Re: [IPsec] NUDGE: Reviewing the AD VPN drafts
Praveen Sathyanarayan <praveenys@juniper.net> Thu, 17 October 2013 00:23 UTC
Return-Path: <praveenys@juniper.net>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2AD5121F9808 for <ipsec@ietfa.amsl.com>; Wed, 16 Oct 2013 17:23:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.649
X-Spam-Level:
X-Spam-Status: No, score=-4.649 tagged_above=-999 required=5 tests=[AWL=0.750, BAYES_00=-2.599, J_CHICKENPOX_35=0.6, J_CHICKENPOX_82=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q+ZOPCn7KhCY for <ipsec@ietfa.amsl.com>; Wed, 16 Oct 2013 17:23:00 -0700 (PDT)
Received: from co9outboundpool.messaging.microsoft.com (co9ehsobe003.messaging.microsoft.com [207.46.163.26]) by ietfa.amsl.com (Postfix) with ESMTP id DE18021F9649 for <ipsec@ietf.org>; Wed, 16 Oct 2013 17:22:56 -0700 (PDT)
Received: from mail88-co9-R.bigfish.com (10.236.132.254) by CO9EHSOBE016.bigfish.com (10.236.130.79) with Microsoft SMTP Server id 14.1.225.22; Thu, 17 Oct 2013 00:22:56 +0000
Received: from mail88-co9 (localhost [127.0.0.1]) by mail88-co9-R.bigfish.com (Postfix) with ESMTP id 2C0611E00A0; Thu, 17 Oct 2013 00:22:56 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:157.56.240.101; KIP:(null); UIP:(null); IPV:NLI; H:BL2PRD0510HT004.namprd05.prod.outlook.com; RD:none; EFVD:NLI
X-SpamScore: -25
X-BigFish: VPS-25(zzbb2dI98dI9371I1432I4015Izz1f42h208ch1ee6h1de0h1fdah2073h1202h1e76h1d1ah1d2ah1fc6hzz8275ch1de098h1033IL8275dh1de097h186068h8275bhz2fh2a8h839he5bhf0ah1288h12a5h12a9h12bdh137ah13b6h1441h1504h1537h153bh162dh1631h1758h18e1h1946h19b5h19ceh1ad9h1b0ah1d0ch1d2eh1d3fh1dc1h1dfeh1dffh1e1dh1fe8h1ff5h209eh1155h)
Received-SPF: pass (mail88-co9: domain of juniper.net designates 157.56.240.101 as permitted sender) client-ip=157.56.240.101; envelope-from=praveenys@juniper.net; helo=BL2PRD0510HT004.namprd05.prod.outlook.com ; .outlook.com ;
X-Forefront-Antispam-Report-Untrusted: SFV:NSPM; SFS:(377454003)(164054003)(199002)(189002)(479174003)(24454002)(51704005)(80976001)(80022001)(74706001)(69226001)(74876001)(31966008)(47446002)(83322001)(19580405001)(74366001)(74662001)(74502001)(66066001)(65816001)(19580395003)(76482001)(4396001)(81542001)(54316002)(56776001)(83506001)(76796001)(76786001)(76176001)(56816003)(77096001)(15975445006)(36756003)(81342001)(79102001)(85306002)(49866001)(50986001)(47736001)(81816001)(47976001)(77982001)(59766001)(51856001)(81686001)(46102001)(63696002)(83072001)(53806001)(54356001); DIR:OUT; SFP:; SCL:1; SRVR:BN1PR05MB153; H:BN1PR05MB153.namprd05.prod.outlook.com; CLIP:66.129.224.36; FPR:; RD:InfoNoRecords; A:1; MX:1; LANG:en;
Received: from mail88-co9 (localhost.localdomain [127.0.0.1]) by mail88-co9 (MessageSwitch) id 1381969373378603_21191; Thu, 17 Oct 2013 00:22:53 +0000 (UTC)
Received: from CO9EHSMHS018.bigfish.com (unknown [10.236.132.231]) by mail88-co9.bigfish.com (Postfix) with ESMTP id 4EB6A44008C; Thu, 17 Oct 2013 00:22:53 +0000 (UTC)
Received: from BL2PRD0510HT004.namprd05.prod.outlook.com (157.56.240.101) by CO9EHSMHS018.bigfish.com (10.236.130.28) with Microsoft SMTP Server (TLS) id 14.16.227.3; Thu, 17 Oct 2013 00:22:53 +0000
Received: from BN1PR05MB153.namprd05.prod.outlook.com (10.255.205.18) by BL2PRD0510HT004.namprd05.prod.outlook.com (10.255.100.39) with Microsoft SMTP Server (TLS) id 14.16.371.2; Thu, 17 Oct 2013 00:22:52 +0000
Received: from BN1PR05MB153.namprd05.prod.outlook.com (10.255.205.18) by BN1PR05MB153.namprd05.prod.outlook.com (10.255.205.18) with Microsoft SMTP Server (TLS) id 15.0.785.10; Thu, 17 Oct 2013 00:22:49 +0000
Received: from BN1PR05MB153.namprd05.prod.outlook.com ([169.254.12.178]) by BN1PR05MB153.namprd05.prod.outlook.com ([169.254.12.186]) with mapi id 15.00.0785.001; Thu, 17 Oct 2013 00:22:49 +0000
From: Praveen Sathyanarayan <praveenys@juniper.net>
