Re: [IPsec] Moving prefixes -- clariciations for draft-sathyanarayan-ipsecme-advpn-03
Praveen Sathyanarayan <praveenys@juniper.net> Wed, 05 February 2014 23:31 UTC
Return-Path: <praveenys@juniper.net>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6AD4B1A0224 for <ipsec@ietfa.amsl.com>; Wed, 5 Feb 2014 15:31:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bpDXFG303w1F for <ipsec@ietfa.amsl.com>; Wed, 5 Feb 2014 15:31:39 -0800 (PST)
Received: from am1outboundpool.messaging.microsoft.com (am1ehsobe002.messaging.microsoft.com [213.199.154.205]) by ietfa.amsl.com (Postfix) with ESMTP id AE6491A021F for <ipsec@ietf.org>; Wed, 5 Feb 2014 15:31:38 -0800 (PST)
Received: from mail97-am1-R.bigfish.com (10.3.201.246) by AM1EHSOBE021.bigfish.com (10.3.207.143) with Microsoft SMTP Server id 14.1.225.22; Wed, 5 Feb 2014 23:31:37 +0000
Received: from mail97-am1 (localhost [127.0.0.1]) by mail97-am1-R.bigfish.com (Postfix) with ESMTP id 3515A4404A1; Wed, 5 Feb 2014 23:31:37 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:157.56.240.101; KIP:(null); UIP:(null); IPV:NLI; H:BL2PRD0510HT001.namprd05.prod.outlook.com; RD:none; EFVD:NLI
X-SpamScore: -4
X-BigFish: VPS-4(z579ehzbb2dI98dI9371Ic89bh4015Izz1f42h2148h208ch1ee6h1de0h1fdah2073h2146h1202h1e76h2189h1d1ah1d2ah21bch1fc6hzz1de098h8275bh1de097hz2fh109h2a8h839h93fhe5bhf0ah1288h12a5h12a9h12bdh137ah13b6h1441h1504h1537h153bh162dh1631h1758h18e1h1946h19b5h19ceh1ad9h1b0ah224fh1d0ch1d2eh1d3fh1dfeh1dffh1fe8h1ff5h209eh2216h22d0h2336h2438h2461h2487h24ach24d7h2516h2545h1155h)
Received-SPF: pass (mail97-am1: domain of juniper.net designates 157.56.240.101 as permitted sender) client-ip=157.56.240.101; envelope-from=praveenys@juniper.net; helo=BL2PRD0510HT001.namprd05.prod.outlook.com ; .outlook.com ;
X-Forefront-Antispam-Report-Untrusted: SFV:NSPM; SFS:(10009001)(6009001)(189002)(24454002)(199002)(164054003)(479174003)(377454003)(59766001)(47446002)(86362001)(74662001)(74502001)(74876001)(47736001)(94316002)(80022001)(65816001)(54316002)(56776001)(56816005)(66066001)(90146001)(74366001)(74706001)(63696002)(69226001)(94946001)(81342001)(93136001)(81542001)(79102001)(93516002)(31966008)(76482001)(85306002)(49866001)(36756003)(77982001)(80976001)(85852003)(19580395003)(83506001)(92726001)(92566001)(87266001)(83072002)(87936001)(81816001)(81686001)(19580405001)(47976001)(50986001)(2656002)(76786001)(76796001)(53806001)(4396001)(51856001)(46102001)(54356001)(83322001)(95416001); DIR:OUT; SFP:1101; SCL:1; SRVR:CO2PR05MB667; H:CO2PR05MB665.namprd05.prod.outlook.com; CLIP:66.129.239.15; FPR:FCD4F3A5.A4CA97D8.FDF31C7B.C6F93871.203D9; InfoNoRecordsMX:1; A:1; LANG:en;
Received: from mail97-am1 (localhost.localdomain [127.0.0.1]) by mail97-am1 (MessageSwitch) id 1391643094889937_16450; Wed, 5 Feb 2014 23:31:34 +0000 (UTC)
Received: from AM1EHSMHS018.bigfish.com (unknown [10.3.201.253]) by mail97-am1.bigfish.com (Postfix) with ESMTP id CAE92C00D9; Wed, 5 Feb 2014 23:31:34 +0000 (UTC)
Received: from BL2PRD0510HT001.namprd05.prod.outlook.com (157.56.240.101) by AM1EHSMHS018.bigfish.com (10.3.207.156) with Microsoft SMTP Server (TLS) id 14.16.227.3; Wed, 5 Feb 2014 23:31:34 +0000
Received: from CO2PR05MB667.namprd05.prod.outlook.com (10.141.230.23) by BL2PRD0510HT001.namprd05.prod.outlook.com (10.255.100.36) with Microsoft SMTP Server (TLS) id 14.16.411.0; Wed, 5 Feb 2014 23:31:26 +0000
Received: from CO2PR05MB665.namprd05.prod.outlook.com (10.141.230.11) by CO2PR05MB667.namprd05.prod.outlook.com (10.141.230.23) with Microsoft SMTP Server (TLS) id 15.0.868.8; Wed, 5 Feb 2014 23:31:12 +0000
Received: from CO2PR05MB665.namprd05.prod.outlook.com ([10.141.230.11]) by CO2PR05MB665.namprd05.prod.outlook.com ([10.141.230.11]) with mapi id 15.00.0868.013; Wed, 5 Feb 2014 23:31:12 +0000
From: Praveen Sathyanarayan <praveenys@juniper.net>
To: "Frederic Detienne (fdetienn)" <fdetienn@cisco.com>, Yoav Nir <ynir@checkpoint.com>
Thread-Topic: [IPsec] Moving prefixes -- clariciations for draft-sathyanarayan-ipsecme-advpn-03
Thread-Index: AQHPGFBmIvsjxkaNukGJzmUJkO7gl5qYT5OAgAtpFQCAAwe3AIAAEC+AgAANYQA=
Date: Wed, 05 Feb 2014 23:31:11 +0000
Message-ID: <CF18098A.3F4D9%praveenys@juniper.net>
References: <88259CEC-4D10-48EC-8A21-0D2F348EEE3F@cisco.com> <CF0BCF53.6AC0F%praveenys@juniper.net> <A7DCDB4D-CE88-473C-9584-91F2B571E8FF@checkpoint.com> <574468F8-9203-451C-A145-C9E1DD51D781@cisco.com> <CF17F447.3F461%praveenys@juniper.net>
In-Reply-To: <CF17F447.3F461%praveenys@juniper.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.9.131030
x-originating-ip: [66.129.239.15]
x-forefront-prvs: 01136D2D90
Content-Type: text/plain; charset="utf-8"
