[Mip4] RE: Request for text proposal for your scenario

["Jayshree Bharatia" <jayshree@nortelnetworks.com>]

Hi Farid,

Please see my response inline.

Regards,
Jayshree

> -----Original Message-----
> From: Adrangi, Farid [mailto:farid.adrangi@intel.com] 
> Sent: Wednesday, September 24, 2003 8:25 AM
> To: Gopal Dommety; Bharatia, Jayshree [RICH1:2H13:EXCH]
> Cc: mccap@lucent.com; henrik@levkowetz.com; mip4@ietf.org
> Subject: RE: Request for text proposal for your scenario
> 
> 
> Thanks Gopal. IMO, the scenario lacks some details.  For example, 
> 
> 1) does this scenario allow MN to work in non-colocated mode? That is,
> 
> MN ---FA---VPN/FA ---Intranet
[JB] If VPN/FA are co-located, that node can have role of Mobile IP FA as
well as VPN. You can configure this node however you like but our interest
here is for the case where both these roles are active.
> 
> 2) What is the role of FA on the VPN gateway?  In other 
> words, what is the difference between 
> 
> MN -----VPN/FA ------Intranet  (your scenario) 
[JB] Functionality of the VPN and the FA are provided through same physical
node.
> And
> MN -------VPN -------Intranet 
[JB} Not sure what this scenario is but looks like you have FA somewhere
else.
> 
> However, if others are okay with the text as it is, then I'll 
> go ahead and add it.
> 
> BR,
> Farid 
> 
> 
> -----Original Message-----
> From: Gopal Dommety [mailto:gdommety@cisco.com] 
> Sent: Tuesday, September 23, 2003 6:01 PM
> To: Adrangi, Farid; Jayshree Bharatia
> Cc: mccap@lucent.com; henrik@levkowetz.com; mip4@ietf.org
> Subject: RE: Request for text proposal for your scenario
> 
> 
> Farid,
> 
> The text Jayshree sent looks good. I just made minor edits. 
> Here is the 
> text below:
> 
> 
> 2.6 Combined VPN Gateway and MIPv4 FA
> 
> MIPv4 FA and the VPN Gateway are running on the same physical machine.
> 
> 
>       ..Foreign Network............VPN Domain..(Intranet).....
>       .                         .                            .
>       .  +----+              +-----+    +-------+  +-------+ .
>       .  |MNs |              | FA  |    | Router|  | HAs   | .
>       .  |away|<============>| +   |    | 1..n  |  |       | .
>       .  |    |              | VPN |    +-------+  +-------+ .
>       .  |    |              | GW  |                         .
>       .  +----+              +-----+   +-------+  +-------+  .
>       .                         .      |  CN   |  | MNs   |  .
>       .                         .      | 1..n  |  | home  |  .
>       .                         .      +-------+  +-------+  .
>       .                         .                            .
>       ........................................................
> 
> In this scenario, the mipv4 tunnel is running inside the 
> IPSec-ESP between the MN and the FA/VPN Gateway.This scenario
>   IPsec being used to protect the data over the wireless network.
> 
> For end-to-end security model, the VPN
> Gateway
> must
> protect the IP traffic originating at the MN. Since the point 
> of attachment changes corresponding to the movement of the 
> MN, it is essential that the VPN tunnel security association 
> must be refreshed after each IP subnet handoff.
> 
> Hence, this scenario is not practical
> where the mobility is involved for
> the
> real-time applications due to the performance implications.
> 
> 
> Thanks
> Gopal
> 
> 
> 
> 
> 
> At 03:22 PM 9/23/2003 -0700, Adrangi, Farid wrote:
> >Any update on this?  What should we do next?
> >--Farid
> >
> >-----Original Message-----
> >From: Jayshree Bharatia [mailto:jayshree@nortelnetworks.com]
> >Sent: Tuesday, September 16, 2003 11:02 AM
> >To: 'Gopal Dommety'
> >Cc: 'mccap@lucent.com'; 'henrik@levkowetz.com'; Adrangi, Farid
> >Subject: RE: Request for text proposal for your scenario
> >
> >Gopal,
> >
