IETF Logo Mail Archive

Re: [IPsec] Some comments / questions on draft-ietf-ipsecme-ad-vpn-problem

Vishwas Manral <vishwas.ietf@gmail.com> Wed, 05 December 2012 17:54 UTC

Return-Path: <vishwas.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C8D721F8BAE for <ipsec@ietfa.amsl.com>; Wed, 5 Dec 2012 09:54:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.298
X-Spam-Level:
X-Spam-Status: No, score=-3.298 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_14=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BDSDMGlljUd6 for <ipsec@ietfa.amsl.com>; Wed, 5 Dec 2012 09:54:13 -0800 (PST)
Received: from mail-qa0-f44.google.com (mail-qa0-f44.google.com [209.85.216.44]) by ietfa.amsl.com (Postfix) with ESMTP id 88BA221F8BA9 for <ipsec@ietf.org>; Wed, 5 Dec 2012 09:54:12 -0800 (PST)
Received: by mail-qa0-f44.google.com with SMTP id z4so2368910qan.10 for <ipsec@ietf.org>; Wed, 05 Dec 2012 09:54:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=rGcwvhhPRX2Ya/7LDQk0ZJvkGHf3m/BZs5KoSJEyrdI=; b=njii3l0hFd5zdIKwfeqAhXP9LaeJXxJKNwvu+AhqBqY27SwSsyPhLz7TvZBeJhmBME do3n7qPBr0jBw6ImN9DpLtc7mJBpmLWD6/+4wXWO6w72qttTE1RwQWyhdWWsbcj0Ll49 Ui1aRDYofCrkQJlZp3URx8I1LO8VApC2XaKoO8+jFB4B834IhnqV9p7LXjBOrMftnzHe ZTGK+aUsPumRJKuDwsfLiBYSXAupNsdtmfxpZLinCXiNttRtwWWrTB7m5bsCpD2ot/G7 Og7rS87uFsDbaIfuhYxSGq9+iytxD2xUxV/sSGa/QyBjbrlfnNv13gAjOkxGfaQ1fk96 EuDg==
MIME-Version: 1.0
Received: by 10.49.128.37 with SMTP id nl5mr33817123qeb.59.1354730051885; Wed, 05 Dec 2012 09:54:11 -0800 (PST)
Received: by 10.229.92.77 with HTTP; Wed, 5 Dec 2012 09:54:11 -0800 (PST)
In-Reply-To: <50BE4A60.1000303@labn.net>
References: <50A5703F.4070305@labn.net> <CAOyVPHTWhv8=sP6kYkZmOEsjMsdr72P8fe=7w5XY0Hd_wP_9=w@mail.gmail.com> <50A58CDB.30402@labn.net> <CAOyVPHQ+n83DaVv6Q9Z0kvi0MyYrhPbB=L6ju4fwjTyRK1P22Q@mail.gmail.com> <50A682F8.9080907@labn.net> <CAOyVPHSvWhgaYm2s_8_37VuaR1e_5tiJai+04AKzm3HXkNwESg@mail.gmail.com> <50A689A9.1090803@labn.net> <CAOyVPHR1euA9TRnAp7V+OKjRkPARYYvQ+C0HnA70y-122sy9ZQ@mail.gmail.com> <50A68D30.2040203@labn.net> <CAOyVPHR4OVNuvMU-UxZAJUoKFugCWwUQq0dSRo-7gY=Y886LoQ@mail.gmail.com> <CAOyVPHRopwvE5U3ZF7kDxNe59OgTk7ydoFG6iqvZdOFUCvaGyA@mail.gmail.com> <50BE30D9.4030903@labn.net> <CAOyVPHSXQQt_31Y2MP+iMe8d0MCxSyKzVvCLL-HLkcggaOKuMw@mail.gmail.com> <50BE4A60.1000303@labn.net>
Date: Wed, 05 Dec 2012 09:54:11 -0800
Message-ID: <CAOyVPHSkGVvGD2bMgk-vp3DO0o9N9Zt6mf4SnaL4L9ZFR8NRHg@mail.gmail.com>
From: Vishwas Manral <vishwas.ietf@gmail.com>
To: Lou Berger <lberger@labn.net>
Content-Type: multipart/mixed; boundary="047d7b676e6e825bc404d01eab7f"
Cc: IPsecme WG <ipsec@ietf.org>
Subject: Re: [IPsec] Some comments / questions on draft-ietf-ipsecme-ad-vpn-problem
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Dec 2012 17:54:15 -0000

Hi Lou,

Thanks for your close reading of the document. I am attaching the changed
document. Please let me know if it looks good.

