[IPsec] My comments to the draft-ietf-ipsecme-ad-vpn-problem-03.txt
Tero Kivinen <kivinen@iki.fi> Fri, 21 December 2012 09:50 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5918421F8AD6 for <ipsec@ietfa.amsl.com>; Fri, 21 Dec 2012 01:50:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.96
X-Spam-Level:
X-Spam-Status: No, score=-102.96 tagged_above=-999 required=5 tests=[AWL=0.639, BAYES_00=-2.599, GB_I_LETTER=-2, J_BACKHAIR_35=1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VBFlo1R-ra-j for <ipsec@ietfa.amsl.com>; Fri, 21 Dec 2012 01:50:10 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) by ietfa.amsl.com (Postfix) with ESMTP id 83CE121F8A7E for <ipsec@ietf.org>; Fri, 21 Dec 2012 01:50:09 -0800 (PST)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.5/8.14.5) with ESMTP id qBL9o3ZS008983 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ipsec@ietf.org>; Fri, 21 Dec 2012 11:50:03 +0200 (EET)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.5/8.12.11) id qBL9o3IB015778; Fri, 21 Dec 2012 11:50:03 +0200 (EET)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <20692.12491.489818.760016@fireball.kivinen.iki.fi>
Date: Fri, 21 Dec 2012 11:50:03 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: ipsec@ietf.org
X-Mailer: VM 7.19 under Emacs 21.4.1
X-Edit-Time: 57 min
X-Total-Time: 1119 min
Subject: [IPsec] My comments to the draft-ietf-ipsecme-ad-vpn-problem-03.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Dec 2012 09:50:11 -0000
I now read the lastest version. The terminology is much clearer now, and the document is much easier to read. I still see that not all of my comments in previous versions have been added to the document (some even from my 2012-03-14 email http://www.ietf.org/mail-archive/web/ipsec/current/msg07558.html, i.e the changes to section 3.1, 3.2 and 3.3). I am now going through my comments from 2012-09-10 email http://www.ietf.org/mail-archive/web/ipsec/current/msg07910.html and see which still apply). ---------------------------------------------------------------------- Now that we have new terminology, it would be nice to have all terms defined in the terminology to use capital letter, so it would be clear that Hub/Gateway/Spoke/Endpoint etc has special meaning... ---------------------------------------------------------------------- > 4.1. Gateway and Endpoint Requirements > ... > 2. Gateways and endpoints MUST allow IPsec Tunnels to be setup > without any configuration changes, even when peer addresses get > updated every time the device comes up. This implies that SPD > entries or other configuration based on peer IP address will need to > be automatically updated, avoided, or handled in some manner to avoid > a need to manually update policy whenever an address changes. In this I was trying to ask whether this is supposed to for existing already configured Gateways and endpoints, and as now the 1 has been changed to include gateway or endpoints addition/removal/changes, it is quite clear this only covers the normal operational use, i.e. when the gateways and endpoints are already configured. Perhaps changing it something like 2. Existing member Gateways and endpoints of the ADVPN MUST allow IPsec Tunnels to be setup with other members of the ADVPN without any configuration changes, even when peer addresses get updated every time the device comes up. This implies that SPD entries or other configuration based on peer IP address will need to be automatically updated, avoided, or handled in some manner to avoid a need to manually update policy whenever an address changes. to make it clear that we are not talking about the initial configuration but the actual normal use case of 2 peers which are already part of the ADVPN. BTW, perhaps we should add "ADVPN Peer" to the terminology and say it is any member (gateway, endpoint, hub or spoke) of the ADVPN and use "other ADVPN peers" above instead of "other members of the ADVPN". Or see if there is any other uses for peer than exactly that, and then define "Peer" to be same as ADVPN Peer... ---------------------------------------------------------------------- > 4. In the full mesh and dynamic full mesh topology, Spokes MUST > allow for direct communication with other spoke gateways and > endpoints. In the star topology mode, direct communication between > spokes MUST be disallowed. I have question here, why are we defining things for strict star topology mode, as the 2.2 says star topology is not good, and we need to have spoke to spoke communications. So 2.2 does NOT justify the last sentence in this requirement that forbids spoke to spoke communications for star topology mode. What is the justification for it? If we are not defining things for star topology we should