[Mip4] Re: Request for text proposal for your scenario
"Adrangi, Farid" <farid.adrangi@intel.com> Thu, 11 September 2003 20:51 UTC
Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA13334 for <mip4-archive@odin.ietf.org>; Thu, 11 Sep 2003 16:51:28 -0400 (EDT)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 19xYPA-0007bC-6i for mip4-archive@odin.ietf.org; Thu, 11 Sep 2003 16:51:04 -0400
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id h8BKp4SM029210 for mip4-archive@odin.ietf.org; Thu, 11 Sep 2003 16:51:04 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 19xYP9-0007b3-DD for mip4-web-archive@optimus.ietf.org; Thu, 11 Sep 2003 16:51:03 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA13305 for <mip4-web-archive@ietf.org>; Thu, 11 Sep 2003 16:50:56 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19xYP7-0006Bs-00 for mip4-web-archive@ietf.org; Thu, 11 Sep 2003 16:51:01 -0400
Received: from ietf.org ([132.151.1.19] helo=optimus.ietf.org) by ietf-mx with esmtp (Exim 4.12) id 19xYP6-0006Bp-00 for mip4-web-archive@ietf.org; Thu, 11 Sep 2003 16:51:00 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 19xYP7-0007aj-OT; Thu, 11 Sep 2003 16:51:01 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 19xYP4-0007aM-56 for mip4@optimus.ietf.org; Thu, 11 Sep 2003 16:50:58 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA13299 for <mip4@ietf.org>; Thu, 11 Sep 2003 16:50:51 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19xYP2-0006Bg-00 for mip4@ietf.org; Thu, 11 Sep 2003 16:50:56 -0400
Received: from hermes.py.intel.com ([146.152.216.3]) by ietf-mx with esmtp (Exim 4.12) id 19xYP0-0006BO-00 for mip4@ietf.org; Thu, 11 Sep 2003 16:50:55 -0400
Received: from petasus.py.intel.com (petasus.py.intel.com [146.152.221.4]) by hermes.py.intel.com (8.11.6p2/8.11.6/d: outer.mc, v 1.83 2003/09/05 14:45:27 rfjohns1 Exp $) with ESMTP id h8BKjdh25737 for <mip4@ietf.org>; Thu, 11 Sep 2003 20:45:39 GMT
Received: from orsmsxvs040.jf.intel.com (orsmsxvs040.jf.intel.com [192.168.65.206]) by petasus.py.intel.com (8.11.6p2/8.11.6/d: inner.mc, v 1.35 2003/05/22 21:18:01 rfjohns1 Exp $) with SMTP id h8BKo6s29365 for <mip4@ietf.org>; Thu, 11 Sep 2003 20:50:06 GMT
Received: from orsmsx332.amr.corp.intel.com ([192.168.65.60]) by orsmsxvs040.jf.intel.com (NAVGW 2.5.2.11) with SMTP id M2003091113502229948 for <mip4@ietf.org>; Thu, 11 Sep 2003 13:50:22 -0700
Received: from orsmsx407.amr.corp.intel.com ([192.168.65.50]) by orsmsx332.amr.corp.intel.com with Microsoft SMTPSVC(5.0.2195.5329); Thu, 11 Sep 2003 13:50:22 -0700
content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
X-MimeOLE: Produced By Microsoft Exchange V6.0.6375.0
Date: Thu, 11 Sep 2003 13:50:22 -0700
Message-ID: <A95D547FCC54AB47BC55E104D424339B22CB05@orsmsx407.jf.intel.com>
Thread-Topic: Re: Request for text proposal for your scenario
Thread-Index: AcN4jk87uftoppHyQhuKg7lW0GEybAABKYJwAARM+PA=
From: "Adrangi, Farid" <farid.adrangi@intel.com>
To: mip4@ietf.org
X-OriginalArrivalTime: 11 Sep 2003 20:50:22.0549 (UTC) FILETIME=[519A8050:01C378A6]
Content-Transfer-Encoding: quoted-printable
Subject: [Mip4] Re: Request for text proposal for your scenario
Sender: mip4-admin@ietf.org
Errors-To: mip4-admin@ietf.org
X-BeenThere: mip4@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/mip4>, <mailto:mip4-request@ietf.org?subject=unsubscribe>
List-Id: Mobility for IPv4 <mip4.ietf.org>
List-Post: <mailto:mip4@ietf.org>
List-Help: <mailto:mip4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mip4>, <mailto:mip4-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: quoted-printable
Content-Transfer-Encoding: quoted-printable