> >Appreciate if you can make appropriate changes to the proposed text:
> >
> >Thanks,
> >Jayshree
> >
> >-------------
> >Proposed text:
> >
> >2.6 Combined VPN Gateway and MIPv4 FA
> >
> >MIPv4 FA and the VPN Gateway are running on the same 
> physical machine.
> >
> >
> >      ..Foreign Network............VPN Domain..(Intranet).....
> >      .                         .                            .
> >      .  +----+              +-----+    +-------+  +-------+ .
> >      .  |MNs |              | FA  |    | Router|  | HAs   | .
> >      .  |away|<============>| +   |    | 1..n  |  |       | .
> >      .  |    |              | VPN |    +-------+  +-------+ .
> >      .  |    |              | GW  |                         .
> >      .  +----+              +-----+   +-------+  +-------+  .
> >      .                         .      |  CN   |  | MNs   |  .
> >      .                         .      | 1..n  |  | home  |  .
> >      .                         .      +-------+  +-------+  .
> >      .                         .                            .
> >      ........................................................
> >
> >In this scenario, the mipv4 tunnel is running inside the IPSec-ESP 
> >between the
> >MN and the FA/VPN Gateway. For end-to-end security model, the VPN
> >Gateway
> >must
> >protect the IP traffic originating at the MN. Since the point of
> >attachment
> >changes corresponding to the movement of the MN, it is essential that
> >the
> >VPN
> >tunnel security association must be refreshed after each IP subnet
> >handoff.
> >Hence, this scenario is not practical where the mobility is involved
> for
> >the
> >real-time applications due to the performance implications.
> >
> >
> > > -----Original Message-----
> > > From: Bharatia, Jayshree [RICH1:2H13:EXCH]
> > > Sent: Monday, September 15, 2003 4:39 PM
> > > To: 'Gopal Dommety'; Adrangi, Farid
> > > Cc: mccap@lucent.com; henrik@levkowetz.com
> > > Subject: RE: Request for text proposal for your scenario
> > >
> > >
> > > Gopal,
> > >
> > > I was in the impression that you will modify the text. Anyway, I 
> > > won't able to do much today but let me try tomorrow and 
> send you the 
> > > text...
> > >
> > > Regards,
> > > Jayshree
> > >
> > > > -----Original Message-----
> > > > From: Gopal Dommety [mailto:gdommety@cisco.com]
> > > > Sent: Monday, September 15, 2003 2:03 PM
> > > > To: Adrangi, Farid; Bharatia, Jayshree [RICH1:2H13:EXCH]
> > > > Cc: mccap@lucent.com; henrik@levkowetz.com
> > > > Subject: RE: Request for text proposal for your scenario
> > > >
> > > >
> > > > Jayshree,
> > > >
> > > > Can you massage the text that you sent to fit what I was
> > > referring to.
> > > >
> > > > -Gopal
> > > >
> > > > At 04:08 PM 9/11/2003 -0700, Adrangi, Farid wrote:
> > > >
> > > > >Hi Gopal,
> > > > >Ok.  I guess my interpretation of your scenario was 
> not accurate! 
> > > > >Maybe the best thing is that you and Jayshree propose 
> a text that
> > > > >*clearly* articulates the scenario and its problems.
> > > Would that be
> > > > >possible? Thanks a bunch. BR,
> > > > >Farid
> > > > >
> > > > >-----Original Message-----
> > > > >From: Gopal Dommety [mailto:gdommety@cisco.com]
> > > > >Sent: Thursday, September 11, 2003 3:43 PM
> > > > >To: Adrangi, Farid; Jayshree Bharatia
> > > > >Cc: mccap@lucent.com; henrik@levkowetz.com
> > > > >Subject: RE: Request for text proposal for your scenario
> > > > >
> > > > >Farid,
> > > > >
> > > > >I am not suggesting a solution. I am confused by your 
> > > > >inferences...comments inline to the best of my confusion.
> > > > >
> > > > >
> > > > > >1) MN may be several hops away from the VPN/FA
> > > > >
> > > > >I was talking about one hop away. the multiple hops is
> > > > interesting. The
> > > > >deployment scenarios of one hop and multiple hop 
> solutions could
> be
> > > > >very
> > > > >
> > > > >different.
