Re: [IPsec] Some comments / questions on draft-ietf-ipsecme-ad-vpn-problem

Lou Berger <lberger@labn.net> Fri, 16 November 2012 19:01 UTC

Return-Path: <lberger@labn.net>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0297C21F8872 for <ipsec@ietfa.amsl.com>; Fri, 16 Nov 2012 11:01:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.82
X-Spam-Level:
X-Spam-Status: No, score=-100.82 tagged_above=-999 required=5 tests=[AWL=0.245, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, J_CHICKENPOX_13=0.6, J_CHICKENPOX_14=0.6, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1pe-lXjzW+PU for <ipsec@ietfa.amsl.com>; Fri, 16 Nov 2012 11:01:15 -0800 (PST)
Received: from oproxy8-pub.bluehost.com (oproxy8-pub.bluehost.com [69.89.22.20]) by ietfa.amsl.com (Postfix) with SMTP id E5F1B21F87E1 for <ipsec@ietf.org>; Fri, 16 Nov 2012 11:01:14 -0800 (PST)
Received: (qmail 8700 invoked by uid 0); 16 Nov 2012 19:00:48 -0000
Received: from unknown (HELO box313.bluehost.com) (69.89.31.113) by oproxy8.bluehost.com with SMTP; 16 Nov 2012 19:00:48 -0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=labn.net; s=default; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:References:Subject:CC:To:MIME-Version:From:Date:Message-ID; bh=/nU9LYriv8BhjuaXDKyNif40CUyfZlIbcftQCPJclYw=; b=af2zO6H5D06qtZIbopJQcBX1dgQtPSGLlSCBFKWRtyk0B3kIxWJUA0+2ZL/DzmBl8NQ92fnsNGdXZTSsLemDIViHbSVoXPdAvnWtJPf8VQmgkQI4gnxj85g8pFev+Eow;
Received: from box313.bluehost.com ([69.89.31.113]:60155 helo=[127.0.0.1]) by box313.bluehost.com with esmtpa (Exim 4.76) (envelope-from <lberger@labn.net>) id 1TZR9e-0000g3-KB; Fri, 16 Nov 2012 12:00:48 -0700
Message-ID: <50A68D30.2040203@labn.net>
Date: Fri, 16 Nov 2012 14:00:00 -0500
From: Lou Berger <lberger@labn.net>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20121026 Thunderbird/16.0.2
MIME-Version: 1.0
To: Vishwas Manral <vishwas.ietf@gmail.com>
References: <50A5703F.4070305@labn.net> <CAOyVPHTWhv8=sP6kYkZmOEsjMsdr72P8fe=7w5XY0Hd_wP_9=w@mail.gmail.com> <50A58CDB.30402@labn.net> <CAOyVPHQ+n83DaVv6Q9Z0kvi0MyYrhPbB=L6ju4fwjTyRK1P22Q@mail.gmail.com> <50A682F8.9080907@labn.net> <CAOyVPHSvWhgaYm2s_8_37VuaR1e_5tiJai+04AKzm3HXkNwESg@mail.gmail.com> <50A689A9.1090803@labn.net> <CAOyVPHR1euA9TRnAp7V+OKjRkPARYYvQ+C0HnA70y-122sy9ZQ@mail.gmail.com>
In-Reply-To: <CAOyVPHR1euA9TRnAp7V+OKjRkPARYYvQ+C0HnA70y-122sy9ZQ@mail.gmail.com>
X-Enigmail-Version: 1.4.5
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Identified-User: {1038:box313.bluehost.com:labnmobi:labn.net} {sentby:smtp auth 69.89.31.113 authed with lberger@labn.net}
Cc: IPsecme WG <ipsec@ietf.org>
Subject: Re: [IPsec] Some comments / questions on draft-ietf-ipsecme-ad-vpn-problem
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Nov 2012 19:01:16 -0000

Vishwas,

On 11/16/2012 1:48 PM, Vishwas Manral wrote:
> Hi Lou,
> 
> Got it. Can you suggest some text for this? I will try to incorporate
> the same into the document.

Assuming you don't like my prior attempt:
X.  The solution SHOULD support BGP/MPLS IP VPNs, see [RFC4364].

How about something like:
X. The solution MUST support Provider Edge (PE) based VPNs.

Note that this phrasing doesn't indicate a specific solutions which is
why I now suggest "MUST" vs "SHOULD".

