Re: [IPsec] DMVPN thoughts
"Mike Sullenberger (mls)" <mls@cisco.com> Tue, 26 November 2013 01:41 UTC
Return-Path: <mls@cisco.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3615B1AE108 for <ipsec@ietfa.amsl.com>; Mon, 25 Nov 2013 17:41:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.502
X-Spam-Level:
X-Spam-Status: No, score=-9.502 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LhvN_lKqxzRj for <ipsec@ietfa.amsl.com>; Mon, 25 Nov 2013 17:41:39 -0800 (PST)
Received: from alln-iport-6.cisco.com (alln-iport-6.cisco.com [173.37.142.93]) by ietfa.amsl.com (Postfix) with ESMTP id E1A331AE107 for <ipsec@ietf.org>; Mon, 25 Nov 2013 17:41:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=5861; q=dns/txt; s=iport; t=1385430099; x=1386639699; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=aEK1CmLcKpMvPU+tyIFIOb8URmOMK5swGh15zWg5cVQ=; b=iCDG2tk36bsDy7/qXYS1j0+MwJIREzb9PjnDNaDFPeN2ZVAd/t4OESI8 j5WnqeYyhnV2XsMZHcLB/1Jd/XF+zP7ZQ7fBlw7q8kHrQEo1KS1JhNk7S gx0lwSSRQmbd7K40OVBfgY6R2wAspM+6l+YVbhEnK1jn28fKc+NkUeoyl 0=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AiMFAPj7k1KtJV2a/2dsb2JhbABZgwc4U7wpgSkWdIIlAQEBAwEBAQFrCwUHBAIBCBEEAQELHQcnAQoUCQgCBA4FCIdzBQENvlMXjlYxBwaDGoETA4kKjDuDf5BigyiCKg
X-IronPort-AV: E=Sophos;i="4.93,771,1378857600"; d="scan'208";a="2204141"
Received: from rcdn-core-3.cisco.com ([173.37.93.154]) by alln-iport-6.cisco.com with ESMTP; 26 Nov 2013 01:41:37 +0000
Received: from xhc-aln-x13.cisco.com (xhc-aln-x13.cisco.com [173.36.12.87]) by rcdn-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id rAQ1fbtk029902 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 26 Nov 2013 01:41:37 GMT
Received: from xmb-aln-x06.cisco.com ([169.254.1.132]) by xhc-aln-x13.cisco.com ([173.36.12.87]) with mapi id 14.03.0123.003; Mon, 25 Nov 2013 19:41:37 -0600
From: "Mike Sullenberger (mls)" <mls@cisco.com>
To: Timo Teras <timo.teras@iki.fi>
Thread-Topic: [IPsec] DMVPN thoughts
Thread-Index: AQHO575a5ix3rggJ0kqw7LvAWvejAZo2tMNQ
Date: Tue, 26 Nov 2013 01:41:36 +0000
Message-ID: <9D83DE546CB6DC47A3AE04086FDE35F523FD7185@xmb-aln-x06.cisco.com>
References: <20131122220529.0c5dba7d@vostro>
In-Reply-To: <20131122220529.0c5dba7d@vostro>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [171.69.88.254]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, "Mike Sullenberger (mls)" <mls@cisco.com>
Subject: Re: [IPsec] DMVPN thoughts
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Nov 2013 01:41:41 -0000
Timo, Thank you very much for your comments. I had not realized that anyone had tried to implement our additions to NHRP, it is nice to hear that it wasn't "too hard" to do. I have a couple of comments, inline. Mike. Mike Sullenberger, DSE mls@cisco.com .:|:.:|:. Customer Advocacy CISCO > -----Original Message----- > From: IPsec [mailto:ipsec-bounces@ietf.org] On Behalf Of Timo Teras > Sent: Friday, November 22, 2013 12:05 PM > To: ipsec@ietf.org > Subject: [IPsec] DMVPN thoughts > > Hi everyone, > > Yaron Sheffer recently invited my to share my thoughts on DMVPN as it > seems to be one of the option being considered to be the AD VPN > standard. > > As brief background, I am the author of opennhrp [1] which can be used > to implement Cisco DMVPN style networks on Linux [2]. I have also > written multiple improvements to Linux kernel to support this kind of > networks. Additionally, I have enhanced ipsec-tools (racoon) [3] to be > suitable for this use, and am currently looking into integrating opennhrp > with strongswan [4]. > > The opennhrp project started back in 2007. It was implemented based > on the NHRP specification (RFC 2332) and with some insight take from > draft-ietf-ion-r2r-nhrp-03. The remaining Cisco NHRP extensions I > implemented based on protocol analysis. While it is not perfect match > with Cisco DMVPN, I have good success interoperating with Cisco > devices. The feature set of opennhrp is not as complete as Cisco - e.g. > IPv6 is not (yet) supported. > > It would have been very helpful to have draft-detienne-dmvpn-00 at > the time I was writing most of the code. I