http://permalink.gmane.org/gmane.ietf.ipsec hourly 1 1901-01-01T00:00+00:00 http://gmane.org/img/gmane-25t.png http://gmane.org http://permalink.gmane.org/gmane.ietf.ipsec/13484 <pre>Document authors: when might we have the update so Sean can move this forwards? We are gated on this before we solicit AD-VPN protocols. --Paul Hoffman On Apr 30, 2013, at 7:52 AM, Sean Turner &lt;turners&lt; at &gt;ieca.com&gt; wrote: </pre> Paul Hoffman 2013-05-21T01:27:44 http://permalink.gmane.org/gmane.ietf.ipsec/13483 <pre>+1 Kind Regards, Raj -----Original Message----- From: ipsec-bounces&lt; at &gt;ietf.org [mailto:ipsec-bounces&lt; at &gt;ietf.org] On Behalf Of Brian Weis (bew) Sent: Friday, May 17, 2013 5:25 AM To: Yaron Sheffer Cc: IPsecme WG Subject: Re: [IPsec] IPsecME virtual meeting minutes, and way forward with fragmentation On May 16, 2013, at 9:57 AM, Yaron Sheffer &lt;yaronf.ietf&lt; at &gt;gmail.com&gt; wrote: I approve. [snip] Someone made this comment, but it wasn't me. I did mention that the current TCP-based solution has the advantage of only re-sending the missing TCP segment, whereas current and proposed UDP-based fragmentation solutions re-send all packet fragments. That could be valuable for a VPN gateway with many peers with a lossy network. But that doesn't seem enough of a justification to stay with the current TCP-based solution. Brian _______________________________________________ IPsec mailing list IPsec&lt; at &gt;ietf.org https://www.ietf.org/mailman/listinfo/ipsec </pre> Rajeshwar Singh Jenwar (rsj 2013-05-19T03:05:31 http://permalink.gmane.org/gmane.ietf.ipsec/13482 <pre>yes, that was me. Daniel On 05/17/2013 10:08 AM, Yoav Nir wrote: </pre> daniel migault 2013-05-17T08:45:43 http://permalink.gmane.org/gmane.ietf.ipsec/13481 <pre> On May 17, 2013, at 2:54 AM, Brian Weis &lt;bew&lt; at &gt;cisco.com&gt; wrote: That was Daniel. Yoav </pre> Yoav Nir 2013-05-17T08:08:33 http://permalink.gmane.org/gmane.ietf.ipsec/13480 <pre> On May 16, 2013, at 9:57 AM, Yaron Sheffer &lt;yaronf.ietf&lt; at &gt;gmail.com&gt; wrote: I approve. [snip] Someone made this comment, but it wasn't me. I did mention that the current TCP-based solution has the advantage of only re-sending the missing TCP segment, whereas current and proposed UDP-based fragmentation solutions re-send all packet fragments. That could be valuable for a VPN gateway with many peers with a lossy network. But that doesn't seem enough of a justification to stay with the current TCP-based solution. Brian </pre> Brian Weis 2013-05-16T23:54:51 http://permalink.gmane.org/gmane.ietf.ipsec/13479 <pre>+1 On May 16, 2013, at 10:43 PM, Valery Smyslov &lt;svanru&lt; at &gt;gmail.com&gt; wrote: </pre> Yoav Nir 2013-05-16T19:46:00 http://permalink.gmane.org/gmane.ietf.ipsec/13478 <pre>Hi, I approved the conclusion. Regards, Valery. </pre> Valery Smyslov 2013-05-16T19:43:52 http://permalink.gmane.org/gmane.ietf.ipsec/13477 <pre> I approve the decision to take that draft as starting point. I have earlier said I do not care wheter it is TCP or fragmentation, but I think the problem is something that needs to be solved, and I would prefer to have just one standardized way to solve it. </pre> Tero Kivinen 2013-05-16T18:57:43 http://permalink.gmane.org/gmane.ietf.ipsec/13476 <pre>I am supporting IKE fragmentation supported by the application and thus support draft-smyslov-ipsecme-ikev2-fragmentation. BR Daniel On Thu, May 16, 2013 at 7:08 PM, Paul Wouters &lt;paul&lt; at &gt;nohats.ca&gt; wrote: </pre> Daniel Migault 2013-05-16T17:51:54 http://permalink.gmane.org/gmane.ietf.ipsec/13475 <pre>Hi list, I approve of using draft-smyslov-ipsecme-ikev2-fragmentation as a starting for IKEv2 fragmentation. Regards Andreas ====================================================================== Andreas Steffen andreas.steffen&lt; at &gt;strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org Institute for Internet Technologies and Applications University of Applied Sciences Rapperswil CH-8640 Rapperswil (Switzerland) ===========================================================[ITA-HSR]== </pre> Andreas