IETF Logo Mail Archive

Re: [bess] New Version Notification for draft-rosen-bess-secure-l3vpn-00.txt

<stephane.litkowski@orange.com> Fri, 15 June 2018 07:52 UTC

Return-Path: <stephane.litkowski@orange.com>
X-Original-To: bess@ietfa.amsl.com
Delivered-To: bess@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C71B9130ED4 for <bess@ietfa.amsl.com>; Fri, 15 Jun 2018 00:52:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I_GBYRoslb7O for <bess@ietfa.amsl.com>; Fri, 15 Jun 2018 00:52:35 -0700 (PDT)
Received: from orange.com (mta134.mail.business.static.orange.com [80.12.70.34]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 89E48130E2B for <bess@ietf.org>; Fri, 15 Jun 2018 00:52:35 -0700 (PDT)
Received: from opfednr04.francetelecom.fr (unknown [xx.xx.xx.68]) by opfednr23.francetelecom.fr (ESMTP service) with ESMTP id DBFD2C086A; Fri, 15 Jun 2018 09:52:33 +0200 (CEST)
Received: from Exchangemail-eme2.itn.ftgroup (unknown [xx.xx.31.2]) by opfednr04.francetelecom.fr (ESMTP service) with ESMTP id BA8BD40083; Fri, 15 Jun 2018 09:52:33 +0200 (CEST)
Received: from OPEXCLILMA4.corporate.adroot.infra.ftgroup ([fe80::65de:2f08:41e6:ebbe]) by OPEXCLILM21.corporate.adroot.infra.ftgroup ([fe80::e92a:c932:907e:8f06%19]) with mapi id 14.03.0399.000; Fri, 15 Jun 2018 09:52:33 +0200
From: stephane.litkowski@orange.com
To: Ron Bonica <rbonica@juniper.net>, "bess@ietf.org" <bess@ietf.org>
Thread-Topic: New Version Notification for draft-rosen-bess-secure-l3vpn-00.txt
Thread-Index: AQHUAb0/C+i0io0nekOi/XAFLuZhe6RbeAcwgAPOgDCAAJITcIABHn0w
Date: Fri, 15 Jun 2018 07:52:32 +0000
Message-ID: <28899_1529049153_5B237041_28899_477_8_9E32478DFA9976438E7A22F69B08FF924B1D03DC@OPEXCLILMA4.corporate.adroot.infra.ftgroup>
References: <152874653557.2807.17161289464973121006.idtracker@ietfa.amsl.com> <CO1PR05MB443FF492ECE04553EF9E17BAE780@CO1PR05MB443.namprd05.prod.outlook.com> <21095_1528957044_5B220874_21095_95_5_9E32478DFA9976438E7A22F69B08FF924B1BA942@OPEXCLILMA4.corporate.adroot.infra.ftgroup> <CO1PR05MB443218ED439186A6F6A0215AE7D0@CO1PR05MB443.namprd05.prod.outlook.com>
In-Reply-To: <CO1PR05MB443218ED439186A6F6A0215AE7D0@CO1PR05MB443.namprd05.prod.outlook.com>
Accept-Language: fr-FR, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.168.234.4]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/bess/i7Lz2Kpoxp6cwBaU942yd9SoumU>
Subject: Re: [bess] New Version Notification for draft-rosen-bess-secure-l3vpn-00.txt
X-BeenThere: bess@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: BGP-Enabled ServiceS working group discussion list <bess.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bess>, <mailto:bess-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bess/>
List-Post: <mailto:bess@ietf.org>
List-Help: <mailto:bess-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bess>, <mailto:bess-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Jun 2018 07:52:52 -0000

Hi Ron,

I fully understand the case you are describing and I support this work (speaking as individual).
I think it would be worth to clarify the goals/use cases and if you plan to address the use case that Robert has mentioned.

Brgds,


-----Original Message-----
From: Ron Bonica [mailto:rbonica@juniper.net] 
Sent: Thursday, June 14, 2018 16:53
To: LITKOWSKI Stephane OBS/OINIS; bess@ietf.org
Subject: RE: New Version Notification for draft-rosen-bess-secure-l3vpn-00.txt

Hi Stephane,

Yes, we are talking about a niche use case. We probably should have talked about the use case more in the draft.

Assume the following about an enterprise:

- It has many compartments (VPNs) that requires some degree of separation from one another
- It has many permanent sites
- It has a mission critical requirement for site mobility.

In response to some transient event (e.g., a natural disaster, a sporting event, a geopolitical event), the enterprise may have to add a new site. The site will be secured by the enterprise (hence, the C-PE) and will use whatever connectivity is available (e.g., hotel Wi-Fi).

The site is temporary. Once the transient event is over, the site goes away.