did considerable testing > against Cisco devices in 2007-2008 but since have been concentrating > more on fully opennhrp based DMVPN networks - so I have not paid > close attention on the latest Cisco updates. > > However, after brief read of the draft, it seems to be missing at least: > - Authentication extension (code 7; from RFC 2332) payload format which > seems to be Cisco specific - at least RFC 2332 does not specify it [Mike Sullenberger] Yes you are correct, back in 1995 when the initial NHRP implementation was done, only a simple clear-text authentication was done using a SPI value of 1 and not including the src-addr field, just the Authentication Data field. Since then we have thought about fixing this, but since DMVPN is encrypted with IPsec and we use the strong authentication in ISAKMP/IKEv2, there hasn't been a big impetus to get this fixed. > - NAT address extension (code 9; Cisco specified, and apparently even > conflicts with some RFC drafts), and it's CIE based payload content > specification [Mike Sullenberger] This is true. In hind-sight we probably should have made this a vendor private extension. > - The specifics how Request ID field should be used. My experience > shows that Request ID is stored along with the registrations, and > needs to match in Purge requests for the Purge operation to succeed > (IMHO, such Request ID matching should not be done). [Mike Sullenberger] I would have to check this, but I don't think that we bother to match up the request-id from a purge message with the original resolution request/reply that created the mapping entry. We do match the request-id between the resolution request and reply. > The one defect for me with DMVPN was that hubs are not automatically > discovered (or maybe there's something for this nowadays?). Thus > opennhrp has one extension: "dynamic-map" configuration stanza. It > binds the NHSes to a DNS entry. The A records of that DNS name are > used as NBMA addresses of the NHSes. During initial NHRP registration > the NHRP Registration Requests are sent to the network broadcast > address with hop count 1, and the NHS network address is picked up > from the NHRP Registration Reply. The list of NHS servers is of course > synchronized regularly. So as minimum, this or some similar hub > autodetection mechanism should be added to dmvpn spec. [Mike Sullenberger] We do have this mechanism now. You can specify the NHS as a FQDN and at tunnel initialization time we will use DNS to translate the name to an address. From then on the address is used, though if access to the NHS goes down then we initial retry with the address, but if that still fails we will do another DNS lookup on the name in case the address has changed. We also use the mechanism as described in RFC2332 to get the NHS network address from the NHRP registration reply. > Additionally, running multiple DMVPN instances on single router would > require a standards compliant way to negotiate GRE key in IKE traffic > selectors. There seems to have been discussions about that back in 2008 > on this list, but it seems nothing came out of it. So I think this issue > should be brought to discussion again too. [Mike Sullenberger] I am not really that "keen" on adding GRE tunnel key negotiation to IKE. I prefer keeping these two layers a little more separated. Though I possibly could be convinced otherwise. > I personally do like how the DMVPN stack works and would like to see it > standardized. However, I do understand that it might not be perfect fit > or even preference for all. > > Cheers, > Timo > > [1] http://sourceforge.net/projects/opennhrp/ > [2] > http://wiki.alpinelinux.org/wiki/Dynamic_Multipoint_VPN_%28DMVPN > %29 > [3] http://ipsec-tools.sourceforge.net/ > [4] https://lists.strongswan.org/pipermail/dev/2013- > November/000945.html > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec
- [IPsec] DMVPN thoughts Timo Teras
- Re: [IPsec] DMVPN thoughts Mike Sullenberger (mls)
- Re: [IPsec] DMVPN thoughts Timo Teras
- Re: [IPsec] DMVPN thoughts Mike Sullenberger (mls)