Re: draft-touch-ipsec-vpn-06.txt
Mark Duffy <mduffy@quarrytech.com> Fri, 23 January 2004 05:24 UTC
Received: from optimus.ietf.org ([132.151.1.19]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id AAA29511 for <l3vpn-archive@odin.ietf.org>; Fri, 23 Jan 2004 00:24:06 -0500 (EST)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1Ajtn9-00086F-MN for l3vpn-archive@odin.ietf.org; Fri, 23 Jan 2004 00:23:40 -0500
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id i0N5NdqW031129 for l3vpn-archive@odin.ietf.org; Fri, 23 Jan 2004 00:23:39 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1Ajtn9-000860-HM for l3vpn-web-archive@optimus.ietf.org; Fri, 23 Jan 2004 00:23:39 -0500
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id AAA29482 for <l3vpn-web-archive@ietf.org>; Fri, 23 Jan 2004 00:23:35 -0500 (EST)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1Ajtn2-0003e3-00 for l3vpn-web-archive@ietf.org; Fri, 23 Jan 2004 00:23:32 -0500
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1Ajtjt-0003YS-00 for l3vpn-web-archive@ietf.org; Fri, 23 Jan 2004 00:20:18 -0500
Received: from [132.151.1.19] (helo=optimus.ietf.org) by ietf-mx with esmtp (Exim 4.12) id 1Ajti2-0003TA-00 for l3vpn-web-archive@ietf.org; Fri, 23 Jan 2004 00:18:22 -0500
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1Ajthh-0007oY-EZ; Fri, 23 Jan 2004 00:18:01 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1AjthY-0007oA-KL for l3vpn@optimus.ietf.org; Fri, 23 Jan 2004 00:17:57 -0500
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id AAA29383 for <l3vpn@ietf.org>; Fri, 23 Jan 2004 00:17:48 -0500 (EST)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1AjthR-0003Se-00 for l3vpn@ietf.org; Fri, 23 Jan 2004 00:17:45 -0500
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1AjteU-0003OW-00 for l3vpn@ietf.org; Fri, 23 Jan 2004 00:14:43 -0500
Received: from email.quarrytech.com ([4.17.144.4] helo=qtech1.quarrytech.com) by ietf-mx with esmtp (Exim 4.12) id 1Ajtcb-0003IX-00 for l3vpn@ietf.org; Fri, 23 Jan 2004 00:12:45 -0500
Received: from MDUFFY1.quarrytech.com (rocket.quarrytech.com [10.1.1.127]) by qtech1.quarrytech.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id XT41A53Z; Fri, 23 Jan 2004 00:11:50 -0500
Message-Id: <5.2.0.9.0.20040122200853.021a90e0@email>
X-Sender: mduffy@localhost
X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9
Date: Fri, 23 Jan 2004 00:10:19 -0500
To: Ross Callon <rcallon@juniper.net>, l3vpn@ietf.org
From: Mark Duffy <mduffy@quarrytech.com>
Subject: Re: draft-touch-ipsec-vpn-06.txt
Cc: Thomas Narten <narten@us.ibm.com>
In-Reply-To: <4.3.2.20040121153926.030be0a0@zircon.juniper.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Sender: l3vpn-admin@ietf.org
Errors-To: l3vpn-admin@ietf.org
X-BeenThere: l3vpn@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/l3vpn>, <mailto:l3vpn-request@ietf.org?subject=unsubscribe>
List-Id: <l3vpn.ietf.org>
List-Post: <mailto:l3vpn@ietf.org>
List-Help: <mailto:l3vpn-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/l3vpn>, <mailto:l3vpn-request@ietf.org?subject=subscribe>
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on ietf-mx.ietf.org
X-Spam-Status: No, hits=0.0 required=5.0 tests=none autolearn=no version=2.60
> - Does the l3vpn working group feel that this document should be >reviewed by a public working group, such as the l3vpn working group, >prior to publication? I would think that should be more a matter of ietf policy regarding personal submission RFCs than what any wg thinks. Unless the policy is to ask relevant wg's :-) > - Do we have any technical comments on the document? The basic concept of forming virtual links by first applying IP-in-IP tunnelling, then securing them by applying transport mode IPsec to the resulting packets seems a good one to me. (And it is already embodied in at least one document that is a product of this wg.) As an aside, I would be quite interested for the working group to take on the effort to progress a *standard* for virtual links. It should go a step further and provide a way to convey to the far end what vpn context a given tunnel is for. Those deeply interested in this subject might want to look at <http://www.ietf.org/internet-drafts/draft-duffy-ppvpn-ipsec-vlink-00.txt> which provides a survey of issues in this space and of potential solutions. Anyway, back to draft-touch. I think the basic approach presented is sound and appropriate. I do think the message gets a little lost