IETF Logo Mail Archive

Re: [IPsec] Some comments / questions on draft-ietf-ipsecme-ad-vpn-problem

Vishwas Manral <vishwas.ietf@gmail.com> Fri, 16 November 2012 19:10 UTC

Return-Path: <vishwas.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4A04921F8A67 for <ipsec@ietfa.amsl.com>; Fri, 16 Nov 2012 11:10:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.473
X-Spam-Level:
X-Spam-Status: No, score=-2.473 tagged_above=-999 required=5 tests=[AWL=-0.075, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_13=0.6, J_CHICKENPOX_14=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PReBDlbHMaxZ for <ipsec@ietfa.amsl.com>; Fri, 16 Nov 2012 11:10:56 -0800 (PST)
Received: from mail-lb0-f172.google.com (mail-lb0-f172.google.com [209.85.217.172]) by ietfa.amsl.com (Postfix) with ESMTP id 47F9521F85FC for <ipsec@ietf.org>; Fri, 16 Nov 2012 11:10:55 -0800 (PST)
Received: by mail-lb0-f172.google.com with SMTP id y2so2587737lbk.31 for <ipsec@ietf.org>; Fri, 16 Nov 2012 11:10:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=x7kOKukCFAMtsT7FxvPZh7XQb7jmT5f1oZUL+Paj4SY=; b=stvlz3wwQllKWwWmnppgcWCt6u380TMn9K4bXdB9QueCEazLPpXwupJ5RLD/sl8cq6 7IizZQnOa+SAQboffnDBSPfyCpysTG6Ywl1rroyN7nffp2TUz25PBQg1+nP7//6F6zK1 /p/ukGrP0/gcJqhs0KtX5ved52ha5BlhhLMmUPMTrD11oyfn5UqN47DIGfXPFedhRngM AoIiuA1GlZkN3RA0PPjIYPx8rSHCFYh/wr7HWov5Awb1aT9GjLWLckqXI4MALWoxsTrq d84TTOV5/SfVdphojmnzM9pMqZjBPMiyBKarO12FE8Ouj7acookqgXNigPy5DS3ggpBn SSEQ==
MIME-Version: 1.0
Received: by 10.152.104.240 with SMTP id gh16mr5168863lab.56.1353093054080; Fri, 16 Nov 2012 11:10:54 -0800 (PST)
Received: by 10.114.75.110 with HTTP; Fri, 16 Nov 2012 11:10:54 -0800 (PST)
In-Reply-To: <50A68D30.2040203@labn.net>
References: <50A5703F.4070305@labn.net> <CAOyVPHTWhv8=sP6kYkZmOEsjMsdr72P8fe=7w5XY0Hd_wP_9=w@mail.gmail.com> <50A58CDB.30402@labn.net> <CAOyVPHQ+n83DaVv6Q9Z0kvi0MyYrhPbB=L6ju4fwjTyRK1P22Q@mail.gmail.com> <50A682F8.9080907@labn.net> <CAOyVPHSvWhgaYm2s_8_37VuaR1e_5tiJai+04AKzm3HXkNwESg@mail.gmail.com> <50A689A9.1090803@labn.net> <CAOyVPHR1euA9TRnAp7V+OKjRkPARYYvQ+C0HnA70y-122sy9ZQ@mail.gmail.com> <50A68D30.2040203@labn.net>
Date: Fri, 16 Nov 2012 11:10:54 -0800
Message-ID: <CAOyVPHR4OVNuvMU-UxZAJUoKFugCWwUQq0dSRo-7gY=Y886LoQ@mail.gmail.com>
From: Vishwas Manral <vishwas.ietf@gmail.com>
To: Lou Berger <lberger@labn.net>
Content-Type: multipart/alternative; boundary="f46d04088e11d6272604cea186a5"
Cc: IPsecme WG <ipsec@ietf.org>
Subject: Re: [IPsec] Some comments / questions on draft-ietf-ipsecme-ad-vpn-problem
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Nov 2012 19:10:57 -0000

Thanks Lou,

Let me heard back from the WG on this, if they have any opinion. If not we
can go ahead with your suggestion.

