[IPsec] Some comments / questions on draft-ietf-ipsecme-ad-vpn-problem
Lou Berger <lberger@labn.net> Thu, 15 November 2012 22:44 UTC
Message-ID: <50A5703F.4070305@labn.net>
Date: Thu, 15 Nov 2012 17:44:15 -0500
From: Lou Berger <lberger@labn.net>
To: draft-ietf-ipsecme-ad-vpn-problem@tools.ietf.org
Cc: ipsec@ietf.org
Authors,
As I mentioned in last week's meeting, I have some comments on this
document from the routing perspective. I don't think these are major,
but I still think they should be addressed.
In section 1.1, you define the term gateway. I'm assuming that you are
using the term in the normal IPsec context, and that it includes IPsec
enabled routers. Is this correct? If not, the text should make this
clear, and you can ignore the rest of my mail!
Assuming such routers are within scope, there are some complicating
issues with IPsec enabled routers that I think should be called out. I
don't think much text is needed to cover this case. I'm not sure the
best way to address these, but I have some suggestions to get the
conversation started (and yes, I expect that you'll edit the text):
- In section 2.2, I think mentioning something about the routing
implications is worthwhile. How about at the end of the section adding
something along the lines of:
Additionally, the routing implications of gateway-to-gateway
communication must be addressed. In the simple case,
selectors provide sufficient information for a gateway to
forward traffic appropriately. In other cases, additional
tunneling (e.g., GRE) and routing (e.g., OSPF) protocols are
run over IPsec tunnels, and the configuration impact on those
protocols must be considered. There is also the case when
L3VPNs operate over IPsec Tunnels.
- In section 4.2, how about:
(replacement text)
3. Gateways MUST allow for the operation of tunneling and
routing protocols operating over spoke-to-spoke IPsec Tunnels
with minimal, or no, configuration impact.
and (new text)
X. The solution SHOULD support BGP/MPLS IP VPNs, see [RFC4364].
If you want, you can make the "SHOULD" a "MUST", and "support" could be
"be compatible with".
I also have a few more minor comments:
- In section 2.1, you introduce the term "NAT gateway" and then later
use just "gateway" when I suspect you mean "NAT gateway". I suggest
using the term "NAT" and thereby not introduce possible confusion
between the gateway term defined in section 1.1 and "NAT gateways".
- In section 2.2, s/occupies/requires
- In sections 2.2 and 3.2 you say dynamic addresses make
static configuration impossible. This doesn't reflect the use of
dynamic DNS to handle these issues (and this is currently supported by some
vendors).
Let me know what you think,
Lou
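The distinction Lou draws in his proposed section 2.2 text, between the simple case where IPsec traffic selectors alone tell a gateway where to send traffic and the case where GRE and a routing protocol run over the IPsec tunnel, can be made concrete with a small model. The following Python block is an added example and is not code from the draft, from the mailing-list thread, or from any vendor; the gateway addresses, site prefixes and the "new prefix behind site C" scenario are all constructed, and the SPD and RIB are simplified to first-match and longest-prefix-match lookups respectively.

```python
"""Toy model of two ways a hub/spoke IPsec gateway decides where traffic goes:
(1) IPsec traffic selectors alone, (2) GRE over IPsec plus a routing table.
Constructed example; addresses and topology are invented for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

GRE_PROTO = 47  # IP protocol number for GRE


@dataclass(frozen=True)
class Selector:
    """One SPD entry: traffic matching src/dst/proto is protected to `peer`."""
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[int]  # None matches any protocol
    peer: str             # IKE peer (tunnel endpoint) whose SA carries the traffic


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: int


def spd_lookup(spd: list[Selector], pkt: Packet) -> Optional[Selector]:
    """First-match over an ordered SPD; no match means the packet is discarded."""
    for sel in spd:
        if pkt.src in sel.src and pkt.dst in sel.dst and sel.proto in (None, pkt.proto):
            return sel
    return None


def rib_lookup(rib: dict[IPv4Network, str], dst: IPv4Address) -> Optional[str]:
    """Longest-prefix match over a routing table mapping prefix -> tunnel peer."""
    best = None
    for prefix, nexthop in rib.items():
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, nexthop)
    return best[1] if best else None


# Constructed topology: gateway A protects 10.1.0.0/24; peers B and C protect 10.2/10.3.
A_GW, B_GW, C_GW = "192.0.2.1", "192.0.2.2", "192.0.2.3"
A_LAN = ip_network("10.1.0.0/24")
SITES = {B_GW: ip_network("10.2.0.0/24"), C_GW: ip_network("10.3.0.0/24")}


def selector_only_spd() -> list[Selector]:
    """'Simple case': one selector per (local LAN, remote LAN) pair, per peer."""
    return [Selector(A_LAN, lan, None, peer) for peer, lan in SITES.items()]


def gre_over_ipsec_spd() -> list[Selector]:
    """GRE case: the SPD only names the tunnel endpoints; prefixes live in the RIB."""
    local = ip_network(A_GW + "/32")
    return [Selector(local, ip_network(peer + "/32"), GRE_PROTO, peer) for peer in SITES]


def forward_selector_only(spd: list[Selector], pkt: Packet) -> Optional[str]:
    """Forwarding decided entirely by the SPD; unmatched traffic is dropped (None)."""
    sel = spd_lookup(spd, pkt)
    return sel.peer if sel else None


def forward_gre(spd: list[Selector], rib: dict[IPv4Network, str], pkt: Packet) -> Optional[str]:
    """Route the inner packet, wrap it in GRE, then match the outer packet against the SPD."""
    peer = rib_lookup(rib, pkt.dst)
    if peer is None:
        return None
    outer = Packet(ip_address(A_GW), ip_address(peer), GRE_PROTO)
    sel = spd_lookup(spd, outer)
    return sel.peer if sel else None


def demo_new_prefix_behind_c() -> tuple[Optional[str], Optional[str]]:
    """Site C adds 10.9.0.0/24. With selectors only, A's SPD must be edited before the
    traffic flows; with GRE, the routing protocol installs the route and the SPD is untouched."""
    pkt = Packet(ip_address("10.1.0.7"), ip_address("10.9.0.5"), 6)
    sel_result = forward_selector_only(selector_only_spd(), pkt)  # no selector: dropped
    rib = {lan: peer for peer, lan in SITES.items()}
    rib[ip_network("10.9.0.0/24")] = C_GW  # what OSPF/BGP over the GRE tunnel would learn
    gre_result = forward_gre(gre_over_ipsec_spd(), rib, pkt)       # reaches C
    return sel_result, gre_result


if __name__ == "__main__":
    print(demo_new_prefix_behind_c())
```

The point the model makes is the one behind the proposed requirement text: in the selector-only design every new prefix is a configuration change on every gateway that must reach it, whereas with a tunnel interface and a routing protocol the IPsec configuration is one entry per peer and reachability is learned. Nothing here models the L3VPN-over-IPsec case; that only adds a further layer of forwarding state above the same outer selector.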