Content-ID: <58066E643191E14EB629A9F7D9D086CB@namprd05.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
Cc: "<ipsec@ietf.org> WG" <ipsec@ietf.org>
Subject: Re: [IPsec] Moving prefixes -- clariciations for draft-sathyanarayan-ipsecme-advpn-03
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Feb 2014 23:31:41 -0000
Hi Fred, I see draft-detienne¹s view of discovery of tunnel-peer is a routing issue. So DMVPN solution predominantly a routing solution. So, draft-detienne may work good for routing vendors. But it is not a solution for non-routing vendors. As an example, mobile devices increasingly can do more features like FaceTime/Skype/Hangout, Airdrop. To do these, expecting mobile devices to run BGP protocol, to discover a direct tunnel is not a reasonable expectation. Or for that matter expecting a firewall device to run routing protocol, is not a reasonable expectation either. More comments inline. Thanks, Praveen On 2/5/14, 5:45 AM, "Frederic Detienne (fdetienn)" <fdetienn@cisco.com> wrote: > We can no longer call that a simple solution. There are pieces that meet >some of the requirements but are in contradiction with others. > Similarly, draft-sathyanarayan offers multiple implementation or >deployment systems (policy based or tunnel based) which are not >compatible at protocol level. It means implementations have to cover BOTH >methods to guarantee interoperability. [PRAVEEN] I disagree. How will a spoke running OSPF and other spoke running BGP interop in draft-detienne? Your answer was, (previously in virtual conference) was that it does not matter. Because, as long as Hub supports both routing protocols, there is no issue. The same thing applies here. If you have route based implementation on a SpokeA and Policy based implementation SpokeB, it can still open a direct IPSec tunnel without causing any interoperability. And of course, there is no need of running routing protocol between the spokes, even in our solution. To take a practical example: one domain may initially be rule based, the other tunnel based. What happens when those domains must now cooperate ? Both issues above will prevent proper cross-domain interoperability. In particular, a "policy-based" spoke will not be able to talk to a "tunnel based" hub as per this draftŠ it would take a decision as to which is the fallback mode and a dual implementation on at least one of the devices. [PRAVEEN] No issues here. As long as you support rfc5996, and you exchange TSi and Tsr payloads, you are ready to setup a tunnel and forward the traffic. On route based VPN side, you get TSi and TSr payload that defines the SPD entries. These SPD entries are bound to your tunnel interface. Route that exist before the shortcut tunnel, still points to tunnel interface. As this tunnel-interface is now has dynamic SPD entries, it now knows how to forward all/selective traffic to the shortcut tunnel. And of course the Policy based domain side it is straight forward. Where do you see the issue? Thanks, Praveen
- [IPsec] clariciations for draft-sathyanarayan-ips… Frederic Detienne (fdetienn)
- Re: [IPsec] clariciations for draft-sathyanarayan… Frederic Detienne (fdetienn)
- Re: [IPsec] clariciations for draft-sathyanarayan… Praveen Sathyanarayan
- Re: [IPsec] clariciations for draft-sathyanarayan… Frederic Detienne (fdetienn)
- Re: [IPsec] clariciations for draft-sathyanarayan… Praveen Sathyanarayan
- Re: [IPsec] clariciations for draft-sathyanarayan… Frederic Detienne (fdetienn)
- [IPsec] Moving prefixes -- clariciations for draf… Frederic Detienne (fdetienn)
- Re: [IPsec] Moving prefixes -- clariciations for … Praveen Sathyanarayan
- Re: [IPsec] Moving prefixes -- clariciations for … Yoav Nir
- Re: [IPsec] clariciations for draft-sathyanarayan… Timo Teras
- Re: [IPsec] Moving prefixes -- clariciations for … Frederic Detienne (fdetienn)
- Re: [IPsec] Moving prefixes -- clariciations for … Frederic Detienne (fdetienn)
- Re: [IPsec] Moving prefixes -- clariciations for … Praveen Sathyanarayan
- Re: [IPsec] Moving prefixes -- clariciations for … Frederic Detienne (fdetienn)
- Re: [IPsec] Moving prefixes -- clariciations for … Praveen Sathyanarayan
- Re: [IPsec] Moving prefixes -- clariciations for … Frederic Detienne (fdetienn)
- Re: [IPsec] clariciations for draft-sathyanarayan… Daniel Migault
- Re: [IPsec] clariciations for draft-sathyanarayan… Timo Teras
- Re: [IPsec] Moving prefixes -- clariciations for … Praveen Sathyanarayan
- Re: [IPsec] clariciations for draft-sathyanarayan… Daniel Migault
- Re: [IPsec] clariciations for draft-sathyanarayan… Timo Teras