-Vishwas

On Fri, Nov 16, 2012 at 11:00 AM, Lou Berger <lberger@labn.net> wrote:

> Vishwas,
>
> On 11/16/2012 1:48 PM, Vishwas Manral wrote:
> > Hi Lou,
> >
> > Got it. Can you suggest some text for this? I will try to incorporate
> > the same into the document.
>
> Assuming you don't like my prior attempt:
> X.  The solution SHOULD support BGP/MPLS IP VPNs, see [RFC4364].
>
> How about something like:
> X. The solution MUST support Provider Edge (PE) based VPNs.
>
> Note that this phrasing doesn't indicate a specific solutions which is
> why I now suggest "MUST" vs "SHOULD".
>
> Lou
>
> >
> > Thanks,
> > Vishwas
> >
> > On Fri, Nov 16, 2012 at 10:44 AM, Lou Berger <lberger@labn.net
> > <mailto:lberger@labn.net>> wrote:
> >
> >     Vishwas,
> >             Sure, but it's the BGP information that indicates what IPsec
> >     tunnels
> >     are needed / when the SAs get established...
> >
> >     Again, I just asking for language that points to this use case, not
> >     implementation details.
> >
> >     Thanks,
> >     Lou
> >
> >     On 11/16/2012 1:34 PM, Vishwas Manral wrote:
> >     > Hi Lou,
> >     >
> >     >> I'm not sure I agree with this statement.  Let's say you have
> >     >> a BGP VPN that uses IPsec tunnels between the PEs (which
> >     >> was described in a couple of expired drafts and can be supported
> >     >> using RFC5566), and then wants to be able to use dynamic PE
> >     >> to PE IPsec tunnels.  Does this fit your "2 different layer"
> >     >> perspective?
> >     > IPsec with ADVPN secures the tunnel and creates the mesh underlay
> on
> >     > need basis/ or automatically. L3VPN creates the overlay,
> >     identifies the
> >     > tenant/ customer a packet belongs to and passes the packet on.
> >     >
> >     > Where do we see the need for tighter integration here? Is it
> allowing
> >     > the ability to create groups of ADVPN instances?
> >     >
> >     > Thanks,
> >     > Vishwas
> >     >
> >     > On Fri, Nov 16, 2012 at 10:16 AM, Lou Berger <lberger@labn.net
> >     <mailto:lberger@labn.net>
> >     > <mailto:lberger@labn.net <mailto:lberger@labn.net>>> wrote:
> >     >
> >     >     Vishwas,
> >     >
> >     >     Please see below.
> >     >
> >     >     On 11/16/2012 12:49 PM, Vishwas Manral wrote:
> >     >     > Hi Lou,
> >     >     >
> >     >     > Thanks for the quick reply. Just a few comments prefixed
> >     with a "VM>":
> >     >     >
> >     >     >     >
> >     >     >     > We can add something in the lines of additional
> protocols
> >     >     are run over
> >     >     >     > the IPsec tunnels and the solution should make an
> >     effort to
> >     >     allow for
> >     >     >     > additional protocols like OSPF to be run optimally
> without
> >     >     too many
> >     >     >     > changes in configuration.
> >     >     >     >
> >     >     >     > Infact we have a requirement to the effect in section
> 4.1
> >     >     >
> >     >     >     yes, this is what I referred to as 4.2 below, and
> >     suggested some
> >     >     >     replacement text...
> >     >     >
> >     >     > OK got it.
> >     >     >
> >     >     >     >
> >     >     >     >     Gateways MUST allow tunnel binding, such that
> >     >     applications like
> >     >     >     >    Routing using the tunnels can work seamlessly
> >     without any
> >     >     >     updates to
> >     >     >     >    the higher level application configuration i.e.
>  OSPF
> >     >     >     configuration.
> >     >     >     >
> >     >     >     >     - In section 4.2, how about:
> >     >     >     >        (replacement text)
> >     >     >     >        3.  Gateways MUST allow for the operation of
> >     >     tunneling and
> >     >     >     >        routing protocols operating over spoke-to-spoke
> >     IPsec
> >     >     Tunnels
> >     >     >     >        with minimal, or no, configuration impact.
> >     >     >
> >     >     > VM> Ok will specifically specify tunnels and routing
> protocols.
> >     >     >
> >     >
> >     >     Great.
> >     >
> >     >     >
> >     >     >     >
> >     >     >     >
> >     >     >     >        X.  The solution SHOULD support BGP/MPLS IP
> >     VPNs, see
> >     >     >     [RFC4364].
> >     >     >     >
> >     >     >     >     If you want, you can make the "SHOULD" a "MUST",
> and
> >     >     "support"
> >     >     >     could be
> >     >     >     >     "be compatible with".
> >     >     >     >
> >     >     >     > I do not want to go ahead into details of what other
> >     routing
> >     >     solutions
> >     >     >     > it should support.
> >     >     >     >
> >     >     >     > With that said I am not sure what you mean by having
> BGP
> >     >     MPLS VPN
> >     >     >     in an
> >     >     >     > ADVPN scenario. BGP MPLS VPN is a provider provisioned
> VPN
> >     >     solution,