Lou

> 
> Thanks,
> Vishwas
> 
> On Fri, Nov 16, 2012 at 10:44 AM, Lou Berger <lberger@labn.net
> <mailto:lberger@labn.net>> wrote:
> 
>     Vishwas,
>             Sure, but it's the BGP information that indicates what IPsec
>     tunnels
>     are needed / when the SAs get established...
> 
>     Again, I just asking for language that points to this use case, not
>     implementation details.
> 
>     Thanks,
>     Lou
> 
>     On 11/16/2012 1:34 PM, Vishwas Manral wrote:
>     > Hi Lou,
>     >
>     >> I'm not sure I agree with this statement.  Let's say you have
>     >> a BGP VPN that uses IPsec tunnels between the PEs (which
>     >> was described in a couple of expired drafts and can be supported
>     >> using RFC5566), and then wants to be able to use dynamic PE
>     >> to PE IPsec tunnels.  Does this fit your "2 different layer"
>     >> perspective?
>     > IPsec with ADVPN secures the tunnel and creates the mesh underlay on
>     > need basis/ or automatically. L3VPN creates the overlay,
>     identifies the
>     > tenant/ customer a packet belongs to and passes the packet on.
>     >
>     > Where do we see the need for tighter integration here? Is it allowing
>     > the ability to create groups of ADVPN instances?
>     >
>     > Thanks,
>     > Vishwas
>     >
>     > On Fri, Nov 16, 2012 at 10:16 AM, Lou Berger <lberger@labn.net
>     <mailto:lberger@labn.net>
>     > <mailto:lberger@labn.net <mailto:lberger@labn.net>>> wrote:
>     >
>     >     Vishwas,
>     >
>     >     Please see below.
>     >
>     >     On 11/16/2012 12:49 PM, Vishwas Manral wrote:
>     >     > Hi Lou,
>     >     >
>     >     > Thanks for the quick reply. Just a few comments prefixed
>     with a "VM>":
>     >     >
>     >     >     >
>     >     >     > We can add something in the lines of additional protocols
>     >     are run over
>     >     >     > the IPsec tunnels and the solution should make an
>     effort to
>     >     allow for
>     >     >     > additional protocols like OSPF to be run optimally without
>     >     too many
>     >     >     > changes in configuration.
>     >     >     >
>     >     >     > Infact we have a requirement to the effect in section 4.1
>     >     >
>     >     >     yes, this is what I referred to as 4.2 below, and
>     suggested some
>     >     >     replacement text...
>     >     >
>     >     > OK got it.
>     >     >
>     >     >     >
>     >     >     >     Gateways MUST allow tunnel binding, such that
>     >     applications like
>     >     >     >    Routing using the tunnels can work seamlessly
>     without any
>     >     >     updates to
>     >     >     >    the higher level application configuration i.e.  OSPF
>     >     >     configuration.
>     >     >     >
>     >     >     >     - In section 4.2, how about:
>     >     >     >        (replacement text)
>     >     >     >        3.  Gateways MUST allow for the operation of
>     >     tunneling and
>     >     >     >        routing protocols operating over spoke-to-spoke
>     IPsec
>     >     Tunnels
>     >     >     >        with minimal, or no, configuration impact.
>     >     >
>     >     > VM> Ok will specifically specify tunnels and routing protocols.
>     >     >
>     >
>     >     Great.
>     >
>     >     >
>     >     >     >
>     >     >     >
>     >     >     >        X.  The solution SHOULD support BGP/MPLS IP
>     VPNs, see
>     >     >     [RFC4364].
>     >     >     >
>     >     >     >     If you want, you can make the "SHOULD" a "MUST", and
>     >     "support"
>     >     >     could be
>     >     >     >     "be compatible with".
>     >     >     >
>     >     >     > I do not want to go ahead into details of what other
>     routing
>     >     solutions
>     >     >     > it should support.
>     >     >     >
>     >     >     > With that said I am not sure what you mean by having BGP
>     >     MPLS VPN
>     >     >     in an
>     >     >     > ADVPN scenario. BGP MPLS VPN is a provider provisioned VPN
>     >     solution,
>     >     >     > this is a customer provisioned one.
>     >     >
>     >     >     Ahh, interesting point.  When I read the document I was
>     >     looking to see
>     >     >     if it was scoped purely to CE/customer based solutions.
