From owner-ipsec-policy@mail.vpnc.org  Sat Sep  1 11:25:25 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA15599
	for <ipsp-archive@odin.ietf.org>; Sat, 1 Sep 2001 11:25:25 -0400 (EDT)
Received: from localhost (localhost [[UNIX: localhost]])
	by above.proper.com (8.11.6/8.11.3) id f81EJtm26014
	for ipsec-policy-bks; Sat, 1 Sep 2001 07:19:55 -0700 (PDT)
Received: from wanderer.hardakers.net (IDENT:root@dns2.hardaker.davis.ca.us [168.150.190.2])
	by above.proper.com (8.11.6/8.11.3) with ESMTP id f81EJkD26010
	for <ipsec-policy@vpnc.org>; Sat, 1 Sep 2001 07:19:46 -0700 (PDT)
Received: (from hardaker@localhost)
	by wanderer.hardakers.net (8.11.2/8.11.2) id f81EHO501777;
	Sat, 1 Sep 2001 07:17:24 -0700
X-Authentication-Warning: wanderer.hardakers.net: hardaker set sender to wes@hardakers.net using -f
To: Russ Mundy <mundy@tislabs.com>
Cc: "ipsec-policy@vpnc.org" <ipsec-policy@vpnc.org>
Subject: Re: Draft Minutes from IPSP WG Mtg at 51st IETF
References: <v03130300b7977b2afb51@[217.33.140.133]>
From: Wes Hardaker <wes@hardakers.net>
X-URL: http://dcas.ucdavis.edu/~hardaker
Organization: Network Associates - NAI Labs
X-Face: #qW^}a%m*T^{A:Cp}$R\"38+d}41-Z}uU8,r%F#c#s:~Nzp0G9](s?,K49KJ]s"*7gvRgA
 SrAvQc4@/}L7Qc=w{)]ACO\R{LF@S{pXfojjjGg6c;q6{~C}CxC^^&~(F]`1W)%9j/iS/
 IM",B1M.?{w8ckLTYD'`|kTr\i\cgY)P4
Date: Fri, 31 Aug 2001 22:51:14 -0700
In-Reply-To: <v03130300b7977b2afb51@[217.33.140.133]> (Russ Mundy's message
 of "Thu, 9 Aug 2001 00:28:41 +0100")
Message-ID: <sdu1yn792l.fsf@wanderer.hardakers.net>
User-Agent: Gnus/5.090004 (Oort Gnus v0.04) XEmacs/21.2 (Terspichore)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Lines: 17
Sender: owner-ipsec-policy@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ipsec-policy/mail-archive/>
List-ID: <ipsec-policy.vpnc.org>
List-Unsubscribe: <mailto:ipsec-policy-request@vpnc.org?body=unsubscribe>


Russ> A WG member asked the amount of energy that it took to implement
Russ> the MIB. Including the work and re-work needed to track some of
Russ> the changes to the model, NAI Labs needed about 3.5 people over
Russ> three months.

I apologize for making this slightly inaccurate statement during the
meeting (I realized my error the following day, but have been away
from a network until now).  We had 3.5 people working on it for 3
months, but were implementing not only the MIB instrumentation but a
management station that can configure it as well.  The end result is
that it should be significantly less than 3.5 people for 3 months.
Approximately 1.5 of those 3.5 people did the core of the work
implementing the MIB itself.
-- 
Wes Hardaker
NAI Labs
Network Associates


From owner-ipsec-policy@mail.vpnc.org  Mon Sep 10 20:29:48 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id UAA06786
	for <ipsp-archive@odin.ietf.org>; Mon, 10 Sep 2001 20:29:48 -0400 (EDT)
Received: from localhost (localhost [[UNIX: localhost]])
	by above.proper.com (8.11.6/8.11.3) id f8ANYBs18863
	for ipsec-policy-bks; Mon, 10 Sep 2001 16:34:11 -0700 (PDT)
Received: from mail.iPolicyNet.COM (mail.policyone.com [63.199.81.149])
	by above.proper.com (8.11.6/8.11.3) with ESMTP id f8ANY4D18176
	for <ipsec-policy@vpnc.org>; Mon, 10 Sep 2001 16:34:09 -0700 (PDT)
Received: from ca-mail01.CA.iPolicyNet.COM (CA-Mail01.CA.iPolicyNet.COM [199.172.181.4])
	by mail.iPolicyNet.COM (8.9.3+Sun/8.9.3) with ESMTP id QAA03148
	for <ipsec-policy@vpnc.org>; Mon, 10 Sep 2001 16:24:37 -0700 (PDT)
Received: by CA-Mail01.CA.iPolicyNet.COM with Internet Mail Service (5.5.2653.19)
	id <P5ST8WGD>; Mon, 10 Sep 2001 16:23:28 -0700
Message-ID: <C1352E2D7153D411B83000508BD692477D562C@CA-Mail01.CA.iPolicyNet.COM>
From: "Vohra, Meenakshi" <mvohra@iPolicyNet.COM>
To: ipsec-policy@vpnc.org
Subject: VPN source
Date: Mon, 10 Sep 2001 16:23:21 -0700
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain;
	charset="ISO-8859-1"
Sender: owner-ipsec-policy@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ipsec-policy/mail-archive/>
List-ID: <ipsec-policy.vpnc.org>
List-Unsubscribe: <mailto:ipsec-policy-request@vpnc.org?body=unsubscribe>


Please suggest a list of some good, freely available source code for VPN
gateways.
Thanks,
Meenakshi





From owner-ipsec-policy@mail.vpnc.org  Wed Sep 12 14:09:43 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA29384
	for <ipsp-archive@odin.ietf.org>; Wed, 12 Sep 2001 14:09:42 -0400 (EDT)
Received: from localhost (localhost [[UNIX: localhost]])
	by above.proper.com (8.11.6/8.11.3) id f8CH7Gb00922
	for ipsec-policy-bks; Wed, 12 Sep 2001 10:07:16 -0700 (PDT)
Received: from exchange.redcreek.com (mail.redcreek.com [209.125.38.15])
	by above.proper.com (8.11.6/8.11.3) with ESMTP id f8CH7AD00916
	for <ipsec-policy@vpnc.org>; Wed, 12 Sep 2001 10:07:13 -0700 (PDT)
Received: by mail.redcreek.com with Internet Mail Service (5.5.2653.19)
	id <RJG8J753>; Wed, 12 Sep 2001 10:08:21 -0700
Received: from redcreek.com (host186.redcreek.com [209.218.26.186]) by exchange.redcreek.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
	id RJG8J75N; Wed, 12 Sep 2001 10:08:17 -0700
From: Ricky Charlet <rcharlet@redcreek.com>
To: "Vohra, Meenakshi" <mvohra@iPolicyNet.COM>
Cc: ipsec-policy@vpnc.org
Message-ID: <3B9F9788.38CF6E13@redcreek.com>
Date: Wed, 12 Sep 2001 10:12:40 -0700
Organization: Redcreek Communications
X-Mailer: Mozilla 4.77 [en] (X11; U; Linux 2.4.2-2 i686)
X-Accept-Language: en
MIME-Version: 1.0
Subject: Re: VPN source
References: <C1352E2D7153D411B83000508BD692477D562C@CA-Mail01.CA.iPolicyNet.COM>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ipsec-policy@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ipsec-policy/mail-archive/>
List-ID: <ipsec-policy.vpnc.org>
List-Unsubscribe: <mailto:ipsec-policy-request@vpnc.org?body=unsubscribe>


"Vohra, Meenakshi" wrote:
> 
> Please suggest a list of some good, freely available source code for VPN
> gateways.
> Thanks,
> Meenakshi


Hi Meenakshi,

Here are several reference implementations that I know of. They have
various licensing requirements. All of these are host-centric
implementations, not really gateway-centric, but there are still plenty
of lessons in there.

http://snad.ncsl.nist.gov/cerberus/
http://freeswan.org/
http://www.kame.net/


-- 
  Ricky Charlet   : Redcreek Communications   : usa (510) 795-6903


From owner-ipsec-policy@mail.vpnc.org  Thu Sep 13 07:06:03 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id HAA00653
	for <ipsp-archive@odin.ietf.org>; Thu, 13 Sep 2001 07:06:02 -0400 (EDT)
Received: by above.proper.com (8.11.6/8.11.3) id f8DACBR13333
	for ipsec-policy-bks; Thu, 13 Sep 2001 03:12:11 -0700 (PDT)
Received: from mailhub.cdac.ernet.in ([196.1.109.254])
	by above.proper.com (8.11.6/8.11.3) with ESMTP id f8DAC0D13299
	for <ipsec-policy@vpnc.org>; Thu, 13 Sep 2001 03:12:05 -0700 (PDT)
Received: from ashish ([192.9.205.45])
	by mailhub.cdac.ernet.in (8.11.4/8.11.4) with SMTP id f8DADKT10763
	for <ipsec-policy@vpnc.org>; Thu, 13 Sep 2001 15:43:20 +0530 (IST)
Message-ID: <001501c13ca6$8d2fead0$2dcd09c0@ashish>
From: "Ashish Chaurasia" <ashish.chaurasia@cdac.ernet.in>
To: <ipsec-policy@vpnc.org>
Subject: VPN comparison
Date: Thu, 13 Sep 2001 15:50:57 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_0012_01C13C6B.E0BEC350"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
Sender: owner-ipsec-policy@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ipsec-policy/mail-archive/>
List-ID: <ipsec-policy.vpnc.org>
List-Unsubscribe: <mailto:ipsec-policy-request@vpnc.org?body=unsubscribe>



------=_NextPart_000_0012_01C13C6B.E0BEC350
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

I'm working on VPN using the IPSec protocol, but I have some doubts in my mind.

1. What is the advantage of implementing VPN using the IPSec protocol, which
works at the Network layer, even though implementations of VPN at the Data
Link layer are available, such as L2TP, L2F, PPTP etc.?

2. What extra does VPN support in comparison to the combination of
Firewall and PKI?

3. What are the advantages of having security at the Network Layer over
having security at other layers of the TCP/IP stack?

regards
Ashish


------=_NextPart_000_0012_01C13C6B.E0BEC350--



From owner-ipsec-policy@mail.vpnc.org  Thu Sep 13 08:32:27 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id IAA01803
	for <ipsp-archive@odin.ietf.org>; Thu, 13 Sep 2001 08:32:27 -0400 (EDT)
Received: by above.proper.com (8.11.6/8.11.3) id f8DBjf119350
	for ipsec-policy-bks; Thu, 13 Sep 2001 04:45:41 -0700 (PDT)
Received: from mailhub.cdac.ernet.in ([196.1.109.254])
	by above.proper.com (8.11.6/8.11.3) with ESMTP id f8DBjdD19340
	for <ipsec-policy@vpnc.org>; Thu, 13 Sep 2001 04:45:39 -0700 (PDT)
Received: from ashish ([192.9.205.45])
	by mailhub.cdac.ernet.in (8.11.4/8.11.4) with SMTP id f8DBl5T19416;
	Thu, 13 Sep 2001 17:17:05 +0530 (IST)
Message-ID: <001801c13cb3$a55e5580$2dcd09c0@ashish>
From: "Ashish Chaurasia" <ashish.chaurasia@cdac.ernet.in>
To: <ipsec-policy@vpnc.org>
Cc: "Ashish Chaurasia" <ashish.chaurasia@cdac.ernet.in>
Subject: VPN Questions
Date: Thu, 13 Sep 2001 17:24:41 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_0015_01C13C78.F8EA20C0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
Sender: owner-ipsec-policy@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ipsec-policy/mail-archive/>
List-ID: <ipsec-policy.vpnc.org>
List-Unsubscribe: <mailto:ipsec-policy-request@vpnc.org?body=unsubscribe>



------=_NextPart_000_0015_01C13C78.F8EA20C0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

I'm working on VPN using the IPSec protocol, but I have some doubts in my mind.

1. What is the advantage of implementing VPN using the IPSec protocol, which
works at the Network layer, even though implementations of VPN at the Data
Link layer are available, such as L2TP, L2F, PPTP etc.?

2. What extra does VPN support in comparison to the combination of
Firewall and PKI?

3. What are the advantages of having security at the Network Layer over
having security at other layers of the TCP/IP stack?

regards
Ashish


------=_NextPart_000_0015_01C13C78.F8EA20C0--



From owner-ipsec-policy@mail.vpnc.org  Thu Sep 13 14:21:28 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA12297
	for <ipsp-archive@odin.ietf.org>; Thu, 13 Sep 2001 14:21:28 -0400 (EDT)
Received: from localhost (localhost [[UNIX: localhost]])
	by above.proper.com (8.11.6/8.11.3) id f8DHY0807029
	for ipsec-policy-bks; Thu, 13 Sep 2001 10:34:00 -0700 (PDT)
Received: from mail.iPolicyNet.COM (mail.policyone.com [63.199.81.149])
	by above.proper.com (8.11.6/8.11.3) with ESMTP id f8DHXxD07025
	for <ipsec-policy@vpnc.org>; Thu, 13 Sep 2001 10:33:59 -0700 (PDT)
Received: from ca-mail01.CA.iPolicyNet.COM (CA-Mail01.CA.iPolicyNet.COM [199.172.181.4])
	by mail.iPolicyNet.COM (8.9.3+Sun/8.9.3) with ESMTP id KAA03729;
	Thu, 13 Sep 2001 10:23:06 -0700 (PDT)
Received: by CA-Mail01.CA.iPolicyNet.COM with Internet Mail Service (5.5.2653.19)
	id <P5ST8ZTK>; Thu, 13 Sep 2001 10:21:58 -0700
Message-ID: <C1352E2D7153D411B83000508BD692477D563A@CA-Mail01.CA.iPolicyNet.COM>
From: "Vohra, Meenakshi" <mvohra@iPolicyNet.COM>
To: "'Ashish Chaurasia'" <ashish.chaurasia@cdac.ernet.in>,
        ipsec-policy@vpnc.org
Subject: RE: VPN Questions
Date: Thu, 13 Sep 2001 10:21:57 -0700
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: multipart/alternative;
	boundary="----_=_NextPart_001_01C13C78.9782AC30"
Sender: owner-ipsec-policy@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ipsec-policy/mail-archive/>
List-ID: <ipsec-policy.vpnc.org>
List-Unsubscribe: <mailto:ipsec-policy-request@vpnc.org?body=unsubscribe>



------_=_NextPart_001_01C13C78.9782AC30
Content-Type: text/plain;
	charset="ISO-8859-1"

For question #1, well, I guess VPN at the Data Link Layer is not secure,
whereas IPSec provides VPN with security through encryption,
encapsulation... I think so...
Again, I think a firewall only filters which traffic to allow and which not to,
whereas VPN with IPSec secures those packets by encrypting them and
authenticating them.

Please correct me if I am wrong.
Meenakshi



------_=_NextPart_001_01C13C78.9782AC30--


From owner-ipsec-policy@mail.vpnc.org  Thu Sep 13 15:53:18 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA14402
	for <ipsp-archive@odin.ietf.org>; Thu, 13 Sep 2001 15:53:18 -0400 (EDT)
Received: from localhost (localhost [[UNIX: localhost]])
	by above.proper.com (8.11.6/8.11.3) id f8DIoYf08195
	for ipsec-policy-bks; Thu, 13 Sep 2001 11:50:34 -0700 (PDT)
Received: from dgesmtp02.wcom.com (dgesmtp02.wcom.com [199.249.16.17])
	by above.proper.com (8.11.6/8.11.3) with ESMTP id f8DIoWD08191
	for <ipsec-policy@vpnc.org>; Thu, 13 Sep 2001 11:50:32 -0700 (PDT)
Received: from dgismtp03.wcomnet.com ([166.38.58.143])
 by firewall.wcom.com (PMDF V5.2-33 #42261)
 with ESMTP id <0GJM00K036WV7I@firewall.wcom.com> for ipsec-policy@vpnc.org;
 Thu, 13 Sep 2001 18:48:32 +0000 (GMT)
Received: from dgismtp03.wcomnet.com by dgismtp03.wcomnet.com
 (PMDF V5.2-33 #42262) with SMTP id <0GJM008016WS30@dgismtp03.wcomnet.com>;
 Thu, 13 Sep 2001 18:48:31 +0000 (GMT)
Received: from rccc6131 ([166.35.224.128])
 by dgismtp03.wcomnet.com (PMDF V5.2-33 #42262)
 with ESMTP id <0GJM006BP6WCUN@dgismtp03.wcomnet.com>; Thu,
 13 Sep 2001 18:48:13 +0000 (GMT)
Date: Thu, 13 Sep 2001 13:48:03 -0500
From: "Christopher A. Martin" <christopher.a.martin@wcom.com>
Subject: RE: VPN Questions
In-reply-to: 
 <C1352E2D7153D411B83000508BD692477D563A@CA-Mail01.CA.iPolicyNet.COM>
To: "'Vohra, Meenakshi'" <mvohra@iPolicyNet.COM>,
        "'Ashish Chaurasia'" <ashish.chaurasia@cdac.ernet.in>,
        ipsec-policy@vpnc.org
Reply-to: christopher.a.martin@wcom.com
Message-id: <004501c13c84$9f491100$80e023a6@rccc6131.mcit.com>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V4.72.3110.3
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2377.0
Content-type: multipart/alternative;
 boundary="Boundary_(ID_bgg3050BDAWTfJs57jcoQg)"
Importance: Normal
X-Priority: 3 (Normal)
X-MSMail-priority: Normal
Sender: owner-ipsec-policy@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ipsec-policy/mail-archive/>
List-ID: <ipsec-policy.vpnc.org>
List-Unsubscribe: <mailto:ipsec-policy-request@vpnc.org?body=unsubscribe>



--Boundary_(ID_bgg3050BDAWTfJs57jcoQg)
Content-type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit


  -----Original Message-----
  From: owner-ipsec-policy@mail.vpnc.org
[mailto:owner-ipsec-policy@mail.vpnc.org]On Behalf Of Vohra, Meenakshi
  Sent: Thursday, September 13, 2001 12:22 PM
  To: 'Ashish Chaurasia'; ipsec-policy@vpnc.org
  Subject: RE: VPN Questions


  For question #1, well, I guess VPN at the Data Link Layer is not secure,
whereas IPSec provides VPN with security through encryption,
encapsulation... I think so...
  Again, I think a firewall only filters which traffic to allow and which not to,
whereas VPN with IPSec secures those packets by encrypting them and
authenticating them.

  Please correct me if I am wrong.
  Meenakshi
    -----Original Message-----
    From: Ashish Chaurasia [mailto:ashish.chaurasia@cdac.ernet.in]
    Sent: Thursday, September 13, 2001 5:25 PM
    To: ipsec-policy@vpnc.org
    Cc: Ashish Chaurasia
    Subject: VPN Questions


    I'm working on VPN using the IPSec protocol, but I have some doubts in my
mind.


    1.  What is the advantage of implementing VPN using the IPSec protocol, which
works at the Network layer, even though implementations of VPN at the Data Link
layer are available, such as L2TP, L2F, PPTP etc.?

    // Layer 2 VPNs typically offer a form of isolation but not
confidentiality (encryption). Some of them do offer lower forms of
authentication, but only IPSec AH offers non-repudiation mechanisms...you are
who you say you are without a doubt.
     //

     2. What extra does VPN support in comparison to the combination of
Firewall and PKI?
    IPSec or layer 2 VPN? In the first case PKI works well with IPSec VPN
and firewall combinations.

    3. What are the advantages of having security at the Network Layer over
having security at other layers of the TCP/IP stack?
    The lower the layer, the quicker the operation...if there were strong
encryption methods at layer 2 comparable to layer three I would recommend
layer 2, but to the best of my experience Layer 3 is the way to go. The
further up the stack you go, the more latency is introduced, as would be
noticeable at higher traffic rates.

    regards
    Ashish


--Boundary_(ID_bgg3050BDAWTfJs57jcoQg)--


From owner-ipsec-policy@mail.vpnc.org  Thu Sep 13 22:29:55 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id WAA23177
	for <ipsp-archive@odin.ietf.org>; Thu, 13 Sep 2001 22:29:55 -0400 (EDT)
Received: from localhost (localhost [[UNIX: localhost]])
	by above.proper.com (8.11.6/8.11.3) id f8E1HTm14817
	for ipsec-policy-bks; Thu, 13 Sep 2001 18:17:29 -0700 (PDT)
Received: from us.checkpoint.com ([206.184.151.234])
	by above.proper.com (8.11.6/8.11.3) with ESMTP id f8E1HSD14813
	for <ipsec-policy@vpnc.org>; Thu, 13 Sep 2001 18:17:28 -0700 (PDT)
Received: from c690449c (localhost [127.0.0.1])
	by us.checkpoint.com (8.11.6/8.11.6/CPoak/8.11.6-090401) with SMTP id f8E139v14421;
	Thu, 13 Sep 2001 18:03:09 -0700 (PDT)
From: "David Goode" <dgoode@us.checkpoint.com>
To: "Vohra, Meenakshi" <mvohra@iPolicyNet.COM>,
        "'Ashish Chaurasia'" <ashish.chaurasia@cdac.ernet.in>,
        <ipsec-policy@vpnc.org>
Subject: RE: VPN Questions
Date: Thu, 13 Sep 2001 20:04:58 -0500
Message-ID: <AFENKDFFEPCGDDCGILNHCEFPCBAA.dgoode@us.checkpoint.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_002E_01C13C8F.5D0DCD20"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
In-Reply-To: <C1352E2D7153D411B83000508BD692477D563A@CA-Mail01.CA.iPolicyNet.COM>
Sender: owner-ipsec-policy@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ipsec-policy/mail-archive/>
List-ID: <ipsec-policy.vpnc.org>
List-Unsubscribe: <mailto:ipsec-policy-request@vpnc.org?body=unsubscribe>



------=_NextPart_000_002E_01C13C8F.5D0DCD20
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

First, most existing layer two mechanisms have been proven to be
insecure, at least at some levels. Thus the recent popularity of using
IPSec with L2TP etc.

IPSec was devised during a time in which much encryption was
done at the application layer. Therefore, special ports must be made for
each application that wishes to utilize such mechanisms. IPsec offers the
advantage of working with all communications without any special
alterations as long as IP is used.

The idea is that all communications, regardless of origin, will pass through the
network layer before making their way to the chosen media. Therefore, this
offers a convenient place to perform cryptographic functions. In addition,
there is special handling that needs to be used with Layer 2 encryption.
Since tunneling, or encapsulation of IP headers, is usually done, such things
as CRC computations must be re-calculated after encryption. Also, it is
imperative in such a mode of operation that any QOS bits also be copied into
the external IP header. Strictly speaking, these operations are performed at
the network layer.

It must be noted that AH does not provide non-repudiation, only verification
of integrity. As a rule of thumb, while secure, DH operations are
susceptible to "man in the middle" attacks. As such, PKI offers added
protection to the authentication of an exchange through non-repudiation.

There is something to be said for combining some type of firewall
capabilities with a VPN termination point. IPSec by nature guarantees secured
communications, but it cannot guarantee that the communications being
exchanged do not contain harmful programs or the like.

It could be argued that encrypted communications are only as secure as the
entity performing the encryption. In the case of tunnel mode operations,
this is even more important, as the data being encrypted is assumed to have
originated from a different entity altogether.

~DG
  -----Original Message-----
  From: owner-ipsec-policy@mail.vpnc.org
[mailto:owner-ipsec-policy@mail.vpnc.org]On Behalf Of Vohra, Meenakshi
  Sent: Thursday, September 13, 2001 12:22 PM
  To: 'Ashish Chaurasia'; ipsec-policy@vpnc.org
  Subject: RE: VPN Questions


  For question # 1, well I guess VPN at Data Link Layer is not secure,
whereas IPSec provides VPN with security through encryption,
encapsulation..... I think so....
  Again, I think firewall only filters which traffic to allow & which not to,
whereas VPN with IPSec secures those packets by encrypting them &
authenticating them.

  Pls. correct me if I am wrong
  meenakshi
    -----Original Message-----
    From: Ashish Chaurasia [mailto:ashish.chaurasia@cdac.ernet.in]
    Sent: Thursday, September 13, 2001 5:25 PM
    To: ipsec-policy@vpnc.org
    Cc: Ashish Chaurasia
    Subject: VPN Questions


    I'm working on VPN using IPSec protocol. But I have some doubts in my
mind.

    1.  What is the advantage of implementing VPN using IPSec protocol that
works at Network layer, even though the implementations of VPN at Data Link
layer are available such as L2TP, L2F, PPTP etc.?

    2. What extra does VPN support in comparison to the combination of
Firewall and PKI?

    3. What are the advantages of having security at Network Layer over
having security at other layers of TCP/IP stack?

    regards
    Ashish
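As an added illustration of the tunnel-mode encapsulation step the reply describes (the inner packet's QoS/TOS byte copied into the outer IP header and the outer header checksum computed after the payload has been protected), here is a small Python model; it is not code from the original post. Gateway addresses and the ESP body are constructed placeholders, and no encryption is performed.

```python
import struct
import ipaddress

IPPROTO_ESP = 50  # protocol number carried in the outer header for ESP tunnel mode

def ipv4_checksum(header: bytes) -> int:
    """IPv4 header checksum: one's complement of the one's-complement sum of the
    header's 16-bit words. Computed over a header whose checksum field is zero it
    yields the value to store; computed over a correct header it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4_header(src: str, dst: str, proto: int, tos: int,
                      payload_len: int, ttl: int = 64, ident: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a freshly computed checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, ident, 0,
                      ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def tunnel_encapsulate(inner_packet: bytes, gw_src: str, gw_dst: str,
                       esp_body: bytes) -> bytes:
    """Outer header as the message describes it: built after the inner packet
    has been protected, with the inner TOS byte (the QoS bits) copied into the
    outer header and the outer checksum computed last. esp_body stands for the
    ESP output that carries the inner packet; here it is an opaque constructed
    blob and no encryption takes place."""
    if len(inner_packet) < 20 or inner_packet[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    inner_tos = inner_packet[1]
    outer = build_ipv4_header(gw_src, gw_dst, IPPROTO_ESP, inner_tos, len(esp_body))
    return outer + esp_body

def outer_header_ok(packet: bytes) -> bool:
    """Receiver-side check: the header checksum verifies and the total length
    field matches the bytes actually present."""
    if len(packet) < 20:
        return False
    total_len = struct.unpack("!H", packet[2:4])[0]
    return ipv4_checksum(packet[:20]) == 0 and total_len == len(packet)

# Constructed sample: a UDP packet marked DSCP EF (TOS 0xB8) from a host behind
# gateway A to a host behind gateway B, then carried between the two gateways.
INNER = build_ipv4_header("10.1.0.5", "10.2.0.9", 17, 0xB8, 8) + b"\x00" * 8
ESP_BODY = b"\x00\x00\x10\x01" + b"\x00\x00\x00\x07" + b"\xaa" * 40  # stand-in SPI, seq, ciphertext
OUTER_PACKET = tunnel_encapsulate(INNER, "198.51.100.1", "203.0.113.1", ESP_BODY)
```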


------=_NextPart_000_002E_01C13C8F.5D0DCD20--



From owner-ipsec-policy@mail.vpnc.org  Wed Sep 19 20:30:18 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id UAA12973
	for <ipsp-archive@odin.ietf.org>; Wed, 19 Sep 2001 20:30:17 -0400 (EDT)
Received: from localhost (localhost [[UNIX: localhost]])
	by above.proper.com (8.11.6/8.11.3) id f8JN0ob14318
	for ipsec-policy-bks; Wed, 19 Sep 2001 16:00:50 -0700 (PDT)
Received: from longmail2.lboard.com ([63.109.116.89])
	by above.proper.com (8.11.6/8.11.3) with ESMTP id f8JN0mD14314
	for <ipsec-policy@vpnc.org>; Wed, 19 Sep 2001 16:00:48 -0700 (PDT)
Received: by longmail2.lboard.com with Internet Mail Service (5.5.2650.21)
	id <TGAM188W>; Wed, 19 Sep 2001 19:00:19 -0400
Message-ID: <F2F760C942EBD411B98800A0CC733FCF17976C@longmail2.lboard.com>
From: Ed Ellesson <eellesson@lboard.com>
To: "'ipsec-policy@vpnc.org'" <ipsec-policy@vpnc.org>
Cc: "'Wijnen, Bert (Bert)'" <bwijnen@lucent.com>,
        "'Joel M. Halpern'"
	 <joel@longsys.com>
Subject: FW: Terminology for Policy-Based Management 
Date: Wed, 19 Sep 2001 19:00:18 -0400
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: text/plain;
	charset="iso-8859-1"
Sender: owner-ipsec-policy@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ipsec-policy/mail-archive/>
List-ID: <ipsec-policy.vpnc.org>
List-Unsubscribe: <mailto:ipsec-policy-request@vpnc.org?body=unsubscribe>


IPsec WG:

Thanks for your help with the subject draft. We have requested that the IESG
consider it for Informational status, as noted below.

Ed and Joel


>  -----Original Message-----
> From: 	Ed Ellesson  
> Sent:	Monday, September 17, 2001 3:54 PM
> To:	'Wijnen, Bert (Bert)'
> Cc:	'Joel M. Halpern'; 'andreaw@cisco.com'; 'policy@ietf.org';
> 'john.schnizlein@cisco.com'; 'john.strassner@intelliden.com';
> 'mscherling@xcert.com'; 'bquinn@celoxnetworks.com'; 'jay@jandg.net';
> 'herzog@iphighway.com'; 'ahuynh@lucent.com'; 'mark.carlson@sun.com';
> 'waldbusser@nextbeacon.com'; 'Randy Bush'
> Subject:	Terminology for Policy-Based Management 
> 
> Bert, 
> 
> Please forward the following draft to the IESG for consideration as an
> Informational RFC:
> 
> http://www.ietf.org/internet-drafts/draft-ietf-policy-terminology-04.txt
> 
> The content of this revised draft represents the rough consensus of our
> working group, coordinated with the following working groups, based on the
> comments received on the prior draft (-03) during the multiple working
> group extended last call, which completed in early June, prior to the
> London IETF.  The resulting revisions were discussed and accepted on both
> the policy framework working group mailing list, as well as the mailing
> list of the working group from which each comment was received.  
> 
> The revised draft (-04) was posted prior to the London IETF, and was
> reviewed at the policy wg meeting in London.  The minutes of that meeting
> reflect the wg decision to forward this revised draft to the IESG.  No
> further comments have been received on the policy wg mailing list.
> 
> Working groups participating in the extended working group last call of
> the prior draft (-03), resulting in the revised draft (-04): 
> Policy
> DiffServ
> RAP
> IPSP
> SNMPCONF
> AAA
> AAAArch (IRTF)
> MPLS
> 
> We will also forward a copy of this notice/request to each of these wg's
> mailing lists.  Thanks to the authors and all those who submitted
> comments!
> 
> Sincerely, 
> 
> Ed Ellesson, with Joel Halpern
> Co-chairs, Policy Framework WG
> 
> 
> 
> 
> 


From owner-ipsec-policy@mail.vpnc.org  Thu Sep 20 05:49:38 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id FAA04462
	for <ipsp-archive@odin.ietf.org>; Thu, 20 Sep 2001 05:49:38 -0400 (EDT)
Received: from localhost (localhost [[UNIX: localhost]])
	by above.proper.com (8.11.6/8.11.3) id f8K8bqU19032
	for ipsec-policy-bks; Thu, 20 Sep 2001 01:37:52 -0700 (PDT)
Received: from p-mail2.cnet.fr (p-mail2.rd.francetelecom.com [193.49.124.32])
	by above.proper.com (8.11.6/8.11.3) with SMTP id f8K8boD19023
	for <ipsec-policy@vpnc.org>; Thu, 20 Sep 2001 01:37:51 -0700 (PDT)
Received: by p-voyageur.rd.francetelecom.fr with Internet Mail Service (5.5.2653.19)
	id <SWGD949C>; Thu, 20 Sep 2001 10:20:41 +0200
Message-ID: <91A311FF6A85D3118DDF0060080C3D829DE2C7@lat3721.rd.francetelecom.fr>
From: MORAND Pierrick FTRD/DMI/CAE <pierrick.morand@rd.francetelecom.com>
To: "IPSEC-POLICY (E-mail)" <ipsec-policy@vpnc.org>
Subject: UNIQUENESS clause of ipSecIkeRuleTable
Date: Thu, 20 Sep 2001 10:19:36 +0200
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain;
	charset="windows-1252"
Sender: owner-ipsec-policy@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ipsec-policy/mail-archive/>
List-ID: <ipsec-policy.vpnc.org>
List-Unsubscribe: <mailto:ipsec-policy-request@vpnc.org?body=unsubscribe>


Hi !

In the ipSecIkeRuleTable the UNIQUENESS clause is currently the following:
UNIQUENESS {
       ipSecIkeRuleIfName,
       ipSecIkeRuleRoles
       }
Doing so prevents the PDP from installing, for an interface having a given
Role/IfName tuple value, different Ike policies for different peers.

Shouldn't this clause be set to:
UNIQUENESS {
       ipSecIkeRuleIfName,
       ipSecIkeRuleRoles,
       ipSecIkeRuleIkeAssiciationId ReferenceId,
//for the editor: to be renamed ipSecIkeRuleIkeAssociationId
       ipSecIkeRuleIkeEndpointGroupId TagReferenceId
       }
I have excluded the ipSecIkeRuleIpSecRuleTimePeriodGroupId in order to avoid
that an IkeRule (same IkeAssociation and group of peers) is the object of
two different sets of TimePeriod policies, leading to the creation of two different
IkeRule instances while the RuleTimePeriodSet could be updated.

Thanks for your comments.

Pierrick Morand
france telecom R&D/DMI/SIR/IPI
Tel   : +33 2 31 75 91 79 -  Fax : +33 2 31 73 56 26
Email :pierrick.morand@rd.francetelecom.com




From owner-ipsec-policy@mail.vpnc.org  Tue Sep 25 18:48:08 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA17277
	for <ipsp-archive@lists.ietf.org>; Tue, 25 Sep 2001 18:48:07 -0400 (EDT)
Received: from localhost (localhost [[UNIX: localhost]])
	by above.proper.com (8.11.6/8.11.3) id f8PLdjP04658
	for ipsec-policy-bks; Tue, 25 Sep 2001 14:39:45 -0700 (PDT)
Received: from mgw-dax2.ext.nokia.com (mgw-dax2.ext.nokia.com [63.78.179.217])
	by above.proper.com (8.11.6/8.11.3) with ESMTP id f8PLdhD04558
	for <ipsec-policy@vpnc.org>; Tue, 25 Sep 2001 14:39:43 -0700 (PDT)
Received: from davir02nok.americas.nokia.com (davir02nok.americas.nokia.com [172.18.242.85])
	by mgw-dax2.ext.nokia.com (Switch-2.1.0/Switch-2.1.0) with ESMTP id f8PLdxC01789
	for <ipsec-policy@vpnc.org>; Tue, 25 Sep 2001 16:40:00 -0500 (CDT)
Received: from daebh001.NOE.Nokia.com (unverified) by davir02nok.americas.nokia.com
 (Content Technologies SMTPRS 4.2.5) with ESMTP id <T5636a534f0ac12f255079@davir02nok.americas.nokia.com>;
 Tue, 25 Sep 2001 16:39:44 -0500
content-class: urn:content-classes:message
Subject: RE: UNIQUENESS clause of ipSecIkeRuleTable
Date: Tue, 25 Sep 2001 16:39:16 -0500
Message-ID: <B9CFA6CE8FFDD211A1FB0008C7894E4604A1D2B4@bseis01nok>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="Windows-1252"
Thread-Topic: UNIQUENESS clause of ipSecIkeRuleTable
X-MimeOLE: Produced By Microsoft Exchange V6.0.4712.0
Thread-Index: AcFBstBH7bO4Ga2lEdWJUwAIx6TWpQEVfsUQ
From: "Li Man.M (NRC/Boston)" <Man.M.Li@nokia.com>
To: "'ext MORAND Pierrick FTRD/DMI/CAE'" <pierrick.morand@rd.francetelecom.com>,
        "IPSEC-POLICY (E-mail)" <ipsec-policy@vpnc.org>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id f8PLdiD04607
Sender: owner-ipsec-policy@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ipsec-policy/mail-archive/>
List-ID: <ipsec-policy.vpnc.org>
List-Unsubscribe: <mailto:ipsec-policy-request@vpnc.org?body=unsubscribe>
Content-Transfer-Encoding: 8bit


Hi Pierrick,

Thanks for pointing this out. Would the addition of
ipSecIkeRuleIkeEndpointGroupId into the UNIQUENESS be good enough? It
boils down to the question of "can there be more than one IKE
association between two end points?" If the answer is yes, then
ipSecIkeRuleIkeAssiciationId needs to be added too.

I start to think that the ipSecRuleTable has the same issue. The
ipSecruleIpSecSelectorGroupId needs to be added to the UNIQUENESS. What
do you think?

Thanks for your comments
Man 

-----Original Message-----
From: ext MORAND Pierrick FTRD/DMI/CAE
[mailto:pierrick.morand@rd.francetelecom.com]
Sent: September 20, 2001 04:20 AM
To: IPSEC-POLICY (E-mail)
Subject: UNIQUENESS clause of ipSecIkeRuleTable



Hi !

In the ipSecIkeRuleTable the UNIQUENESS clause is currently the
following:
UNIQUENESS {
       ipSecIkeRuleIfName,
       ipSecIkeRuleRoles
       }
Doing so prevents the PDP from installing, for an interface having a
given Role/IfName tuple value, different Ike policies for different peers.

Shouldn't this clause be set to:
UNIQUENESS {
       ipSecIkeRuleIfName,
       ipSecIkeRuleRoles,
       ipSecIkeRuleIkeAssiciationId ReferenceId,
//for the editor: to be renamed ipSecIkeRuleIkeAssociationId
       ipSecIkeRuleIkeEndpointGroupId TagReferenceId
       }
I have excluded the ipSecIkeRuleIpSecRuleTimePeriodGroupId in order to
avoid that an IkeRule (same IkeAssociation and group of peers) is the object
of two different sets of TimePeriod policies, leading to the creation of two
different IkeRule instances while the RuleTimePeriodSet could be updated.

Thanks for your comments.

Pierrick Morand
france telecom R&D/DMI/SIR/IPI
Tel   : +33 2 31 75 91 79 -  Fax : +33 2 31 73 56 26
Email :pierrick.morand@rd.francetelecom.com
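Added example, not from the thread or the IPSP PIB draft: a small Python model of a PIB table keyed by its UNIQUENESS clause, run over the cases raised in both messages above (two peer groups on one IfName/Roles tuple, two IKE associations with the same peer group, and a rule whose time-period group is replaced). Column names are those quoted in the thread, including the draft's current spelling ipSecIkeRuleIkeAssiciationId; the row values and the "replace the existing instance" behaviour are constructed assumptions.

```python
from typing import Dict, List, Sequence, Tuple

# UNIQUENESS clauses under discussion. The draft's current spelling
# ipSecIkeRuleIkeAssiciationId is kept on purpose: it is the attribute's name.
ORIGINAL_UNIQUENESS = ("ipSecIkeRuleIfName", "ipSecIkeRuleRoles")
# Man's question: is adding only the endpoint group enough?
ENDPOINT_ONLY_UNIQUENESS = ORIGINAL_UNIQUENESS + ("ipSecIkeRuleIkeEndpointGroupId",)
# Pierrick's proposal: association id and endpoint group, time-period group left out.
PROPOSED_UNIQUENESS = ORIGINAL_UNIQUENESS + (
    "ipSecIkeRuleIkeAssiciationId", "ipSecIkeRuleIkeEndpointGroupId")
# The variant Pierrick argues against: time-period group included in the key.
WITH_TIMEPERIOD_UNIQUENESS = PROPOSED_UNIQUENESS + (
    "ipSecIkeRuleIpSecRuleTimePeriodGroupId",)
Row = Dict[str, object]

class PibTable:
    """Rows are PRIDs (instance ids). The UNIQUENESS clause lists the attributes
    whose combined value must be unique across rows, so a row whose key already
    exists can only replace that instance (modelled here as an in-place update)."""
    def __init__(self, uniqueness: Sequence[str]):
        self.uniqueness = tuple(uniqueness)
        self.rows: Dict[int, Row] = {}
        self._next_prid = 1

    def _key(self, row: Row) -> Tuple[object, ...]:
        return tuple(row[col] for col in self.uniqueness)

    def provision(self, row: Row) -> Tuple[int, bool]:
        """Install a row; returns (PRID, created)."""
        key = self._key(row)
        for prid, existing in self.rows.items():
            if self._key(existing) == key:
                existing.update(row)
                return prid, False
        prid, self._next_prid = self._next_prid, self._next_prid + 1
        self.rows[prid] = dict(row)
        return prid, True

def ike_rule(ifname, roles, assoc_id, endpoint_group, timeperiod_group) -> Row:
    """One ipSecIkeRuleTable row built from constructed sample values."""
    return {"ipSecIkeRuleIfName": ifname, "ipSecIkeRuleRoles": roles,
            "ipSecIkeRuleIkeAssiciationId": assoc_id,
            "ipSecIkeRuleIkeEndpointGroupId": endpoint_group,
            "ipSecIkeRuleIpSecRuleTimePeriodGroupId": timeperiod_group}

def rows_installed(uniqueness: Sequence[str], rows: List[Row]) -> int:
    """Provision the rows in order under the given clause; count the instances left."""
    table = PibTable(uniqueness)
    for row in rows:
        table.provision(row)
    return len(table.rows)

# Constructed scenarios, all on the same interface and role:
# policies for two peer groups under one IKE association (Pierrick's case),
TWO_PEER_GROUPS = [ike_rule("eth0", "branch-gw", 1, 10, 100),
                   ike_rule("eth0", "branch-gw", 1, 20, 100)]
# two IKE associations with the same peer group (Man's question),
TWO_ASSOCIATIONS = [ike_rule("eth0", "branch-gw", 1, 10, 100),
                    ike_rule("eth0", "branch-gw", 2, 10, 100)]
# and one rule whose time-period group is replaced (100 -> 101): the proposed
# clause updates the instance, a key containing the time period leaves a stale one.
TIMEPERIOD_REPLACED = [ike_rule("eth0", "branch-gw", 1, 10, 100),
                       ike_rule("eth0", "branch-gw", 1, 10, 101)]
```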