> >     >     >     > this is a customer provisioned one.
> >     >     >
> >     >     >     Ahh, interesting point.  When I read the document I was
> >     >     looking to see
> >     >     >     if it was scoped purely to CE/customer based solutions.
> >     >      Reading section
> >     >     >     2 (intro) and 2.2, I saw no such restriction.  So I think
> >     >     section 2.2
> >     >     >     should be explicit on this point either way. Which is
> why I
> >     >     proposed the
> >     >     >     text "There is also the case when L3VPNs operate over
> IPsec
> >     >     Tunnels."
> >     >     >     (To explicitly include this case.)  If the WG wants this
> >     case
> >     >     excluded,
> >     >     >     that's fine too.
> >     >     >
> >     >     > VM> It is not scoped purely as a CE device scenario, and
> >     after seeing
> >     >     > your comment I see no reason to leave that out of scope
> >     (though if I
> >     >     > understand your concern better I may feel otherwise). L3VPN
> >     can work
> >     >     > over GRE tunnels/ L2TP tunnels, which can themselves use
> IPsec.
> >     >     Again in
> >     >     > my view the L3VPN and the IPsec VPN are 2 different layers
> >     in the
> >     >     stack
> >     >     > if they run on the same device.
> >     >
> >     >     I'm not sure I agree with this statement.  Let's say you have
> >     a BGP VPN
> >     >     that uses IPsec tunnels between the PEs (which was described
> >     in a couple
> >     >     of expired drafts and can be supported using RFC5566), and
> >     then wants to
> >     >     be able to use dynamic PE to PE IPsec tunnels.  Does this fit
> >     your "2
> >     >     different layer" perspective?
> >     >
> >     >     Either way, I think such usage should be explicitly in scope
> >     as it is a
> >     >     very different model / use case from CE-based IPsec VPNs.
> >     >
> >     >     > Do you see a reason to explicitly
> >     >     > mention L3VPN in this case?
> >     >
> >     >     I'm open to different ways to cover the above.
> >     >
> >     >     Much thanks,
> >     >     Lou
> >     >     >
> >     >     > Thanks,
> >     >     > Vishwas
> >     >     >
> >     >     >
> >     >     >
> >     >     >     > I see the 2 working in different
> >     >     >     > layers, and interacting only in edge gateways where
> both
> >     >     solutions
> >     >     >     have
> >     >     >     > an edge.
> >     >     >
> >     >     >     Sure, but the problem exists for both.
> >     >     >
> >     >     >     Thanks,
> >     >     >     Lou
> >     >     >     >
> >     >     >     >
> >     >     >     >     I also have a few more minor comments:
> >     >     >     >
> >     >     >     > I am ok with the minor suggestions you have.
> >     >     >     >
> >     >     >     > Thanks,
> >     >     >     > Vishwas
> >     >     >     >
> >     >     >     >
> >     >     >     >
> >     >     >     >     - In section 2.1, you introduce the term "NAT
> >     gateway" and
> >     >     >     then later
> >     >     >     >     use just "gateway" when I suspect you mean "NAT
> >     gateway".  I
> >     >     >     suggest
> >     >     >     >     using the term "NAT" and thereby not introduce
> >     possible
> >     >     confusion
> >     >     >     >     between the gateway term defined in section 1.1
> >     and "NAT
> >     >     >     gateways".
> >     >     >     >
> >     >     >     >     - In section 2.2, s/occupies/requires
> >     >     >     >
> >     >     >     >     - In sections 2.2, and Section 3.2 you say dynamic
> >     >     addresses makes
> >     >     >     >     static configuration impossible.  This doesn't
> reflect
> >     >     the use of
> >     >     >     >     dynamic dns to handle this issues (and is currently
> >     >     supported
> >     >     >     by some
> >     >     >     >     vendors.)
> >     >     >     >
> >     >     >     >     Let me know what you think,
> >     >     >     >     Lou
> >     >     >     >     _______________________________________________
> >     >     >     >     IPsec mailing list
> >     >     >     >     IPsec@ietf.org <mailto:IPsec@ietf.org>
> >     <mailto:IPsec@ietf.org <mailto:IPsec@ietf.org>>
> >     >     <mailto:IPsec@ietf.org <mailto:IPsec@ietf.org>
> >     <mailto:IPsec@ietf.org <mailto:IPsec@ietf.org>>>
> >     >     <mailto:IPsec@ietf.org <mailto:IPsec@ietf.org>
> >     <mailto:IPsec@ietf.org <mailto:IPsec@ietf.org>>
> >     >     >     <mailto:IPsec@ietf.org <mailto:IPsec@ietf.org>
> >     <mailto:IPsec@ietf.org <mailto:IPsec@ietf.org>>>>
> >     >     >     >     https://www.ietf.org/mailman/listinfo/ipsec
> >     >     >     >
> >     >     >     >
> >     >     >     >
> >     >     >
> >     >     >
> >     >
> >     >
> >
> >
>

v2.37.1 | Report a Bug | By Email | System Status