To: "Frederic Detienne (fdetienn)" <fdetienn@cisco.com>
Thread-Topic: [IPsec] NUDGE: Reviewing the AD VPN drafts
Thread-Index: AQHOv4rKfHQt0E+F/ku7uiacucYlkJnhv72AgAfLtwCAAvxgAIAJBJ4AgACDlwD//53UAIAB9ZGAgAAGI4A=
Date: Thu, 17 Oct 2013 00:22:49 +0000
Message-ID: <CE843FB3.1BE75A%praveenys@juniper.net>
In-Reply-To: <1A87A395651F8F439A0C9D8FE20EB0F529F21887@xmb-aln-x06.cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.2.4.120824
x-originating-ip: [66.129.224.36]
x-forefront-prvs: 000227DA0C
Content-Type: text/plain; charset="iso-8859-2"
Content-ID: <E8B0CDFA545F674DAE0A85A8C7EE980E@namprd05.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
Cc: "ipsec@ietf.org WG" <ipsec@ietf.org>
Subject: Re: [IPsec] NUDGE: Reviewing the AD VPN drafts
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Oct 2013 00:23:05 -0000
Thanks Fred for clarifications. -- Praveen On 10/16/13 10:00 AM, "Frederic Detienne (fdetienn)" <fdetienn@cisco.com> wrote: On 15 Oct 2013, at 20:05, Praveen Sathyanarayan <praveenys@juniper.net> wrote: >> >> Are there any other detail that are not part of this draft, that is >> required for interoperating with existing DMVPN solution? > > I think the draft is exhaustive. > > [PRAVEEN] Thanks. Good to know. I can think of, handling of NAT in DMVPN > (looks like there is some special mechanism). The DMVPN product features a NAT mechanism necessary for plain GRE (no IPsec) in order to figure the public outside address. Since we are talking about IKE/IPsec only here, that information can be drawn from IKE itself. > And are there anything > specific changes to routing protocols to support on NBMA network? No change is required to the routing protocols. By treating the connections as tunnels and tunnel interfaces or tunnel endpoints, routing protocols run natively over these. It really only depends on the modularity of the routing protocol implementation. > Description on policy based routing requirement for policing traffic. There is no specific requirement for policy based routing. To be absolutely precise, as described in the draft, we inject NHRP entries in the routing table by pointing to a next-hop or an output interface. I suppose you could call that policy routing somehow or you could call NHRP a routing protocol... but all you need is in the document. We manipulate the routing table using all possible sources (NHRP, Routing protocols, IKE,...) but our draft does not strictly command how packets are forwarded inside a gateway. >> And, is there >> any other feature that DMVPN supports today (and not required for >> interoperability) that is not part of this draft? > > yes. Not sure how much more you want to know... > > [PRAVEEN] Yes means there are features that are related to DMVPN, that >are > not described in the current draft? yes too but this is a different question. You asked me a precise, closed question and I answered with a precise "yes". Let me rewrite the answers to both questions in a low context form: A1) There is no other feature that DMVPN/FlexVPN (product names) supports today (and not required for interoperability) that is not part of the draft. A2) There are other features related to DMVPN/FlexVPN (product names) that are not in the draft (but they are not required for interoperability). thanks, fred > Thanks, > Praveen > > >> Thanks, >> Praveen >> >> >> On 10/9/13 8:23 AM, "Frederic Detienne (fdetienn)" <fdetienn@cisco.com> >> wrote: >> >> Hi Yoav, >> >> Thanks indeed for your comments! Please find additional [Fred] comments >> inline. >> >> On 07 Oct 2013, at 19:47, Manish Kumar (manishkr) <manishkr@cisco.com> >> wrote: >> >>> Hi Yoav, >>> >>> Thanks for your comments. I would try adding clarity to some of these >>> inline [Manish] to supplement what Mike said. >>> >>> Manish >>> >>> >>> On 03/10/13 12:14 AM, "Yoav