IETF Logo Mail Archive

Re: [IPsec] clariciations for draft-sathyanarayan-ipsecme-advpn-03

Daniel Migault <mglt.ietf@gmail.com> Wed, 19 February 2014 20:57 UTC

Return-Path: <mglt.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D6D501A0150 for <ipsec@ietfa.amsl.com>; Wed, 19 Feb 2014 12:57:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LFu9lh5s6OVh for <ipsec@ietfa.amsl.com>; Wed, 19 Feb 2014 12:57:31 -0800 (PST)
Received: from mail-we0-x231.google.com (mail-we0-x231.google.com [IPv6:2a00:1450:400c:c03::231]) by ietfa.amsl.com (Postfix) with ESMTP id 1C3B41A0152 for <ipsec@ietf.org>; Wed, 19 Feb 2014 12:57:30 -0800 (PST)
Received: by mail-we0-f177.google.com with SMTP id t61so780672wes.22 for <ipsec@ietf.org>; Wed, 19 Feb 2014 12:57:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=jRvnWAPqp06NCueAd/v6a4Ukh52vSogyv/XtW2n7lGI=; b=BK6z+hMgDDOkJgCW5KnbcyGQi/MJWsASZSACLyJlJeGygNDI+/8DYPK63RWou9VD3Q atR0674Ktya/9NwnolZs8PwzH0zadCk6Y9Ux00ncoawq2it0CPJ5RT8uFZCSTQkAcHyK +x0dD1++oaIZ3T39ZJCo9IhlF2o8HrtM9zSULuNcyt20cecl+wohTdsHDFWSxUCtSxR5 amQU8ChkLX7zwm+asUtwazef1XdRnQuTxA+Q/GFmlu1Jr6p6zTotQaPmJTmaleK3qGZO 3GNKsLYvjBXCmkOS2w2GXsREH/8HrESDZZdSXCpkBi5fgGamRZhz4F05xjjSiyn+6UPt znmA==
MIME-Version: 1.0
X-Received: by 10.180.77.129 with SMTP id s1mr3535277wiw.56.1392843446854; Wed, 19 Feb 2014 12:57:26 -0800 (PST)
Received: by 10.194.171.129 with HTTP; Wed, 19 Feb 2014 12:57:26 -0800 (PST)
In-Reply-To: <20140206120738.06195c09@vostro>
References: <7DC80D6C-3342-43C3-9407-E5D25CB5F5CD@cisco.com> <CF02A72F.6A65A%praveenys@juniper.net> <20140205135046.61c4f7a5@vostro> <CADZyTkmaZL9=0_cuu4TYw0M_846TWONMcOWQyEYr24m4YOyGWQ@mail.gmail.com> <20140206120738.06195c09@vostro>
Date: Wed, 19 Feb 2014 21:57:26 +0100
Message-ID: <CADZyTk=qbeuMOoL6sTEkYBMr8JPh7YQjr=2-rUfA8iL-B+cDDQ@mail.gmail.com>
From: Daniel Migault <mglt.ietf@gmail.com>
To: Timo Teras <timo.teras@iki.fi>
Content-Type: text/plain; charset="ISO-8859-1"
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/IbK3YIrNEmjnJdio-blk8A8LlCU
Cc: "<ipsec@ietf.org> WG" <ipsec@ietf.org>, "Frederic Detienne (fdetienn)" <fdetienn@cisco.com>, Praveen Sathyanarayan <praveenys@juniper.net>
Subject: Re: [IPsec] clariciations for draft-sathyanarayan-ipsecme-advpn-03
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Feb 2014 20:57:34 -0000

Hi,

Thanks for the feed back, please see inline my response.

