Re: [IPsec] Some comments / questions on draft-ietf-ipsecme-ad-vpn-problem

Vishwas Manral <vishwas.ietf@gmail.com> Wed, 05 December 2012 20:06 UTC

Return-Path: <vishwas.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4819521F8AF5 for <ipsec@ietfa.amsl.com>; Wed, 5 Dec 2012 12:06:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.148
X-Spam-Level:
X-Spam-Status: No, score=-3.148 tagged_above=-999 required=5 tests=[AWL=-0.150, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_14=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kCWX+YPERkug for <ipsec@ietfa.amsl.com>; Wed, 5 Dec 2012 12:06:44 -0800 (PST)
Received: from mail-qc0-f172.google.com (mail-qc0-f172.google.com [209.85.216.172]) by ietfa.amsl.com (Postfix) with ESMTP id 110BB21F8722 for <ipsec@ietf.org>; Wed, 5 Dec 2012 12:06:43 -0800 (PST)
Received: by mail-qc0-f172.google.com with SMTP id b25so3223722qca.31 for <ipsec@ietf.org>; Wed, 05 Dec 2012 12:06:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=I68MjjVHtQ0T+lmh7uBU/oj3z99kQSB65veQPxRkbWc=; b=e2uaEsbnyewlG/JXbK++9R+qAiriBYmW9AQEXGwKfGoHdN+mRKR7nO0YV6L9yn7iWR uoTzv+fCwel0sB2RPL986Bec4pn8vKIsig1PUD6JsxaiMQm6sYVE7oYQJN7KJxwTTWJO hAxPxkP8zFJ+6271CyNPT/m4xD4SqB5fbEJKnh6ENIhv1xrJVjJcSv7S5dqsvGHhu7Lx Ie+UT921gE3+HhamA90E8eNAXzI1rfx9wTP1ZY6+OiBLuRaAxN4GaIJSkteLEuiJ6aU1 zHk9dwoOiWDG+9FRH5I+8QyLGxwyRKgBFH7ApJB0KNssRUNn4U6nQo9y3Yrt2yITo6h7 brLw==
MIME-Version: 1.0
Received: by 10.229.234.158 with SMTP id kc30mr7042913qcb.52.1354738003447; Wed, 05 Dec 2012 12:06:43 -0800 (PST)
Received: by 10.229.92.77 with HTTP; Wed, 5 Dec 2012 12:06:43 -0800 (PST)
In-Reply-To: <50BFA4C0.1060909@labn.net>
References: <50A5703F.4070305@labn.net> <CAOyVPHTWhv8=sP6kYkZmOEsjMsdr72P8fe=7w5XY0Hd_wP_9=w@mail.gmail.com> <50A58CDB.30402@labn.net> <CAOyVPHQ+n83DaVv6Q9Z0kvi0MyYrhPbB=L6ju4fwjTyRK1P22Q@mail.gmail.com> <50A682F8.9080907@labn.net> <CAOyVPHSvWhgaYm2s_8_37VuaR1e_5tiJai+04AKzm3HXkNwESg@mail.gmail.com> <50A689A9.1090803@labn.net> <CAOyVPHR1euA9TRnAp7V+OKjRkPARYYvQ+C0HnA70y-122sy9ZQ@mail.gmail.com> <50A68D30.2040203@labn.net> <CAOyVPHR4OVNuvMU-UxZAJUoKFugCWwUQq0dSRo-7gY=Y886LoQ@mail.gmail.com> <CAOyVPHRopwvE5U3ZF7kDxNe59OgTk7ydoFG6iqvZdOFUCvaGyA@mail.gmail.com> <50BE30D9.4030903@labn.net> <CAOyVPHSXQQt_31Y2MP+iMe8d0MCxSyKzVvCLL-HLkcggaOKuMw@mail.gmail.com> <50BE4A60.1000303@labn.net> <CAOyVPHSkGVvGD2bMgk-vp3DO0o9N9Zt6mf4SnaL4L9ZFR8NRHg@mail.gmail.com> <50BFA4C0.1060909@labn.net>
Date: Wed, 05 Dec 2012 12:06:43 -0800
Message-ID: <CAOyVPHQu+NyQvxMjHJ0=0YtrH6rerU-etEmqQKTKP4jt4sHZgw@mail.gmail.com>
From: Vishwas Manral <vishwas.ietf@gmail.com>
To: Lou Berger <lberger@labn.net>
Content-Type: multipart/alternative; boundary="001636c928a975907a04d020859e"
Cc: IPsecme WG <ipsec@ietf.org>
Subject: Re: [IPsec] Some comments / questions on draft-ietf-ipsecme-ad-vpn-problem
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Dec 2012 20:06:46 -0000

