IETF Logo Mail Archive

Re: [IPsec] routing protocols for ADVPN

Michael Richardson <mcr+ietf@sandelman.ca> Mon, 09 December 2013 13:55 UTC

Return-Path: <mcr@sandelman.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F351A1AE2D3 for <ipsec@ietfa.amsl.com>; Mon, 9 Dec 2013 05:55:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 44mcyVeR5dQv for <ipsec@ietfa.amsl.com>; Mon, 9 Dec 2013 05:55:36 -0800 (PST)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3::184]) by ietfa.amsl.com (Postfix) with ESMTP id 6C9AE1AE2DE for <ipsec@ietf.org>; Mon, 9 Dec 2013 05:55:35 -0800 (PST)
Received: from sandelman.ca (desk.marajade.sandelman.ca [209.87.252.247]) by tuna.sandelman.ca (Postfix) with ESMTP id 8867920038; Mon, 9 Dec 2013 10:09:03 -0500 (EST)
Received: by sandelman.ca (Postfix, from userid 179) id E200263B89; Mon, 9 Dec 2013 08:55:20 -0500 (EST)
Received: from sandelman.ca (localhost [127.0.0.1]) by sandelman.ca (Postfix) with ESMTP id CDF5663848; Mon, 9 Dec 2013 08:55:20 -0500 (EST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: "Frederic Detienne (fdetienn)" <fdetienn@cisco.com>
In-Reply-To: <FA5DF9DF-9C66-4391-956C-EF5F960E969E@cisco.com>
References: <19440.1386355293@sandelman.ca> <9B680FCE-8C84-4CB0-8772-EA18B853068A@cisco.com>, <24940.1386526107@sandelman.ca> <4DA84062-FA71-4651-9DED-5BAD6FB623BA@cisco.com> <31446.1386536850@sandelman.ca> <FA5DF9DF-9C66-4391-956C-EF5F960E969E@cisco.com>
X-Mailer: MH-E 8.2; nmh 1.3-dev; GNU Emacs 23.4.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha1"; protocol="application/pgp-signature"
Date: Mon, 09 Dec 2013 08:55:20 -0500
Message-ID: <10325.1386597320@sandelman.ca>
Sender: mcr@sandelman.ca
Cc: "<ipsec@ietf.org>" <ipsec@ietf.org>
Subject: Re: [IPsec] routing protocols for ADVPN
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Dec 2013 13:55:39 -0000

Frederic Detienne (fdetienn) <fdetienn@cisco.com> wrote:
    >> Again, as I said.
    >> This protocl is infinitely flexible, which means that there is no
    >>interoperability.

    > So like…  everyone implements all the cypher suites in IKE so IKE does
    > not work ? or  BGP is inflexible and/or there is no interoperability ?
    > Or the Internet uses a single protocol ?

We have specified a number of mandatory to implement cipher protocols.
IKE *itself* is mandatory if you are doing automatic keying.  IKE performs
the operation of getting agreement on various things.  This is how the
Internet works.

    > Now if it helps clarifying our position:

    > - no routing protocol is mandatory. It is up to the customer to specify
    > the adjunction of a routing protocol in their RFP (should they need a
    > routing protocol)

RFP?   I speak regularly about the need for specific profiles or
applicability statements so that customers can be very clear in their RFPs.
You have just turned over the entire test process to the customer: we might
as well go home.

    > - IKE CFG Exchange MUST be supported as it is defined in IKEv2 and is
    > not specified as optional.

I understand that this is going to specify the IP of the virtual interface on
which the routing is going to occur.   I don't know how it is going to
automatically tune any of the important things, including the way the routing
policy is going to be influenced.

I also think that you've completely missed how the software is going to get
deployed onto mobile devices: it won't be Cisco or Juniper providing some
software that installs on an Android or iOS or WinPhone device, it's going to
be Google/Samsung/Motorola/HTC and Apple and Microsoft.

The customer's RFP will be limited by what they can get from those companies,
and if you don't specify it well enough, please expect to make code changes
to your core routing platforms to accomodate interoperability issues there.

    >>> The smartphone version can be happily limited to CFG exchange which is
    >>> part of IKE. No routing protocol necessary.
    >>
    >> So, how does my smartphone tell your smartphone where it is so that
    >> the RTP
    >> traffic can flow directly, if neither one of us has a routing
    > >protocol, or if
    >> we have different onces?

    > Because there is no reliance AT ALL on the routing protocol (or IKE CFG
    > policies) between spokes. Between spokes, the only protocols in play
    > are NHRP and IPsec/IKE as given in draft-detienne.

    > It is NHRP that installs that discovers the shortcut path and the
    > shortcut policy is installed solely based on that protocol. The routing
    > protocol(s) (or IKEv2 CFG subnets) is/are irrelevant.

Ah. I see.
I don't need a routing protocol, I just need NHRP on the smartphone.
Thank you for this clarification.

    > Can someone PLEASE explain me how draft-sathyanarayan covers multicast,
    > scalability (more than 256 networks per branch) and dynamic network
    > changes behind the spoke ? I will have other questions after that.

multicast is a good question.
I would like to understand why 256 networks per branch is an issue beyond the
problem of IPv4 RFC1918 address space.

    >> We see modification of anything else as a challenge; and a security
    >> threat.

    > That is another strange point… what "else" does draft-detienne "modify"
    > ? Can you elaborate on that ?

Routing protocols have been deseperately hard to secure.  Many organizations
that wish to deploy ADVPN mechanisms want to do so across multiple
administrative and jurisdictional domains: a group key based mechanism common
in OSPF isn't going to pass the security thread analysis.

We will need mechanisms such as SIDR (RPKI) achieve the same level of
security with a layered approach as we have with star-topology based IKE.

And I'm still unclear which routing protocol lets routes for RTP traffic be
redirected, but not port-80 (or port-139!) traffic.  So there will have to be
extensions there too.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works

v2.23.0 | Report a Bug | By Email