Hi Gopal, Ok. As per my understanding of your scenario, I infer a few things from it: 1) MN may be several hops away from the VPN/FA 2) FA advertisement is done inside the IPsec tunnel established between the MN and VPN/FA. 3) MN roaming in a foreign network cannot be place behind a FA. For example, the following picture is not possible: MN ---FA----one or hops----FA/VPN1 4) VPN1/FA could also be your remote access VPN. So, the picture can be simplified as follows MN ----one or more hops -----FA/VPN ---Intranet Note: I get frighten when I see nested IPsec tunnels, in particular established by different IPsec client software running on the client device!!! So, since the scenario does not support #3 above, then the only problem that we have is with SA refreshes when the MN changes its point of attachment. Do I have a correct understanding of your scenario? BR, FArid -----Original Message----- From: Gopal Dommety [mailto:gdommety@cisco.com] Sent: Thursday, September 11, 2003 10:58 AM To: Jayshree Bharatia; Adrangi, Farid Cc: mccap@lucent.com; henrik@levkowetz.com Subject: RE: Request for text proposal for your scenario Hello Farid, Henrick and Jayashree, the scenario I was referring to is as followis: MN---------|VPN/FA|-----------------[VPN2]---------HA VPN1 Provides Encryption/decryption for the link and access to the visiting domain. VPN 2 is optional for remote access. Thanks Gopal At 10:52 AM 9/11/2003 -0500, Jayshree Bharatia wrote: >Hello Farid, > >I would think that there may or may not be IPSec tunnel between the MN and >the FA/VPN. If there is, than it will have similar issue as discussed in >the proposed text. If there is no IPSec, the traffic will be unprotected >between these two entities. > >Regards, >Jayshree > > -----Original Message----- > > From: Adrangi, Farid > [<mailto:farid.adrangi@intel.com>mailto:farid.adrangi@intel.com] > > Sent: Wednesday, September 10, 2003 4:32 PM > > To: Bharatia, Jayshree [RICH1:2H13:EXCH] > > Cc: mccap@lucent.com; henrik@levkowetz.com; gdommety@cisco.com > > Subject: RE: Request for text proposal for your scenario > > > > > > Thanks Jayshree. Couple of clarifications: > > > > From your description, it is my understanding that there is > > only one IPsec tunnel, and that is between the FA/VPN in the > > foreign and the VPN GW in the VPN domain. In other words, No > > IPsec tunnel between the MN and the VPN GW in VPN domain and > > hence data traffic between the MN and the FA is not > > protected. Is my understanding correct? I will have more > > questions/comments based on your answers. Thanks for the > > text and hopefully we can wrap this up this week. BR, Farid > > > > > > -----Original Message----- > > From: Jayshree Bharatia > [<mailto:jayshree@nortelnetworks.com>mailto:jayshree@nortelnetworks.com] > > Sent: Wednesday, September 10, 2003 12:15 PM > > To: Adrangi, Farid > > Cc: mccap@lucent.com; henrik@levkowetz.com; gdommety@cisco.com > > Subject: RE: Request for text proposal for your scenario > > > > Hi Farid, > > > > The following is my proposed text for the co-located FA-VPN > > GW scenario. > > > > > > Reagrds, > > Jayshree > > --------------------- > > > > 2.6 Combined VPN Gateway and MIPv4 FA > > > > MIPv4 FA and the VPN Gateway are running on the same physical machine. > > > > > > ..Foreign Network... .....VPN Domain..(Intranet).... > > . . . . > > . +----+ +-----+ . +----+ +-------+ +-------+ . > > . |MNs | | FA | . | VPN| | Router| | HAs | . > > . |away| | + | .