Re: [IPsec] your example (like Gap) about IPSec VPN gateway deployed in shopping mall not aware of where the controller is.

From: Paul Wouters [mailto:p...@nohats.ca] Sent: Thursday, September 14, 2017 1:25 PM To: Mike Sullenberger (mls) Cc: Linda Dunbar ; i2...@ietf.org; IPsecME WG ; Yoav Nir Subject: Re: [IPsec] your example (like Gap) about IPSec VPN gateway deployed in shopping mall not aware of where the controller i

Re: [IPsec] I-D Action: draft-ietf-ipsecme-split-dns-04.txt

Paul, Sorry for the late comments. A question to your draft: Introduction: Is "Split DNS" less about "configuration for the secure tunnels", but more about having two zones, one to be used by the internal network, the other used by the external network? Basically Split DNS directs internal ho

Re: [IPsec] I-D Action: draft-ietf-ipsecme-split-dns-04.txt

connected by "IPsec" tunnel. Correct? Since the draft is to be read by general public once it becomes RFC, suggest you add a note to explain your "internal network". Linda -Original Message- From: Paul Wouters [mailto:p...@nohats.ca] Sent: Tuesday, January 23, 2018 4:17

[IPsec] How about simplified IKE? RE: IPsec Flow Protection @I2NSF

eployment with large number of IPsec tunnels among many end points. Any opinion? Issues? Linda Dunbar From: IPsec [mailto:ipsec-boun...@ietf.org] On Behalf Of Yoav Nir Sent: Monday, July 16, 2018 3:11 PM To: IPsecME WG Subject: [IPsec] IPsec Flow Protection @I2NSF Hi. I’d like to draw you attent

Re: [IPsec] [I2nsf] How about simplified IKE? RE: IPsec Flow Protection @I2NSF

Dave, That would be great! Any suggestions to provide stronger protections are appreciated. Thanks, Linda From: David Carrel (carrel) [mailto:car...@cisco.com] Sent: Tuesday, July 17, 2018 1:20 PM To: Linda Dunbar ; Yoav Nir ; IPsecME WG Cc: i2...@ietf.org Subject: Re: [I2nsf] How about

[IPsec] questions and comments to drat-carrel-ipsecme-controller-ike-00

g node has to use two different decryption keys? How does the receiving node know which one the sender actually used? The entire Section 4 description is no different from scenario of two peers' direct communication (i.e. without Controller being presen

Re: [IPsec] questions and comments to drat-carrel-ipsecme-controller-ike-00

David and Brian, In case you missed this email, can you answer those questions? Thank you very much. Linda From: Linda Dunbar Sent: Monday, August 13, 2018 12:18 PM To: IPsecME WG ; i2...@ietf.org; 'David Carrel (carrel)' ; 'Brian Weis (bew)' Subject: questions and com

[IPsec] Issues of draft-dm-net2cloud-gap-analysis using BGP to carry IPsec configuration (such as Public key, etc) and Peer authentication information

ause it is difficult for a BGP node to guarantee not forwarding the BGP advertisement (even if the update is marked as Not Forward). Can someone elaborate why? Thanks, Linda Dunbar P.s. a new mailing list has been created to for discussing the risks associated with various simplification of I

[IPsec] Can one IPsec SA be established via two internet ports on one device?

e IPsec SA between A2<->B2? [cid:image001.png@01D4800A.7F9B4EE0] Thanks, Linda Dunbar ___ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec

Re: [IPsec] Can one IPsec SA be established via two internet ports on one device?

ggli [mailto:joe...@gmail.com] Sent: Monday, November 19, 2018 2:18 PM To: Linda Dunbar Cc: IPsecME WG Subject: Re: [IPsec] Can one IPsec SA be established via two internet ports on one device? On Nov 19, 2018, at 11:19, Linda Dunbar mailto:linda.dun...@huawei.com>> wrote: IPsec expert

