IETF Logo Mail Archive

Re: [IPsec] Moving prefixes -- clariciations for draft-sathyanarayan-ipsecme-advpn-03

"Frederic Detienne (fdetienn)" <fdetienn@cisco.com> Thu, 06 February 2014 04:45 UTC

Return-Path: <fdetienn@cisco.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A7811A0374 for <ipsec@ietfa.amsl.com>; Wed, 5 Feb 2014 20:45:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.036
X-Spam-Level:
X-Spam-Status: No, score=-10.036 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.535, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gmI6N_PlJUyh for <ipsec@ietfa.amsl.com>; Wed, 5 Feb 2014 20:45:01 -0800 (PST)
Received: from alln-iport-4.cisco.com (alln-iport-4.cisco.com [173.37.142.91]) by ietfa.amsl.com (Postfix) with ESMTP id 7D96A1A0277 for <ipsec@ietf.org>; Wed, 5 Feb 2014 20:45:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=5728; q=dns/txt; s=iport; t=1391661900; x=1392871500; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=EG9rqswaU3awGZScyKssY8lwr/0mPG8C+e5ayGi880k=; b=RPeeqHMrTpyEnEU4LGJC1TYfALW+L2OLpkUbRr7m8pWJsm91Suu0ruzc k0F9wrpBFKv5kqSF1P9gFEosDBmGGQyiGo+p5G5yCaHJ1+s9ghjWhu/nm okmURktNl5IIBjOrRgU5ew0kNiZLc2dWKhVgTmGuzvh8/UspGiYQHH8U+ Y=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgEFAM0S81KtJXG9/2dsb2JhbABZgwy/doEHFnSCJQEBAQMBaBEFCwIBCBgdETIlAgQOBRuHYgjOYxeOExEBHTMHgySBFASYK5IhgW+BPoFx
X-IronPort-AV: E=Sophos;i="4.95,791,1384300800"; d="scan'208";a="18360566"
Received: from rcdn-core2-2.cisco.com ([173.37.113.189]) by alln-iport-4.cisco.com with ESMTP; 06 Feb 2014 04:44:59 +0000
Received: from xhc-rcd-x09.cisco.com (xhc-rcd-x09.cisco.com [173.37.183.83]) by rcdn-core2-2.cisco.com (8.14.5/8.14.5) with ESMTP id s164ixxJ014207 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Thu, 6 Feb 2014 04:44:59 GMT
Received: from xmb-aln-x06.cisco.com ([169.254.1.227]) by xhc-rcd-x09.cisco.com ([173.37.183.83]) with mapi id 14.03.0123.003; Wed, 5 Feb 2014 22:44:58 -0600
From: "Frederic Detienne (fdetienn)" <fdetienn@cisco.com>
To: Praveen Sathyanarayan <praveenys@juniper.net>
Thread-Topic: [IPsec] Moving prefixes -- clariciations for draft-sathyanarayan-ipsecme-advpn-03
Thread-Index: AQHPG4MvdTmd1tpwSEqyl/V9y2lTr5qYT5OAgAtpFQCAAwe3AIAAEC+AgAANYQCAANdrZw==
Date: Thu, 06 Feb 2014 04:44:58 +0000
Message-ID: <5C13728B-72D0-42A3-996C-858430C334BD@cisco.com>
References: <88259CEC-4D10-48EC-8A21-0D2F348EEE3F@cisco.com> <CF0BCF53.6AC0F%praveenys@juniper.net> <A7DCDB4D-CE88-473C-9584-91F2B571E8FF@checkpoint.com> <574468F8-9203-451C-A145-C9E1DD51D781@cisco.com> <CF17F447.3F461%praveenys@juniper.net>, <CF18098A.3F4D9%praveenys@juniper.net>
In-Reply-To: <CF18098A.3F4D9%praveenys@juniper.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "<ipsec@ietf.org> WG" <ipsec@ietf.org>, Yoav Nir <ynir@checkpoint.com>
Subject: Re: [IPsec] Moving prefixes -- clariciations for draft-sathyanarayan-ipsecme-advpn-03
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Feb 2014 04:45:06 -0000

Hi Praveen,

I suppose it would be convenient for you to minimize DMVPN to a "routing solution" however draft-detienne covers more than that.

The remote access client case is fully covered. Without routing protocol. This point was clarified sometime in November (I believe) and draft-detienne was updated accordingly.

Now back to the discussion, I think I now do understand precisely how you see the negotiation going. It turns out we support all these methods already and we know the complexity of it.

I would like to verify a few more points because it is not trivial at all.

What I am exposing here is that draft-sathyanarayan will quickly grow out of control as it tries to encompass all possible negotiation methods.