>     >      Reading section
>     >     >     2 (intro) and 2.2, I saw no such restriction.  So I think
>     >     section 2.2
>     >     >     should be explicit on this point either way. Which is why I
>     >     proposed the
>     >     >     text "There is also the case when L3VPNs operate over IPsec
>     >     Tunnels."
>     >     >     (To explicitly include this case.)  If the WG wants this
>     case
>     >     excluded,
>     >     >     that's fine too.
>     >     >
>     >     > VM> It is not scoped purely as a CE device scenario, and
>     after seeing
>     >     > your comment I see no reason to leave that out of scope
>     (though if I
>     >     > understand your concern better I may feel otherwise). L3VPN
>     can work
>     >     > over GRE tunnels/ L2TP tunnels, which can themselves use IPsec.
>     >     Again in
>     >     > my view the L3VPN and the IPsec VPN are 2 different layers
>     in the
>     >     stack
>     >     > if they run on the same device.
>     >
>     >     I'm not sure I agree with this statement.  Let's say you have
>     a BGP VPN
>     >     that uses IPsec tunnels between the PEs (which was described
>     in a couple
>     >     of expired drafts and can be supported using RFC5566), and
>     then wants to
>     >     be able to use dynamic PE to PE IPsec tunnels.  Does this fit
>     your "2
>     >     different layer" perspective?
>     >
>     >     Either way, I think such usage should be explicitly in scope
>     as it is a
>     >     very different model / use case from CE-based IPsec VPNs.
>     >
>     >     > Do you see a reason to explicitly
>     >     > mention L3VPN in this case?
>     >
>     >     I'm open to different ways to cover the above.
>     >
>     >     Much thanks,
>     >     Lou
>     >     >
>     >     > Thanks,
>     >     > Vishwas
>     >     >
>     >     >
>     >     >
>     >     >     > I see the 2 working in different
>     >     >     > layers, and interacting only in edge gateways where both
>     >     solutions
>     >     >     have
>     >     >     > an edge.
>     >     >
>     >     >     Sure, but the problem exists for both.
>     >     >
>     >     >     Thanks,
>     >     >     Lou
>     >     >     >
>     >     >     >
>     >     >     >     I also have a few more minor comments:
>     >     >     >
>     >     >     > I am ok with the minor suggestions you have.
>     >     >     >
>     >     >     > Thanks,
>     >     >     > Vishwas
>     >     >     >
>     >     >     >
>     >     >     >
>     >     >     >     - In section 2.1, you introduce the term "NAT
>     gateway" and
>     >     >     then later
>     >     >     >     use just "gateway" when I suspect you mean "NAT
>     gateway".  I
>     >     >     suggest
>     >     >     >     using the term "NAT" and thereby not introduce
>     possible
>     >     confusion
>     >     >     >     between the gateway term defined in section 1.1
>     and "NAT
>     >     >     gateways".
>     >     >     >
>     >     >     >     - In section 2.2, s/occupies/requires
>     >     >     >
>     >     >     >     - In sections 2.2, and Section 3.2 you say dynamic
>     >     addresses makes
>     >     >     >     static configuration impossible.  This doesn't reflect
>     >     the use of
>     >     >     >     dynamic dns to handle this issues (and is currently
>     >     supported
>     >     >     by some
>     >     >     >     vendors.)
>     >     >     >
>     >     >     >     Let me know what you think,
>     >     >     >     Lou
>     >     >     >     _______________________________________________
>     >     >     >     IPsec mailing list
>     >     >     >     IPsec@ietf.org <mailto:IPsec@ietf.org>
>     <mailto:IPsec@ietf.org <mailto:IPsec@ietf.org>>
>     >     <mailto:IPsec@ietf.org <mailto:IPsec@ietf.org>
>     <mailto:IPsec@ietf.org <mailto:IPsec@ietf.org>>>
>     >     <mailto:IPsec@ietf.org <mailto:IPsec@ietf.org>
>     <mailto:IPsec@ietf.org <mailto:IPsec@ietf.org>>
>     >     >     <mailto:IPsec@ietf.org <mailto:IPsec@ietf.org>
>     <mailto:IPsec@ietf.org <mailto:IPsec@ietf.org>>>>
>     >     >     >     https://www.ietf.org/mailman/listinfo/ipsec
>     >     >     >
>     >     >     >
>     >     >     >
>     >     >
>     >     >
>     >
>     >
> 
>