IETF Logo Mail Archive

Re: [IPsec] Some comments / questions on draft-ietf-ipsecme-ad-vpn-problem

Lou Berger <lberger@labn.net> Wed, 05 December 2012 19:47 UTC

Return-Path: <lberger@labn.net>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A578C21F8C72 for <ipsec@ietfa.amsl.com>; Wed, 5 Dec 2012 11:47:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.415
X-Spam-Level:
X-Spam-Status: No, score=-101.415 tagged_above=-999 required=5 tests=[AWL=0.250, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, J_CHICKENPOX_14=0.6, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ICw8G7Gk3UPV for <ipsec@ietfa.amsl.com>; Wed, 5 Dec 2012 11:47:36 -0800 (PST)
Received: from oproxy6-pub.bluehost.com (oproxy6-pub.bluehost.com [67.222.54.6]) by ietfa.amsl.com (Postfix) with SMTP id B925C21F8C3F for <ipsec@ietf.org>; Wed, 5 Dec 2012 11:47:36 -0800 (PST)
Received: (qmail 10723 invoked by uid 0); 5 Dec 2012 19:47:14 -0000
Received: from unknown (HELO box313.bluehost.com) (69.89.31.113) by cpoproxy3.bluehost.com with SMTP; 5 Dec 2012 19:47:13 -0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=labn.net; s=default; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:References:Subject:CC:To:MIME-Version:From:Date:Message-ID; bh=GdQT0I1ms3algzsguNTTeL/wEUtn6+3bhw03Q1eGNrM=; b=E9U1aWQ2f3w6bI9utw/3PTM9aqQxZglwCjn2YSBjQjOT4sKPiISyH9ubnlBcrlle6dzYVhJo3wlPv8bILRpz3vrGt4dYCw0PS+HRBgdXAUyLLaraBuiKvKotFG0HGSaT;
Received: from box313.bluehost.com ([69.89.31.113]:57196 helo=[127.0.0.1]) by box313.bluehost.com with esmtpa (Exim 4.76) (envelope-from <lberger@labn.net>) id 1TgKw4-000230-Nw; Wed, 05 Dec 2012 12:47:12 -0700
Message-ID: <50BFA4C0.1060909@labn.net>
Date: Wed, 05 Dec 2012 14:47:12 -0500
From: Lou Berger <lberger@labn.net>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Thunderbird/17.0
MIME-Version: 1.0
To: Vishwas Manral <vishwas.ietf@gmail.com>
References: <50A5703F.4070305@labn.net> <CAOyVPHTWhv8=sP6kYkZmOEsjMsdr72P8fe=7w5XY0Hd_wP_9=w@mail.gmail.com> <50A58CDB.30402@labn.net> <CAOyVPHQ+n83DaVv6Q9Z0kvi0MyYrhPbB=L6ju4fwjTyRK1P22Q@mail.gmail.com> <50A682F8.9080907@labn.net> <CAOyVPHSvWhgaYm2s_8_37VuaR1e_5tiJai+04AKzm3HXkNwESg@mail.gmail.com> <50A689A9.1090803@labn.net> <CAOyVPHR1euA9TRnAp7V+OKjRkPARYYvQ+C0HnA70y-122sy9ZQ@mail.gmail.com> <50A68D30.2040203@labn.net> <CAOyVPHR4OVNuvMU-UxZAJUoKFugCWwUQq0dSRo-7gY=Y886LoQ@mail.gmail.com> <CAOyVPHRopwvE5U3ZF7kDxNe59OgTk7ydoFG6iqvZdOFUCvaGyA@mail.gmail.com> <50BE30D9.4030903@labn.net> <CAOyVPHSXQQt_31Y2MP+iMe8d0MCxSyKzVvCLL-HLkcggaOKuMw@mail.gmail.com> <50BE4A60.1000303@labn.net> <CAOyVPHSkGVvGD2bMgk-vp3DO0o9N9Zt6mf4SnaL4L9ZFR8NRHg@mail.gmail.com>
In-Reply-To: <CAOyVPHSkGVvGD2bMgk-vp3DO0o9N9Zt6mf4SnaL4L9ZFR8NRHg@mail.gmail.com>
X-Enigmail-Version: 1.4.6
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Identified-User: {1038:box313.bluehost.com:labnmobi:labn.net} {sentby:smtp auth 69.89.31.113 authed with lberger@labn.net}
Cc: IPsecme WG <ipsec@ietf.org>
Subject: Re: [IPsec] Some comments / questions on draft-ietf-ipsecme-ad-vpn-problem
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Dec 2012 19:47:37 -0000

Hi Vishwas,
	see below for response.

On 12/5/2012 12:54 PM, Vishwas Manral wrote:
> Hi Lou,
> 
> Thanks for your close reading of the document. I am attaching the
> changed document. Please let me know if it looks good.
> 
>     On 11/15/2012 7:14 PM, Vishwas Manral wrote:
>     >     - In section 2.2, I think mentioning something about the routing
>     >     implications is worthwhile. How about at the end of the
>     section adding
>     >     something along the lines of :
>     >
>     >         Additionally, the routing implications of gateway-to-gateway
>     >         communication must be addressed.  In the simple case,
>     >         selectors provide sufficient information for a gateway to
>     >         forward traffic appropriately.  In other cases, additional
>     >         tunneling (e.g., GRE) and routing (e.g., OSPF) protocols are
>     >         run over IPsec tunnels, and the configuration impact on those
>     >         protocols must be considered.  There is also the case when
>     >         L3VPNs operate over IPsec Tunnels.
>     >
>     > We can add something in the lines of additional protocols are run over
>     > the IPsec tunnels and the solution should make an effort to allow for
>     > additional protocols like OSPF to be run optimally without too many 
>     > changes in configuration.
> 

I don't see any changes in 2.2 related to this (old) comment on routing
implications, am I missing something?