In practice, it means only a couple vendors will be able to implement it decently and will likely clash quite hard. All this at the expense of users who are lured by failed promises.

More inline on this topic then I will slowly move on to the next points.

Thanks,

   Fred

(sent from mobile)

> On 06 Feb 2014, at 00:31, "Praveen Sathyanarayan" <praveenys@juniper.net> wrote:
> 
> Hi Fred,
> 
> I see draft-detienne¹s view of discovery of tunnel-peer is a routing
> issue. So DMVPN solution predominantly a routing solution. So,
> draft-detienne may work good for routing vendors.

> But it is not a solution for non-routing vendors. As an example, mobile
> devices increasingly can do more features like FaceTime/Skype/Hangout,
> Airdrop. To do these, expecting mobile devices to run BGP protocol, to
> discover a direct tunnel is not a reasonable expectation. Or for that
> matter expecting a firewall device to run routing protocol, is not a
> reasonable expectation either.
> 
> More comments inline.
> 
> 
> Thanks,
> Praveen
> 
> 
> 
> On 2/5/14, 5:45 AM, "Frederic Detienne (fdetienn)" <fdetienn@cisco.com>
> wrote:
> 
>> We can no longer call that a simple solution. There are pieces that meet
>> some of the requirements but are in contradiction with others.
> 
>> Similarly, draft-sathyanarayan offers multiple implementation or
>> deployment systems (policy based or tunnel based) which are not
>> compatible at protocol level. It means implementations have to cover BOTH
>> methods to guarantee interoperability.
> 
> [PRAVEEN] I disagree. How will a spoke running OSPF and other spoke
> running BGP interop in draft-detienne?  Your answer was, (previously in
> virtual conference) was that it does not matter. Because, as long as Hub
> supports both routing protocols, there is no issue. The same thing applies
> here. If you have route based implementation on a SpokeA and Policy based
> implementation SpokeB, it can still open a direct IPSec tunnel without
> causing any interoperability. And of course, there is no need of running
> routing protocol between the spokes, even in our solution.

The big difference is here:

domain1 can deploy a routed based network only by picking a vendor focusing on that method only. In this case, the TSi TSr may be 0.0.0.0/0 0.0.0.0/0

Domain2 may deploy a pure policy based implementation.

Now how does domain 2 accept domain1's proposals ? And vice versa ?

As you explain below, the route based method probably has to fall back to a policy type negotiation.

If domain1 admin made that choice, one can assume there is a reason. Now we end up with a double negotiation method.

Also how does spoke domain 1 initiate to hub domain 2 ? How does that hub know how to narrow down the TSi to ? It does not know that spoke yet...

What now if domain 3 wants GRE/IPsec ? I remember an early email saying it can be negotiated too.

Draft-sathyanarayan possibly allows any protocol to be negotiated but it focuses on the policy based method and does not mention at all how interop is achieved.


> To take a practical example: one domain may initially be rule based, the
> other tunnel based. What happens when those domains must now cooperate ?
> 
> 
> Both issues above will prevent proper cross-domain interoperability. In
> particular, a "policy-based" spoke will not be able to talk to a "tunnel
> based" hub as per this draftŠ it would take a decision as to which is the
> fallback mode and a dual implementation on at least one of the devices.
> 
> 
> [PRAVEEN] No issues here. As long as you support rfc5996, and you exchange
> TSi and Tsr payloads, you are ready to setup a tunnel and forward the
> traffic. On route based VPN side, you get TSi and TSr payload that defines
> the SPD entries. These SPD entries are bound to your tunnel interface.
> Route that exist before the shortcut tunnel, still points to tunnel
> interface. As this tunnel-interface is now has dynamic SPD entries, it now
> knows how to forward all/selective traffic to the shortcut tunnel. And of
> course the Policy based domain side it is straight forward. Where do you
> see the issue? 

So I presume TSi TSr of the routed spoke will be 0.0.0.0/0 0.0.0.0/0 ?

This then gets narrowed down by the policy spoke ?

We would create a tunnel per peer to achieve that. Your comment is interesting however as it raises a complexity.

On a policy spoke1, the initial policy is

10.0.0.0/24 10.0.0.0/8 to hub

Then spoke2 is discovered hosting 10.0.1.0/24

Now the SPD says

10.0.0.0/24 10.0.0.0/8 to hub
10.0.0.0/24 10.0.1.0/24 to spoke2

I know implementations that will not behave well in this case. The SPDB does not guarantee a best match or sorted search.

What should they do ?

Thanks,

  Fred

> Thanks,
> Praveen
> 
>

v2.23.0 | Report a Bug | By Email