Re: [IPsec] AD-VPN Protocol Selection

"Frederic Detienne (fdetienn)" <fdetienn@cisco.com> Wed, 05 February 2014 23:29 UTC


> On 03 Feb 2014, at 16:02, "Michael Richardson" <mcr+ietf@sandelman.ca> wrote:
> 
> 
> Harms, Patrick <Patrick.Harms@vwfs.com> wrote:
>> - is allowing to add 'spokes' without configuration changes on the 'hub'
>> devices (8.1 dmvpn draft)
> 
>> For me, this is an important point. Changing the configuration on the hub
>> routers every time a spoke is added to the network would make the rollout
>> process too complex and is a possible source of failures.
> 
> I don't see how you can add a spoke in any system without requiring some
> changes to at least one hub and/or the database/LDAP/etc. which keeps track
> of all the spokes.

Not sure you have read the requirements, but it is one of them.

The difficulty of the exercise is to be able to support both static and dynamic policies with a single protocol.

>> Based on the theories (advpn draft and dmvpn) and real-world experience
>> (dmvpn), I would favor dmvpn, because the handling and operating sound less
>> complex (e.g. lower number of steps in tunnel initiation, single logical
>> interface for tunnel termination, etc.).
> 
> Do you care about mobile (handheld) devices?

Somehow you must be mistaken in believing it can't be done.

> 
> --
> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works