IETF Logo Mail Archive

Re: [IPsec] Large Scale VPN

Praveen Sathyanarayan <praveenys@juniper.net> Tue, 03 January 2012 20:35 UTC

Return-Path: <praveenys@juniper.net>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3753811E80FC for <ipsec@ietfa.amsl.com>; Tue, 3 Jan 2012 12:35:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MOfiiwZMxJjo for <ipsec@ietfa.amsl.com>; Tue, 3 Jan 2012 12:34:59 -0800 (PST)
Received: from exprod7og113.obsmtp.com (exprod7og113.obsmtp.com [64.18.2.179]) by ietfa.amsl.com (Postfix) with ESMTP id 37D6F11E80C7 for <ipsec@ietf.org>; Tue, 3 Jan 2012 12:34:59 -0800 (PST)
Received: from P-EMHUB02-HQ.jnpr.net ([66.129.224.36]) (using TLSv1) by exprod7ob113.postini.com ([64.18.6.12]) with SMTP ID DSNKTwNmZsWQYSP6H255jLH72/33Y0SSxXLN@postini.com; Tue, 03 Jan 2012 12:34:59 PST
Received: from EMBX01-HQ.jnpr.net ([fe80::c821:7c81:f21f:8bc7]) by P-EMHUB02-HQ.jnpr.net ([fe80::88f9:77fd:dfc:4d51%11]) with mapi; Tue, 3 Jan 2012 12:32:13 -0800
From: Praveen Sathyanarayan <praveenys@juniper.net>
To: Mike Sullenberger <MLS@cisco.com>, "ipsec@ietf.org" <ipsec@ietf.org>
Date: Tue, 03 Jan 2012 12:32:11 -0800
Thread-Topic: [IPsec] Large Scale VPN
Thread-Index: AczKVsaow14jz2kkS6yLXHHbnsRHzQ==
Message-ID: <CB20F932.7A2D8%praveenys@juniper.net>
In-Reply-To: <01O9UR5SKAYW96VL1D@Cisco.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.1.0.101012
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [IPsec] Large Scale VPN
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Jan 2012 20:35:00 -0000

I would like to re-iterate again.

1.) Juniper solution is not based on GRE. Juniper solution is based on
"pure" IPSec in tunnel mode. It works very well.
2.) Juniper implementation has many proprietary messages to solve all
scenarios. NHRP is required, but it is not complete.
3.) Authentication method to authenticate spokes can be proprietary.

We believe there is a need for standard, so that different vendors can
interop.

-- Praveen


On 12/21/11 5:16 PM, "Mike Sullenberger" <MLS@cisco.com> wrote:

Everyone,

I noticed that in the four vendor presentations in the "P2P VPN - side
meeting" in TAIPEI that none of vendors chose to extend or augment
IKE/IPsec
to solve this class of problems.  This is not to say that vendors haven't
chosen to extend IKE/IPsec to solve other classes of issues, I.e. XAuth and
Mode-config.

My firm belief is that IKE/IPsec is at the wrong level to solve or
standardize the creation of encrypted dynamic mesh networks.  DMVPN, as one
example, has for over 8 years solved this issue by using protocols that are
specifically designed for the different needs for creating encrypted
dynamic
mesh networks.  If you modify IKE/IPsec to perform these functions then you
will end up having to add (redo) the functionality of already existing
protocols in IKE/IPsec and the result will not be able to do as "good" a
job.

   1. I have no problem with creating a problem statment including use
      cases, but I am not sure how usefull this will be coming from the
      ipsecME WG when the solution for the problem statement shouldn't
      be done in IKE/IPsec.

   2. I don't see how nor why the ipsecME WG should be involved in vendors
      publishing an informational RFCs about their solutions. I didn't
think
      that there is a need for a WG's approval or help to publish an
      informational RFC.

      Note, we (Cisco) have said that we are willing to submit an
      informational RFC about DMVPN and having it ready by August 2012 is
      fine.

   3. Again I firmly believe that a standardized solution to encrypted
      dynamic mesh networks should not be done by modifying IKE/IPsec.
      Therefore the ipsecME WG is the not the right IETF WG to analyze and
      or select a solution.

   4. At least three vendors (Cisco, Juniper and Alcatel) have very
      successfully implemented large-scale encrypted dynamic mesh networks
      by using IKE/IPsec for encryption, GRE for protocol independent
      tunneling, NHRP for endpoint discovery and Routing protocols (even
      static routing) for the routing/forwarding of data traffic (subnets)
      through the encrypted tunnels.

I therefore vote against this change to the ipsecME WG charter.

-1

Thanks,

Mike Sullenberger

>If we want Paul and Yaron to take this to our AD, we need to show
>that there are more people who think these work items are a good
>idea. More people than just me and MCR.  So please show your
>support (or objections!) soon. An "I think this is a good idea",
>"I think we should use ternary logic", or "+1" is all it takes.
>
>Yoav
>
>On Dec 8, 2011, at 10:06 PM, Yoav Nir wrote:
>>
>> Agree. How about:
>>
>> In an environment with many IPsec gateways and remote clients that
>> share an established trust infrastructure (in a single
>> administrative domain or across multiple domains), customers want
>> to get on-demand point-to-point IPsec capability for efficiency.
>> However, this cannot be feasibly accomplished only with today's
>> IPsec and IKE due to problems with address lookup, reachability,
>> policy configuration, etc.
>>
>> The IPsecME working group will handle this large scale VPN problem
>> by delivering the following:
>>
>> * The working group will create a problem statement document
>>   including use cases, definitions and proper requirements for
>>   discovery and updates. This document would be solution-agnostic.
>>   Should reach WG last call around October 2012.
>>
>> * The working group will review and help publish Informational
>>   documents describing current vendor proprietary solutions.
>>   These should be ready for IETF last call by August 2012.
>>
>> * The working group will choose a common solution for the
>>   discovery and update problems that will satisfy the
>>   requirements in the problem statement document. The working
>>   group may standardize one of the vendor solutions, a
>>   combination, an superset of such a solution, or a new
>>   protocol.
>>
>>

+------------------------------------------------+
| Mike Sullenberger; DSE                         |
| mls@cisco.com                .:|:.:|:.         |
| Customer Advocacy              CISCO           |
+------------------------------------------------+



+------------------------------------------------+
| Mike Sullenberger; DSE                         |
| mls@cisco.com                .:|:.:|:.         |
| Customer Advocacy              CISCO           |
+------------------------------------------------+
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

v2.23.0 | Report a Bug | By Email