Re: [IPsec] Comments on proposed draft-ietf-ipsecme-ad-vpn-problem-02

Brian Weis <> Thu, 13 December 2012 21:48 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id AE15321F86C2 for <>; Thu, 13 Dec 2012 13:48:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -109.999
X-Spam-Status: No, score=-109.999 tagged_above=-999 required=5 tests=[AWL=-0.601, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_13=0.6, J_CHICKENPOX_14=0.6, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Y-w4pf69v7fT for <>; Thu, 13 Dec 2012 13:48:18 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id A9B6F21F8653 for <>; Thu, 13 Dec 2012 13:48:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=12424; q=dns/txt; s=iport; t=1355435298; x=1356644898; h=mime-version:subject:from:in-reply-to:date:cc:message-id: references:to; bh=DszcbJN7mfI2Q/pbhgKe3CRhYx3jVGyvf6tHcojJLJg=; b=f7P+oZGKmbHCBB07AfEiXEo7YiJV3ilGhJOkWxxc+JWFVfI46QvTCB3c nZVp5D/CMSCfYiZxj8iFJaQxnxtWx75QiFYdQmd3Uuhz4vAiAKYSz2wg3 vKZoLIyOp7FbHoivs1wx7+sPRaBR7OG6Sw/cdWB/abOHvb2/DTzv/vF71 o=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AigHAPZMylCrRDoH/2dsb2JhbABFg0i7KBZzgh4BAQEDAQEBAWsLBQsLGC4hBjAGExuHZgMJBQEMsyENiVEEi25pg2JhA4hgi1OBVos3hRGDFA
X-IronPort-AV: E=Sophos; i="4.84,276,1355097600"; d="scan'208,217"; a="66499568"
Received: from ([]) by with ESMTP; 13 Dec 2012 21:48:07 +0000
Received: from ( []) by (8.14.5/8.14.5) with ESMTP id qBDLm7Wn008567 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Thu, 13 Dec 2012 21:48:07 GMT
Content-Type: multipart/alternative; boundary="Apple-Mail=_FE874739-0BB3-4B47-BC5A-AF6CE1C1309F"
Mime-Version: 1.0 (Mac OS X Mail 6.2 \(1499\))
From: Brian Weis <>
In-Reply-To: <>
Date: Thu, 13 Dec 2012 13:48:06 -0800
Message-Id: <>
References: <> <>
To: Vishwas Manral <>
X-Mailer: Apple Mail (2.1499)
Cc: "" <>,, Stephen Hanna <>
Subject: Re: [IPsec] Comments on proposed draft-ietf-ipsecme-ad-vpn-problem-02
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 13 Dec 2012 21:48:19 -0000

Hi Vishwas,

See a couple of notes inline.

On Dec 13, 2012, at 9:54 AM, Vishwas Manral <> wrote:

> Hi Brian,
> Thanks a lot for your comments and sorry I did not reply immediately. I have still been waiting for the version 2 to upload. I have sent it to the address.
> My comments are inline and will be updated in version 03. We could do it in version 02 too if it does not get posted soon enough.

Updating version 03 is fine with me. I was a bit late with the comments.

> The only issue I have is with the L3VPN comment and would want Lou Berger's opinion on it, as he thought the text would add value there (though if you see previous comments I am more of the opinion similar to yours).
> On Tue, Dec 11, 2012 at 12:30 PM, Brian Weis <> wrote:
> Hi Steve & Vishwas,
> Here are a couple of comments on the proposed -02 sent a few days ago.
> Requirement 1 says "gateways and endpoints MUST minimize configuration changes when a new gateway or endpoint is added, removed or changed." While I certainly agree with the sentiment behind the requirement, this statement is about as strong as "gateways and endpoints MUST perform well", or "gateways and endpoints MUST be easy to use". In other words, it isn't a testable assertion that can be evaluated. Also the body of the document says "it is desired that there be minimal configuration on each gateway", which does not support a MUST requirement. This ought to be a SHOULD rather than a MUST.
> Changed the MUST to a SHOULD. 
> Requirement 8 has gone through several versions, but I think it could still be made clearer. It first requires Gateways and endpoints "to work when they are behind NAT boxes", and then makes a bunch of necessary exceptions. The following replacement text attempts to make the same points as the original but might be clearer:
>    8.  Gateways and endpoints MUST have the capability to participate
>    in an AD VPN even when they are located behind NAT boxes. However,
>    in some cases they may be deployed in such a way that they will not be
>    fully reachable behind a NAT box.  It is especially difficult
>    to handle cases where the Hub is behind a NAT box.  Where the
>    two endpoints are both behind separate NATs, communication between
>    these spokes SHOULD be supported using workarounds
>    such as port forwarding by the NAT or detecting when two spokes
>    are behind uncooperative NATs and using a hub in that case.
> VM> Updated. 
> Requirement 14 says "The ADVPN solution MUST support Provider Edge (PE) based VPN's". This requirement seems unfair to the end point use cases in 2.1 and 2.3, or even gateway-to-gateway ADVPN solutions that have nothing to do with L3VPNs! I think you're trying to say it must be possible to build an ADVPN solution that meets the requirements of L3VPN, which I have no problem with but I don't think think this it's a fair requirement to put in Section 4. Is there anything beyond the new text you added in 2.2 regarding L3VPN that needs to be said?
> VM> No I did not add any extra text for L3VPN besides this one. The idea was that if IPsec over GRE as PE to PE communication tunnels the ADVPN technology should not preclude such a solution.Like I have said earlier I do not have strong opinion regarding this requirement. Lou thought this should be there and I asked the list if there were objections to this, and I did not hear anyone object, so I added it.

Thanks for the background. It should be possible to address Lou's concern underlying  concern without adding a requirement that is onerous for ADVPN use cases where L3VPN doesn't apply. The Section 2.2 text I referred to is "There is also the case when L3VPNs operate over IPsec Tunnels." Maybe that could be expanded into a new paragraph in lieu of a requirement? I notice the use of lower case "must" is used in this section. 

> Lets try to hear from Lou on this.

Lou, would something like the following text in Section 2.2 be a satisfactory replacement for Requirement 14?

    There is also the case when L3VPNs operate over IPsec Tunnels, 
    for example Provider Edge (PE) based VPN's. An AD VPN must
    support L3VPN as an application protected by the IPsec


> There's a couple remaining nits:
> Section 2.2: s/A fully meshed solution is would/A fully meshed solution would/
> Section 4: s/This sectiondefines/This section defines/
> VM> Updated.
> Thanks,
> Vishwas 
> Thanks,
> Brian
> _______________________________________________
> IPsec mailing list