Re: [IPsec] [I2nsf] Review of draft-ietf-i2nsf-sdn-ipsec-flow-protection-03 (Section 1)

I like the title of “distributed keying” (case 1) vs “centralized keying” (Case 2). Linda From: I2nsf [mailto:i2nsf-boun...@ietf.org] On Behalf Of Yoav Nir Sent: Tuesday, November 27, 2018 4:39 PM To: Gabriel Lopez Cc: i2...@ietf.org; ipsec@ietf.org WG ; Paul Wouters ; Rafa Marin Lopez Subje

[IPsec] Policy distributed by the controller

Controller (which includes the "IPsec Configuration Server"), can we eliminate the step for Devices to "choose the correct policy" and to distribute DIM? Basically eliminate the step of requiring SD-WAN edges to distribute the IKEv2 payloads of [ID, [N(INITIAL_CONTACT),] KE, Ni]?

[IPsec] using BGP signaling to achieve IPsec Tunnel configuration (draft-hujun-idr-bgp-ipsec): potential conflict with the I2NSF's Controller facilitated IPsec configuration

by BESS WG chair, there are multiple drafts addressing IPsec in BESS, IDR, and WGs in Security Area, involved Chairs and ADs may need to agree where is the home for continuing the discussion to avoid future conflicts. Cheers, Linda Dunbar ___ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec

Re: [IPsec] using BGP signaling to achieve IPsec Tunnel configuration (draft-hujun-idr-bgp-ipsec): potential conflict with the I2NSF's Controller facilitated IPsec configuration

Standard & Patent Dept) Sent: Monday, April 01, 2019 8:52 PM To: Hu, Jun (Nokia - US/Mountain View) ; Fernando Pereñíguez García ; Linda Dunbar Cc: Roman Danyliw ; idr wg ; stephane.litkow...@orange.com; i2...@ietf.org; idr-cha...@ietf.org; Gabriel López Millán ; Yoav Nir ; Alvaro Retana ; i

[IPsec] Is there any drafts or RFCs on solutions to RFC 7018 Auto-Discovery VPN Problem Statement and Requirements?

solutions to the problems identified by RFC7018? Thank you very much, Linda Dunbar ___ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec

Re: [IPsec] Is there any drafts or RFCs on solutions to RFC 7018 Auto-Discovery VPN Problem Statement and Requirements?

Vishwas, Thank you very much for the link. The draft was dated aug 2013. Why it didn’t move forward? Linda From: vishwas.ietf Sent: Monday, May 18, 2020 12:32 PM To: Linda Dunbar ; ipsec@ietf.org WG Subject: RE: [IPsec] Is there any drafts or RFCs on solutions to RFC 7018 Auto-Discovery

Re: [IPsec] Is there any drafts or RFCs on solutions to RFC 7018 Auto-Discovery VPN Problem Statement and Requirements?

sage- From: Paul Wouters Sent: Monday, May 18, 2020 1:52 PM To: Linda Dunbar Cc: ipsec@ietf.org WG Subject: Re: [IPsec] Is there any drafts or RFCs on solutions to RFC 7018 Auto-Discovery VPN Problem Statement and Requirements? On Mon, 18 May 2020, Linda Dunbar wrote: > We are ex

[IPsec] Need a 10 minutes slot at the IPsecme session during IETF 110

feedback if our proposed approach, and to learn if there is any issue of using BGP to replace the traditional IPsec information exchange among peers. Thank you very much. Linda Dunbar -Original Message- From: IPsec On Behalf Of "IETF Secretariat" Sent: Friday, February 12,

[IPsec] Are there any issues of reusing IPsec key for generating Authentication Code?

greatly appreciated. Linda Dunbar ___ IPsec mailing list -- ipsec@ietf.org To unsubscribe send an email to ipsec-le...@ietf.org

[IPsec] Re: Are there any issues of reusing IPsec key for generating Authentication Code?

