IETF Logo Mail Archive

Re: [IPsec] Moving prefixes -- clariciations for draft-sathyanarayan-ipsecme-advpn-03

"Frederic Detienne (fdetienn)" <fdetienn@cisco.com> Wed, 05 February 2014 13:45 UTC

Return-Path: <fdetienn@cisco.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4AE731A012D for <ipsec@ietfa.amsl.com>; Wed, 5 Feb 2014 05:45:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.036
X-Spam-Level:
X-Spam-Status: No, score=-10.036 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.535, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OMgxz8BUIQed for <ipsec@ietfa.amsl.com>; Wed, 5 Feb 2014 05:45:18 -0800 (PST)
Received: from alln-iport-1.cisco.com (alln-iport-1.cisco.com [173.37.142.88]) by ietfa.amsl.com (Postfix) with ESMTP id B350D1A0121 for <ipsec@ietf.org>; Wed, 5 Feb 2014 05:45:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=1964; q=dns/txt; s=iport; t=1391607918; x=1392817518; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=BBhWHiL8XihotWcOaSq1gDvbiAtK4y1Htc5nydx9wPU=; b=CPtYv6w9jCQExDtDMta+pIAyNC6sF/HcJVPBtygsQolYQ3TsPJJJT53F BAJKlx/bzxgNOmKr/6jNf8H7hY6WQechvPJzE5xtA5QRhu6vxxVrDyFN4 PBksM41Xz5/CRbeobYvELwFZIXTIXPWx6zbpuiz5xALJqq8RMYj3mdzpu w=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AhIFAHw/8lKtJV2b/2dsb2JhbABZgwyBD75DgQ8WdIIlAQEBAwF5BQsCAQgOCi4yJQIEDgUbh2IIzzgXjkIzB4MkgRQBA5grkiGBb4E+gio
X-IronPort-AV: E=Sophos;i="4.95,786,1384300800"; d="scan'208";a="18134074"
Received: from rcdn-core-4.cisco.com ([173.37.93.155]) by alln-iport-1.cisco.com with ESMTP; 05 Feb 2014 13:45:17 +0000
Received: from xhc-aln-x15.cisco.com (xhc-aln-x15.cisco.com [173.36.12.89]) by rcdn-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id s15DjH8x019710 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Wed, 5 Feb 2014 13:45:17 GMT
Received: from xmb-aln-x06.cisco.com ([169.254.1.227]) by xhc-aln-x15.cisco.com ([173.36.12.89]) with mapi id 14.03.0123.003; Wed, 5 Feb 2014 07:45:17 -0600
From: "Frederic Detienne (fdetienn)" <fdetienn@cisco.com>
To: Yoav Nir <ynir@checkpoint.com>
Thread-Topic: [IPsec] Moving prefixes -- clariciations for draft-sathyanarayan-ipsecme-advpn-03
Thread-Index: AQHPG4MvdTmd1tpwSEqyl/V9y2lTr5qkFtcAgAMHuAA=
Date: Wed, 05 Feb 2014 13:45:16 +0000
Message-ID: <574468F8-9203-451C-A145-C9E1DD51D781@cisco.com>
References: <88259CEC-4D10-48EC-8A21-0D2F348EEE3F@cisco.com> <CF0BCF53.6AC0F%praveenys@juniper.net> <A7DCDB4D-CE88-473C-9584-91F2B571E8FF@checkpoint.com>
In-Reply-To: <A7DCDB4D-CE88-473C-9584-91F2B571E8FF@checkpoint.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.60.74.184]
Content-Type: text/plain; charset="Windows-1252"
Content-ID: <F08AD2C58271984B99892777BA0E8432@emea.cisco.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "<ipsec@ietf.org> WG" <ipsec@ietf.org>, Praveen Sathyanarayan <praveenys@juniper.net>
Subject: Re: [IPsec] Moving prefixes -- clariciations for draft-sathyanarayan-ipsecme-advpn-03
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Feb 2014 13:45:20 -0000

On 03 Feb 2014, at 16:28, Yoav Nir <ynir@checkpoint.com> wrote:
> […]

> The missing piece here is the propagation of the union protected domain information among all the 1st tier nodes. This is fairly simple in a single enterprise network where such nodes are managed centrally. I can also see how in more heterogenous environments routing protocols could be used. Or the WG can develop some new mechanism (although I don't think that's a good idea). I think this is more useful than requiring 2nd tier [1] devices to participate in routing protocols.

this is precisely one of the major complains against draft-sathyanarayan. It translates into multiple forms at various levels.

Some things can work in some use cases but it forever needs development for other use cases. The changes between v0 and v3 are significant and they will keep augmenting.

We can no longer call that a simple solution. There are pieces that meet some of the requirements but are in contradiction with others.

Similarly, draft-sathyanarayan offers multiple implementation or deployment systems (policy based or tunnel based) which are not compatible at protocol level. It means implementations have to cover BOTH methods to guarantee interoperability.

To take a practical example: one domain may initially be rule based, the other tunnel based. What happens when those domains must now cooperate ?

Both issues above will prevent proper cross-domain interoperability. In particular, a "policy-based" spoke will not be able to talk to a "tunnel based" hub as per this draft… it would take a decision as to which is the fallback mode and a dual implementation on at least one of the devices.

In draft-detienne, the tunnels between the hubs need to support one of the existing routing protocols (we would recommend BGP for large domains). This guarantees interoperability end-to-end.

thanks,

	fred

v2.23.0 | Report a Bug | By Email