets. No per-client state is
needed.  The above text suggests that the relay agent caches the
chaddr field in order to be able to route back DHCP responses. Why is
this needed? Isn't this info in the packet that needs to be relayed?

The answer appears to be no, as the chaddr field as defined in this
document isn't sufficiently useful for this.

Wouldn't it be better to (say) have the relay agent add a relay agent
option that includes information about the SA over which the packet
was received? When the server responds, that relay agent option could
contain the information needed to properly forward the packet. This would
be consistent with existing DHCP specifications and would eliminate
the need for the relay agent to maintain per-client state.

> For use in DHCv4 configuration of IPSEC tunnel mode, the client-
> identifier option SHOULD be included and set to something that is unique
> and persistent across reboots.  Possibilities include:
> 
> a) The htype/chaddr combination, if a LAN interface is present.
> 
> b) The machine FQDN concatenated with an interface number.
> 
> c) The user FQDN as determined from the user's NAI or certificate,
>    concatenated with an interface number.

Another possibility: why not just make it a MUST that a client
identifier option be used (i.e., this is the approach taken by RFC
2855), and then have the chaddr field be the IPv4 (public) address of
the client?  If this were done, the relay agent would just do its
normal processing. I.e., the IPv4 address would be who it forwards the
packet to.

The remaining comments are more editorial in nature.

> concatenating H'4OO0', the IPv4 address of the interface supplying

Do you mean 0x4000 ??

> the vendor-class-identifier option; the vendor-specific information
> option; the subnet selection option [15] or the host name option [18].

Citing Ralph and Ted's book here? Yikes! We should be citing the
definitive source, i.e., RFCs!!!

The spelling of IPsec isn't consistent. The document uses "Ipsec" and
"IPSEC". I believe the preferred spelling is IPsec.

The abstract is a verbatim copy of the introduction. This shouldn't be
the case.

The wording surrounding DHCP failover seems a bit weird. Note
that the DHCP failover mechanisms are transparent to DHCP clients.
When failover is present, it is just a private thing between DHCP
servers. Having this document cite DHCP failover as something it
supports or helps, seems a stretch.

The comparison between DHCP and IKECFG seems a bit long-winded.
Somewhat hidden, is the assumption that everyone runs DHCP on the
enterprise, including those folks using IKECFG. From that assumption,
it's pretty clear that having an all-DHCP solution would avoid many
problems that would be present if IKECFG and DHCP needed to sync up
behind the scenes. Can't you just come out and say that?  (Actually, I
personally don't see much reason to include the
comparison/justification -- the document itself has chosen DHCP).

Thomas
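
An added worked example, not code from the draft or from anyone on this thread, that puts the two relay models discussed above side by side: the stateful security gateway the quoted draft text describes, which caches xid and chaddr per client to route the DHCPOFFER back, and the stateless alternative suggested in the message, where the gateway tags the DHCPDISCOVER with a relay-agent-information option (82) naming the SA it arrived on and reads that tag back from the server's echo. The choice of sub-option 2 (Remote ID) to carry the SA identifier, the type-0 client identifier built from a NAI, the toy server's lease pool, and every address and SA name are assumptions made for the example.

```python
# Added example (not code from the draft or anyone on the thread): a toy DHCPv4
# exchange contrasting the draft's stateful relay, which caches (xid, chaddr) -> SA
# per client, with the stateless alternative of tagging the DISCOVER with a
# relay-agent-information option (82) that the server echoes back (RFC 3046).
# Assumed for the example: the SA id rides in sub-option 2 (Remote ID), the client
# identifier is type 0 + a NAI, and every address and SA name is constructed.
import struct

MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER = 1, 2
OPT_MSG_TYPE, OPT_CLIENT_ID, OPT_RELAY_INFO, OPT_END = 53, 61, 82, 255
SUBOPT_REMOTE_ID = 2
HDR = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed 236-byte header ahead of the magic cookie

def encode_options(opts):
    return b"".join(bytes([c, len(v)]) + v for c, v in opts) + bytes([OPT_END])

def decode_options(data):
    opts, i = [], 0
    while i < len(data) and data[i] != OPT_END:
        if data[i] == 0:                      # pad option carries no length byte
            i += 1
            continue
        code, ln = data[i], data[i + 1]
        opts.append((code, data[i + 2:i + 2 + ln]))
        i += 2 + ln
    return opts

def build(op, xid, giaddr, chaddr, yiaddr, opts):
    hdr = struct.pack(HDR, op, 1, 6, 0, xid, 0, 0, b"\0" * 4, yiaddr, b"\0" * 4,
                      giaddr, chaddr, b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC + encode_options(opts)

def parse(pkt):
    f = struct.unpack(HDR, pkt[:236])
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    return {"op": f[0], "xid": f[4], "yiaddr": f[8], "giaddr": f[10],
            "chaddr": f[11], "options": decode_options(pkt[240:])}

def toy_server(pkt, leases):
    """Lease keyed on client-identifier (61) when present, else on chaddr;
    an incoming option 82 is echoed back unchanged, as RFC 3046 requires."""
    p = parse(pkt)
    opts = dict(p["options"])
    if opts.get(OPT_MSG_TYPE) != bytes([DISCOVER]):
        raise ValueError("toy server only answers DISCOVER")
    key = opts.get(OPT_CLIENT_ID, p["chaddr"])
    if key not in leases:
        leases[key] = bytes([10, 0, 0, 100 + len(leases)])   # constructed pool
    reply = [(OPT_MSG_TYPE, bytes([OFFER]))]
    if OPT_RELAY_INFO in opts:
        reply.append((OPT_RELAY_INFO, opts[OPT_RELAY_INFO]))
    return build(BOOTREPLY, p["xid"], p["giaddr"], p["chaddr"], leases[key], reply)

class StatefulGateway:
    """The model in the quoted draft text: per-client state keyed on (xid, chaddr)."""
    def __init__(self, giaddr):
        self.giaddr, self.table = giaddr, {}
    def up(self, pkt, sa_id):
        p = parse(pkt)
        self.table[(p["xid"], p["chaddr"])] = sa_id
        return build(p["op"], p["xid"], self.giaddr, p["chaddr"], p["yiaddr"], p["options"])
    def down(self, pkt):
        p = parse(pkt)
        return self.table.pop((p["xid"], p["chaddr"])), pkt

class StatelessGateway:
    """The alternative: everything needed to route the reply travels in the packet."""
    def __init__(self, giaddr):
        self.giaddr = giaddr
    def up(self, pkt, sa_id):
        p = parse(pkt)
        # Discard any option 82 the remote host sent itself: only the relay names the SA.
        opts = [o for o in p["options"] if o[0] != OPT_RELAY_INFO]
        opts.append((OPT_RELAY_INFO, bytes([SUBOPT_REMOTE_ID, len(sa_id)]) + sa_id))
        return build(p["op"], p["xid"], self.giaddr, p["chaddr"], p["yiaddr"], opts)
    def down(self, pkt):
        p = parse(pkt)
        info = dict(p["options"])[OPT_RELAY_INFO]
        sa_id = info[2:2 + info[1]]
        opts = [o for o in p["options"] if o[0] != OPT_RELAY_INFO]   # strip before the client sees it
        return sa_id, build(p["op"], p["xid"], p["giaddr"], p["chaddr"], p["yiaddr"], opts)

def run_exchange(gateway, leases, xid, chaddr, client_id, sa_id):
    """Remote host DISCOVER -> gateway -> server -> gateway; returns (SA, offered address)."""
    discover = build(BOOTREQUEST, xid, b"\0" * 4, chaddr, b"\0" * 4,
                     [(OPT_MSG_TYPE, bytes([DISCOVER])), (OPT_CLIENT_ID, client_id)])
    offer = toy_server(gateway.up(discover, sa_id), leases)
    sa, to_client = gateway.down(offer)
    return sa, parse(to_client)["yiaddr"]

if __name__ == "__main__":
    gw, leases = StatelessGateway(bytes([192, 0, 2, 1])), {}
    # two remote hosts with no LAN interface (all-zero chaddr) but distinct client identifiers
    print(run_exchange(gw, leases, 0x1111, b"\0" * 16, b"\x00user1@example.com", b"SA-1"))
    print(run_exchange(gw, leases, 0x2222, b"\0" * 16, b"\x00user2@example.com", b"SA-2"))
```

Run directly, two remote hosts with identical all-zero chaddr values get distinct leases because the server keys on the client identifier, and each OFFER lands back on the right SA without the gateway keeping a table. The stateless gateway also throws away any option 82 the remote host supplies itself; a client allowed to assert its own SA tag could otherwise steer a reply toward another peer's tunnel.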


From owner-ietf-ipsra@mail.vpnc.org  Tue Apr 24 19:34:10 2001
Received: from above.proper.com ([208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id TAA17763
	for <ipsra-archive@odin.ietf.org>; Tue, 24 Apr 2001 19:34:09 -0400 (EDT)
Received: by above.proper.com (8.9.3/8.9.3) id PAA28581
	for ietf-ipsra-bks; Tue, 24 Apr 2001 15:48:25 -0700 (PDT)
Received: from eng1.certicom.com (ip7.certicom.com [209.121.99.7])
	by above.proper.com (8.9.3/8.9.3) with ESMTP id PAA28574
	for <ietf-ipsra@vpnc.org>; Tue, 24 Apr 2001 15:48:24 -0700 (PDT)
Received: from certicom.com ([10.0.2.254])
	by eng1.certicom.com (8.8.7/8.8.7) with ESMTP id SAA29475
	for <ietf-ipsra@vpnc.org>; Tue, 24 Apr 2001 18:48:26 -0400 (EDT)
	(envelope-from ypoeluev@certicom.com)
Message-ID: <3AE602F8.9F860116@certicom.com>
Date: Tue, 24 Apr 2001 18:49:29 -0400
From: Yuri Poeluev <ypoeluev@certicom.com>
Organization: Certicom Corp.
X-Mailer: Mozilla 4.75 [en] (Windows NT 5.0; U)
X-Accept-Language: en,ru
MIME-Version: 1.0
To: ietf-ipsra@vpnc.org
Subject: Re: Straw poll, round 2
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>
Content-Transfer-Encoding: 7bit

"No new protocol" - is the first choice
    When running IKE on small constrained devices "PIC"/"GetCert"
    introduces a potential problem due to code size, OS limitations,
    and other similar constraints.

"PIC" - is the second preferred choice, but *only if the first one is not accepted*
    By choosing it there is a possibility of reusing ISAKMP code from IKE
    implementation. Again it's an issue for the constrained devices.

Thanks
--
Yuri Poeluev
Certicom Corp.

Paul Hoffman / VPNC wrote:
>
> As discussed at the Minneapolis meeting, we need to take the straw
> poll again. My apologies for taking so long to get to it. We need to
> either choose between PIC and GetCert for the product of this Working
> Group, or to actively decide that the Working Group does not want to
> create a protocol.
>
> For this straw poll, please respond to this message, and simply say
> "PIC" or "GetCert" or "No new protocol". If you wish, you can say
> why, but please state your preference first. Please respond within
> two weeks from today.
>
> Note that this is a straw poll, not a "50%+1" straight vote. In the
> IETF tradition, the WG chairs will view the results and look for
> consensus. We (the chairs) will report back to the list soon after
> the two weeks are up.
>
> --Paul Hoffman, Director
> --VPN Consortium


From owner-ietf-ipsra@mail.vpnc.org  Fri Apr 27 07:31:36 2001
Received: from above.proper.com ([208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id HAA23549
	for <ipsra-archive@odin.ietf.org>; Fri, 27 Apr 2001 07:31:35 -0400 (EDT)
Received: by above.proper.com (8.9.3/8.9.3) id DAA11205
	for ietf-ipsra-bks; Fri, 27 Apr 2001 03:44:40 -0700 (PDT)
Received: from ietf.org (odin.ietf.org [132.151.1.176])
	by above.proper.com (8.9.3/8.9.3) with ESMTP id DAA11198
	for <ietf-ipsra@vpnc.org>; Fri, 27 Apr 2001 03:44:39 -0700 (PDT)
Received: from CNRI.Reston.VA.US (localhost [127.0.0.1])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id GAA21065;
	Fri, 27 Apr 2001 06:44:38 -0400 (EDT)
Message-Id: <200104271044.GAA21065@ietf.org>
Mime-Version: 1.0
Content-Type: Multipart/Mixed; Boundary="NextPart"
To: IETF-Announce: ;
Cc: ietf-ipsra@vpnc.org
From: Internet-Drafts@ietf.org
Reply-to: Internet-Drafts@ietf.org
Subject: I-D ACTION:draft-ietf-ipsec-dhcp-10.txt
Date: Fri, 27 Apr 2001 06:44:38 -0400
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>

--NextPart

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the IP Security Remote Access Working Group of the IETF.

	Title		: DHCPv4 Configuration of IPSEC Tunnel Mode
	Author(s)	: B. Patel, B. Aboba, S. Kelly, V. Gupta
	Filename	: draft-ietf-ipsec-dhcp-10.txt
	Pages		: 16
	Date		: 26-Apr-01
	
In many remote access scenarios, a mechanism for making the remote host
appear to be present on the local corporate network is quite useful.
This may be accomplished by assigning the host a 'virtual' address from
the corporate network, and then tunneling traffic via Ipsec from the
host's ISP-assigned address to the corporate security gateway. In IPv4,
Dynamic Host Configuration Protocol (DHCP) provides for such remote host
configuration. This draft explores the requirements for host
configuration in IPSEC tunnel mode, and describes how DHCPv4 may be
leveraged for configuration.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-ipsec-dhcp-10.txt

Internet-Drafts are also available by anonymous FTP. Login with the username
"anonymous" and a password of your e-mail address. After logging in,
type "cd internet-drafts" and then
	"get draft-ietf-ipsec-dhcp-10.txt".

A list of Internet-Drafts directories can be found in
http://www.ietf.org/shadow.html 
or ftp://ftp.ietf.org/ietf/1shadow-sites.txt


Internet-Drafts can also be obtained by e-mail.

Send a message to:
	mailserv@ietf.org.
In the body type:
	"FILE /internet-drafts/draft-ietf-ipsec-dhcp-10.txt".
	
NOTE:	The mail server at ietf.org can return the document in
	MIME-encoded form by using the "mpack" utility.  To use this
	feature, insert the command "ENCODING mime" before the "FILE"
	command.  To decode the response(s), you will need "munpack" or
	a MIME-compliant mail reader.  Different MIME-compliant mail readers
	exhibit different behavior, especially when dealing with
	"multipart" MIME messages (i.e. documents which have been split
	up into multiple messages), so check your local documentation on
	how to manipulate these messages.
		
		
Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.

--NextPart
Content-Type: Multipart/Alternative; Boundary="OtherAccess"

--OtherAccess
Content-Type: Message/External-body;
	access-type="mail-server";
	server="mailserv@ietf.org"

Content-Type: text/plain
Content-ID:	<20010426132418.I-D@ietf.org>

ENCODING mime
FILE /internet-drafts/draft-ietf-ipsec-dhcp-10.txt

--OtherAccess
Content-Type: Message/External-body;
	name="draft-ietf-ipsec-dhcp-10.txt";
	site="ftp.ietf.org";
	access-type="anon-ftp";
	directory="internet-drafts"

Content-Type: text/plain
Content-ID:	<20010426132418.I-D@ietf.org>

--OtherAccess--

--NextPart--




From owner-ietf-ipsra@mail.vpnc.org  Mon Apr 30 18:37:23 2001
Received: from above.proper.com ([208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id SAA27512
	for <ipsra-archive@odin.ietf.org>; Mon, 30 Apr 2001 18:37:22 -0400 (EDT)
Received: by above.proper.com (8.9.3/8.9.3) id OAA19789
	for ietf-ipsra-bks; Mon, 30 Apr 2001 14:45:58 -0700 (PDT)
Received: from [165.227.249.20] (ip20.proper.com [165.227.249.20])
	by above.proper.com (8.9.3/8.9.3) with ESMTP id OAA19784
	for <ietf-ipsra@vpnc.org>; Mon, 30 Apr 2001 14:45:56 -0700 (PDT)
Mime-Version: 1.0
X-Sender: phoffvpnc@mail.vpnc.org
Message-Id: <p05100342b7138d414602@[165.227.249.20]>
Date: Mon, 30 Apr 2001 14:45:56 -0700
To: ietf-ipsra@vpnc.org
From: Paul Hoffman / VPNC <paul.hoffman@vpnc.org>
Subject: WG last call on the requirements document
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>

As the straw poll wanes, I am reminded that we are supposed to have a 
WG last call for the requirements document. Please take a look at 
<http://www.ietf.org/internet-drafts/draft-ietf-ipsra-reqmts-03.txt> 
and post any comments you have to the list. This will be a normal 
two-week last call.

--Paul Hoffman, Director
--VPN Consortium