- From: Paul Wouters Sent: Wednesday, July 10, 2024 8:59 AM To: Linda Dunbar Cc: ipsec@ietf.org Subject: Re: [IPsec] Are there any issues of reusing IPsec key for generating Authentication Code? On Tue, 9 Jul 2024, Linda Dunbar wrote: > 1. The IPsec tunnel itself provides a secure chan

[IPsec] Re: Are there any issues of reusing IPsec key for generating Authentication Code?

draft didn't describe how the Authentication keys are distributed. Thanks, Linda -Original Message- From: Scott Fluhrer (sfluhrer) Sent: Wednesday, July 10, 2024 2:41 PM To: Linda Dunbar ; Paul Wouters Cc: ipsec@ietf.org Subject: RE: [IPsec] Re: Are there any issues of reusing

[IPsec] request for a presentation slot at IETF 120 IPsecme WG session

mechanism, as well as obtaining more valuable feedback. Thanks, Linda -Original Message- From: Linda Dunbar Sent: Wednesday, July 10, 2024 3:39 PM To: Scott Fluhrer (sfluhrer) ; Paul Wouters Cc: ipsec@ietf.org Subject: RE: [IPsec] Re: Are there any issues of reusing IPsec key for

[IPsec] Can Overlay nodes see any difference on how ECMP is used by the underlay in building the IPSec tunnels for a specific time span? (was : Flow Security Policies exchanged over I2NSF service laye

eding ECMP" or "Don't care ECMP" be good enough? Thanks, Linda -Original Message- From: Tom Herbert [mailto:t...@herbertland.com] Sent: Wednesday, June 15, 2016 11:28 PM To: Xuxiaohu Cc: Lou Berger; Linda Dunbar; Liyizhou; NVO3; IPsec@ietf.org Subject: Re: [nvo3] FW:

Re: [IPsec] [I2nsf] How does Overlay Network inform the Underlay network on which flows among Overlay network nodes need to go through IPSec Tunnel? (was : Flow Security Policies exchanged over I2NSF

D policies and IKE credentials, don't you think that they need to inquire each other if the other party has the needed resource for the needed IPsec tunnel? Thanks, Linda -Original Message- From: Rafa Marin Lopez [mailto:r...@um.es] Sent: Friday, June 17, 2016 7:43 AM To: Linda D

Re: [IPsec] [I2nsf] How does Overlay Network inform the Underlay network on which flows among Overlay network nodes need to go through IPSec Tunnel? (was : Flow Security Policies exchanged over I2NSF

ope. Other comments are inserted below -Original Message- From: Rafa Marin Lopez [mailto:r...@um.es] Sent: Sunday, June 19, 2016 1:06 PM To: Linda Dunbar Cc: Rafa Marin Lopez; i2...@ietf.org; IPsec@ietf.org; Sowmini Varadhan; Sowmini Varadhan Subject: Re: [IPsec] [I2nsf] How does Overla

Re: [IPsec] [I2nsf] How does Overlay Network inform the Underlay network on which flows among Overlay network nodes need to go through IPSec Tunnel? (was : Flow Security Policies exchanged over I2NSF

Rafa, -Original Message- From: Rafa Marin Lopez [mailto:r...@um.es] Sent: Wednesday, June 22, 2016 10:13 AM To: Linda Dunbar > > The "reactive option, that is, very similar as it would happen with the > OpenFlow PacketIn message and then PacketOut" is not

Re: [IPsec] Can IPSec (RFC 5996) support tunnels with end point being (virtual) CPEs which has a set of workload attached (say Virtual Machines) all having virtual IP addresses?