BR,
Daniel

On Thu, Feb 6, 2014 at 11:07 AM, Timo Teras <timo.teras@iki.fi> wrote:
> On Thu, 6 Feb 2014 09:20:08 +0100
> Daniel Migault <mglt.ietf@gmail.com> wrote:
>
>> Thanks for the feed back.
>>
>> We are happy you provide requirements over "dynamically routing
>> subnets" as a MUST. ADVPN responds to the requirements listed in
>> RFC7018. If there is a requirement that does not match you opinion,
>> can you please point it out?
>>
>> Just to make it clear this 1 day time has never been mentioned in the
>> draft and is your assumption. The use of TTL does not impose a 1 day
>> and ADVPN can take advantage of the Redirect Mechanism or MOBIKE for
>> multihoming. As you can see the ADVPN solution can take advantage of
>> all previous and future featured designed for IKEv2. As you point out
>> the key characteristic of our design is its flexibility.
>
> It was Praveen's suggestion in the email I replied. My point was that
> having that sort of default TTL does not sound good. And to me it
> sounds like having very low TTL (in level of seconds or minutes) is too
> heavy to be used in practice. So the TTL mechanism does not really
> sound feasible to me.

Fine so TTL is a simple way to provide resilience, but not an
optimized one. MOBIKE address this issue for IPsec.

>
>> RFC5685 is not limited to client-gateway, the second line of the
>> section 10 you pointed out says: [...] the mechanism can also be used
>> between any two IKEv2 peers. " So no additional specification are
>> required.
>
> You missed the next sentance:
> "However, the mechanism can also be used between any two IKEv2 peers.
>  But this protocol is asymmetric, meaning that only the original
>  responder can redirect the original initiator to another server."
>

Suppose A establish an IPsec session with node B. B can use a Redirect
not A. If A has not the capacity to handle the communication it should
not initiate it, and let C initiate the communication. This may be a
disadvantage is A and B are "equal", but in that case A and B should
be organized as clusters and redirect may not be the best way.


> Spoke A established tunnel to spoke B. A is thus original initiator.
> But the routing change is on spoke B subnet. B cannot send Redirect
> according to the above. You'd need to specify additional mechanism for
> that, or re-specify the original one. I believe this restriction is due
> to security considerations for client-gateway type connectivity.
>
>> You mention load balancing may be an issue. Can you please specify the
>> issue you see?
>
> Could you specify how in practice I could implement one subnet to be
> load-balanced to spoke nodes?
>
If I correctly understand your scenario, you are looking at load
balancing the traffic of your private network between two spokes. Any
IP-load balancer could split and load balance the traffic between the
two spokes.
On the other hand you might also want to have multiple spokes under a
given IP address. In that case, load balancing is performed according
to the hash of the IP addresses or according to values of the SPI.
Solution like cluster IP load balance the traffic between the two
spokes [1].

[1] http://wiki.strongswan.org/projects/strongswan/wiki/HighAvailability

>> One last point to clarify. it seems that you are trying to say ADVPN
>> misses some features provided by routing protocols. In fact ADVPN can
>> take advanatge of ALL of these features as ANY routing protocol can
>> run on the top of ADVPN. This was a MUST requirement of RFC5685. If
>> you see a scenrio that you think does not fit ADVPN, please document
>> it so we can address your specific issue.
>
> I thought the advantage was to _not_ run routing protocol.

You are right ADVPN does not necessarily need routing protocol. It can
have one or not, it is up to the scenarios you want to address.

> If running  routing protocol is supported, can you please specify how a routing
> protocol is to be integrated with the IKE traffic exchange? Yes, it is
> possible, but non-trivial, thus I would like to see some specification
> mapping how to do that mapping.

I do not see the issue. Can you point out the issue more specifically.

>
> And like someone else asked, how is MPLS routed?

Maybe you could encapsulates MPLS traffic in GRE/IP. Everything
possible with DMVPN is possible with ADVPN.

>
> Thanks,
>  Timo



-- 
Daniel Migault
Orange Labs -- Security
+33 6 70 72 69 58

v2.23.0 | Report a Bug | By Email