Yes, this is a niche use-case, but the market is large enough to warrant our attention.

                                                            Ron

> -----Original Message-----
> From: stephane.litkowski@orange.com <stephane.litkowski@orange.com>
> Sent: Thursday, June 14, 2018 2:17 AM
> To: Ron Bonica <rbonica@juniper.net>; bess@ietf.org
> Subject: RE: New Version Notification for draft-rosen-bess-secure-l3vpn-
> 00.txt
> 
> Hi Ron,
> 
> I have read quickly the document.
> I think the use case of having secure L3VPNs is valid and we already have all
> (or most of) the technology building blocks to do it.
> Now the draft takes a complete upside down approach comparing to our well
> known L3VPNs which are provider provisioned VPNs as you propose to build
> them at the CE side.
> This could be a valid approach but isn't it a niche use case ?
> 
> Customer sites connected over the Internet is for sure a use case to handle,
> and we already to it today by establishing an IPSec tunnel towards an SP-PE,
> the tunnel ends in the customer VRF.
> Customer data must not be exposed: also a valid use case. We have some
> customers doing IPSec transport within MPLS VPN for some specific traffic.
> On the other hand, from an SP point of view, when core links are not fully
> trusted, MACSEC or IPSec are also options.
> 
> I'm less convinced by the routing that should not be exposed. I agree that
> this is a possibility and a valid use case but I do not think that this is a big deal
> for most of customers (even those requiring more security). The good thing
> of MPLS VPN is the routing complexity is almost pushed to the SP and the
> customer has few things to do and they are happy with that.
> 
> The last case of the multitenancy on the customer side is also valid, but I also
> think that it is a niche use case.
> 
> My point is that the draft is currently focusing on one scenario which in my
> opinion addresses a niche use case while there may be intermediate
> scenarios (like no multitenancy and/or no need of routing protection) that
> could be more widely applicable.
> 
> Brgds,
> 
> Stephane
> 
> 
> -----Original Message-----
> From: BESS [mailto:bess-bounces@ietf.org] On Behalf Of Ron Bonica
> Sent: Monday, June 11, 2018 21:56
> To: bess@ietf.org
> Subject: [bess] FW: New Version Notification for draft-rosen-bess-secure-
> l3vpn-00.txt
> 
> Folks,
> 
> Please review and comment on this draft.
> 
>                                           Ron
> 
> 
> -----Original Message-----
> From: internet-drafts@ietf.org <internet-drafts@ietf.org>
> Sent: Monday, June 11, 2018 3:49 PM
> To: Ron Bonica <rbonica@juniper.net>; Eric Rosen <erosen@juniper.net>;
> Eric Rosen <erosen@juniper.net>
> Subject: New Version Notification for draft-rosen-bess-secure-l3vpn-00.txt
> 
> 
> A new version of I-D, draft-rosen-bess-secure-l3vpn-00.txt
> has been successfully submitted by Eric C. Rosen and posted to the IETF
> repository.
> 
> Name:		draft-rosen-bess-secure-l3vpn
> Revision:	00
> Title:		Augmenting RFC 4364 Technology to Provide Secure Layer
> L3VPNs over Public Infrastructure
> Document date:	2018-06-11
> Group:		Individual Submission
> Pages:		19
> URL:         https://urldefense.proofpoint.com/v2/url?u=https-
> 3A__tools.ietf.org_html_draft-2Drosen-2Dbess-2Dsecure-2Dl3vpn-
> 2D00&d=DwIFAg&c=HAkYuh63rsuhr6Scbfh0UjBXeMK-
> ndb3voDTXcWzoCI&r=Fch9FQ82sir-BoLx84hKuKwl-
> AWF2EfpHcAwrDThKP8&m=ynt6xEw1IEsGTlD_UKas9ALkZzKN_qfQO9ccs-
> D_xmk&s=WZHJlo1WtiFkNoPygS1bcJe-TVSTCSu4YrVoGckSTgA&e=
> Status:     https://urldefense.proofpoint.com/v2/url?u=https-
> 3A__datatracker.ietf.org_doc_draft-2Drosen-2Dbess-2Dsecure-
> 2Dl3vpn_&d=DwIFAg&c=HAkYuh63rsuhr6Scbfh0UjBXeMK-
> ndb3voDTXcWzoCI&r=Fch9FQ82sir-BoLx84hKuKwl-
> AWF2EfpHcAwrDThKP8&m=ynt6xEw1IEsGTlD_UKas9ALkZzKN_qfQO9ccs-
> D_xmk&s=siUM7bajtgMwdB8RGQEqfGIskeMmvVgmJbueM2TQfmc&e=
> Htmlized:  https://urldefense.proofpoint.com/v2/url?u=https-
> 3A__tools.ietf.org_html_draft-2Drosen-2Dbess-2Dsecure-2Dl3vpn-
> 2D00&d=DwIFAg&c=HAkYuh63rsuhr6Scbfh0UjBXeMK-
> ndb3voDTXcWzoCI&r=Fch9FQ82sir-BoLx84hKuKwl-