Steffen 2013-05-16T17:30:06 http://permalink.gmane.org/gmane.ietf.ipsec/13474 <pre> Sorry I missed the meeting. I approve of the conclusions reached. Paul </pre> Paul Wouters 2013-05-16T17:08:05 http://permalink.gmane.org/gmane.ietf.ipsec/13473 <pre>Hi, As promised, we just had a virtual interim meeting to discuss IKEv2 fragmentation. Please see the minutes below (thanks Paul!). Following up on this meeting, we would like to confirm the decision on the mailing list: - The group still thinks this is an important problem that needs an interoperable solution. - We would like to abandon the work on IKE-over-TCP. - And to work on IKEv2 protocol-level fragmentation, using draft-smyslov-ipsecme-ikev2-fragmentation as a starting point. Please send your approval, disapproval or comments to the list within a week (until May 23). Thanks, Yaron -------- Original Message -------- Subject: Proposed minutes for today IPsecME WG Virtual Interim Meeting, 2013-05-16 Minutes taken by Paul Hoffman Yaron gave introduction Introduction superfluous We have little energy Maybe the draft should be individual draft with discussion on the list Valery: is OK with this being Individual Submission Yoav: wants it to be a WG document Cisco has its own running cod</pre> Yaron Sheffer 2013-05-16T16:57:27 http://permalink.gmane.org/gmane.ietf.ipsec/13472 <pre>Greetings again. From the earlier announcement: The IPsecME Working Group will hold a virtual interim meeting on Thursday, May 16, 2013 via a phone bridge. The meeting will focus on whether solutions are needed for fragmentation of IKEv2 messages, and potential options in this space. For more background, see http://www.ietf.org/mail-archive/web/ipsec/current/msg08371.html. The time for the meeting is: 9:00am PDT 16:00 UTC 12:00 noon EDT 19:00 Israel The meeting will last 1 hour, maybe less. The agenda will be: - Introduction to the problem (Yaron and Paul) - Discussion of draft-smyslov-ipsecme-ikev2-fragmentation (Valery) It would be grand if people would discuss that draft on the list before the phone call as well. The call-in details are: Tele: +1 712-775-7400 Code: 809604# Virtual interim meetings are like real IETF meetings in that we have to take attendance and have minutes. If someone would volunteer to be minutes-taker, that would be grand. --Paul Hoffman </pre> Yaron Sheffer 2013-05-15T14:22:28 http://permalink.gmane.org/gmane.ietf.ipsec/13471 <pre>Hi Matthew. Actually, that section makes it all the more puzzling. It lists 3 disclosures that relate to several RFCs, but none of those RFCs relates to Diffie-Hellman. Instead they relate to lists of algorithms, so I'm not sure how this helps cover the concerns. Yoav On May 13, 2013, at 7:11 PM, Matthew Campagna &lt;mcampagna&lt; at &gt;blackberry.com&gt; wrote: </pre> Yoav Nir 2013-05-13T19:32:09 http://permalink.gmane.org/gmane.ietf.ipsec/13470 <pre>Paul et al, I would like to draw the groups attention to "Section VIII. Other Notes:" of the declaration https://datatracker.ietf.org/ipr/2072/. It highlights previous declarations in regards to the referenced patent and its use in affiliated IPSec and IKE specifications. I personally hope that these earlier statements cover the bulk of concerns and expected uses. Sincerely, Matt Campagna Matthew Campagna - Director, Certicom Research BlackBerry mcampagna&lt; at &gt;certicom.com direct          203.894.9777 office           877.746.5831x14181# http://www.blackberry.com -----Original Message----- From: ipsec-bounces&lt; at &gt;ietf.org [mailto:ipsec-bounces&lt; at &gt;ietf.org] On Behalf Of Paul Hoffman Sent: Friday, May 10, 2013 1:21 PM To: IPsecme WG Subject: Re: [IPsec] IPR Disclosure: Certicom Corporation's Statement about IPR related to draft-ietf-ipsecme-dh-checks-04 On May 10, 2013, at 10:13 AM, Michael Richardson &lt;mcr+ietf&lt; at &gt;sandelman.ca&gt; wrote: &lt;chair-hat on&gt; "We" have not been discussing i</pre> Matthew Campagna 2013-05-13T16:11:01 http://permalink.gmane.org/gmane.ietf.ipsec/13469 <pre>Greetings again. From the