Re: [IPsec] AD-VPN Protocol Selection

Michael Richardson <mcr+ietf@sandelman.ca> Mon, 03 February 2014 15:02 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: "Harms, Patrick" <Patrick.Harms@vwfs.com>
In-Reply-To: <87BCDFB0B867FB4A85DB44EE8946E2458407E6F6@FSDEBSSXD111.fs01.vwf.vwfs-ad>
References: <87BCDFB0B867FB4A85DB44EE8946E2458407E6F6@FSDEBSSXD111.fs01.vwf.vwfs-ad>
Date: Mon, 03 Feb 2014 10:02:30 -0500
Message-ID: <9636.1391439750@sandelman.ca>
Sender: mcr@sandelman.ca
Cc: "'ipsec@ietf.org'" <ipsec@ietf.org>
Subject: Re: [IPsec] AD-VPN Protocol Selection

Harms, Patrick <Patrick.Harms@vwfs.com> wrote:
    > - allows adding 'spokes' without configuration changes on the 'hub'
    > devices (8.1 dmvpn draft)

    > For me, this is an important point. Changing the configuration on the hub
    > routers every time a spoke is added to the network would make the rollout
    > process too complex and is a possible source of failures.

I don't see how you can add a spoke in any system without requiring some
changes to at least one hub and/or the database/LDAP/etc. which keeps track
of all the spokes.

    > Based on the theories (advpn draft and dmvpn) and real-world experience
    > (dmvpn), I would favor dmvpn, because the handling and operating sound less
    > complex (e.g. a lower number of steps in tunnel initiation, a single logical
    > interface for tunnel termination, etc.).

Do you care about mobile (handheld) devices?

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works