. The software is controlled by the client, correct? If the client owns this software, it doesn't really cost extra, does it? Linda -Original Message- From: Yoav Nir [mailto:ynir.i...@gmail.com] Sent: Thursday, April 13, 2017 4:42 PM To: Linda Dunbar Cc: IPsec@ietf.org; Michael Richa

[IPsec] sharing key among multiple end points vs. Group Encryption Key - draft-abad-i2nsf-sdn-ipsec-flow-protectio

Yoav, You said that it is a bad idea to have "sharing key among multiple points" as introduced by draft-abad-i2nsf-sdn-ipsec-flow-protection. Isn't the "Group Encryption Key" of having a "Key Server" distributing the key to multiple members doing the same? http://www.cisco.com/c/dam/en/us/pr

Re: [IPsec] ipsecme - New Meeting Session Request for IETF 99

Chairs, Can you add I2NSF to the "Conflict to Avoid" list? Several of us from I2NSF would like to attend IPSecme to sort out issues with SDN controlled IPSec. Thanks, Linda -Original Message- From: IPsec [mailto:ipsec-boun...@ietf.org] On Behalf Of "IETF Meeting Session Request Too

Re: [IPsec] sharing key among multiple end points vs. Group Encryption Key - draft-abad-i2nsf-sdn-ipsec-flow-protectio

:19 PM To: Linda Dunbar Cc: IPsec@ietf.org; Michael Richardson ; i2...@ietf.org Subject: Re: sharing key among multiple end points vs. Group Encryption Key - draft-abad-i2nsf-sdn-ipsec-flow-protectio Hi, Linda On 21 Apr 2017, at 0:40, Linda Dunbar mailto:linda.dun...@huawei.com>> wrote:

[IPsec] can IPSec tunnel support multi-tenancy?

IPSec experts, When an IPSec tunnel is established between two sites (say, SD-WAN use case), is there any fields in the header that can be used to differentiate payload belonging to different tenants? Thank you very much ___ IPsec mailing list IPsec@

[IPsec] Conference bridge information for the (i2nsf) WG Virtual Meeting: 2017-09-06

Here is the conference bridge: Join WebEx meeting Meeting number (access code): 642 733 681 Host key: 121744 Meeting password: P5B3DUCM Join by phone 1-877-668-4493 Call-in toll free number (US/Canada) 1-650-479-32

[IPsec] FW: [I2nsf] conference bridge for Sept 6 I2nsf Interim to discuss SDN-IPSec-flow protection

From: I2nsf [mailto:i2nsf-boun...@ietf.org] On Behalf Of Linda Dunbar Sent: Wednesday, September 06, 2017 7:26 AM To: Michael Richardson ; i2...@ietf.org Cc: ipsec-cha...@ietf.org Subject: [I2nsf] conference bridge for Sept 6 I2nsf Interim Join WebEx meeting<https://ietf.webex.com/ietf/j.

[IPsec] WebEx recording of the i2nsf WG Virtual Meeting on SDN Controlled IPSec Key management (2017-09-06)

Thanks to many people actively participating & contributing to the discussion. It was a very productive meeting. Yoav and I will put the meeting minutes together. Here is the Video Recording of the session: https://ietf.webex.com/ietf/ldr.php?RCID=04303a15dda9bff7d8011a253800736e The Interim

[IPsec] your example (like Gap) about IPSec VPN gateway deployed in shopping mall not aware of where the controller is.

Yoav, At yesterday's I2NSF Interim meeting, you described an example of Gap having thousands of locations and most of them are in a mall where public network is available. You said that typically the VPN gateway placed in the store has no knowledge of the global network topology, nor does it kn

Re: [IPsec] your example (like Gap) about IPSec VPN gateway deployed in shopping mall not aware of where the controller is.

19 PM To: Linda Dunbar Cc: Yoav Nir ; i2...@ietf.org; IPsecME WG Subject: Re: [IPsec] your example (like Gap) about IPSec VPN gateway deployed in shopping mall not aware of where the controller is. Linda Dunbar mailto:linda.dun...@huawei.com>> wrote: > Today, many vendors’ remote CP

[IPsec] Key points of Case 2 of draft-abad-i2nsf-sdn-ipsec-flow-protection and going forward?

