Re: [IPsec] clariciations for draft-sathyanarayan-ipsecme-advpn-03
Daniel Migault <mglt.ietf@gmail.com> Thu, 06 February 2014 08:20 UTC
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 794191A0092 for <ipsec@ietfa.amsl.com>; Thu, 6 Feb 2014 00:20:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XX1vH35vySQ3 for <ipsec@ietfa.amsl.com>; Thu, 6 Feb 2014 00:20:10 -0800 (PST)
Received: from mail-wi0-x229.google.com (mail-wi0-x229.google.com [IPv6:2a00:1450:400c:c05::229]) by ietfa.amsl.com (Postfix) with ESMTP id 471731A018E for <ipsec@ietf.org>; Thu, 6 Feb 2014 00:20:10 -0800 (PST)
Received: by mail-wi0-f169.google.com with SMTP id e4so1286696wiv.0 for <ipsec@ietf.org>; Thu, 06 Feb 2014 00:20:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=nhhXBpiW4B9r55tSx8aVpRDWhoovWlN6EojvkEizqvA=; b=DqwyHGbuPU3hQM8eeMH/Ut61hQegi1YdoSXAUchs1zjFFsyaDf9f5uMhOxe9GrCKKV lpDwBCOHMe5Htvh+9OYZJ3ECc7rk/haDYvuF31x3/9BVT2m94+2Hq3YpY+qiYnuOEuG+ VKveOmdjbPXmV6MSghm7wf3bj2E3hGhx/7h2tk6cAEpDh8J3z5CdWAG8eQgLCy8oNlrm PHOwbcUSHcI7QPfEs1EhbmMcoFS8J/xW4YWpqfcCHlNky0P3z3SdnneiG7oE8ztQGuOH w5kDL9Q+LsV6cjqeDOJ517oH1M56e7NCXvgOSTqjJGPXNj5MpX3AhnyFJKy4j4kS2SXv g90g==
MIME-Version: 1.0
X-Received: by 10.180.13.33 with SMTP id e1mr20515652wic.38.1391674808697; Thu, 06 Feb 2014 00:20:08 -0800 (PST)
Received: by 10.194.171.129 with HTTP; Thu, 6 Feb 2014 00:20:08 -0800 (PST)
In-Reply-To: <20140205135046.61c4f7a5@vostro>
References: <7DC80D6C-3342-43C3-9407-E5D25CB5F5CD@cisco.com> <CF02A72F.6A65A%praveenys@juniper.net> <20140205135046.61c4f7a5@vostro>
Date: Thu, 06 Feb 2014 09:20:08 +0100
Message-ID: <CADZyTkmaZL9=0_cuu4TYw0M_846TWONMcOWQyEYr24m4YOyGWQ@mail.gmail.com>
From: Daniel Migault <mglt.ietf@gmail.com>
To: Timo Teras <timo.teras@iki.fi>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: "<ipsec@ietf.org> WG" <ipsec@ietf.org>, "Frederic Detienne (fdetienn)" <fdetienn@cisco.com>, Praveen Sathyanarayan <praveenys@juniper.net>
Subject: Re: [IPsec] clariciations for draft-sathyanarayan-ipsecme-advpn-03
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Feb 2014 08:20:18 -0000
Hi Timo, Thanks for the feed back. We are happy you provide requirements over "dynamically routing subnets" as a MUST. ADVPN responds to the requirements listed in RFC7018. If there is a requirement that does not match you opinion, can you please point it out? Just to make it clear this 1 day time has never been mentioned in the draft and is your assumption. The use of TTL does not impose a 1 day and ADVPN can take advantage of the Redirect Mechanism or MOBIKE for multihoming. As you can see the ADVPN solution can take advantage of all previous and future featured designed for IKEv2. As you point out the key characteristic of our design is its flexibility. RFC5685 is not limited to client-gateway, the second line of the section 10 you pointed out says: [...] the mechanism can also be used between any two IKEv2 peers. " So no additional specification are required. You mention load balancing may be an issue. Can you please specify the issue you see? One last point to clarify. it seems that you are trying to say ADVPN misses some features provided by routing protocols. In fact ADVPN can take advanatge of ALL of these features as ANY routing protocol can run on the top of ADVPN. This was a MUST requirement of RFC5685. If you see a scenrio that you think does not fit ADVPN, please document it so we can address your specific issue. Best Regards Daniel On Wed, Feb 5, 2014 at 12:50 PM, Timo Teras <timo.teras@iki.fi> wrote: > On Mon, 20 Jan 2014 18:14:58 +0000 > Praveen Sathyanarayan <praveenys@juniper.net> wrote: > >> 1.2 What happens when a prefix administratively changes from behind >> one branch to another ? How do servers get notified about that ? >> >> [PRAVEEN] That's an interesting point Fred, and thanks for bringing >> it up. First, please refer the ADVPN_INFO Payload and >> PROTECTED_DOMAIN sections (3.6 and 3.9, respectively) of >> http://tools.ietf.org/html/draft-sathyanarayan-ipsecme-advpn-03. As a >> general rule, each spoke can download updated PROTECTED_DOMAIN >> information periodically, which advertises everything behind the hub >> and all other spokes combined. Of course, this does not change if >> some subnet has moved from behind spoke A to behind another spoke, B. >> However, the Lifetime attribute of the ADVPN_INFO payload is key >> here. We could see this