<=========>| GW | | 1..n | | | . > > . | | | VPN | . | | +-------+ +-------+ . > > . | | | GW | . | | . > > . +----+ +-----+ . +----+ +-------+ +-------+ . > > . . . | CN | | MNs | . > > .................... . | 1..n | | home | . > > . +-------+ +-------+ . > > . . > > ............................... > > > > > > In this scenario, two VPN gateways are involved where the FA > > is considered to be the trusted entity. The mipv4 tunnel is > > running inside the IPSec-ESP. For end-to-end security model, > > the VPN Gateway within the VPN Domain must protect the IP > > traffic originating at the MN. Since the point of attachment > > changes corresponding to the movement of the MN, it is > > essential that the VPN tunnel security association must be > > refreshed after each IP subnet handoff. Hence, this scenario > > is not practical where the mobility is involved due to performance > > implications for the real-time applications. > > > > > -----Original Message----- > > > From: Adrangi, Farid > [<mailto:farid.adrangi@intel.com>mailto:farid.adrangi@intel.com] > > > Sent: Wednesday, September 03, 2003 7:54 PM > > > To: Bharatia, Jayshree [RICH1:2H13:EXCH] > > > Cc: mccap@lucent.com; henrik@levkowetz.com; gdommety@cisco.com > > > Subject: Request for text proposal for your scenario > > > > > > > > > > > > Hello Jayshree, > > > Could you please propose a text for the scenario that you > > > want to be added to the problem-statement draft? > > > BR, > > > Farid > > > > > > -----Original Message----- > > > From: Jayshree Bharatia > [<mailto:jayshree@nortelnetworks.com>mailto:jayshree@nortelnetworks.com] > > > Sent: Wednesday, August 06, 2003 12:13 PM > > > To: Adrangi, Farid > > > Cc: mip4@ietf.org > > > Subject: RE: Comments on VPN Problem Statement Draft > > > > > > Hello Farid, > > > > > > Please see my reply below. > > > > > > Thanks, > > > Jayshree > > > -----Original Message----- > > > From: Adrangi, Farid > [<mailto:farid.adrangi@intel.com>mailto:farid.adrangi@intel.com] > > > Sent: Sunday, August 03, 2003 11:50 PM > > > To: Bharatia, Jayshree [RICH1:2H13:EXCH] > > > Cc: mip4@ietf.org > > > Subject: RE: Comments on VPN Problem Statement Draft > > > > > > > > > Hello Jayshree, > > > Thanks for following up on this. You, Gopal, and I had a > > > very brief conversation on this during IETF-57 - but I am not > > > sure if we derived any conclusion on whether or not we should > > > include this scenario. To be frank, I don't quite understand > > > the point behind adding this scenario because, > > > - It seems to present a solution to a specific > > > deployment model > > > rather than a deployment scenario > > > [JB] My understanding is different from yours so please > > > elaborate what you mean by deployment model vs deployment > > > scenario in this particular context. > > > > > > - I don't quite see the advantages of a combined > > > VPN+FA if it > > > does > > > not support FA traversal and it does not avoid IPsec > > > renegotiation when MN moves from one subnet to another - > > > perhaps you can elaborate on this? [JB] I think regardless > > > this scenario has any advantages or not, it is one of the > > > probable scenario which has potential issues (as you have > > > indicated earlier). > > > > > > - Furthermore, Scenarios in section 2 of the problem > > > statement > > > draft represents combinations of MIPv4 HA and VPN gateway > > > placement - adding this scenario is going to change semantics > > > of the section 2. [JB] I am not sure what you mean by > > > semantics change here. Do you think documenting this in new > > > subsection (2.6) is a problem? > > > > > > I have no problem adding this scenario to the draft - I just > > > wanted to make sure that we clearly understand the reasons > > > for adding this scenario to the problem statement draft. > > > Design team members and interested individuals are welcome to > > > express their opinion on this. > > > > > > Best regards, > > > Farid > > > > > > > > > > > > > > > > > > The following sub-sections introduce five representative > > > combinations of MIPv4 HA and VPN gateway placement. > > > > > > -----Original Message----- > > > From: Jayshree Bharatia > [<mailto:jayshree@nortelnetworks.com>mailto:jayshree@nortelnetworks.com] > > > Sent: Thursday, July 31, 2003 1:44 PM > > > To: Adrangi, Farid > > > Cc: 'mip4@ietf.org' > > > Subject: RE: Comments on VPN Problem Statement Draft > > > > > > Hello Farid, > > > > > > As per our earlier discussion during IETF-57, my > > > understanding is that you will include the scenario of > > > co-existed FA with the VPN gateway in the VPN Problem > > Statement draft. > > > > > > I agree that this particular scenario has problems and it > > > won't work if the MN is behind an FA in the foreign subnet. > > > But again, this is a problem statement draft. Hence, I > > > believe that this is the appropriate document for mentioning > > > this scenario. > > > > > > Thanks, > > > Jayshree > > > > > > -----Original Message----- > > > From: Adrangi, Farid > [<mailto:farid.adrangi@intel.com>mailto:farid.adrangi@intel.com] > > > Sent: Monday, April 07, 2003 2:58 PM > > > To: Bharatia, Jayshree [RICH1:2H13:EXCH] > > > Cc: 'mobile-ip@sunroof.eng.sun.com' > > > Subject: RE: Comments on VPN Problem Statement Draft > > > Hello Jayshree > > > This is a good point - I knew someone was to bring this up! > > > At the time of writing these scenarios, we (the design team) > > > actually discussed this and concluded this scenario would > > > fall into a solution space. Maybe we did not make the right > > > decision and we should rethink this. But, before we take > > > this discussion further please allow me to ask you a few > > > questions about the details of the scenario (VPN+FA) that you > > > have in mind . Are you thinking to broadcast FA > > > advertisements through the IPsec tunnel to the MN? If so, > > > how will this work if MN is already behind an FA in the > > > foreign subnet? Or, If you had something different in mind, > > > perhaps you can elaborate on that. Best regards, Farid > > > > > > > > > -----Original Message----- > > > From: Jayshree Bharatia > [<mailto:jayshree@nortelnetworks.com>mailto:jayshree@nortelnetworks.com] , > > > Sent: Friday, April 04, 2003 3:14 PM > > > To: 'farid.adrangi@intel.com' > > > Cc: 'mobile-ip@sunroof.eng.sun.com' > > > Subject: Comments on VPN Problem Statement Draft > > > > > > Hello Farid, > > > This draft (draft-ietf-mobileip-vpn-problem-statement-req-01) > > > currently misses one scenario were the FA is co-existed with > > > the VPN Gateway. I would think that there are no technical > > > issues supporting this scenario. It will be good if you can > > > add this scenario in the draft (perhaps as section > > > 2.6?) > > > for completeness. > > > Thanks, > > > Jayshree > > > > > > > > _______________________________________________ Mip4 mailing list Mip4@ietf.org https://www.ietf.org/mailman/listinfo/mip4
- [Mip4] RE: Request for text proposal for your sce… Gopal Dommety
- [Mip4] Re: Request for text proposal for your sce… Adrangi, Farid
- [Mip4] Re: Request for text proposal for your sce… Adrangi, Farid
- RE: [Mip4] Re: Request for text proposal for your… Jayshree Bharatia
- [Mip4] RE: Request for text proposal for your sce… Gopal Dommety
- [Mip4] RE: Request for text proposal for your sce… Adrangi, Farid
- [Mip4] Re: Request for text proposal for your sce… Henrik Levkowetz
- [Mip4] RE: Request for text proposal for your sce… Jayshree Bharatia
- Re: [Mip4] Re: Request for text proposal for your… Gopal Dommety
- Re: [Mip4] RE: Request for text proposal for your… Gopal Dommety
- Re: [Mip4] Re: Request for text proposal for your… Henrik Levkowetz
- Re: [Mip4] RE: Request for text proposal for your… Henrik Levkowetz
- Re: [Mip4] RE: Request for text proposal for your… Gopal Dommety
- Re: [Mip4] Re: Request for text proposal for your… Gopal Dommety
- Re: [Mip4] Re: Request for text proposal for your… Henrik Levkowetz
- RE: [Mip4] RE: Request for text proposal for your… Adrangi, Farid