From saag-bounces@ietf.org  Thu Jul  3 12:56:47 2008
Return-Path: <saag-bounces@ietf.org>
X-Original-To: saag-archive@ietf.org
Delivered-To: ietfarch-saag-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id D7A4F3A680E;
	Thu,  3 Jul 2008 12:56:47 -0700 (PDT)
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id B3E3C3A680E
	for <saag@core3.amsl.com>; Thu,  3 Jul 2008 12:56:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level: 
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[AWL=0.000, 
	BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32])
	by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id sDbZOKoa++HD for <saag@core3.amsl.com>;
	Thu,  3 Jul 2008 12:56:45 -0700 (PDT)
Received: from mgw-mx09.nokia.com (smtp.nokia.com [192.100.105.134])
	by core3.amsl.com (Postfix) with ESMTP id 8B5503A6774
	for <saag@ietf.org>; Thu,  3 Jul 2008 12:56:45 -0700 (PDT)
Received: from vaebh105.NOE.Nokia.com (vaebh105.europe.nokia.com
	[10.160.244.31])
	by mgw-mx09.nokia.com (Switch-3.2.6/Switch-3.2.6) with ESMTP id
	m63JuZDc013273 for <saag@ietf.org>; Thu, 3 Jul 2008 14:56:52 -0500
Received: from vaebh102.NOE.Nokia.com ([10.160.244.23]) by
	vaebh105.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); 
	Thu, 3 Jul 2008 22:56:35 +0300
Received: from vaebe104.NOE.Nokia.com ([10.160.244.59]) by
	vaebh102.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); 
	Thu, 3 Jul 2008 22:04:19 +0300
x-mimeole: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Thu, 3 Jul 2008 22:04:05 +0300
Message-ID: <1696498986EFEC4D9153717DA325CB720112A96B@vaebe104.NOE.Nokia.com>
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: Testing - please ignore
Thread-Index: AcjdP5BSyM0YPoF6RmiVM9TdKn5ibg==
From: <Pasi.Eronen@nokia.com>
To: <saag@ietf.org>
X-OriginalArrivalTime: 03 Jul 2008 19:04:19.0575 (UTC)
	FILETIME=[98C47870:01C8DD3F]
X-Nokia-AV: Clean
Subject: [saag] Testing - please ignore
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>,
	<mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>,
	<mailto:saag-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: saag-bounces@ietf.org
Errors-To: saag-bounces@ietf.org

(checking that the archives are now working properly...)
_______________________________________________
saag mailing list
saag@ietf.org
https://www.ietf.org/mailman/listinfo/saag


From saag-bounces@ietf.org  Wed Jul 23 08:15:59 2008
Return-Path: <saag-bounces@ietf.org>
X-Original-To: saag-archive@ietf.org
Delivered-To: ietfarch-saag-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id A9B963A6A2A;
	Wed, 23 Jul 2008 08:15:59 -0700 (PDT)
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id 6CE873A6A2A
	for <saag@core3.amsl.com>; Wed, 23 Jul 2008 08:15:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.088
X-Spam-Level: 
X-Spam-Status: No, score=-2.088 tagged_above=-999 required=5
	tests=[AWL=-0.042, BAYES_00=-2.599, HELO_MISMATCH_COM=0.553]
Received: from mail.ietf.org ([64.170.98.32])
	by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id 2mCClbusJbhJ for <saag@core3.amsl.com>;
	Wed, 23 Jul 2008 08:15:57 -0700 (PDT)
Received: from balder-227.proper.com (Balder-227.Proper.COM [192.245.12.227])
	by core3.amsl.com (Postfix) with ESMTP id 852BB3A6A4A
	for <saag@ietf.org>; Wed, 23 Jul 2008 08:15:57 -0700 (PDT)
Received: from [10.20.30.152] (dsl-63-249-108-169.cruzio.com [63.249.108.169])
	(authenticated bits=0)
	by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id m6NFFOJM085052
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
	for <saag@ietf.org>; Wed, 23 Jul 2008 08:15:25 -0700 (MST)
	(envelope-from paul.hoffman@vpnc.org)
Mime-Version: 1.0
Message-Id: <p06240803c4acfa8974e7@[10.20.30.152]>
Date: Wed, 23 Jul 2008 08:15:21 -0700
To: saag@ietf.org
From: Paul Hoffman <paul.hoffman@vpnc.org>
Subject: [saag] Request for review of an upcoming NIST document on firewalls
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>,
	<mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>,
	<mailto:saag-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Sender: saag-bounces@ietf.org
Errors-To: saag-bounces@ietf.org

Greetings. I have excerpted a recent NIST request for comments on a 
pending document below. I am the co-author of the document, and we 
really do want suggestions from the firewall side of the security 
community on the document.

NIST SP 800 documents are long-lived and are relied on by a very 
large audience, particularly by people throughout the US government. 
Improvements that can be made to this draft now will help people 
buying and administering firewalls for many years.

If you would, please take the time to read the draft. If you find 
anything, large or small, please send comments to the NIST address 
listed. (Sending comments to me is not a good idea because I can't 
just make changes at this stage; they should go through the NIST 
review process.) Every comment will be read and many will have direct 
effects on the content of the final document.

Also, please pass this along to anyone in your organization who might 
have time to review the document. Thanks in advance!

--Paul Hoffman, Director
--VPN Consortium

>3. Draft SP 800-41 Revision 1, Guidelines on Firewalls and Firewall 
>Policy, provides recommendations on developing firewall policies and 
>on selecting, configuring, testing, deploying, and managing 
>firewalls. The publication covers a number of firewall technologies, 
>including packet filtering, stateful inspection, application-proxy 
>gateways, host-based, and personal firewalls. SP 800-41 Revision 1 
>updates the original publication, which was released in 2002. NIST 
>requests comments on draft SP 800-41 Revision 1 by August 15, 2008. 
>Please submit comments to 800-41comments@nist.gov with "Comments SP 
>800-41" in the subject line.
>
>URL: http://csrc.nist.gov/publications/PubsDrafts.html#800-41-Rev1


From saag-bounces@ietf.org  Wed Jul 30 02:49:08 2008
Return-Path: <saag-bounces@ietf.org>
X-Original-To: saag-archive@ietf.org
Delivered-To: ietfarch-saag-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id 7418728C21E;
	Wed, 30 Jul 2008 02:49:08 -0700 (PDT)
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id 7893B28C21E
	for <saag@core3.amsl.com>; Wed, 30 Jul 2008 02:49:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.001, 
	BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32])
	by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id 4U6y++Cyz1wL for <saag@core3.amsl.com>;
	Wed, 30 Jul 2008 02:49:04 -0700 (PDT)
Received: from dlpdemo.checkpoint.com (dlpdemo.checkpoint.com [194.29.32.54])
	by core3.amsl.com (Postfix) with ESMTP id 4AEA128C1AC
	for <saag@ietf.org>; Wed, 30 Jul 2008 02:49:01 -0700 (PDT)
Received: by dlpdemo.checkpoint.com (Postfix, from userid 105)
	id B140A294006; Wed, 30 Jul 2008 12:49:14 +0300 (IDT)
Received: from michael.checkpoint.com (michael.checkpoint.com [194.29.32.68])
	by dlpdemo.checkpoint.com (Postfix) with ESMTP id 906C3200D6D
	for <saag@ietf.org>; Wed, 30 Jul 2008 12:46:49 +0300 (IDT)
Received: from [172.31.21.53] (localhost [127.0.0.1])
	by michael.checkpoint.com (8.12.10+Sun/8.12.10) with ESMTP id
	m6U9kmjI001591
	for <saag@ietf.org>; Wed, 30 Jul 2008 12:46:49 +0300 (IDT)
Message-ID: <48903886.5060403@checkpoint.com>
Date: Wed, 30 Jul 2008 10:46:46 +0100
From: Yaron Sheffer <yaronf@checkpoint.com>
User-Agent: Thunderbird 2.0.0.16 (Windows/20080708)
MIME-Version: 1.0
To: saag@ietf.org
Subject: [saag] ipsecme meeting summary
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>,
	<mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>,
	<mailto:saag-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Sender: saag-bounces@ietf.org
Errors-To: saag-bounces@ietf.org

Ipsecme, formed nearly a month ago, met for the first time on Monday 
morning. The meeting was well attended and rather lively.

Most of the time was spent on the group's chartered work items, and both 
the charter and the "starting point" documents were presented. All 
existing documents are still individual I-Ds, and volunteers were (and 
are) solicited to edit the WG docs. Our goal is to have -00 WG documents 
out within a few weeks, for all cases where starting points exist (i.e. 
all but a single document).

The group's charter covers:

- IKEv2 bis
- IPsec roadmap
- IKEv2 IPv6 configuration
- IKE session resumption
- IKE redirect
- ESP-null visibility

Most of the discussion was around precise scoping of the IKEv2 bis and 
the session resumption documents.

Regards,

    Paul Hoffman and Yaron Sheffer


From saag-bounces@ietf.org  Wed Jul 30 08:14:05 2008
Return-Path: <saag-bounces@ietf.org>
X-Original-To: saag-archive@ietf.org
Delivered-To: ietfarch-saag-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id 373043A6979;
	Wed, 30 Jul 2008 08:14:05 -0700 (PDT)
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id 6F0413A68C8
	for <saag@core3.amsl.com>; Wed, 30 Jul 2008 08:14:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5
	tests=[BAYES_00=-2.599, J_CHICKENPOX_21=0.6]
Received: from mail.ietf.org ([64.170.98.32])
	by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id L6wvku74j8uv for <saag@core3.amsl.com>;
	Wed, 30 Jul 2008 08:14:02 -0700 (PDT)
Received: from bacon.cs.umd.edu (server-nat-4.cs.umd.edu [128.8.127.147])
	by core3.amsl.com (Postfix) with ESMTP id 73FAD3A68C7
	for <saag@ietf.org>; Wed, 30 Jul 2008 08:14:02 -0700 (PDT)
Received: from [130.129.18.59] ([130.129.18.59]) (authenticated bits=0)
	by bacon.cs.umd.edu (8.13.1/8.14.1) with ESMTP id m6UFE7WR012734
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
	for <saag@ietf.org>; Wed, 30 Jul 2008 11:14:11 -0400
Message-ID: <4890853F.7050607@ltsnet.net>
Date: Wed, 30 Jul 2008 11:14:07 -0400
From: Charles Clancy <clancy@ltsnet.net>
User-Agent: Thunderbird 2.0.0.16 (X11/20080724)
MIME-Version: 1.0
To: saag@ietf.org
X-CSD-MailScanner-Information: Please email staff@cs.umd.edu for more
	information
X-CSD-MailScanner: Found to be clean
X-CSD-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=-50,
	required 5, autolearn=not spam, ALL_TRUSTED -50.00)
X-CSD-MailScanner-From: clancy@ltsnet.net
Subject: [saag] HOKEY WG meeting summary
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>,
	<mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>,
	<mailto:saag-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Sender: saag-bounces@ietf.org
Errors-To: saag-bounces@ietf.org

HOKEY met briefly Wednesday morning.

An update on the current documents was provided.  Since the last IETF 
meeting, the reauthentication problem statement document has been 
published as RFC 5169, and both the EMSK key hierarchy document and ERX 
are in the RFC Editor's queue.  Most of the working group's time since 
the last meeting was spent getting the latter two documents through IESG 
review.

The preauthentication problem statement has completed its second WGLC, 
and will be moving forward for shepherd, AD, and IESG review.

The one major remaining task is the key management document.  List 
discussion since the last IETF confirmed the consensus derived there, 
and the group will be implementing the proposed plan.  This basically 
involves trimming down the existing document into a request/response 
architecture defined as RADIUS attributes for delivering keys to various 
AAA entities.  We expect to have this document mostly complete before 
the next IETF meeting.

--
t. charles clancy, ph.d.                 eng.umd.edu/~tcc
electrical & computer engineering, university of maryland


From saag-bounces@ietf.org  Thu Jul 31 01:13:39 2008
Return-Path: <saag-bounces@ietf.org>
X-Original-To: saag-archive@ietf.org
Delivered-To: ietfarch-saag-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id E43A83A69E6;
	Thu, 31 Jul 2008 01:13:38 -0700 (PDT)
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id 76F9D3A6A3F
	for <saag@core3.amsl.com>; Thu, 31 Jul 2008 01:13:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, 
	BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32])
	by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id zuU1LD2EWBDy for <saag@core3.amsl.com>;
	Thu, 31 Jul 2008 01:13:37 -0700 (PDT)
Received: from vms046pub.verizon.net (vms046pub.verizon.net [206.46.252.46])
	by core3.amsl.com (Postfix) with ESMTP id 8A4A13A677C
	for <saag@ietf.org>; Thu, 31 Jul 2008 01:13:37 -0700 (PDT)
Received: from ttdwqeq.meeting.ietf.org ([130.129.23.161])
	by vms046.mailsrvcs.net
	(Sun Java System Messaging Server 6.2-6.01 (built Apr  3 2006))
	with ESMTPA id <0K4V00KK12U917G7@vms046.mailsrvcs.net> for
	saag@ietf.org; Thu, 31 Jul 2008 03:13:22 -0500 (CDT)
Date: Thu, 31 Jul 2008 09:13:20 +0100
From: Tim Polk <tim.polk@nist.gov>
To: saag@ietf.org
Message-id: <4D45F9B3-779C-4C83-B408-D5B2D5745E86@nist.gov>
MIME-version: 1.0 (Apple Message framework v926)
X-Mailer: Apple Mail (2.926)
References: <48916366.4060908@sun.com>
Subject: [saag] IETF 72 Kitten Working Group Summary
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>,
	<mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>,
	<mailto:saag-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"; DelSp="yes"
Sender: saag-bounces@ietf.org
Errors-To: saag-bounces@ietf.org

[Forwarded to circumvent mail list snafu]

>
> The kitten-wg met Tuesday, 7/29/08, during afternoon session three.
>
> Co-chairs: Alexey Melnikov and Shawn Emery
>
> The goals of the meeting were to go over the active working items and
> Milestones.
>
> Important developments included both domain-based drafts:
> draft-ietf-kitten-gssapi-domain-based-names
> draft-ietf-kitten-gssapi-krb5-domain-based-names
>
> Both are now published RFCs:
> RFC5178
> RFC5179
>
> respectively.
>
> IANA extension draft:
> draft-ietf-kitten-gssapi-extensions-iana-04
>
> updates were made to provide registration, change control, and  
> expert review procedures.  Will start WGLC this week.
>
> The channel-bindings clarification draft:
> draft-ietf-kitten-gssapi-channel-bindings-04
>
> introduction and IANA sections created.  WGLC ended in April, sent  
> to AD for publication, and starting PROTO writeup this week.
>
> The naming extensions ID:
> draft-ietf-kitten-gssapi-naming-exts-03
>
> updates were made to this draft, including the creation of the  
> security considerations section.  Leif Johansson had a number of
> issues with the draft: are the critical and mapped flags needed?
> What is the use-case of negative attributes?  WG decided to take
> these questions to the list.
>
> Java bindings draft:
> draft-ietf-kitten-rfc2853bis-04
>
> WGLC ended this week.  There was an issue brought up on the list,  
> which the chairs will follow-up with the editors.
>
> Larry Zhu presented an individual submission on extended GSS-API  
> negotiation mechanism (NegoEx).  Looking for feed-back from the WG.
>
> Milestones have been pushed out. Co-chairs will update with the new  
> time lines shortly.
>
> Shawn and Alexey.
> --
>
>
>
>



From saag-bounces@ietf.org  Thu Jul 31 02:47:28 2008
Return-Path: <saag-bounces@ietf.org>
X-Original-To: saag-archive@ietf.org
Delivered-To: ietfarch-saag-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id 0C6763A6C1D;
	Thu, 31 Jul 2008 02:47:28 -0700 (PDT)
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id D0A4F3A6AE9
	for <saag@core3.amsl.com>; Thu, 31 Jul 2008 02:47:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.299
X-Spam-Level: 
X-Spam-Status: No, score=-1.299 tagged_above=-999 required=5 tests=[AWL=1.300, 
	BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32])
	by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id no3uppx3g5Ve for <saag@core3.amsl.com>;
	Thu, 31 Jul 2008 02:47:26 -0700 (PDT)
Received: from relay.imagine.ie (relay.imagine.ie [87.232.1.40])
	by core3.amsl.com (Postfix) with ESMTP id ECF773A6A60
	for <saag@ietf.org>; Thu, 31 Jul 2008 02:47:25 -0700 (PDT)
Received: from mail2.int.imagine.ie (mail2 [87.232.1.153])
	by relay.imagine.ie (Postfix) with ESMTP id 6190532340;
	Thu, 31 Jul 2008 10:47:29 +0100 (IST)
Received: from [10.87.48.5] (dsl-102-234.cust.imagine.ie [87.232.102.234])
	by mail2.int.imagine.ie (8.13.4/8.13.4/Debian-3) with ESMTP id
	m6V9lPuc006136
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT);
	Thu, 31 Jul 2008 10:47:27 +0100
Message-ID: <48918A92.7050205@cs.tcd.ie>
Date: Thu, 31 Jul 2008 10:49:06 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Thunderbird 2.0.0.14 (X11/20080421)
MIME-Version: 1.0
To: saag@ietf.org, ietf-dkim <ietf-dkim@mipassoc.org>
X-Enigmail-Version: 0.95.6
Content-Type: multipart/mixed; boundary="------------040100010507010103010307"
X-Bayes-Prob: 0.0001 (Score 0)
X-Canit-Stats-ID: 29601202 - f39ce6d7aa4c (trained as not-spam)
X-CanItPRO-Stream: outgoing
X-Scanned-By: CanIt (www . roaringpenguin . com) on 87.232.1.53
Subject: [saag] DKIM notes for SAAG
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>,
	<mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>,
	<mailto:saag-request@ietf.org?subject=subscribe>
Sender: saag-bounces@ietf.org
Errors-To: saag-bounces@ietf.org

This is a multi-part message in MIME format.
--------------040100010507010103010307
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit


Attached,
Stephen.


--------------040100010507010103010307
Content-Type: text/plain;
 name="minutes.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="minutes.txt"


DKIM met Monday afternoon, 62 people attended.

Main goal of the meeting was to get the ADSP and Overview documents to the
start of WGLC. Each had a couple of open issues at the start of the meeting
that were discussed and resolved (modulo confirmation on the list).  The result
was that a new rev of ADSP will be published this week.  WGLC on both documents
will start at that point.

The deployment guide was briefly presented and work on that continues.

A couple of proposals were made for new work that might require re-chartering.
There was some, but not overwhelming, interest in pursuing these, but the group
won't have that discussion until after the two current documents are in the
hands of the IESG.

--------------040100010507010103010307
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline


--------------040100010507010103010307--


From saag-bounces@ietf.org  Thu Jul 31 02:55:34 2008
Return-Path: <saag-bounces@ietf.org>
X-Original-To: saag-archive@ietf.org
Delivered-To: ietfarch-saag-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id 521D13A696C;
	Thu, 31 Jul 2008 02:55:33 -0700 (PDT)
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id 034993A696C
	for <saag@core3.amsl.com>; Thu, 31 Jul 2008 02:55:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.173
X-Spam-Level: 
X-Spam-Status: No, score=-5.173 tagged_above=-999 required=5 tests=[AWL=1.426, 
	BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32])
	by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id h5jgcIiqVENS for <saag@core3.amsl.com>;
	Thu, 31 Jul 2008 02:55:27 -0700 (PDT)
Received: from biscayne-one-station.mit.edu (BISCAYNE-ONE-STATION.MIT.EDU
	[18.7.7.80]) by core3.amsl.com (Postfix) with ESMTP id E94B93A691A
	for <saag@ietf.org>; Thu, 31 Jul 2008 02:55:18 -0700 (PDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH.MIT.EDU [18.7.22.103])
	by biscayne-one-station.mit.edu (8.13.6/8.9.2) with ESMTP id
	m6V9sed1021822
	for <saag@ietf.org>; Thu, 31 Jul 2008 05:54:42 -0400 (EDT)
Received: from cathode-dark-space.mit.edu (CATHODE-DARK-SPACE.MIT.EDU
	[18.18.1.96]) (authenticated bits=56)
	(User authenticated as tlyu@ATHENA.MIT.EDU)
	by outgoing.mit.edu (8.13.6/8.12.4) with ESMTP id m6V9sdp2005355
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT)
	for <saag@ietf.org>; Thu, 31 Jul 2008 05:54:40 -0400 (EDT)
Received: (from tlyu@localhost) by cathode-dark-space.mit.edu (8.12.9.20060308)
	id m6V9sdF5016184; Thu, 31 Jul 2008 05:54:39 -0400 (EDT)
To: saag@ietf.org
From: Tom Yu <tlyu@MIT.EDU>
Date: Thu, 31 Jul 2008 05:54:39 -0400
Message-ID: <ldvr69atm3k.fsf@cathode-dark-space.mit.edu>
Lines: 53
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.42
Subject: [saag] IETF72 SASL summary
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>,
	<mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>,
	<mailto:saag-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: saag-bounces@ietf.org
Errors-To: saag-bounces@ietf.org

Simple Authentication And Security Layer (SASL)
IETF72, Dublin, IE

Tuesday, July 29, 2008 at 15:20-17:20
=====================================

Chairs:

Tom Yu <tlyu@mit.edu>
Kurt Zeilenga <kurt.zeilenga@isode.com>

====================

Thanks to Larry Zhu for scribing.

draft-ietf-sasl-crammd5-10 - answer outstanding comments, new rev to
IESG with Informational status and explicitly marking 2195 Historic.

draft-ietf-sasl-gs2-10 - need rev; gated on SCRAM (which would be the
first user of the framework)

draft-melnikov-digest-to-historic-00 - expired; awaiting SCRAM

draft-newman-auth-scram-06 - new doc available

Chairs have been lame about rechartering; will get that back on
track.  Chairs will produce biweekly summary of who currently has the
ball for each task.

Alexey Melnikov talks about SCRAM.  Some discussion about channel
binding, extensibility, and per-user PBKDF2 iteration counts.  Desire
for LDAP attribute for storing SCRAM authentication information.
Chris Newman will not implement SCRAM if nobody writes about how to
store its auth info in LDAP.  Sam Hartman and Nico Williams have some
rough ABNF describing how to turn SCRAM into a GS2 mechanism; it still
needs work.

Stefan Santesson talks about non-WG document about HTTP digest with
channel binding to TLS.

Kurt talks about revising SASLprep.  It currently references
stringprep, which references a fixed Unicode version.  The new
approach uses Unicode parameters, and is more immune to Unicode
updates.

Milestones:

Aug 08 - send impl. questionnaire (Chris sent during WG session!)
Aug 08 - 4422bis - editorial revisions
Sep 08 - 4422bis WGLC
Oct 08 - SCRAM WGLC
Nov 08 - SCRAM to IESG
Nov 08 - impl. report
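The SASL summary above mentions per-user PBKDF2 iteration counts and the question of what "SCRAM authentication information" a server would have to store in LDAP. The following is an added illustration, not part of Tom Yu's summary nor code from the SASL working group: it derives the per-user record a SCRAM verifier keeps and checks a client proof against it, following the SCRAM-SHA-1 derivation as later published in RFC 5802 (the -06 draft discussed at this meeting may differ in detail). User names, nonces, salts, passwords and iteration counts are constructed sample values.

```python
"""SCRAM-SHA-1 credential storage and proof verification (RFC 5802 mechanics).

Added example, not from the SASL minutes or the SASL WG's documents. It shows
what a verifier (or an LDAP directory) holds per user, why the iteration count
is a per-user attribute, and how a proof is checked without storing a password.
"""
import base64
import hashlib
import hmac
from dataclasses import dataclass


def hi(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Hi() of RFC 5802 is PBKDF2 with HMAC-SHA-1 and the hash's 20-byte output."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations)


@dataclass(frozen=True)
class StoredCredential:
    """The per-user record the verifier keeps: no password, no SaltedPassword."""
    salt: bytes
    iterations: int      # per-user, so the cost can be raised for new enrolments
    stored_key: bytes    # H(ClientKey)
    server_key: bytes    # HMAC(SaltedPassword, "Server Key")


def enroll(password: str, salt: bytes, iterations: int) -> StoredCredential:
    """Derive the stored record; the password is needed only at enrolment time."""
    salted = hi(password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    return StoredCredential(salt, iterations, hashlib.sha1(client_key).digest(), server_key)


def auth_message(user: str, cnonce: str, snonce: str, salt: bytes, iterations: int) -> bytes:
    """AuthMessage = client-first-bare , server-first , client-final-without-proof.
    'c=biws' is base64("n,,"), the GS2 header saying no channel binding is used."""
    client_first_bare = f"n={user},r={cnonce}"
    server_first = f"r={cnonce}{snonce},s={base64.b64encode(salt).decode('ascii')},i={iterations}"
    client_final_bare = f"c=biws,r={cnonce}{snonce}"
    return f"{client_first_bare},{server_first},{client_final_bare}".encode("ascii")


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def client_proof(password: str, user: str, cnonce: str, snonce: str,
                 salt: bytes, iterations: int) -> bytes:
    """Client side: salt and iteration count arrive in server-first; the client
    recomputes ClientKey and masks it with ClientSignature = HMAC(StoredKey, AuthMessage)."""
    salted = hi(password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    msg = auth_message(user, cnonce, snonce, salt, iterations)
    client_sig = hmac.new(stored_key, msg, hashlib.sha1).digest()
    return _xor(client_key, client_sig)


def verify_client_proof(cred: StoredCredential, user: str, cnonce: str,
                        snonce: str, proof: bytes) -> bool:
    """Server side: unmask ClientKey from the proof and check H(ClientKey) == StoredKey.
    The nonces bind the proof to this exchange, so a captured proof cannot be replayed."""
    msg = auth_message(user, cnonce, snonce, cred.salt, cred.iterations)
    client_sig = hmac.new(cred.stored_key, msg, hashlib.sha1).digest()
    recovered_client_key = _xor(proof, client_sig)
    return hmac.compare_digest(hashlib.sha1(recovered_client_key).digest(), cred.stored_key)


def server_signature(cred: StoredCredential, user: str, cnonce: str, snonce: str) -> bytes:
    """ServerSignature = HMAC(ServerKey, AuthMessage): the server's half of mutual auth."""
    msg = auth_message(user, cnonce, snonce, cred.salt, cred.iterations)
    return hmac.new(cred.server_key, msg, hashlib.sha1).digest()


def expected_server_signature(password: str, user: str, cnonce: str, snonce: str,
                              salt: bytes, iterations: int) -> bytes:
    """What the client expects the server to return; computed from the password."""
    salted = hi(password.encode("utf-8"), salt, iterations)
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    msg = auth_message(user, cnonce, snonce, salt, iterations)
    return hmac.new(server_key, msg, hashlib.sha1).digest()


if __name__ == "__main__":
    # Constructed sample data: two users enrolled with different iteration counts.
    alice = enroll("pencil", b"constructed-salt-alice", 4096)
    bob = enroll("pencil", b"constructed-salt-bob", 16384)
    for name, cred in (("alice", alice), ("bob", bob)):
        proof = client_proof("pencil", name, "cnonce-1", "snonce-1", cred.salt, cred.iterations)
        print(name, "i =", cred.iterations, "proof ok:",
              verify_client_proof(cred, name, "cnonce-1", "snonce-1", proof))
```

The four fields of `StoredCredential` are exactly what a directory entry would need to carry for a user: salt, iteration count, StoredKey and ServerKey. Because the iteration count travels with the record and is echoed to the client in the server-first message, an administrator can raise it for newly enrolled or re-enrolled users without touching anyone else's entry, which is the point of making it per-user rather than a global setting.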


From saag-bounces@ietf.org  Thu Jul 31 03:21:57 2008
Return-Path: <saag-bounces@ietf.org>
X-Original-To: saag-archive@ietf.org
Delivered-To: ietfarch-saag-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id 6B7533A6C58;
	Thu, 31 Jul 2008 03:21:57 -0700 (PDT)
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id E76513A6C58
	for <saag@core3.amsl.com>; Thu, 31 Jul 2008 03:21:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level: 
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5
	tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32])
	by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id 9T-Yh-TW+4mA for <saag@core3.amsl.com>;
	Thu, 31 Jul 2008 03:21:54 -0700 (PDT)
Received: from sj-iport-2.cisco.com (sj-iport-2.cisco.com [171.71.176.71])
	by core3.amsl.com (Postfix) with ESMTP id A89B43A6C51
	for <saag@ietf.org>; Thu, 31 Jul 2008 03:21:54 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.31,285,1215388800"; d="scan'208";a="70831108"
Received: from sj-dkim-4.cisco.com ([171.71.179.196])
	by sj-iport-2.cisco.com with ESMTP; 31 Jul 2008 10:15:00 +0000
Received: from sj-core-2.cisco.com (sj-core-2.cisco.com [171.71.177.254])
	by sj-dkim-4.cisco.com (8.12.11/8.12.11) with ESMTP id m6VAF0rX007790
	for <saag@ietf.org>; Thu, 31 Jul 2008 03:15:00 -0700
Received: from xbh-sjc-231.amer.cisco.com (xbh-sjc-231.cisco.com
	[128.107.191.100])
	by sj-core-2.cisco.com (8.13.8/8.13.8) with ESMTP id m6VAF0JZ018166
	for <saag@ietf.org>; Thu, 31 Jul 2008 10:15:00 GMT
Received: from xmb-sjc-225.amer.cisco.com ([128.107.191.38]) by
	xbh-sjc-231.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); 
	Thu, 31 Jul 2008 03:15:00 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Thu, 31 Jul 2008 03:15:33 -0700
Message-ID: <AC1CFD94F59A264488DC2BEC3E890DE5063FEFEC@xmb-sjc-225.amer.cisco.com>
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: Summary for TLS WG
thread-index: Acjy9l5EVUDoZfB9RHaIabpf9AuS4Q==
From: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
To: <saag@ietf.org>
X-OriginalArrivalTime: 31 Jul 2008 10:15:00.0311 (UTC)
	FILETIME=[4A565E70:01C8F2F6]
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=645; t=1217499300; x=1218363300;
	c=relaxed/simple; s=sjdkim4002;
	h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version;
	d=cisco.com; i=jsalowey@cisco.com;
	z=From:=20=22Joseph=20Salowey=20(jsalowey)=22=20<jsalowey@ci
	sco.com> |Subject:=20Summary=20for=20TLS=20WG |Sender:=20;
	bh=70oScM4710XaT4bOGUq3KqDS1oKFjiP9luFZHJM4TSk=;
	b=o9OkTbWdH1AY9Va7JZIKFje9/yOXvdLXO/3ftZ/+fh9t1nxmJrfjXauz5x
	LFFxzjgAu0jO+yM+boA0JkozPhCyabr8WYRR0ZKh4bbPC46eURYmZFoLRWXn
	3CEN9JwS4x;
Authentication-Results: sj-dkim-4; header.From=jsalowey@cisco.com; dkim=pass (
	sig from cisco.com/sjdkim4002 verified; ); 
Subject: [saag] Summary for TLS WG
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>,
	<mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>,
	<mailto:saag-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: saag-bounces@ietf.org
Errors-To: saag-bounces@ietf.org

The TLS working group met on Monday afternoon.  TLS 1.2 is in auth-48
waiting on one issue to be resolved; it should be published soon.  We
discussed the remaining open issues on the extensions document
(4366bis).  Once discussion on the list completes, this document will be
revised for WG last call.  We also had some discussion on DTLS 1.2, which
is a new working group draft.  There are several cipher suite documents
waiting for the publication of TLS 1.2.  We had a presentation on using
TLS for key management for applications.  This seems to be out of scope
for the group.  We also had a presentation on Camellia cipher suites.

Joe
_______________________________________________
saag mailing list
saag@ietf.org
https://www.ietf.org/mailman/listinfo/saag


From saag-bounces@ietf.org  Thu Jul 31 05:13:59 2008
From: Larry Zhu <lzhu@windows.microsoft.com>
To: "saag@ietf.org" <saag@ietf.org>
Importance: high
Date: Thu, 31 Jul 2008 05:12:14 -0700
Message-ID: <AB1E5627D2489D45BD01B84BD5B90046061BC5B4D2@NA-EXMSG-W601.wingroup.windeploy.ntdev.microsoft.com>
Subject: [saag] FW: Kerberos WG IETF72 meeting summary

________________________________
From: Larry Zhu
Sent: Thursday, July 31, 2008 5:11 AM
To: ietf-krb-wg@anl.gov; saag@mit.edu
Subject: Kerberos WG IETF72 meeting summary


This is a SUMMARY of the Kerberos WG meeting held this week in Dublin,
Ireland, as part of the 72nd IETF meeting. Full minutes will be posted at
a later date.

-- larry

Kerberos Working Group - IETF 72 meeting summary

ACTION ITEMS:
* Nicolas Williams – send an updated version of set-change password
* Chairs – finish review and writeup of cross-realm problem statement
* Larry Zhu – respond to one last comment to the naming draft
* Larry Zhu – follow up on the remaining comments for the anonymous ID
* Leif Johansson – summarize discussions on missing attributes in the
  data model document
* Gareth Richard – respond to existing and future comments for the OTP
  currently in WGLC
* Sam Hartman and Larry Zhu – resolve open issues in the Kerberos preauth
  framework document
* Larry Zhu and Tim Polk – validation of KDF test vectors and followup
* Shoichi Sakane – explain to the list why DNS is not acceptable for the
  DHCPv6 options
* Chairs – writeup of summary of STARTTLS discussion
* Shawn Emery – update the hash agility document per agreements in the
  last meeting and on the list
* Larry Zhu – refresh IAKERB and get it ready for WGLC

DECISIONS (to be validated):
* "SHOULD" remove AD-INITIAL-VERIFIED-CAS in the anonymous draft
* restrict anonymous PKINIT to full anonymity and turn off the KDC's
  ability to add back partial anonymity
* add a padata to PKINIT to enforce that the ticket session key is
  derived from the DH or ECDH exchange

SESSION SUMMARY:

We reviewed the status of several documents that are working their way
through the queue, and discussed several documents which have recently
concluded IETF or Working Group Last Call.

• The set-change password document is waiting for an updated version
  which the author didn't quite get in before the meeting, and then it
  will go to Tim and the IESG.

• The cross-realm problem statement document finished WG last call some
  time ago, and has been waiting for the chairs to finish their review
  and writeup.

• All issues for the PKINIT ECC document have been resolved and it is
  waiting for a go-ahead from Tim.

• There were comments on missing attributes in the data-model documents.
  Leif is to follow up with a summary of the discussion to the list. A
  new revision and another last call are expected.

• There were a few remaining issues for the anonymous draft, and a new
  revision is expected. No decision was made on whether another last
  call is necessary.  The working group had two decisions to be
  validated on the list: 1) "SHOULD" remove AD-INITIAL-VERIFIED-CAS in
  the anonymous draft, 2) restrict anonymous PKINIT to full anonymity
  and turn off the KDC's ability to add back partial anonymity.

• There is one unresolved comment for the naming draft and it is
  expected to be straightforward.

• The last revision of the hash agility document does not address all
  the comments, and Shawn is to publish a new revision.

• The PKINIT KDF document needs test vectors to be validated.

The OTP document is currently in working group last call.

We then proceeded to the technical discussion section. Sam Hartman
reviewed recent updates to the Preauth Framework document and discussed
open issues. We discussed a MITM issue under one specific configuration
where the channel is established using anonymous Diffie-Hellman. This
issue was discovered in the context of the encrypted challenge preauth
data type introduced in the last revision, and the working group
discussed several options to fix the issue. One way to fix it is to
combine the long-term key with the replaced key. We discussed unique
channel binding using anonymous PKINIT. In addition, we will add a
padata to PKINIT to combine the reply key with the ticket session key,
so that no party can unilaterally determine the ticket session key. The
ticket key is later used in the Kerberos preauth framework in naming the
outer channel; with the additional change to combine the client session
key and the ticket session key to form the armor key, no party can
unilaterally determine the armor key.

At the open mic, Shoichi Sakane mentioned the proposal he brought to
the dhc working group to create a DHCPv6 option for identifying a KDC.
There is no support in the working group, and Shoichi is asked to
explain to the list why DNS is not acceptable in the applicable
environment.


From saag-bounces@ietf.org  Thu Jul 31 06:36:19 2008
Date: Thu, 31 Jul 2008 06:37:12 -0700
To: saag@ietf.org
From: "Gregory M. Lebovitz" <gregory.ietf@gmail.com>
Message-ID: <4891bfbd.1bbc720a.19a9.0373@mx.google.com>
Subject: [saag] Comments: SAAG SSL-VPN Preso

Paul Hoffman delivered a very helpful survey of SSL-VPNs, based on 
work done by his VPN Consortium, and captured also in a document he 
authored: "NIST SP 800-113, Guide to SSL VPNs". See his slides here: 
http://www.ietf.org/proceedings/08jul/slides/saag-2.pdf .

Thanks, Paul, for this very helpful preso.

As someone with deployment experience with these products and their 
usage (read: my day job sells these types of devices), I have some 
comments and/or clarifications that others may find useful.

1 - Paul's slides say "SSL-VPN" repeatedly. While the market refers 
to them as such, they are really mostly TLS-VPNs at this point. Paul 
mentioned that TLS is used toward the end of his slides, but I 
wanted to clarify, because "SSL-VPN" is used widely.

2 - there are (at least) three types of TLS-VPN functional modes. 
Paul listed 2, web-proxy-rewriter and full network access. The 3rd is 
a per-application forwarding and protection. This type is different 
from the other two in that one or more specific application types 
(e.g. MAPI, CIFS, HTTP, etc.) can be made to be forwarded off the 
client through the TLS tunnel, while no other traffic would pass 
through the VPN.

3 - Paul referred to an issue of a "Silent gateway-in-the-middle 
attack" that is a security consideration/weakness of the TLS-VPNs. 
Users of these products (and they are many, the majority now) might 
find this characterization contrary to their perspective. The 
entities that operate TLS-VPNs use them precisely to be able to know 
and control what is and isn't going in and out of their networks. 
They see these HTTPS forward-proxy-like features as a wonderful 
enforcement tool of their entity's security policy for maintaining 
their networks and securing/controlling their data.

Hope these clarifications help.

Gregory Lebovitz

+++++++++++++++++++++++
IETF-related email from
Gregory M. Lebovitz
Juniper Networks
g r e go r  y d o t  i e tf a t  g m a i l  do t c o  m 



From saag-bounces@ietf.org  Thu Jul 31 06:37:19 2008
Message-Id: <p06240509c4b75bb9c618@[172.17.6.236]>
Date: Thu, 31 Jul 2008 09:38:21 -0400
To: saag@ietf.org
From: Stephen Kent <kent@bbn.com>
Subject: [saag] PKIX minutes summary

PKIX Meeting Minutes summary

PKIX met once, Wednesday afternoon, for 2 hours, and there were
approximately 65 attendees.

Four PKIX RFCs have been published (5280, 5272-74) since the March
meeting, and there are eight documents in process. Half of these are
standards track, two informational, and two experimental.

Sean Turner described the updates to RFC 3279/4055 (to accommodate
the agreed-upon ECC algorithm parameter representation conventions)
and noted that these are essentially done. The only outstanding issue
is whether the document should make use of the ASN.1 2002 syntax for
its modules.  Tim Polk will advise the WG on this.

Speaking of 2002 ASN.1 modules, Jim Schaad presented an update on the
work in this area. Although there is some additional work and compiler
debugging to be completed, the major open question here is how many
of the ASN.1 modules in various PKIX documents should be included in
this document, since some of them have very minor changes under the
new syntax.

Carl Wallace provided a top level review of the Trust Anchor
management requirements I-D that was posted about a month ago. His
plan is to receive WG feedback on the requirements and protocols vs.
requirements analysis, and then publish it as an informational RFC.
There was discussion of whether the format for TA data should be part
of the TA management protocol (TAMP) document, or whether it should
be stand alone. There was a strong sentiment that the TA format
should be a separate document, to allow folks to use it, even if they
do not choose to use TAMP. Steve Kent noted that there is relevant
ongoing work in SIDR re trust anchors for the RPKI, and that there
should be coordination between the two WGs in this regard.

Max Pala, SangHwan Park and Stephen Farrell made brief presentations
on their documents, (PKI Resource Query Protocol, Traceable Anonymous
Certificates and the Other Certificates Extension), which are WG
items targeted to experimental status.

Phillip Hallam-Baker made a brief presentation on the need for
algorithm agility in OCSP. Sean Turner made a brief presentation
on his document describing two extensions that support subject and
authority clearance info, discussing revisions he made to the
document after prior comments. The WG chairs agreed to conduct a
straw poll next month on making each of these WG items.
_______________________________________________
saag mailing list
saag@ietf.org
https://www.ietf.org/mailman/listinfo/saag


From saag-bounces@ietf.org  Thu Jul 31 06:53:19 2008
Return-Path: <saag-bounces@ietf.org>
X-Original-To: saag-archive@ietf.org
Delivered-To: ietfarch-saag-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id C24B53A6A3F;
	Thu, 31 Jul 2008 06:53:18 -0700 (PDT)
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id 150AF3A6848
	for <saag@core3.amsl.com>; Thu, 31 Jul 2008 06:53:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level: 
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5
	tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32])
	by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id 4d4cF7WqXM6E for <saag@core3.amsl.com>;
	Thu, 31 Jul 2008 06:53:14 -0700 (PDT)
Received: from rtp-iport-2.cisco.com (rtp-iport-2.cisco.com [64.102.122.149])
	by core3.amsl.com (Postfix) with ESMTP id 9432F3A63EC
	for <saag@ietf.org>; Thu, 31 Jul 2008 06:53:13 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.31,286,1215388800"; d="scan'208";a="16095705"
Received: from rtp-dkim-1.cisco.com ([64.102.121.158])
	by rtp-iport-2.cisco.com with ESMTP; 31 Jul 2008 13:52:49 +0000
Received: from rtp-core-1.cisco.com (rtp-core-1.cisco.com [64.102.124.12])
	by rtp-dkim-1.cisco.com (8.12.11/8.12.11) with ESMTP id m6VDqnQm003903; 
	Thu, 31 Jul 2008 09:52:49 -0400
Received: from xbh-rtp-201.amer.cisco.com (xbh-rtp-201.cisco.com
	[64.102.31.12])
	by rtp-core-1.cisco.com (8.13.8/8.13.8) with ESMTP id m6VDqmTt015235;
	Thu, 31 Jul 2008 13:52:49 GMT
Received: from xmb-rtp-20b.amer.cisco.com ([64.102.31.53]) by
	xbh-rtp-201.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); 
	Thu, 31 Jul 2008 09:52:45 -0400
X-Mimeole: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Thu, 31 Jul 2008 09:52:44 -0400
Message-ID: <249A89BAA060C94FA0B93EA6135CC93C05E11919@xmb-rtp-20b.amer.cisco.com>
In-Reply-To: <4891bfbd.1bbc720a.19a9.0373@mx.google.com>
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: [saag] Comments: SAAG SSL-VPN Preso
Thread-Index: AcjzEtpLeOdxuraLT3+NrDoKBs3hfQAAJYZA
References: <4891bfbd.1bbc720a.19a9.0373@mx.google.com>
From: "Mike Kraus (mikraus)" <mikraus@cisco.com>
To: "Gregory M. Lebovitz" <gregory.ietf@gmail.com>, <saag@ietf.org>
X-OriginalArrivalTime: 31 Jul 2008 13:52:45.0960 (UTC)
	FILETIME=[B6123080:01C8F314]
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=2917; t=1217512369;
	x=1218376369; c=relaxed/simple; s=rtpdkim1001;
	h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version;
	d=cisco.com; i=mikraus@cisco.com;
	z=From:=20=22Mike=20Kraus=20(mikraus)=22=20<mikraus@cisco.co m>
	|Subject:=20RE=3A=20[saag]=20Comments=3A=20SAAG=20SSL-VPN=2
	0Preso |Sender:=20
	|To:=20=22Gregory=20M.=20Lebovitz=22=20<gregory.ietf@gmail.
	com>,=20<saag@ietf.org>;
	bh=gsK8zJmN/PO2rRMA3GKbsi+re9EWH7UtE4oXCof+f4U=;
	b=CyJk4aDMltxgF7XuhIfuHIOkXJrsa00q4lNqY0Srv773pHRzJueIJvHaf+
	UpZnk0X4MD8byVtCuyuFGfkQD6Pq58lWIH5h9cfefoIOU5uDsrRGXdb11s3n
	VwFOY6qEq8;
Authentication-Results: rtp-dkim-1; header.From=mikraus@cisco.com; dkim=pass (
	sig from cisco.com/rtpdkim1001 verified; ); 
Subject: Re: [saag] Comments: SAAG SSL-VPN Preso
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>,
	<mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>,
	<mailto:saag-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: saag-bounces@ietf.org
Errors-To: saag-bounces@ietf.org

In regards to #1 below, some vendors implement and prefer the use of
DTLS as a transport over TLS (especially for real-time traffic).  So,
generically referring to all SSL VPN technologies as TLS-VPNs is also
limiting.  While DTLS was spawned from the learnings of TLS, it
certainly is its own protocol.  I agree that SSL VPN as a categorical
name isn't 100% accurate but it is what the industry has adopted as the
categorical term.  So, in the context of the presentation I would
probably have done the same...

I do agree on points 2 & 3.

-----Original Message-----
From: saag-bounces@ietf.org [mailto:saag-bounces@ietf.org] On Behalf Of
Gregory M. Lebovitz
Sent: Thursday, July 31, 2008 8:37 AM
To: saag@ietf.org
Subject: [saag] Comments: SAAG SSL-VPN Preso

Paul Hoffman delivered a very helpful survey of SSL-VPN's, based on work
done by his VPNConsortium, and captured also in a document he
authored: "NIST SP 800-113, Guide to SSL VPNs". See his slides here: 
http://www.ietf.org/proceedings/08jul/slides/saag-2.pdf .

Thanks, Paul, for this very helpful preso.

As someone with deployment experience with these products and their
usage (read: my day job sells these types of devices), I have some
comments and/or clarifications that others may find useful.

1 - Paul's slides say "SSL-VPN" repeatedly. While the market refers to
them as such, they are really mostly TLS-VPNs at this point. Paul
mentioned that TLS is used toward the end of his slides, but I wanted
to clarify, because SSL-VPN is used widely.

2 - there are (at least) three types of TLS-VPN functional modes. 
Paul listed 2, web-proxy-rewriter and full network access. The 3rd is a
per-application forwarding and protection. This type is different from
the other two in that one or more specific application types (e.g. MAPI,
CIFS, HTTP, etc.) can be made to be forwarded off the client through the
TLS tunnel, while no other traffic would pass through the VPN.

3 - Paul referred to an issue of a "Silent gateway-in-the-middle attack"
that is a security consideration/weakness of the TLS-VPNs. 
Users of these products (and they are many, the majority now) might find
this characterization contrary to their perspective. The entities that
operate TLS-VPNs use them precisely to be able to know and control what
is and isn't going in and out of their networks. 
They see these HTTPS forward-proxy-like features as a wonderful
enforcement tool of their entity's security policy for maintaining their
networks and securing/controlling their data.

Hope these clarifications help.

Gregory Lebovitz

+++++++++++++++++++++++
IETF-related email from
Gregory M. Lebovitz
Juniper Networks
g r e go r  y d o t  i e tf a t  g m a i l  do t c o  m 

_______________________________________________
saag mailing list
saag@ietf.org
https://www.ietf.org/mailman/listinfo/saag
_______________________________________________
saag mailing list
saag@ietf.org
https://www.ietf.org/mailman/listinfo/saag
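Lebovitz's point 3 and Hoffman's "silent gateway-in-the-middle" are two views of the same property of the web-proxy-rewriter mode: the browser only ever has a TLS session to the gateway, the gateway fetches the internal origin itself and rewrites every link in the page so that the next click also lands on the gateway, and because it holds the plaintext on both sides it can log and filter each request. The following is an added example written for this thread, not code from the presentation, from NIST SP 800-113, or from any vendor's product. The gateway name `vpn.example.net`, the internal zone `.corp.example`, the `/<scheme>/<host>/<path>` encoding of the origin URL, the `deny_rules` policy shape and the sample page are all invented for the illustration.

```python
"""Web-proxy-rewriter mode of a TLS-VPN gateway, reduced to its two core
operations: (1) rewriting the links of an internal page so the browser's next
request also goes to the gateway, and (2) decoding such a request back into the
origin URL, at which point the gateway holds the plaintext and can apply policy.
GATEWAY_HOST, INTERNAL_SUFFIX, the /<scheme>/<host>/<path> encoding and the
sample page are all invented for this example."""
import re
from urllib.parse import urljoin, urlsplit

GATEWAY_HOST = "vpn.example.net"     # hypothetical public name of the gateway
INTERNAL_SUFFIX = ".corp.example"    # hypothetical internal zone it fronts

# href=, src= and action= attributes, single- or double-quoted.
_ATTR_RE = re.compile(r'''(?i)\b(href|src|action)(\s*=\s*)(["'])([^"']*)\3''')


def is_internal(host):
    """True only for the internal zone; external hosts are never proxied."""
    host = host.lower()
    return host == INTERNAL_SUFFIX[1:] or host.endswith(INTERNAL_SUFFIX)


def to_gateway_url(url):
    """Absolute internal URL -> https://<gateway>/<scheme>/<host>/<path>.
    Anything else (external sites, mailto:, javascript:) is returned unchanged."""
    p = urlsplit(url)
    if p.scheme not in ("http", "https") or not p.hostname or not is_internal(p.hostname):
        return url
    out = f"https://{GATEWAY_HOST}/{p.scheme}/{p.netloc}{p.path or '/'}"
    if p.query:
        out += "?" + p.query
    if p.fragment:
        out += "#" + p.fragment
    return out


def from_gateway_path(path):
    """Inverse mapping for an incoming request path. Returns the origin URL,
    or None if the path is malformed or names a host outside the internal zone
    (otherwise the gateway would be an open proxy to the Internet)."""
    m = re.fullmatch(r"/(https?)/([^/?#]+)(/[^#]*)?(#.*)?", path)
    if not m:
        return None
    scheme, netloc, rest, frag = m.groups()
    if not is_internal(netloc.split(":")[0]):
        return None
    return f"{scheme}://{netloc}{rest or '/'}{frag or ''}"


def rewrite_html(body, origin_url):
    """Rewrite every link in a page fetched from origin_url. Relative links are
    resolved against the origin first, so they, too, end up pointing at the gateway."""
    def repl(m):
        attr, eq, quote, target = m.groups()
        return f"{attr}{eq}{quote}{to_gateway_url(urljoin(origin_url, target))}{quote}"
    return _ATTR_RE.sub(repl, body)


def inspect_request(method, gateway_path, deny_rules):
    """The gateway-in-the-middle step: for every click the gateway sees the full
    plaintext target and decides. deny_rules is a set of (method, path_prefix).
    Returns (allowed, origin_url)."""
    origin = from_gateway_path(gateway_path)
    if origin is None:
        return False, None
    path = urlsplit(origin).path
    for rule_method, prefix in deny_rules:
        if rule_method == method and path.startswith(prefix):
            return False, origin
    return True, origin


# Constructed sample page, as the gateway might fetch it from the intranet.
SAMPLE_PAGE = """<html><body>
<a href="/wiki/Home">wiki</a>
<a href="https://hr.corp.example/payroll?year=2008#top">payroll</a>
<img src='//files.corp.example/logo.png'>
<a href="https://www.ietf.org/">IETF</a>
<form action="admin/reset"><input type=submit></form>
</body></html>"""

SAMPLE_ORIGIN = "https://intranet.corp.example/wiki/Home"


def demo():
    """Rewrite the sample page and run one allowed and one denied request."""
    page = rewrite_html(SAMPLE_PAGE, SAMPLE_ORIGIN)
    rules = {("POST", "/admin")}
    allowed = inspect_request("GET", "/https/hr.corp.example/payroll?year=2008#top", rules)
    denied = inspect_request("POST", "/https/intranet.corp.example/admin/reset", rules)
    return page, allowed, denied


if __name__ == "__main__":
    page, allowed, denied = demo()
    print(page)
    print("allowed:", allowed)
    print("denied:", denied)
```

Two design points carry the security argument of the thread. The external link to www.ietf.org is left untouched, so the browser goes there directly and the gateway never sees that traffic; only the internal zone is proxied, and `from_gateway_path` refuses any other host so the gateway cannot be turned into an open forward proxy. Everything inside the zone, including a relative form action, is funnelled through the gateway, which is exactly the plaintext visibility an operator calls policy enforcement and a user might call a gateway in the middle. A real rewriter also has to handle URLs built in JavaScript and CSS, cookies scoped to the origin host, and redirects, which is where products of this kind differ most.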


From saag-bounces@ietf.org  Thu Jul 31 06:58:42 2008
Return-Path: <saag-bounces@ietf.org>
X-Original-To: saag-archive@ietf.org
Delivered-To: ietfarch-saag-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id A8FCC3A6C36;
	Thu, 31 Jul 2008 06:58:42 -0700 (PDT)
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id 0CAD53A68CA
	for <saag@core3.amsl.com>; Thu, 31 Jul 2008 06:58:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level: 
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5
	tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32])
	by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id ZlZcdGG7HJie for <saag@core3.amsl.com>;
	Thu, 31 Jul 2008 06:58:40 -0700 (PDT)
Received: from sj-iport-1.cisco.com (sj-iport-1.cisco.com [171.71.176.70])
	by core3.amsl.com (Postfix) with ESMTP id E426C3A63D2
	for <saag@ietf.org>; Thu, 31 Jul 2008 06:58:39 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.31,286,1215388800"; d="scan'208";a="59907164"
Received: from sj-dkim-4.cisco.com ([171.71.179.196])
	by sj-iport-1.cisco.com with ESMTP; 31 Jul 2008 13:58:29 +0000
Received: from sj-core-5.cisco.com (sj-core-5.cisco.com [171.71.177.238])
	by sj-dkim-4.cisco.com (8.12.11/8.12.11) with ESMTP id m6VDwTS7016942
	for <saag@ietf.org>; Thu, 31 Jul 2008 06:58:29 -0700
Received: from xbh-rtp-211.amer.cisco.com (xbh-rtp-211.cisco.com
	[64.102.31.102])
	by sj-core-5.cisco.com (8.13.8/8.13.8) with ESMTP id m6VDwTov029601
	for <saag@ietf.org>; Thu, 31 Jul 2008 13:58:29 GMT
Received: from xmb-rtp-205.amer.cisco.com ([64.102.31.59]) by
	xbh-rtp-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); 
	Thu, 31 Jul 2008 09:58:04 -0400
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Thu, 31 Jul 2008 09:56:55 -0400
Message-ID: <E699396B05B527429E4D9B8533679C49054EA9E5@xmb-rtp-205.amer.cisco.com>
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: IETF72 NEA meeting summary
thread-index: AcjzFUsB2/HktE+QRVO3VDNklrp0oA==
From: "Susan Thomson (sethomso)" <sethomso@cisco.com>
To: <saag@ietf.org>
X-OriginalArrivalTime: 31 Jul 2008 13:58:04.0426 (UTC)
	FILETIME=[73E43EA0:01C8F315]
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=827; t=1217512709; x=1218376709;
	c=relaxed/simple; s=sjdkim4002;
	h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version;
	d=cisco.com; i=sethomso@cisco.com;
	z=From:=20=22Susan=20Thomson=20(sethomso)=22=20<sethomso@cis
	co.com> |Subject:=20IETF72=20NEA=20meeting=20summary
	|Sender:=20; bh=f0muGqPns9SCIlFuasHgxf+tvD+1znepuwmMuJ4CBDQ=;
	b=hWGgogXW8sGtIj+iEMjMeoRZ71DrLISa8T/dC0yRQ07yEUnvSANvXeS9dr
	ZioPttA2FSEZuZo6yBJaAtZBASwz+cceWNYE70WK3lKOmyn4JgMG4TEFgMuO
	kkUg//9TE4;
Authentication-Results: sj-dkim-4; header.From=sethomso@cisco.com; dkim=pass (
	sig from cisco.com/sjdkim4002 verified; ); 
Subject: [saag] IETF72 NEA meeting summary
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>,
	<mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>,
	<mailto:saag-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: saag-bounces@ietf.org
Errors-To: saag-bounces@ietf.org


The NEA Working Group met at IETF 71 on Thursday Jul 31 from 9am -
11.30am.

Since last IETF, the NEA Requirements I-D has been published as RFC
5209.

The bulk of the meeting was spent on the NEA protocol specifications:
--- draft-ietf-nea-pa-tnc-01.txt
--- draft-ietf-nea-pb-tnc-01.txt. 
Changes in the -01 versions, protocol flows, and proposed changes to the
next version of the protocol documents were discussed.

There was also discussion regarding the IANA Considerations for new
attributes once the initial protocol specifications are published as
RFCs. A consensus check of attendees in the meeting indicated that there
was support for documenting the semantics of attributes as a
prerequisite for registration. This topic needs further thought and will
be discussed further on the mailing list.
_______________________________________________
saag mailing list
saag@ietf.org
https://www.ietf.org/mailman/listinfo/saag


From saag-bounces@ietf.org  Thu Jul 31 07:25:05 2008
Return-Path: <saag-bounces@ietf.org>
X-Original-To: saag-archive@ietf.org
Delivered-To: ietfarch-saag-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id AA6FA3A6999;
	Thu, 31 Jul 2008 07:25:05 -0700 (PDT)
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id 4F4B63A6899
	for <saag@core3.amsl.com>; Thu, 31 Jul 2008 07:25:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.465
X-Spam-Level: 
X-Spam-Status: No, score=-0.465 tagged_above=-999 required=5 tests=[AWL=0.030, 
	BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, 
	RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32])
	by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id b+km4xRJZf8e for <saag@core3.amsl.com>;
	Thu, 31 Jul 2008 07:25:03 -0700 (PDT)
Received: from kilo.rtfm.com (unknown [74.95.2.169])
	by core3.amsl.com (Postfix) with ESMTP id A18CE3A6783
	for <saag@ietf.org>; Thu, 31 Jul 2008 07:25:03 -0700 (PDT)
Received: from kilo-2.local (localhost [127.0.0.1])
	by kilo.rtfm.com (Postfix) with ESMTP id 5CA83512AEF;
	Thu, 31 Jul 2008 07:24:50 -0700 (PDT)
Date: Thu, 31 Jul 2008 07:24:49 -0700
From: Eric Rescorla <ekr@networkresonance.com>
To: "Mike Kraus (mikraus)" <mikraus@cisco.com>
In-Reply-To: <249A89BAA060C94FA0B93EA6135CC93C05E11919@xmb-rtp-20b.amer.cisco.com>
References: <4891bfbd.1bbc720a.19a9.0373@mx.google.com>
	<249A89BAA060C94FA0B93EA6135CC93C05E11919@xmb-rtp-20b.amer.cisco.com>
User-Agent: Wanderlust/2.15.5 (Almost Unreal) Emacs/22.1 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Message-Id: <20080731142450.5CA83512AEF@kilo.rtfm.com>
Cc: saag@ietf.org
Subject: Re: [saag] Comments: SAAG SSL-VPN Preso
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>,
	<mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>,
	<mailto:saag-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: saag-bounces@ietf.org
Errors-To: saag-bounces@ietf.org

At Thu, 31 Jul 2008 09:52:44 -0400,
Mike Kraus (mikraus) wrote:
> In regards to #1 below, some vendors implement and prefer the use of
> DTLS as a transport over TLS (especially for real-time traffic). 

People actually do this now? That's great!

Does Cisco do it?

-Ekr
_______________________________________________
saag mailing list
saag@ietf.org
https://www.ietf.org/mailman/listinfo/saag


From saag-bounces@ietf.org  Thu Jul 31 07:36:52 2008
Return-Path: <saag-bounces@ietf.org>
X-Original-To: saag-archive@ietf.org
Delivered-To: ietfarch-saag-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id 471B028C114;
	Thu, 31 Jul 2008 07:36:52 -0700 (PDT)
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id 647CA28C114
	for <saag@core3.amsl.com>; Thu, 31 Jul 2008 07:36:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level: 
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5
	tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32])
	by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id fL-7iY8oumy7 for <saag@core3.amsl.com>;
	Thu, 31 Jul 2008 07:36:50 -0700 (PDT)
Received: from rtp-iport-1.cisco.com (rtp-iport-1.cisco.com [64.102.122.148])
	by core3.amsl.com (Postfix) with ESMTP id 1623128C105
	for <saag@ietf.org>; Thu, 31 Jul 2008 07:36:50 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.31,287,1215388800"; d="scan'208";a="16122064"
Received: from rtp-dkim-2.cisco.com ([64.102.121.159])
	by rtp-iport-1.cisco.com with ESMTP; 31 Jul 2008 14:35:21 +0000
Received: from rtp-core-2.cisco.com (rtp-core-2.cisco.com [64.102.124.13])
	by rtp-dkim-2.cisco.com (8.12.11/8.12.11) with ESMTP id m6VEZLLL010822; 
	Thu, 31 Jul 2008 10:35:21 -0400
Received: from xbh-rtp-201.amer.cisco.com (xbh-rtp-201.cisco.com
	[64.102.31.12])
	by rtp-core-2.cisco.com (8.13.8/8.13.8) with ESMTP id m6VEZLhv001290;
	Thu, 31 Jul 2008 14:35:21 GMT
Received: from xmb-rtp-20b.amer.cisco.com ([64.102.31.53]) by
	xbh-rtp-201.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); 
	Thu, 31 Jul 2008 10:35:21 -0400
X-Mimeole: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Thu, 31 Jul 2008 10:35:20 -0400
Message-ID: <249A89BAA060C94FA0B93EA6135CC93C05E11956@xmb-rtp-20b.amer.cisco.com>
In-Reply-To: <20080731142450.5CA83512AEF@kilo.rtfm.com>
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: [saag] Comments: SAAG SSL-VPN Preso
Thread-Index: AcjzGYQu5TNw9OqIRBGCkZITDRUaJQAANW3Q
References: <4891bfbd.1bbc720a.19a9.0373@mx.google.com><249A89BAA060C94FA0B93EA6135CC93C05E11919@xmb-rtp-20b.amer.cisco.com>
	<20080731142450.5CA83512AEF@kilo.rtfm.com>
From: "Mike Kraus (mikraus)" <mikraus@cisco.com>
To: "Eric Rescorla" <ekr@networkresonance.com>
X-OriginalArrivalTime: 31 Jul 2008 14:35:21.0584 (UTC)
	FILETIME=[A9577700:01C8F31A]
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=670; t=1217514921; x=1218378921;
	c=relaxed/simple; s=rtpdkim2001;
	h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version;
	d=cisco.com; i=mikraus@cisco.com;
	z=From:=20=22Mike=20Kraus=20(mikraus)=22=20<mikraus@cisco.co m>
	|Subject:=20RE=3A=20[saag]=20Comments=3A=20SAAG=20SSL-VPN=2
	0Preso |Sender:=20
	|To:=20=22Eric=20Rescorla=22=20<ekr@networkresonance.com>;
	bh=yPgD3tEV/kaJ80ZPHgILOayU0SRDzGpYnKdkJJQyo8Y=;
	b=iWC/91FHNfCy6WDN7jQ+HrEDDTvJAma3BX7+sUQph63kxJgHZIzIQXBfL6
	AZr+A4wzsySoReTr2okaApAu1Weu3xLm9tOriXBoUBjBHSw9p9PNyW0GqMBy
	h2FpDcIxOv;
Authentication-Results: rtp-dkim-2; header.From=mikraus@cisco.com; dkim=pass (
	sig from cisco.com/rtpdkim2001 verified; ); 
Cc: saag@ietf.org
Subject: Re: [saag] Comments: SAAG SSL-VPN Preso
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>,
	<mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>,
	<mailto:saag-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: saag-bounces@ietf.org
Errors-To: saag-bounces@ietf.org

Yes, see top item on:

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect20/administrative/guide/admin5.html

-----Original Message-----
From: Eric Rescorla [mailto:ekr@networkresonance.com] 
Sent: Thursday, July 31, 2008 9:25 AM
To: Mike Kraus (mikraus)
Cc: Gregory M. Lebovitz; saag@ietf.org
Subject: Re: [saag] Comments: SAAG SSL-VPN Preso

At Thu, 31 Jul 2008 09:52:44 -0400,
Mike Kraus (mikraus) wrote:
> In regards to #1 below, some vendors implement and prefer the use of 
> DTLS as a transport over TLS (especially for real-time traffic).

People actually do this now? That's great!

Does Cisco do it?

-Ekr
_______________________________________________
saag mailing list
saag@ietf.org
https://www.ietf.org/mailman/listinfo/saag