On 11/15/2012 7:14 PM, Vishwas Manral wrote:
> >     - In section 2.2, I think mentioning something about the routing
> >     implications is worthwhile. How about at the end of the section
> adding
> >     something along the lines of :
> >
> >         Additionally, the routing implications of gateway-to-gateway
> >         communication must be addressed.  In the simple case,
> >         selectors provide sufficient information for a gateway to
> >         forward traffic appropriately.  In other cases, additional
> >         tunneling (e.g., GRE) and routing (e.g., OSPF) protocols are
> >         run over IPsec tunnels, and the configuration impact on those
> >         protocols must be considered.  There is also the case when
> >         L3VPNs operate over IPsec Tunnels.
> >
> > We can add something in the lines of additional protocols are run over
> > the IPsec tunnels and the solution should make an effort to allow for
> > additional protocols like OSPF to
>
> Also in section 2.2, the text now says:
>
>    The solution should work in cases where the endpoints are
>    administrated by separate management domains, albeit, ones that have
>    an existing trust relationship (for example two organisations who are
>    collaborating on a project, they may wish to join their networks,
>    whilst retaining independent control over configuration)It is for
>    this purpose spoke-to-spoke tunnels are dynamically created and torn-
>    down.  It is highly desirable that the solution works for the star,
>    full mesh as well as dynamic full mesh topology.
>
> This revision now reads that the primary reason for dynamic
> spoke-to-spoke tunnels is separate management domains.  I somehow don't
> think this was the intent.
>

I have reordered the sentences.

>
> In section 4.1 we had discussed replacement text for 3:
> On 11/16/2012 12:49 PM, Vishwas Manral wrote:
> >>On 11/15/2012 5:44 PM, Lou Berger wrote:
> >>     - In section 4.2, how about:
> >>        (replacement text)
> >>        3.  Gateways MUST allow for the operation of tunneling and
> >>        routing protocols operating over spoke-to-spoke IPsec Tunnels
> >>        with minimal, or no, configuration impact.
> >
> >VM> Ok will specifically specify tunnels and routing protocols.
>
> You have the following alternate / revised text:
>    3.  In many cases additional tunneling protocols (i.e.  GRE) or
>    Routing protocols (i.e.  OSPF) are run over the IPsec tunnels.
>    Gateways MUST allow for the operation of tunneling and Routing
>    protocols operating over spoke-to-spoke IPsec Tunnels with minimal or
>    no, configuration impact.  Routing using the tunnels can work
>    seamlessly without any updates to the higher level application
>    configuration i.e.  OSPF configuration, when the tunnel parameter
>    changes.
>
> I think this text is closer, but I think a few additional changes are
> needed:
>  - GRE and OSPF are examples, so "i.e." should be replaced with "e.g."
>  - I think the final sentence is likely to be incorrect in many / most
>    real world cases, so would drop the sentence (from "Routing using
>    the tunnels can work...")
>
I changed the "can" to a SHOULD for the second part. The idea is no changes
should happen in configuration and our current solution allows that for
most cases (hence SHOULD).

>
> You also said you'd address the minor comments:
> On 11/15/2012 5:44 PM, Lou Berger wrote:
> > - In section 2.1, you introduce the term "NAT gateway" and then later
> > use just "gateway" when I suspect you mean "NAT gateway".  I suggest
> > using the term "NAT" and thereby not introduce possible confusion
> > between the gateway term defined in section 1.1 and "NAT gateways".
>
> Updated it. I agree we can separate out the terms NAT gateway/ Gateway,
though for most parts it may be the same device. Prepend NAT to change it
to NAT gateway, as just replacing it with NAT made the sentence out of
place.


> and
>
> > - In sections 2.2, and Section 3.2 you say dynamic addresses makes
> > static configuration impossible.  This doesn't reflect the use of
> > dynamic dns to handle this issues (and is currently supported by some
> > vendors.)
>
> Do you have any reference and suggested text for this? I have not seen the
same in our customer cases.

Thanks,
Vishwas

v2.36.0 | Report a Bug | By Email | System Status