being employed in a straightforward manner to >> allow for this transition: a) the subnet can "disappear" and be >> unreachable for one Lifetime, or b) the original spoke can redirect >> to the new spoke. >> >> We don't think this matters much in the real world, because people >> don't just move entire subnets instantaneously. Typically, folks stop >> using a subnet in one place, then begin using it in another. This >> makes a lot of sense for several operational reasons, as you would >> imagine. In fact, experience shows that since routing doesn't update >> across the world immediately, best practice would, for instance, >> indicate that it's best to wait a day between stopping using the >> subnet in one place and starting to use it in another place. In this >> case, a Lifetime of one day or less should be just fine (and we're >> thinking that, in fact, an hour would be a reasonable Lifetime value >> in practice). >> >> We would indeed argue that using Lifetime allows us to make the basic >> implementation of ADVPN handle a transition from one administrative >> domain to another in a straightforward manner. A redirection based on >> RFC5685 re-uses an already defined mechanism and makes the transition >> immediate, if/when necessary. This is one more argument for >> draft-sathyanarayan-ipsecme-advpn as it illustrates the modularity of >> our ADVPN proposal _and_ keeps the implementation simple. > > I disagree. IMGO, dynamically routing subnets is a MUST. > > Multiple scenarios exist. But to name one: > > I have complex site with multiple internal links and dynamic internal > routing connected to ADVPN via two or more spokes (connected via > different ISP lines). > > All the spokes can route to all subnets inside that site to provide > redundancy, and in some cases load balancing. > > If one spoke's ISP line dies, or if the internal routing protocol > decides other wise (e.g. intra-site link fails), the spokes should > dynamically move the subnet from one to another. > > Having a failover time of _a day_ is unacceptable. > > The redirect mechanism seems to be limited to client-gateway > connections, and only the gateway can send it (rfc5685 point 10). This > is not true in advpn context as any spoke may want to later on redirect > the SA of subnet it originally initiated. Using redirect would need > additional specifications to be usable. > > Then there is also the case of load balancing... etc. > > I do agree that subnets should be authorized to be routed. I do that in > existing dmvpn install, by means of automatically filtering the > announced routes based on the presented certificate. That is, the > certificate tells which subnets it can announce. > > - Timo > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec -- Daniel Migault Orange Labs -- Security +33 6 70 72 69 58
- [IPsec] clariciations for draft-sathyanarayan-ips… Frederic Detienne (fdetienn)
- Re: [IPsec] clariciations for draft-sathyanarayan… Frederic Detienne (fdetienn)
- Re: [IPsec] clariciations for draft-sathyanarayan… Praveen Sathyanarayan
- Re: [IPsec] clariciations for draft-sathyanarayan… Frederic Detienne (fdetienn)
- Re: [IPsec] clariciations for draft-sathyanarayan… Praveen Sathyanarayan
- Re: [IPsec] clariciations for draft-sathyanarayan… Frederic Detienne (fdetienn)
- [IPsec] Moving prefixes -- clariciations for draf… Frederic Detienne (fdetienn)
- Re: [IPsec] Moving prefixes -- clariciations for … Praveen Sathyanarayan
- Re: [IPsec] Moving prefixes -- clariciations for … Yoav Nir
- Re: [IPsec] clariciations for draft-sathyanarayan… Timo Teras
- Re: [IPsec] Moving prefixes -- clariciations for … Frederic Detienne (fdetienn)
- Re: [IPsec] Moving prefixes -- clariciations for … Frederic Detienne (fdetienn)
- Re: [IPsec] Moving prefixes -- clariciations for … Praveen Sathyanarayan
- Re: [IPsec] Moving prefixes -- clariciations for … Frederic Detienne (fdetienn)
- Re: [IPsec] Moving prefixes -- clariciations for … Praveen Sathyanarayan
- Re: [IPsec] Moving prefixes -- clariciations for … Frederic Detienne (fdetienn)
- Re: [IPsec] clariciations for draft-sathyanarayan… Daniel Migault
- Re: [IPsec] clariciations for draft-sathyanarayan… Timo Teras
- Re: [IPsec] Moving prefixes -- clariciations for … Praveen Sathyanarayan
- Re: [IPsec] clariciations for draft-sathyanarayan… Daniel Migault
- Re: [IPsec] clariciations for draft-sathyanarayan… Timo Teras