Thread: RE: VPN Auth (was VPN authentication/verification and WG re-chartering)

2007-06-05 11:03:08
Tom-

That's a good point. It can (easily) be argued that these multi-SP cases
are actually the most important for VPN authentication to address...
Certainly, the trust models are complicated. I.e. who owns the customer
relationship, who is managing the service(s), etc. But in any case,
there are too many contributors in the VPN for things to just work
without occasional error. VPN authentication is very valuable in this
environment.

Cheers,
-Benson




> -----Original Message-----
> From: Thomas D. Nadeau [mailto:tnadeaucisco.com]
> Sent: Tuesday, June 05, 2007 3:27 PM
> To: Schliesser, Benson
> Cc: l3vpnietf.org
> Subject: Re: VPN Auth (was VPN authentication/verification
> and WG re-chartering)
> 
> 
> > Sorry for replying to my own message, but I would like to encourage
> > discussion around VPN Auth requirements.
> >
> >> I would like to see discussion of the requirements first, so that
> >> candidate solutions have a point of reference.
> >
> > For instance, I would argue that there are several roles/modes of
> > authentication that must be considered: SP-managed, user-managed, and
> > co-managed. Each of these modes has slightly different requirements,
> > of course, and different alerting and/or response mechanisms.
> 
> 	And one other thing related to an important point you raised
> earlier related would be two other cases: multiple SP-managed,
> co-managed with multiple SPs where there are multiple providers.
> 
> 	--Tom
> 
> 
> > Across all of these modes the primary goal is to be assured that all
> > sites attached to the VPN are intended and allowed to be members.
> > Secondary goals *might* include verification that the CE was
> > configured by the correct authority (i.e. is not a hacked or replaced
> > device), that routes originating from the CE (or PE) are legitimate,
> > etc. Maybe a solution for one of the secondary goals might actually
> > solve the primary goal, too.
> >
> > Any thoughts on these goals, and/or how they translate into technical
> > requirements?
> >
> > Cheers,
> > -Benson
> 