Hi Lou,

> Thanks for your close reading of the document. I am attaching the
> > changed document. Please let me know if it looks good.
> >
> >     On 11/15/2012 7:14 PM, Vishwas Manral wrote:
> >     >     - In section 2.2, I think mentioning something about the
> routing
> >     >     implications is worthwhile. How about at the end of the
> >     section adding
> >     >     something along the lines of :
> >     >
> >     >         Additionally, the routing implications of
> gateway-to-gateway
> >     >         communication must be addressed.  In the simple case,
> >     >         selectors provide sufficient information for a gateway to
> >     >         forward traffic appropriately.  In other cases, additional
> >     >         tunneling (e.g., GRE) and routing (e.g., OSPF) protocols
> are
> >     >         run over IPsec tunnels, and the configuration impact on
> those
> >     >         protocols must be considered.  There is also the case when
> >     >         L3VPNs operate over IPsec Tunnels.
> >     >
> >     > We can add something in the lines of additional protocols are run
> over
> >     > the IPsec tunnels and the solution should make an effort to allow
> for
> >     > additional protocols like OSPF to be run optimally without too many
> >     > changes in configuration.
> >
>
> I don't see any changes in 2.2 related to this (old) comment on routing
> implications, am I missing something?
>
> I am a bit confused here.

You said
" I think this text is closer, but I think a few additional changes are
needed:
 - GRE and OSPF are examples, so "i.e." should be replaced with "e.g."
 - I think the final sentence is likely to be incorrect in many / most
   real world cases, so would drop the sentence (from "Routing using
   the tunnels can work...")"

I performed the changes you asked for. For the second part I have told you
the reason below. What am I missing?

>
> >
> >
> >     In section 4.1 we had discussed replacement text for 3:
> >     On 11/16/2012 12:49 PM, Vishwas Manral wrote:
> >     >>On 11/15/2012 5:44 PM, Lou Berger wrote:
> >     >>     - In section 4.2, how about:
> >     >>        (replacement text)
> >     >>        3.  Gateways MUST allow for the operation of tunneling and
> >     >>        routing protocols operating over spoke-to-spoke IPsec
> Tunnels
> >     >>        with minimal, or no, configuration impact.
> >     >
> >     >VM> Ok will specifically specify tunnels and routing protocols.
> >
> >     You have the following alternate / revised text:
> >        3.  In many cases additional tunneling protocols (i.e.  GRE) or
> >        Routing protocols (i.e.  OSPF) are run over the IPsec tunnels.
> >        Gateways MUST allow for the operation of tunneling and Routing
> >        protocols operating over spoke-to-spoke IPsec Tunnels with
> minimal or
> >        no, configuration impact.  Routing using the tunnels can work
> >        seamlessly without any updates to the higher level application
> >        configuration i.e.  OSPF configuration, when the tunnel parameter
> >        changes.
> >
> >     I think this text is closer, but I think a few additional changes are
> >     needed:
> >      - GRE and OSPF are examples, so "i.e." should be replaced with
> "e.g."
> >      - I think the final sentence is likely to be incorrect in many /
> most
> >        real world cases, so would drop the sentence (from "Routing using
> >        the tunnels can work...")
> >
> > I changed the "can" to a SHOULD for the second part. The idea is no
> > changes should happen in configuration and our current solution allows
> > that for most cases (hence SHOULD).
>
> I think this is worse.  Now you're placing requirements on routing
> protocols which IMO should not care if (or be aware of when) the tunnel
> they are running on is IPsec or carried via IPsec.
>
> What additional point are you trying to make in the following sentence?
>    Routing using the tunnels SHOULD work
>    seamlessly without any updates to the higher level application
>    configuration i.e.  OSPF configuration, when the tunnel parameter
>    changes.
>
> Can the sentence just be dropped?
>
> VM> I think this is an important requirement. A tunnel should be able to
provide an interface by which when tunnel IP parameters change we do not
have to change any configuration for higher application like Routing. I had
earlier mentioned in more generic terms earlier but changed to the terms
provided based on feedback from the list.

The entire idea is the with scale configuration needs to be reduced and
that needs to happen across layers, so every layer needs to provide the
service. Let me know what it is I am unable to convey.

>
>
> I've seen this supported on some firewall products in conjunction with
> dynamic DNS.  I used one for a couple of years (the spoke used a dynamic
> address + DDNS.)  I certainly deffer to the WG on if such usage should
> be referenced in this document.  You are, after all, the experts on this
> and I'm just an occasional user...
>
> some possible text for section 2.2. could be:
> OLD
>    The gateways can themselves come up and down, getting different IP
>    addresses in the process, making static configuration impossible.
> NEW
>    The solution should also address the case where gateways use dynamic
>    IP addresses.
>
I am not sure how to 2 sentences mean the same thing, with DDNS inputs you
have given. Are you saying keep the old text as well as add the new text.

>
> and section 3.2, perhaps something like:
> OLD
>    This solution however does not work when the spokes get dynamic IP
>    address which the "hub gateways" cannot be configured with.
> NEW
>    This solution however is complicated by the case when the spokes
>    use dynamic IP addresses and DNS with dynamic updates must be used.
>
>  Same comment as above.

Thanks,
Vishwas

> Thanks,
> Lou
>
> >
> > Thanks,
> > Vishwas
> >
> >
> >
> > _______________________________________________
> > IPsec mailing list
> > IPsec@ietf.org
> > https://www.ietf.org/mailman/listinfo/ipsec
> >
>