Nir" <ynir@checkpoint.com> wrote: >>> >>>> Hi >>>> >>>> I have read the DM-VPN draft. I would not call my reading a review, as >>>> it >>>> was quite superficial, but here's some thoughts: >>>> >>>> - I have to admit that I'm still having trouble wrapping my head >>>>around >>>> some of the concepts. I understand domain-based and route-pased VPNs, >>>> as >>>> well as IPsec and GRE tunnels. But I haven't thought of all the VPN >>>> endpoints as actually being on the same network. In fact I always >>>> thought >>>> of VPN as an abstract concept or as a bunch of tunnels, not as a real >>>> network. Having said that, I'm still trying to get used to the idea of >>>> NHRP being used for discovery (and to the idea of NHRP itself). To my >>>> mind a VPN is not an NBMA, but that does not mean an NBMA cannot serve >>>> as >>>> a good model for a VPN. >>> >>> [Manish]: What the applications running over the VPN see a VPN as (NBMA >>> or >>> otherwise), depends a lot on the services provided on the VPN and the >>> draft doesn't preclude any possibilities that way. >>> RFC 4301 already prescribes the arms and ammunitions needed to protect >>> IP >>> packets (when used in connection with GRE can be used to protect IP >>> multicast as well as non-IP packets) over untrusted networks. Also, as >>> appropriately noted in the requirements document, 4301 is silent on the >>> way the IPSec databases are populated. So the problem is essentially of >>> discovery and resolution. The discovery can be left to the routing >>> protocol but the resolution would still be needed unless IGPs are >>> multi-protocol, which they typically aren't. Even if they were, this >>> would >>> need a next-hop preservation which won't scale. So, essentially DMVPN >>> picks up an appropriate address resolution protocol in NHRP which is >>> enhanced to support both discovery and resolution. This is combined >>>with >>> GRE to make sure IP multicast and non-IP packets can be >>> seamlessly(without >>> changing any other layer/protocol) carried across the same tunnel and >>> also >>> to simplify the SPDs. >> >> [Fred] I would add that any forwarding database is good as long as it >> meets the security requirements of the administrator. Routing tables are >> used for the description but policy routing can be used tooĊ VRF's or >> routing context are frequently used in practice as well. There are not >> "pure" routing tables anymore. >> >> When it comes to L2 forwarding, the SPD today does not even fit anymore >> and a total revamp would be necessary. >> >> By decoupling the output tunnel selection (or next-hop selection) from >> the IPsec policy, we can take advantage of various forwarding policy >> engines. >> >> >>>> - I like how the process described in section 4.3 to 4.6 quickly >>>> converges. If host a behind gateway A sends packets to host e behind >>>> gateway E, and the packets travel though the tunnels AB, BC, CD, and >>>> DE, >>>> then the discovery process might go through several hops, but the next >>>> tunnel to be set up is AE. There is no case of setting up AC or AD. >> >>>> - Reading section 4.8, I see that within a single DM-VPN, there is a >>>> natural progression from hub&spoke to mesh. There doesn't seem to be a >>>> place for policy on whether a shortcut should or should not be >>>> established. The resolution request is forwarded until the egress >>>>node. >>>> So if, for example, you have two government agencies, each with its >>>>own >>>> set of gateways, and two gateways (one belonging to each agency) have >>>>a >>>> tunnel between them, there are two possible configurations: a single >>>> DM-VPN, in which case they become a mesh, or two DM-VPNs, so that the >>>> interdomain tunnel endpoints are egress nodes on their respective >>>> DM-VPNs. Is there a way to implement a policy so that