Tero, Gabriel, Rafa, Alejandro, and Interim meeting participants: Thank you very much for presenting justification for Case 2 & Reasons against Case 2 at yesterday's I2NSF Interim. It is a very productive discussion. In a nutshell: Opponents believe Case 2 is technical feasible but very complex

Re: [IPsec] your example (like Gap) about IPSec VPN gateway deployed in shopping mall not aware of where the controller is.

: Yoav Nir [mailto:ynir.i...@gmail.com] Sent: Friday, September 08, 2017 12:36 AM To: Linda Dunbar Cc: i2...@ietf.org; IPsecME WG Subject: Re: your example (like Gap) about IPSec VPN gateway deployed in shopping mall not aware of where the controller is. Hi, Linda The reason I brought up the Gap

[IPsec] Meeting minutes of the i2nsf WG Virtual Meeting on SDN Controlled IPSec Key management (2017-09-06)

/meeting/interim-2017-i2nsf-01/materials/slides-interim-2017-i2nsf-01-sessa-sept-6-interim-chat-record/ Linda & Yoav. From: Linda Dunbar Sent: Wednesday, September 06, 2017 5:30 PM To: 'Yoav Nir' ; IPsecME WG ; i2...@ietf.org Cc: 'Kathleen Moriarty' Subject: WebEx recording

[IPsec] Re: Need 10 minutes slot at the IPsecme session

from the IPsecme community. Thanks, Linda From: Joe Touch Sent: Monday, October 28, 2024 1:26 PM To: Linda Dunbar Cc: Tero Kivinen ; Yoav Nir ; ipsec@ietf.org Subject: Re: [IPsec] Need 10 minutes slot at the IPsecme session Do you mean UDP? On Oct 28, 2024, at 1:20 PM, Linda Dunbar

[IPsec] Re: Need 10 minutes slot at the IPsecme session

minutes slot at the IPsecme session Linda Dunbar wrote: > The primary scenario for the proposed authentication method is from draft-ietf-rtgwg-multi-segment-sdwan > where an additional header (GENEVE Encapsulation [RFC8926]) is added to > the encrypted payload to steer packet

[IPsec] Re: Need 10 minutes slot at the IPsecme session

Joe, Thank you very much for the comments. Please see below the detailed reply: Linda From: to...@strayalpha.com Sent: Thursday, October 31, 2024 12:31 AM To: Linda Dunbar Cc: Tero Kivinen ; Yoav Nir ; ipsec@ietf.org Subject: Re: [IPsec] Need 10 minutes slot at the IPsecme session Hi, Linda

[IPsec] Need 10 minutes slot at the IPsecme session

IPsecme Chairs, We would like a 10minutes slot at the IPsecme session in IETF 121 to discuss this draft: https://datatracker.ietf.org/doc/draft-dunbar-secdispatch-ligthtweight-authenticate/ This document describes lightweight authentication methods to prevent malicious actors tampering with the

[IPsec] Re: Request for Presentation Slot at IETF 122 IPsecme WG Session

There was a typo in my previous email. Here is the correct link to the document: https://datatracker.ietf.org/doc/draft-dunbar-ipsecme-lightweight-authenticate/ Linda From: Linda Dunbar Sent: Thursday, February 20, 2025 4:50 PM To: ipsecme-chairs ; ipsec@ietf.org Cc: draft-dunbar-secdispatch

[IPsec] Request for Presentation Slot at IETF 122 IPsecme WG Session

Dear IPsecme WG Chairs, I would like to request a presentation slot in the IETF 122 IPsecme WG session to discuss our draft: Title: Lightweight Authentication Methods for Encapsulation Headers in Packet Networks https://datatracker.ietf.org/doc/draft-dunbar-ipsecme-ligthtweight-authenticate/ T

[IPsec] Request for IPsecme WG Adoption of draft-dunbar-ipsecme-lightweight-authenticate

d you please advise on how best to proceed? I would appreciate your guidance on whether this can be adopted or if there is another path forward to ensure appropriate review by the IPsecme community. Warm regards, Linda Dunbar ___ IPsec mailing list -- ip