
Scenario-Question matrix



I'm not really keen on this question format. I feel that I can give more
insightful answers when left to my own devices. I guess these should
supplement the answers I already gave.


> 2.1.)  Does SOI need to provide identity protection

(For the initiator)

> 	Virtual Private Network Site-to-Site Tunnels' - no
> 	Secure Remote Access - yes
> 	End-to-End Security - yes
> 	IP Storage - ?
> 	PPVPN/MPLS - ?
> 	Mobile IP/Wireless - yes
> 	Multiple and Changing Addresses: IPv6, SCTP and MobileIP - yes
> 	Delay Sensitive Applications - ?
> 	VoIP/small device - ?


> 2.2.A) JFK and IKEv2 can provide PFS as well as "imperfect forward
> secrecy" by trading off performance versus the level of PFS provided.
> The functionality provided is roughly identical.  Does anyone care
> about the details of how IKEv2 versus JFK provides this functionality?
> Should we just flip a coin?

I don't think this is scenario-specific. Everyone should use PFS unless they
only need manual keying.


> 2.3.A.)  Does SOI need to natively support "legacy authentication
> systems"?

> 	Virtual Private Network Site-to-Site Tunnels' - no
> 	Secure Remote Access - yes
> 	End-to-End Security - no
> 	IP Storage - ?
> 	PPVPN/MPLS - ?
> 	Mobile IP/Wireless - yes
> 	Multiple and Changing Addresses: IPv6, SCTP and MobileIP - ?
> 	Delay Sensitive Applications - ?
> 	VoIP/small device - ?


> 2.3.B.)  Does SOI need to natively support some kind of "shared
> secret" scheme?  (Or just certificates-only?)

> 	Virtual Private Network Site-to-Site Tunnels' - yes
> 	Secure Remote Access - yes
> 	End-to-End Security - yes
> 	IP Storage - ?
> 	PPVPN/MPLS - ?
> 	Mobile IP/Wireless - ?
> 	Multiple and Changing Addresses: IPv6, SCTP and MobileIP - ?
> 	Delay Sensitive Applications - ?
> 	VoIP/small device - ?


> 2.4.A) JFK requires substantially more cryptographic operations for
> rekeying (two more signatures, two more signature validations, and
> three more hashes).  Is this a problem?  More generally, does SOI need
> to be able to support "fast" rekeying?

> 	Virtual Private Network Site-to-Site Tunnels' - yes
> 	Secure Remote Access - yes
> 	End-to-End Security - yes
> 	IP Storage - ?
> 	PPVPN/MPLS - yes
> 	Mobile IP/Wireless - yes
> 	Multiple and Changing Addresses: IPv6, SCTP and MobileIP - yes
> 	Delay Sensitive Applications - ?
> 	VoIP/small device - ?

> 2.5)  Plausible deniability

> 	Virtual Private Network Site-to-Site Tunnels' - no
> 	Secure Remote Access - no
> 	End-to-End Security - ?
> 	IP Storage - no
> 	PPVPN/MPLS - no
> 	Mobile IP/Wireless - no
> 	Multiple and Changing Addresses: IPv6, SCTP and MobileIP - no
> 	Delay Sensitive Applications - no
> 	VoIP/small device - no


> 2.6.)  Does SOI need to provide a formal proof of security?  (Is this
> a "must have" or a "nice to have"?  What are we willing to trade-off
> for having a formal proof of security?)

no.

Andrew
-------------------------------------------
There are no rules, only regulations. Luckily,
history has shown that with time, hard work,
and lots of love, anyone can be a technocrat.



> -----Original Message-----
> From: owner-ipsec@lists.tislabs.com
> [mailto:owner-ipsec@lists.tislabs.com]On Behalf Of Barbara Fraser
> Sent: Friday, June 21, 2002 12:47 PM
> To: ipsec@lists.tislabs.com
> Cc: byfraser@cisco.com; tytso@mit.edu
> Subject: SOI Discussion
>
>
> Hi Folks,
>
> Ted and I are really pleased to see the active dialog on the list. We have
> been reviewing the discussion and have noticed, however, that many
> responses are incomplete from the standpoint of being able to use the
> response to help us arrive at a set of features. We need more specificity
> so that we can support decisions about a feature. It would really help if
> when you answer a question you provide specific scenarios for when the
> answer to a given question is yes, no, or maybe. To freshen everyone's
> memory, the following list of scenarios was culled from Cheryl's document
> (draft-ietf-ipsec-sonofike-rqts-00.txt) plus Michael Thomas' VoIP/small
> device scenario. Everyone knows this is an incomplete list, but if we can
> deal with these, we'll be going a long way to truly establishing the set of
> requirements, and therefore features, that SOI must support.
> 	Virtual Private Network Site-to-Site Tunnels'
> 	Secure Remote Access
> 	End-to-End Security
> 	IP Storage
> 	PPVPN/MPLS
> 	Mobile IP/Wireless
> 	Multiple and Changing Addresses: IPv6, SCTP and MobileIP
> 	Delay Sensitive Applications
> 	VoIP/small device
>
> BTW, if anyone feels moved and wants to try to match all the questions from
> our posting on June 11 (subj: Son of IKE: A proposal for moving forward) to
> one (or more.... we're optimists) of the scenarios please drop Ted and me a
> note so we can track activities and avoid duplication.
>
> Barb
>
>