Re: [IPsec] AD-VPN Protocol Selection
"Harms, Patrick" <Patrick.Harms@vwfs.com> Tue, 04 February 2014 08:30 UTC
From: "Harms, Patrick" <Patrick.Harms@vwfs.com>
To: 'Yoav Nir' <ynir@checkpoint.com>, 'Michael Richardson' <mcr+ietf@sandelman.ca>
Date: Tue, 04 Feb 2014 08:30:30 +0000
Message-ID: <87BCDFB0B867FB4A85DB44EE8946E2458407E7E9@FSDEBSSXD111.fs01.vwf.vwfs-ad>
References: <87BCDFB0B867FB4A85DB44EE8946E2458407E6F6@FSDEBSSXD111.fs01.vwf.vwfs-ad> <9636.1391439750@sandelman.ca> <44042206-E996-487F-9451-F42643E2D823@checkpoint.com>
In-Reply-To: <44042206-E996-487F-9451-F42643E2D823@checkpoint.com>
Cc: "'ipsec@ietf.org'" <ipsec@ietf.org>
Subject: Re: [IPsec] AD-VPN Protocol Selection

>> >> Harms, Patrick <Patrick.Harms@vwfs.com> wrote:
>>> - is allowing to add 'spokes' without configuration changes on the 'hub'
>>> devices (8.1 dmvpn draft)
>>
>>> For me, this is an important point. Changing the configuration on the
>>> hub routers, every time a spoke is added to the network, would make
>>> the rollout process too complex and is a possible source of failures.
>>
>> I don't see how you can add a spoke in any system without requiring
>> some changes to at least one hub and/or the database/LDAP/etc. which
>> keeps track of all the spokes.
>
> 1. You set up a CA
> 2. You accept connections from anyone presenting a certificate from that CA
> 3. You trust everything they tell you in routing protocols.

Yes, that is one of my ideas. Set up a CA with an auto-enrollment process for the certificates (e.g. SCEP). Of course, it is very important to have a solid process to handle certificates, rollouts, stolen devices, operations etc.

> As long as only well-behaved spokes get issued certificates, and they never get compromised, everything is fine.
>
>>> Based on the theories (advpn draft and dmvpn) and real world
>>> experience (dmvpn), I would favor dmvpn, because the handling and
>>> operating sounds less complex. (e.g. lower amount of steps in tunnel
>>> initiation, single logical interface for tunnel termination etc.)
>>
>> Do you care about mobile (handheld) devices?
>
> Hey, those are higher-specced than the dual-pentium III at 800MHz with 512 MB of RAM that we were selling as a high-end gateway when I started working at Check Point :-)
>
> Yoav

I am on the lucky side, and do not have to care about handheld devices.

Patrick

Volkswagen Financial Services AG
Registered seat: Braunschweig
Registration court: Amtsgericht Braunschweig
Commercial Register No.: 3790
Chairman of the Supervisory Board: Hans Dieter Pötsch
Board of Management: Frank Witter (Chairman), Dr. Mario Daberkow, Frank Fiedler, Christiane Hesse, Dr. Michael Reinhart, Lars-Henner Santelmann

Important note: The above information is automatically added to this e-mail. This addition does not constitute a representation that the content of this e-mail is legally relevant and/or is intended to be legally binding upon Volkswagen Financial Services AG.
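The hub-side admission policy sketched in the thread (accept any peer whose certificate chains to the spoke CA, with no per-spoke entry on the hub) together with Patrick's point about stolen devices, written out as an added strongSwan swanctl.conf fragment. This is an illustration, not configuration from the thread or from either draft; strongSwan itself, the file names, the DN namespace, the interface id and the addresses are assumptions.

```conf
# Hub-side swanctl.conf (assumed strongSwan; names and addresses are constructed)
connections {
    spokes {
        version      = 2
        local_addrs  = 192.0.2.1     # hub address (documentation range)
        remote_addrs = %any          # spokes may initiate from anywhere
        local {
            auth  = pubkey
            certs = hub.pem          # hub certificate, issued by the same CA
            id    = "C=DE, O=Example, OU=Hubs, CN=hub1.example.net"
        }
        remote {
            auth = pubkey
            # Only this CA may vouch for a spoke; adding a spoke means issuing
            # a certificate (e.g. via SCEP auto-enrollment), not editing the hub.
            cacerts = spoke-ca.pem
            # Constrain admission to the DN namespace the CA issues spoke
            # certificates into, so any other certificate from that CA is
            # not enough to join the overlay.
            id = "C=DE, O=Example, OU=Spokes, CN=*"
            # Stolen or decommissioned spoke: revoke its certificate at the CA.
            # strict refuses peers whose revocation status cannot be checked.
            revocation = strict
        }
        children {
            tunnel {
                # Route-based: full traffic selectors, the routing protocol
                # running over the tunnel decides what is reachable.
                local_ts  = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                # One XFRM interface carries all spoke SAs (single logical
                # tunnel interface on the hub).
                if_id_in  = 42
                if_id_out = 42
            }
        }
    }
}
```

`revocation = strict` only works if the CA publishes a CRL distribution point or OCSP responder reachable from the hub, otherwise every spoke is rejected. The third step in the thread, trusting whatever the spokes announce in the routing protocol, is the residual risk this fragment does not cover.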