Re: [IPsec] Moving prefixes -- clarifications for draft-sathyanarayan-ipsecme-advpn-03

Praveen Sathyanarayan <praveenys@juniper.net> Mon, 27 January 2014 17:13 UTC

From: Praveen Sathyanarayan <praveenys@juniper.net>
To: "Frederic Detienne (fdetienn)" <fdetienn@cisco.com>
Date: Mon, 27 Jan 2014 17:13:44 +0000
Message-ID: <CF0BCF53.6AC0F%praveenys@juniper.net>
In-Reply-To: <88259CEC-4D10-48EC-8A21-0D2F348EEE3F@cisco.com>
Cc: "<ipsec@ietf.org> WG" <ipsec@ietf.org>
Subject: Re: [IPsec] Moving prefixes -- clarifications for draft-sathyanarayan-ipsecme-advpn-03

Hi Fred,

Comments inline.

Thanks,
Praveen

On 1/23/14 7:32 AM, "Frederic Detienne (fdetienn)" <fdetienn@cisco.com>
wrote:

>>
>> 1.2 What happens when a prefix administratively changes from behind one
>> branch to another? How do servers get notified about that?
>>
>> [PRAVEEN] That's an interesting point Fred, and thanks for bringing it
>> up. First, please refer to the ADVPN_INFO Payload and PROTECTED_DOMAIN
>> sections (3.6 and 3.9, respectively) of
>> http://tools.ietf.org/html/draft-sathyanarayan-ipsecme-advpn-03. As a
>> general rule, each spoke can download updated PROTECTED_DOMAIN
>> information periodically, which advertises everything behind the hub and
>> all other spokes combined. Of course, this does not change if some
>> subnet has moved from behind spoke A to behind another spoke, B.
>> However, the Lifetime attribute of the ADVPN_INFO payload is key here.
>> We could see this being employed in a straightforward manner to allow
>> for this transition: a) the subnet can "disappear" and be unreachable
>> for one Lifetime, or b) the original spoke can redirect to the new spoke.
>
>It turns out I did read those sections and this is exactly what surprised
>me. Your answer is even more surprising.


[PRAVEEN] For a one-line question, we could only imagine the scenario that
you are trying to solve, and this is what we could come up with. Maybe you
can provide a more detailed question on what scenario you would like to
solve. We could help in answering those scenarios.

When the admin changes the prefix of a spoke, the spoke's existing static
tunnel with the Hub gets re-negotiated for the updated prefix in the TSi/TSr
payload. This event updates the Hub about the changed prefix information. Is
that what you wanted to know?

>
>Before going any further, is this resource exclusively exchanged between
>hub & spoke or also between spokes ?


[PRAVEEN] By "resource", do you mean the ADVPN_INFO payload or Subnet
information? ADVPN_INFO is exchanged between spokes. Subnet information is
exchanged as part of TSi and TSr during IKE negotiation (which means between
hub & spoke and between spokes as well).

>
>thanks,
>
>	fred
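The prefix-move behaviour discussed in this thread (a spoke's renegotiated TSi/TSr updating the hub, and the ADVPN_INFO Lifetime bounding how long other spokes keep a stale PROTECTED_DOMAIN copy), modelled as an added Python example. It is not code from the draft or from either author. The hub table semantics, the Lifetime measured in seconds, the longest-prefix lookup, the overlap check, and all spoke names and addresses are assumptions made for the illustration.

```python
"""Hub and spoke state for a prefix that moves administratively between spokes.

Added illustration, not code from draft-sathyanarayan-ipsecme-advpn-03 or any
vendor.  Assumptions: the hub keys its view of the protected domain by prefix;
the TSi/TSr of a spoke's authenticated Child SA with the hub is the
authoritative list of prefixes behind that spoke; a spoke caches the
PROTECTED_DOMAIN it downloaded for one ADVPN_INFO Lifetime (seconds here).
Spoke names and addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass


def _net_key(net):
    return (net.version, int(net.network_address), net.prefixlen)


@dataclass
class Claim:
    spoke: str     # "hub" or the spoke that announced the prefix
    since: float   # time the Child SA carrying this traffic selector was negotiated


class HubDomainTable:
    """Hub-side view of the protected domain, keyed by prefix."""

    def __init__(self, hub_prefixes):
        self.claims = {ipaddress.ip_network(p): Claim("hub", 0.0) for p in hub_prefixes}

    def child_sa_negotiated(self, spoke, traffic_selectors, now):
        """A spoke's static tunnel to the hub was (re)negotiated with these
        traffic selectors; the new list replaces everything the spoke announced
        before.  Returns (prefix, old_spoke, new_spoke) for each prefix that
        moved here from another spoke (the newer authenticated TS wins)."""
        new = {ipaddress.ip_network(ts) for ts in traffic_selectors}
        for p in [p for p, c in self.claims.items() if c.spoke == spoke and p not in new]:
            del self.claims[p]                      # withdrawn by this spoke
        moved = []
        for p in sorted(new, key=_net_key):
            old = self.claims.get(p)
            if old is not None and old.spoke != spoke:
                moved.append((p, old.spoke, spoke))
            self.claims[p] = Claim(spoke, now)
        return moved

    def overlapping_claims(self):
        """Overlapping prefixes announced by different parties: either the old
        spoke has not yet renegotiated after a move, or a misconfiguration.
        Worth logging on the hub either way."""
        items = sorted(self.claims.items(), key=lambda kv: _net_key(kv[0]))
        found = []
        for i, (p, cp) in enumerate(items):
            for q, cq in items[i + 1:]:
                if cp.spoke != cq.spoke and p.overlaps(q):
                    found.append((p, cp.spoke, q, cq.spoke))
        return found


class SpokeCache:
    """Spoke-side copy of PROTECTED_DOMAIN, valid for one ADVPN_INFO Lifetime."""

    def __init__(self, lifetime):
        self.lifetime = lifetime
        self.entries = {}
        self.fetched_at = None

    def refresh(self, hub, now):
        self.entries = {p: c.spoke for p, c in hub.claims.items()}
        self.fetched_at = now

    def next_hop(self, dst, now):
        """Longest-prefix match of dst against the cached domain.  None once
        the copy has outlived its Lifetime: the spoke must re-download before
        building a shortcut (the "unreachable for one Lifetime" window)."""
        if self.fetched_at is None or now - self.fetched_at > self.lifetime:
            return None
        addr = ipaddress.ip_address(dst)
        best = None
        for p, spoke in self.entries.items():
            if addr in p and (best is None or p.prefixlen > best[0].prefixlen):
                best = (p, spoke)
        return best[1] if best else None


def scenario():
    """10.1.0.0/24 is moved administratively from spokeA to spokeB."""
    hub = HubDomainTable(["192.0.2.0/24"])
    hub.child_sa_negotiated("spokeA", ["10.1.0.0/24"], now=0)
    hub.child_sa_negotiated("spokeB", ["10.2.0.0/24"], now=0)
    cache = SpokeCache(lifetime=300)
    cache.refresh(hub, now=0)
    r = {"before": cache.next_hop("10.1.0.5", now=10)}
    # spokeB renegotiates its tunnel to the hub with the moved prefix in its TS
    r["moved"] = hub.child_sa_negotiated("spokeB", ["10.2.0.0/24", "10.1.0.0/24"], now=100)
    r["during"] = cache.next_hop("10.1.0.5", now=150)   # cached copy still says spokeA
    r["stale"] = cache.next_hop("10.1.0.5", now=301)    # Lifetime expired
    cache.refresh(hub, now=301)
    r["after"] = cache.next_hop("10.1.0.5", now=302)
    # spokeA later announces a supernet that still covers the moved prefix
    hub.child_sa_negotiated("spokeA", ["10.1.0.0/16"], now=400)
    r["overlaps"] = hub.overlapping_claims()
    return r


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

Running `scenario()` shows the two halves of the thread's answer: the hub learns the move as soon as spokeB's tunnel is renegotiated, while a third spoke keeps sending to spokeA until its cached copy expires one Lifetime later, and a lingering supernet claim from spokeA shows up in `overlapping_claims()` rather than silently winning or losing the lookup.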