earlier announcement: The IPsecME Working Group will hold a virtual interim meeting on Thursday, May 16, 2013 via a phone bridge. The meeting will focus on whether solutions are needed for fragmentation of IKEv2 messages, and potential options in this space. For more background, see http://www.ietf.org/mail-archive/web/ipsec/current/msg08371.html. The time for the meeting is: 9:00am PDT 16:00 UTC 12:00 noon EDT 19:00 Israel The meeting will last 1 hour, maybe less. The agenda will be: - Introduction to the problem (Yaron and Paul) - Discussion of draft-smyslov-ipsecme-ikev2-fragmentation (Valery) It would be grand if people would discuss that draft on the list before the phone call as well. The call-in details are: Tele: +1 712-775-7400 Code: 809604# Virtual interim meetings are like real IETF meetings in that we have to take attendance and have minutes. If someone would volunteer to be minutes-taker, that would be grand. --Paul Hoffman </pre> Paul Hoffman 2013-05-10T20:39:00 http://permalink.gmane.org/gmane.ietf.ipsec/13468 <pre> &lt;chair-hat on&gt; "We" have not been discussing it, and nor should we. Certicom has filed numerous IPR statements with the IETF over more than a decade. Earlier discussions of earlier IPR statements have not come to any general understanding of what Certicom claims and what they intend to do with those claims. In the absence of that understanding (which can be aided by Certicom at any time), there is no point in using the WG mailing list for guessing. WG participants who want to read more about IPR are advised to see &lt;https://www.ietf.org/ipr/&gt;. --Paul Hoffman </pre> Paul Hoffman 2013-05-10T17:20:55 http://permalink.gmane.org/gmane.ietf.ipsec/13467 <pre> I read: http://www.google.com/patents/US7215773 and I find: In RSA or Rabin signatures there are generally three routines, namely key pair generation, signature generation and signature verification. Validating an RSA public key (n, e) involves three steps. Firstly validate e, secondly validate n and thirdly validate e and n are consistent with each other. In order to validate the public exponent e, use of made of the fact that the exponent 2&lt;=e&lt;=2(k I can not speculate as to whether there is prior art, but it seems to match what we have been discussing. </pre> Michael Richardson 2013-05-10T17:13:33 http://permalink.gmane.org/gmane.ietf.ipsec/13465 <pre>This is a small editorial change, and should be accepted. The RFC Editor should add this change to its internal style guide for IPsec-related documents. --Paul Hoffman On May 8, 2013, at 6:05 AM, RFC Errata System &lt;rfc-editor&lt; at &gt;rfc-editor.org&gt; wrote: </pre> Paul Hoffman 2013-05-08T15:10:49 http://permalink.gmane.org/gmane.ietf.ipsec/13464 <pre>The following errata report has been submitted for RFC6311, "Protocol Support for High Availability of IKEv2/IPsec". -------------------------------------- You may review the report below and at: http://www.rfc-editor.org/errata_search.php?rfc=6311&amp;eid=3615 -------------------------------------- Type: Editorial Reported by: Yoav Nir &lt;ynir&lt; at &gt;checkpoint.com&gt; Section: 6.4 Original Text ------------- Note that this solution requires that either all Child SAs use Extended Sequence Numbers (ESNs) or else that no Child SA uses ESNs. Corrected Text -------------- Note that this solution requires that either all Child SAs use Extended Sequence Numbers (ESN) or else that no Child SA uses ESN. Notes ----- "ESN" is used here as a name of a feature. There is no need to pluralize it. This is different from "SAs" or "SPIs", where there are many of each. Instructions: ------------- This errata is currently posted as "Reported". If necessary, please use "Reply </pre> RFC Errata System 2013-05-08T13:05:40 http://permalink.gmane.org/gmane.ietf.ipsec/13463 <pre> On May 7, 2013, at 4:18 PM, Valery Smyslov &lt;svanru&lt; at &gt;gmail.com&gt; wrote: And so, SSL-VPN clients were born… </pre> Yoav Nir 2013-05-07T13:37:18 Search the mailing list at Gmane query http://search.gmane.org/?group=$group=gmane.ietf.ipsec