Thread: VPN Auth (was VPN authentication/verification and WG re-chartering)




VPN Auth (was VPN authentication/verification and WG re-chartering)
2007-06-05 08:21:39
Sorry for replying to my own message, but I would like to encourage
discussion around VPN Auth requirements.

> I would like to see discussion of the requirements first, so that
> candidate solutions have a point of reference.

For instance, I would argue that there are several roles/modes of
authentication that must be considered: SP-managed, user-managed, and
co-managed. Each of these modes has slightly different requirements, of
course, and different alerting and/or response mechanisms.

Across all of these modes the primary goal is to be assured that all
sites attached to the VPN are intended and allowed to be members.
Secondary goals *might* include verification that the CE was configured
by the correct authority (i.e. is not a hacked or replaced device), that
routes originating from the CE (or PE) are legitimate, etc. Maybe a
solution for one of the secondary goals might actually solve the primary
goal, too.

Any thoughts on these goals, and/or how they translate into technical
requirements?

Cheers,
-Benson


Re: VPN Auth (was VPN authentication/verification and WG re-chartering)
2007-06-05 09:26:45
> Sorry for replying to my own message, but I would like to encourage
> discussion around VPN Auth requirements.
>
>> I would like to see discussion of the requirements first, so that
>> candidate solutions have a point of reference.
>
> For instance, I would argue that there are several roles/modes of
> authentication that must be considered: SP-managed, user-managed, and
> co-managed. Each of these modes has slightly different requirements, of
> course, and different alerting and/or response mechanisms.

	And one other thing related to an important point you raised
earlier related would be two other cases: multiple SP-managed, co-managed
with multiple SPs where there are multiple providers.

	--Tom


> Across all of these modes the primary goal is to be assured that all
> sites attached to the VPN are intended and allowed to be members.
> Secondary goals *might* include verification that the CE was configured
> by the correct authority (i.e. is not a hacked or replaced device), that
> routes originating from the CE (or PE) are legitimate, etc. Maybe a
> solution for one of the secondary goals might actually solve the primary
> goal, too.
>
> Any thoughts on these goals, and/or how they translate into technical
> requirements?
>
> Cheers,
> -Benson


Re: VPN Auth (was VPN authentication/verification and WG re-chartering)
2007-06-05 16:11:10

Schliesser, Benson wrote:
> Sorry for replying to my own message, but I would like to encourage
> discussion around VPN Auth requirements.
>
>> I would like to see discussion of the requirements first, so that
>> candidate solutions have a point of reference.
>
> For instance, I would argue that there are several roles/modes of
> authentication that must be considered: SP-managed, user-managed, and
> co-managed. Each of these modes has slightly different requirements, of
> course, and different alerting and/or response mechanisms.

Could you say a few words about what each of these terms means?

>
> Across all of these modes the primary goal is to be assured that all
> sites attached to the VPN are intended and allowed to be members.
> Secondary goals *might* include verification that the CE was configured
> by the correct authority (i.e. is not a hacked or replaced device), that
> routes originating from the CE (or PE) are legitimate, etc. Maybe a
> solution for one of the secondary goals might actually solve the primary
> goal, too.

Could you say a few words about the secondary goals?

                                 Ron

>
> Any thoughts on these goals, and/or how they translate into technical
> requirements?
>
> Cheers,
> -Benson
>