not put any restrictions to it either. In my March email I pointed out that star topology is sometimes used for policy reasons, but that addition never made to the document. Those policy reasons might be one reason why some setups would still use star topology even with ADVPN, but I would expect it to be more like half star half mesh setup, where some traffic goes through star and some traffic bypasses it, so even there the last sentence does not work out. ---------------------------------------------------------------------- > 5. One spoke MUST NOT be able to impersonate another spoke. Note, that this does not say anything about the Hubs or Endpoints. For Endpoints I think there should be same requirement, i.e. one Endpoint MUST NOT be able to impersonate another Endpoint or Gateway. Btw, I think it would also be unacceptable for Spoke to impersonate of being Hub, so the "another Spoke" should be changed to "any other Gateway". Note, also that Spokes and Hubs quite often can impersonate Endpoints, as Endpoints might use weak form authentication (shared secrets), and the Spokes have access to them. Also when using temporary credentials given by Spokes/Hubs etc to the Endpoints for Point-to-Point communication between two Endpoints the entity who gave those out might be able to impersonate Endpoints (unless the temporary credentials is in form of certificate signed by some CA). When I pointed this out last time, I got answer that this document is trying to impose the "typical enterprice connectivity scenario" here, but I think we should think these requirements, not rely on some unspoken enterprice connectivity scenario. Especially as it do limit our options and will affect our threat model. So I would like to see expictly whether Hubs should be able to impersonate other Gateways / Endpoints and same for Endpoints. Also last time the comment was that with this "typical enterprice connectivity scenario" spoke to hub connections are static, but now we have requirement 7 which says that gateway might handoff sessions to another gateway. Gateway includes hubs, so hub can handoff spokes to another hub if he feels like. If this was not intended, then 7 should be changed so it says "Spokes SHOULD allow for easy handoff of a session to another Spoke, ...". Also as this connectivity scenario is not documented anywhere, so if it is wanted, we should add text for it, i.e. most likely change the Hub and Spoke definitions to say that connections between Hubs and Spokes are mostly static. ---------------------------------------------------------------------- > 6. Gateways SHOULD allow for seamless handoff of sessions in case > endpoints are roaming, even if they cross policy boundaries. This > would mean the data traffic is minimally affected even as the handoff > happens. External factors like firewall, NAT box will not be > considered part of this solution. > > This requirement is driven by use case 2.1. Today's endpoints are > mobile and transition often between different networks (from 4G to > WiFi and among various WiFi networks). This is still unclear. Last time I proposed two options, and I was said that both of them might be correct, but neither one of them are what is really said above. As the 2.1 is Endpoint-to-Endpoint use case, I assume this is supposed to say that "Spokes SHOULD allow for seamless handoff of sessions to Point-to-Point communication mode between Endpoints that used to be connected to Spoke, in case ...". I.e. This does not cover the Endpoint moving from one Spoke to another, but two Endpoints talking through Spokes moving to the Point-to-Point mode, I think the Endpoint moving from one Spoke to another Spoke is covered by requirement 7. Right? ---------------------------------------------------------------------- > 7. Gateways SHOULD allow for easy handoff of a session to another > gateway, to optimize latency, bandwidth, load balancing, > availability, or other factors, based on policy. > > This requirement is driven by use case 2.3. And as 2.3 is Endpoint-to-Gateway, I assume this is the case where Spoke gives one Endpoint to another Spoke..., i.e. "Spokes SHOULD allow for easy handoff of a Endpoint to another Spoke, ...". Am I correct here? And if we assume Hub<->Spoke connection is mostly static we do not allow Hubs to handoff Spokes to another Hubs (if we do want to say that, then we can use the "Gateways" above). These 6 and 7 use term "session" which is not very well defined. There are multiple possible meanings for it, and I think it would be good idea to try to define which one of them is meant. -- kivinen@iki.fi
- [IPsec] My comments to the draft-ietf-ipsecme-ad-… Tero Kivinen
- Re: [IPsec] My comments to the draft-ietf-ipsecme… Vishwas Manral