IETF Logo Mail Archive

Re: [IPsec] Moving prefixes -- clariciations for draft-sathyanarayan-ipsecme-advpn-03

Praveen Sathyanarayan <praveenys@juniper.net> Wed, 05 February 2014 23:31 UTC

Return-Path: <praveenys@juniper.net>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6AD4B1A0224 for <ipsec@ietfa.amsl.com>; Wed, 5 Feb 2014 15:31:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bpDXFG303w1F for <ipsec@ietfa.amsl.com>; Wed, 5 Feb 2014 15:31:39 -0800 (PST)
Received: from am1outboundpool.messaging.microsoft.com (am1ehsobe002.messaging.microsoft.com [213.199.154.205]) by ietfa.amsl.com (Postfix) with ESMTP id AE6491A021F for <ipsec@ietf.org>; Wed, 5 Feb 2014 15:31:38 -0800 (PST)
Received: from mail97-am1-R.bigfish.com (10.3.201.246) by AM1EHSOBE021.bigfish.com (10.3.207.143) with Microsoft SMTP Server id 14.1.225.22; Wed, 5 Feb 2014 23:31:37 +0000
Received: from mail97-am1 (localhost [127.0.0.1]) by mail97-am1-R.bigfish.com (Postfix) with ESMTP id 3515A4404A1; Wed, 5 Feb 2014 23:31:37 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:157.56.240.101; KIP:(null); UIP:(null); IPV:NLI; H:BL2PRD0510HT001.namprd05.prod.outlook.com; RD:none; EFVD:NLI
X-SpamScore: -4
X-BigFish: VPS-4(z579ehzbb2dI98dI9371Ic89bh4015Izz1f42h2148h208ch1ee6h1de0h1fdah2073h2146h1202h1e76h2189h1d1ah1d2ah21bch1fc6hzz1de098h8275bh1de097hz2fh109h2a8h839h93fhe5bhf0ah1288h12a5h12a9h12bdh137ah13b6h1441h1504h1537h153bh162dh1631h1758h18e1h1946h19b5h19ceh1ad9h1b0ah224fh1d0ch1d2eh1d3fh1dfeh1dffh1fe8h1ff5h209eh2216h22d0h2336h2438h2461h2487h24ach24d7h2516h2545h1155h)
Received-SPF: pass (mail97-am1: domain of juniper.net designates 157.56.240.101 as permitted sender) client-ip=157.56.240.101; envelope-from=praveenys@juniper.net; helo=BL2PRD0510HT001.namprd05.prod.outlook.com ; .outlook.com ;
X-Forefront-Antispam-Report-Untrusted: SFV:NSPM; SFS:(10009001)(6009001)(189002)(24454002)(199002)(164054003)(479174003)(377454003)(59766001)(47446002)(86362001)(74662001)(74502001)(74876001)(47736001)(94316002)(80022001)(65816001)(54316002)(56776001)(56816005)(66066001)(90146001)(74366001)(74706001)(63696002)(69226001)(94946001)(81342001)(93136001)(81542001)(79102001)(93516002)(31966008)(76482001)(85306002)(49866001)(36756003)(77982001)(80976001)(85852003)(19580395003)(83506001)(92726001)(92566001)(87266001)(83072002)(87936001)(81816001)(81686001)(19580405001)(47976001)(50986001)(2656002)(76786001)(76796001)(53806001)(4396001)(51856001)(46102001)(54356001)(83322001)(95416001); DIR:OUT; SFP:1101; SCL:1; SRVR:CO2PR05MB667; H:CO2PR05MB665.namprd05.prod.outlook.com; CLIP:66.129.239.15; FPR:FCD4F3A5.A4CA97D8.FDF31C7B.C6F93871.203D9; InfoNoRecordsMX:1; A:1; LANG:en;
Received: from mail97-am1 (localhost.localdomain [127.0.0.1]) by mail97-am1 (MessageSwitch) id 1391643094889937_16450; Wed, 5 Feb 2014 23:31:34 +0000 (UTC)
Received: from AM1EHSMHS018.bigfish.com (unknown [10.3.201.253]) by mail97-am1.bigfish.com (Postfix) with ESMTP id CAE92C00D9; Wed, 5 Feb 2014 23:31:34 +0000 (UTC)
Received: from BL2PRD0510HT001.namprd05.prod.outlook.com (157.56.240.101) by AM1EHSMHS018.bigfish.com (10.3.207.156) with Microsoft SMTP Server (TLS) id 14.16.227.3; Wed, 5 Feb 2014 23:31:34 +0000
Received: from CO2PR05MB667.namprd05.prod.outlook.com (10.141.230.23) by BL2PRD0510HT001.namprd05.prod.outlook.com (10.255.100.36) with Microsoft SMTP Server (TLS) id 14.16.411.0; Wed, 5 Feb 2014 23:31:26 +0000
Received: from CO2PR05MB665.namprd05.prod.outlook.com (10.141.230.11) by CO2PR05MB667.namprd05.prod.outlook.com (10.141.230.23) with Microsoft SMTP Server (TLS) id 15.0.868.8; Wed, 5 Feb 2014 23:31:12 +0000
Received: from CO2PR05MB665.namprd05.prod.outlook.com ([10.141.230.11]) by CO2PR05MB665.namprd05.prod.outlook.com ([10.141.230.11]) with mapi id 15.00.0868.013; Wed, 5 Feb 2014 23:31:12 +0000
From: Praveen Sathyanarayan <praveenys@juniper.net>
To: "Frederic Detienne (fdetienn)" <fdetienn@cisco.com>, Yoav Nir <ynir@checkpoint.com>
Thread-Topic: [IPsec] Moving prefixes -- clariciations for draft-sathyanarayan-ipsecme-advpn-03
Thread-Index: AQHPGFBmIvsjxkaNukGJzmUJkO7gl5qYT5OAgAtpFQCAAwe3AIAAEC+AgAANYQA=
Date: Wed, 05 Feb 2014 23:31:11 +0000
Message-ID: <CF18098A.3F4D9%praveenys@juniper.net>
References: <88259CEC-4D10-48EC-8A21-0D2F348EEE3F@cisco.com> <CF0BCF53.6AC0F%praveenys@juniper.net> <A7DCDB4D-CE88-473C-9584-91F2B571E8FF@checkpoint.com> <574468F8-9203-451C-A145-C9E1DD51D781@cisco.com> <CF17F447.3F461%praveenys@juniper.net>
In-Reply-To: <CF17F447.3F461%praveenys@juniper.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.9.131030
x-originating-ip: [66.129.239.15]
x-forefront-prvs: 01136D2D90
Content-Type: text/plain; charset="utf-8"
Content-ID: <58066E643191E14EB629A9F7D9D086CB@namprd05.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
Cc: "<ipsec@ietf.org> WG" <ipsec@ietf.org>
Subject: Re: [IPsec] Moving prefixes -- clariciations for draft-sathyanarayan-ipsecme-advpn-03
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Feb 2014 23:31:41 -0000