in all the description of other possible approaches and why they don't work. I found those descriptions difficult to follow. The draft expresses an interpretation of RFC 2401 that I believe is excessively rigid and literal. E.g. in concluding that transport mode may not be used between two gateways, and that protocol #4 encapsulations must be skipped past in evaluating SPD policy to look for a transport header deeper in the packet. The draft on page 7 states: There are two common implementation scenarios for tunnel mode SAs: One is based on firewall-like packet matching operations where tunnel mode SAs are not virtual interfaces, another is tunnel-based, and treats a tunnel mode SA as a virtual interface. The current IPsec architecture does not mandate one or the other. This is completely outside my understanding of RFC 2401. 2401 is completely oriented towards the policy based approach. I am unaware that it provides in any way for treating a tunnel mode SA as a virtual interface. In fact it does much to obstruct that viz. SPD policy and packet selectors. Nit: the link numbers on figure 3 do not seem to match some references to them in the preceding paragraphs. Previous revisions of this document contained the concept that if one sends an IKE proposal for transport mode protection for protocol #4, then one is signalling the intent that the tunnel is to be considered a virtual link. Perhaps that has been removed because offhand I cannot find it. I thought that was undesirable because it imposes a new meaning onto a possibly pre-existing behavior, and it is implicit rather than explicit. Regards, Mark
- draft-touch-ipsec-vpn-06.txt Ross Callon
- Re: draft-touch-ipsec-vpn-06.txt Joe Touch
- RE: draft-touch-ipsec-vpn-06.txt Hamid Ould-Brahim
- RE: draft-touch-ipsec-vpn-06.txt Claudio Lordello
- Re: draft-touch-ipsec-vpn-06.txt Joe Touch
- RE: draft-touch-ipsec-vpn-06.txt Claudio Lordello
- Re: draft-touch-ipsec-vpn-06.txt Joe Touch
- Re: draft-touch-ipsec-vpn-06.txt Eric Rosen
- Re: draft-touch-ipsec-vpn-06.txt Joe Touch
- Re: draft-touch-ipsec-vpn-06.txt Mohan Parthasarathy
- Re: draft-touch-ipsec-vpn-06.txt Joe Touch
- Re: draft-touch-ipsec-vpn-06.txt Joe Touch
- Re: draft-touch-ipsec-vpn-06.txt Mohan Parthasarathy
- Re: draft-touch-ipsec-vpn-06.txt Joe Touch
- Re: draft-touch-ipsec-vpn-06.txt Mohan Parthasarathy
- Re: draft-touch-ipsec-vpn-06.txt Joe Touch
- RE: draft-touch-ipsec-vpn-06.txt Paul Knight
- Re: draft-touch-ipsec-vpn-06.txt Mohan Parthasarathy
- Re: draft-touch-ipsec-vpn-06.txt Mark Duffy
- Re: draft-touch-ipsec-vpn-06.txt Lars Eggert
- Re: draft-touch-ipsec-vpn-06.txt Thomas Narten
- RE: draft-touch-ipsec-vpn-06.txt Eric Gray
- Re: draft-touch-ipsec-vpn-06.txt jeremy.de_clercq
- RE: draft-touch-ipsec-vpn-06.txt Claudio Lordello
- Re: draft-touch-ipsec-vpn-06.txt Lars Eggert
- RE: draft-touch-ipsec-vpn-06.txt Claudio Lordello
- Re: draft-touch-ipsec-vpn-06.txt Joe Touch
- RE: draft-touch-ipsec-vpn-06.txt Claudio Lordello
- Re: draft-touch-ipsec-vpn-06.txt Joe Touch
- Re: draft-touch-ipsec-vpn-06.txt Joe Touch
- Re: draft-touch-ipsec-vpn-06.txt Mohan Parthasarathy
- Re: draft-touch-ipsec-vpn-06.txt Joe Touch
- Re: draft-touch-ipsec-vpn-06.txt Joe Touch
- RE: draft-touch-ipsec-vpn-06.txt Claudio Lordello
- Re: draft-touch-ipsec-vpn-06.txt Mark Duffy
- Re: draft-touch-ipsec-vpn-06.txt Joe Touch
- Re: draft-touch-ipsec-vpn-06.txt Joe Touch
- RE: draft-touch-ipsec-vpn-06.txt Claudio Lordello
- Re: draft-touch-ipsec-vpn-06.txt Joe Touch
- Re: draft-touch-ipsec-vpn-06.txt Joe Touch
- FW: draft-touch-ipsec-vpn-06.txt Claudio Lordello
- Re: FW: draft-touch-ipsec-vpn-06.txt Lars Eggert
- Re: FW: draft-touch-ipsec-vpn-06.txt Mark Duffy
- RE: FW: draft-touch-ipsec-vpn-06.txt Claudio Lordello
- Re: FW: draft-touch-ipsec-vpn-06.txt Lars Eggert
- Re: FW: draft-touch-ipsec-vpn-06.txt Lars Eggert
- Re: draft-touch-ipsec-vpn-06.txt Rahul Aggarwal
- Re: draft-touch-ipsec-vpn-06.txt Yakov Rekhter
- RE: draft-touch-ipsec-vpn-06.txt Claudio Lordello
- RE: draft-touch-ipsec-vpn-06.txt Claudio Lordello
- Re: draft-touch-ipsec-vpn-06.txt Joe Touch
- Re: draft-touch-ipsec-vpn-06.txt Joe Touch
- RE: draft-touch-ipsec-vpn-06.txt Claudio Lordello
- Re: draft-touch-ipsec-vpn-06.txt Joe Touch
- Re: draft-touch-ipsec-vpn-06.txt Eric Rosen
- Re: draft-touch-ipsec-vpn-06.txt Joe Touch
- Re: draft-touch-ipsec-vpn-06.txt Joe Touch
- Re: draft-touch-ipsec-vpn-06.txt Eric Rosen
- Re: draft-touch-ipsec-vpn-06.txt Joe Touch