> AWF2EfpHcAwrDThKP8&m=ynt6xEw1IEsGTlD_UKas9ALkZzKN_qfQO9ccs-
> D_xmk&s=WZHJlo1WtiFkNoPygS1bcJe-TVSTCSu4YrVoGckSTgA&e=
> Htmlized:  https://urldefense.proofpoint.com/v2/url?u=https-
> 3A__datatracker.ietf.org_doc_html_draft-2Drosen-2Dbess-2Dsecure-
> 2Dl3vpn&d=DwIFAg&c=HAkYuh63rsuhr6Scbfh0UjBXeMK-
> ndb3voDTXcWzoCI&r=Fch9FQ82sir-BoLx84hKuKwl-
> AWF2EfpHcAwrDThKP8&m=ynt6xEw1IEsGTlD_UKas9ALkZzKN_qfQO9ccs-
> D_xmk&s=8qEoWVnhEGQT-Xvmq5C8eGsH0eQv7zAhXoKmz7eN2Cw&e=
> 
> 
> Abstract:
>    The Layer 3 Virtual Private Network (VPN) technology described in RFC
>    4364 is focused on the scenario in which a network Service Provider
>    (SP) maintains a secure backbone network and offers VPN service over
>    that network to its customers.  Customers access the SP's network by
>    attaching "Customer Edge" (CE) routers to "Provider Edge" (PE)
>    routers, and exchanging cleartext IP packets.  PE routers generally
>    serve multiple customers, and prevent unauthorized communication
>    among customers.  Customer data sent across the backbone (from one PE
>    to another) is encapsulated in MPLS, using an MPLS label to associate
>    a given packet with a given customer.  The labeled packets are then
>    sent across the backbone network in the clear, using MPLS transport.
>    However, many customers want a VPN service that is secure enough to
>    run over the public Internet, and which does not require them to send
>    cleartext IP packets to a service provider.  Often they want to
>    connect directly to edge nodes of the public Internet, which does not
>    provide MPLS support.  Each customer may itself have multiple tenants
>    who are not allowed to intercommunicate with each other freely.  In
>    this case, the customer many need to provide a VPN service for the
>    tenants.  This document describes a way in which this can be achieved
>    using the technology of RFC 4364.  The functionality assigned therein
>    to a PE router can be placed instead in Customer Premises Equipment.
>    This functionality can be augmented by transmitting MPLS packets
>    through IPsec Security Associations.  The BGP control plane sessions
>    can also be protected by IPsec.  This allows a customer to use RFC
>    4364 technology to provide VPN service to its internal departments,
>    while sending only IPsec-protected packets to the Internet or other
>    backbone network, and eliminating the need for MPLS transport in the
>    backbone.
> 
> 
> 
> 
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
> 
> The IETF Secretariat
> 
> _______________________________________________
> BESS mailing list
> BESS@ietf.org
> https://urldefense.proofpoint.com/v2/url?u=https-
> 3A__www.ietf.org_mailman_listinfo_bess&d=DwIFAg&c=HAkYuh63rsuhr6Sc
> bfh0UjBXeMK-ndb3voDTXcWzoCI&r=Fch9FQ82sir-BoLx84hKuKwl-
> AWF2EfpHcAwrDThKP8&m=ynt6xEw1IEsGTlD_UKas9ALkZzKN_qfQO9ccs-
> D_xmk&s=qptmIVc7U_jc-kNnUXNcrnc9Gft_Utcc0-sn0jcMLJg&e=
> 
> __________________________________________________________
> __________________________________________________________
> _____
> 
> Ce message et ses pieces jointes peuvent contenir des informations
> confidentielles ou privilegiees et ne doivent donc
> pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce
> message par erreur, veuillez le signaler
> a l'expediteur et le detruire ainsi que les pieces jointes. Les messages
> electroniques etant susceptibles d'alteration,
> Orange decline toute responsabilite si ce message a ete altere, deforme ou
> falsifie. Merci.
> 
> This message and its attachments may contain confidential or privileged
> information that may be protected by law;
> they should not be distributed, used or copied without authorisation.
> If you have received this email in error, please notify the sender and delete
> this message and its attachments.
> As emails may be altered, Orange is not liable for messages that have been
> modified, changed or falsified.
> Thank you.


_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.

v2.23.0 | Report a Bug | By Email