some shortcuts >>>> are >>>> created between those other gateways? >> >>>> - Section 4.10 seems to be missing something. Suppose gateway A is >>>> forwarding traffic to gateway B, and receives an Indirection >>>> notification. So A sends a Resolution request. After a while, it >>>> receives >>>> a Resolution reply with TunS2 and PubS2 addresses. So now A should >>>>open >>>> a >>>> tunnel with TunS2 (right? I'm not clear about the fields). So section >>>> 4.10 says that authentication between these two nodes will be done >>>> using >>>> certificates. Considering that A has only just heard of TunS2's >>>> existence, what fields are there going to be in the certificate that >>>> will >>>> let A know that this is indeed TunS2? While a single domain might have >>>> some convention for this, AD-VPN is supposed to be good for multiple >>>> administrative domains, so there should be some rule about this. >> >> >> [Fred] We link the tunnel to an IKE profile. This IKE profile turns >> contains the identity, identity filter, certificate and certificate >> filter >> to send to and to accept from the remote peer. So we can create IKE >> profiles for each DMVPN and send or accept specific certs. Typically, O >> or >> OU fields are used. >> >> regards, >> >> fred >> >>>> - The same section hints at using certificate fields for filtering. >>>> This >>>> sounds weird. Suppose two gateways learn of each other through the >>>> resolution process. Now they try to connect, only to find out that the >>>> certificate fields do not allow them to connect. So we've gone through >>>> an >>>> entire IKE handshake just to discover that policy prohibits forming >>>> this >>>> tunnel? And because caches expire, the gateways will try again and >>>> again >>>> to form this tunnel, all the time failing on authorization. >>> >>> [Manish]: Iff routing and NHRP policies(in general, all upper layer >>> policies) allow the shortcut, IKE proceeds till Auth the first time and >>> fails; this can be conveyed back to the upper layer (NHRP) with an >>> appropriate error code, which sends a NACK resolution reply. The NACK >>> serves to stop further resolutions either permanently or for an >>>interval >>> either configured or communicated by the peer. >>> >>>> >>>> >>>> Yoav >>>> >>>> _______________________________________________ >>>> IPsec mailing list >>>> IPsec@ietf.org >>>> https://www.ietf.org/mailman/listinfo/ipsec >>> >>> _______________________________________________ >>> IPsec mailing list >>> IPsec@ietf.org >>> https://www.ietf.org/mailman/listinfo/ipsec >> >> _______________________________________________ >> IPsec mailing list >> IPsec@ietf.org >> https://www.ietf.org/mailman/listinfo/ipsec >> >> >> >> > > > > >
- [IPsec] NUDGE: Reviewing the AD VPN drafts Paul Hoffman
- Re: [IPsec] NUDGE: Reviewing the AD VPN drafts Yoav Nir
- Re: [IPsec] NUDGE: Reviewing the AD VPN drafts Michael Richardson
- Re: [IPsec] NUDGE: Reviewing the AD VPN drafts Yoav Nir
- Re: [IPsec] NUDGE: Reviewing the AD VPN drafts Yoav Nir
- Re: [IPsec] NUDGE: Reviewing the AD VPN drafts Michael Richardson
- Re: [IPsec] NUDGE: Reviewing the AD VPN drafts Michael Richardson
- Re: [IPsec] NUDGE: Reviewing the AD VPN drafts Mike Sullenberger (mls)
- Re: [IPsec] NUDGE: Reviewing the AD VPN drafts Manish Kumar (manishkr)
- Re: [IPsec] NUDGE: Reviewing the AD VPN drafts Toby Mao
- Re: [IPsec] NUDGE: Reviewing the AD VPN drafts Frederic Detienne (fdetienn)
- Re: [IPsec] NUDGE: Reviewing the AD VPN drafts Praveen Sathyanarayan
- Re: [IPsec] NUDGE: Reviewing the AD VPN drafts Frederic Detienne (fdetienn)
- Re: [IPsec] NUDGE: Reviewing the AD VPN drafts Praveen Sathyanarayan
- Re: [IPsec] NUDGE: Reviewing the AD VPN drafts Frederic Detienne (fdetienn)
- Re: [IPsec] NUDGE: Reviewing the AD VPN drafts Praveen Sathyanarayan