>     Also in section 2.2, the text now says:
> 
>        The solution should work in cases where the endpoints are
>        administrated by separate management domains, albeit, ones that have
>        an existing trust relationship (for example two organisations who are
>        collaborating on a project, they may wish to join their networks,
>        whilst retaining independent control over configuration)It is for
>        this purpose spoke-to-spoke tunnels are dynamically created and torn-
>        down.  It is highly desirable that the solution works for the star,
>        full mesh as well as dynamic full mesh topology.
> 
>     This revision now reads that the primary reason for dynamic
>     spoke-to-spoke tunnels is separate management domains.  I somehow don't
>     think this was the intent.
> 
> 
> I have reordered the sentences.

I think that works.

> 
> 
>     In section 4.1 we had discussed replacement text for 3:
>     On 11/16/2012 12:49 PM, Vishwas Manral wrote:
>     >>On 11/15/2012 5:44 PM, Lou Berger wrote:
>     >>     - In section 4.2, how about:
>     >>        (replacement text)
>     >>        3.  Gateways MUST allow for the operation of tunneling and
>     >>        routing protocols operating over spoke-to-spoke IPsec Tunnels
>     >>        with minimal, or no, configuration impact.
>     >
>     >VM> Ok will specifically specify tunnels and routing protocols.
> 
>     You have the following alternate / revised text:
>        3.  In many cases additional tunneling protocols (i.e.  GRE) or
>        Routing protocols (i.e.  OSPF) are run over the IPsec tunnels.
>        Gateways MUST allow for the operation of tunneling and Routing
>        protocols operating over spoke-to-spoke IPsec Tunnels with minimal or
>        no, configuration impact.  Routing using the tunnels can work
>        seamlessly without any updates to the higher level application
>        configuration i.e.  OSPF configuration, when the tunnel parameter
>        changes.
> 
>     I think this text is closer, but I think a few additional changes are
>     needed:
>      - GRE and OSPF are examples, so "i.e." should be replaced with "e.g."
>      - I think the final sentence is likely to be incorrect in many / most
>        real world cases, so would drop the sentence (from "Routing using
>        the tunnels can work...")
> 
> I changed the "can" to a SHOULD for the second part. The idea is no
> changes should happen in configuration and our current solution allows
> that for most cases (hence SHOULD).

I think this is worse.  Now you're placing requirements on routing
protocols which IMO should not care if (or be aware of when) the tunnel
they are running on is IPsec or carried via IPsec.

What additional point are you trying to make in the following sentence?
   Routing using the tunnels SHOULD work
   seamlessly without any updates to the higher level application
   configuration i.e.  OSPF configuration, when the tunnel parameter
   changes.

Can the sentence just be dropped?

> 
> 
>     You also said you'd address the minor comments:
>     On 11/15/2012 5:44 PM, Lou Berger wrote:
>     > - In section 2.1, you introduce the term "NAT gateway" and then later
>     > use just "gateway" when I suspect you mean "NAT gateway".  I suggest
>     > using the term "NAT" and thereby not introduce possible confusion
>     > between the gateway term defined in section 1.1 and "NAT gateways".
> 
> Updated it. I agree we can separate out the terms NAT gateway/ Gateway,
> though for most parts it may be the same device. Prepend NAT to change
> it to NAT gateway, as just replacing it with NAT made the sentence out
> of place.

okay.  I probably just would had stayed with "NAT" and dropped
"gateway", but that's your call.

>  
> 
>     and
> 
>     > - In sections 2.2, and Section 3.2 you say dynamic addresses makes
>     > static configuration impossible.  This doesn't reflect the use of
>     > dynamic dns to handle this issues (and is currently supported by some
>     > vendors.)
> 
> Do you have any reference and suggested text for this? I have not seen
> the same in our customer cases.

I've seen this supported on some firewall products in conjunction with
dynamic DNS.  I used one for a couple of years (the spoke used a dynamic
address + DDNS.)  I certainly deffer to the WG on if such usage should
be referenced in this document.  You are, after all, the experts on this
and I'm just an occasional user...

some possible text for section 2.2. could be:
OLD
   The gateways can themselves come up and down, getting different IP
   addresses in the process, making static configuration impossible.
NEW
   The solution should also address the case where gateways use dynamic
   IP addresses.

and section 3.2, perhaps something like:
OLD
   This solution however does not work when the spokes get dynamic IP
   address which the "hub gateways" cannot be configured with.
NEW
   This solution however is complicated by the case when the spokes
   use dynamic IP addresses and DNS with dynamic updates must be used.

Thanks,
Lou

> 
> Thanks,
> Vishwas
> 
> 
> 
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
>

v2.37.1 | Report a Bug | By Email | System Status