Hi Fred,

I see draft-detienne¹s view of discovery of tunnel-peer is a routing
issue. So DMVPN solution predominantly a routing solution. So,
draft-detienne may work good for routing vendors.

But it is not a solution for non-routing vendors. As an example, mobile
devices increasingly can do more features like FaceTime/Skype/Hangout,
Airdrop. To do these, expecting mobile devices to run BGP protocol, to
discover a direct tunnel is not a reasonable expectation. Or for that
matter expecting a firewall device to run routing protocol, is not a
reasonable expectation either.

More comments inline.


Thanks,
Praveen



On 2/5/14, 5:45 AM, "Frederic Detienne (fdetienn)" <fdetienn@cisco.com>
wrote:

> We can no longer call that a simple solution. There are pieces that meet
>some of the requirements but are in contradiction with others.

> Similarly, draft-sathyanarayan offers multiple implementation or
>deployment systems (policy based or tunnel based) which are not
>compatible at protocol level. It means implementations have to cover BOTH
>methods to guarantee interoperability.

[PRAVEEN] I disagree. How will a spoke running OSPF and other spoke
running BGP interop in draft-detienne?  Your answer was, (previously in
virtual conference) was that it does not matter. Because, as long as Hub
supports both routing protocols, there is no issue. The same thing applies
here. If you have route based implementation on a SpokeA and Policy based
implementation SpokeB, it can still open a direct IPSec tunnel without
causing any interoperability. And of course, there is no need of running
routing protocol between the spokes, even in our solution.

To take a practical example: one domain may initially be rule based, the
other tunnel based. What happens when those domains must now cooperate ?


Both issues above will prevent proper cross-domain interoperability. In
particular, a "policy-based" spoke will not be able to talk to a "tunnel
based" hub as per this draftŠ it would take a decision as to which is the
fallback mode and a dual implementation on at least one of the devices.


[PRAVEEN] No issues here. As long as you support rfc5996, and you exchange
TSi and Tsr payloads, you are ready to setup a tunnel and forward the
traffic. On route based VPN side, you get TSi and TSr payload that defines
the SPD entries. These SPD entries are bound to your tunnel interface.
Route that exist before the shortcut tunnel, still points to tunnel
interface. As this tunnel-interface is now has dynamic SPD entries, it now
knows how to forward all/selective traffic to the shortcut tunnel. And of
course the Policy based domain side it is straight forward. Where do you
see the issue? 


Thanks,
Praveen

v2.23.0 | Report a Bug | By Email