> > > > >
> > > > >
> > > > > >2) FA advertisement is done inside the IPsec tunnel 
> established 
> > > > > >between the MN and VPN/FA.
> > > > >
> > > > >It is possible.. but then we are going into solution space.
> > > > >
> > > > > >3) MN roaming in a foreign network cannot be place behind
> > > > a FA.  For
> > > > > >example, the following picture is not possible:
> > > > > >
> > > > > >MN ---FA----one or hops----FA/VPN1
> > > > > >
> > > > > >4) VPN1/FA could also be your remote access VPN.  So, the
> > > > picture can
> > > > >be
> > > > > >simplified as follows
> > > > > >
> > > > > >MN ----one or more hops -----FA/VPN ---Intranet
> > > > > >
> > > > > >Note: I get frighten when I see nested IPsec tunnels, in
> > > > particular
> > > > > >established by different IPsec client software running on
> > > > the client
> > > > > >device!!!
> > > > > >
> > > > > >So, since the scenario does not support #3 above, 
> then the only 
> > > > > >problem that we have is with SA refreshes when the MN
> > > changes its
> > > > > >point of attachment.  Is my understanding correct?
> > > > > >
> > > > > >BR,
> > > > > >FArid
> > > > > >
> > > > > >
> > > > > >
> > > > > >-----Original Message-----
> > > > > >From: Gopal Dommety [mailto:gdommety@cisco.com]
> > > > > >Sent: Thursday, September 11, 2003 10:58 AM
> > > > > >To: Jayshree Bharatia; Adrangi, Farid
> > > > > >Cc: mccap@lucent.com; henrik@levkowetz.com
> > > > > >Subject: RE: Request for text proposal for your scenario
> > > > > >
> > > > > >Hello Farid, Henrick and Jayashree,
> > > > > >
> > > > > >the scenario I was referring to  is as followis:
> > > > > >
> > > > > >MN---------|VPN/FA|-----------------[VPN2]---------HA
> > > > > >
> > > > > >VPN1 Provides Encryption/decryption for the link and
> > > access to the
> > > > > >visiting domain.
> > > > > >VPN 2 is optional for remote access.
> > > > > >
> > > > > >Thanks
> > > > > >Gopal
> > > > > >
> > > > > >At 10:52 AM 9/11/2003 -0500, Jayshree Bharatia wrote:
> > > > > >
> > > > > > >Hello Farid,
> > > > > > >
> > > > > > >I would think that there may or may not be IPSec tunnel
> > > > between the
> > > > >MN
> > > > > >and
> > > > > > >the FA/VPN. If there is, than it will have similar 
> issue as 
> > > > > > >discussed
> > > > > >in
> > > > > > >the proposed text. If there is no IPSec, the 
> traffic will be
> > > > > >unprotected
> > > > > > >between these two entities.
> > > > > > >
> > > > > > >Regards,
> > > > > > >Jayshree
> > > > > > > > -----Original Message-----
> > > > > > > > From: Adrangi, Farid
> > > > > > >
> > > [<mailto:farid.adrangi@intel.com>mailto:farid.adrangi@intel.com]
> > > > > > > > Sent: Wednesday, September 10, 2003 4:32 PM
> > > > > > > > To: Bharatia, Jayshree [RICH1:2H13:EXCH]
> > > > > > > > Cc: mccap@lucent.com; henrik@levkowetz.com;
> > > gdommety@cisco.com
> > > > > > > > Subject: RE: Request for text proposal for your scenario
> > > > > > > >
> > > > > > > >
> > > > > > > > Thanks Jayshree.  Couple of clarifications:
> > > > > > > >
> > > > > > > > From your description, it is my understanding that
> > > > there is only
> > > > > > > > one IPsec tunnel, and that is between the FA/VPN in
> > > > the foreign
> > > > > > > > and the VPN GW in the VPN domain.  In other words, No
> IPsec
> > > > > > > > tunnel between the MN and the VPN GW in VPN domain
> > > and hence
> > > > > > > > data traffic between the MN and the FA is not
> > > > protected.  Is my
> > > > > > > > understanding correct?  I will have more
> questions/comments
> > > > > > > > based on your answers.  Thanks for the text and
> > > > hopefully we can
> > > > > > > > wrap this up this week. BR, Farid
> > > > > > > >
> > > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: Jayshree Bharatia
> > > > > > >
> > > > >
> > > >
> > >
> >[<mailto:jayshree@nortelnetworks.com>mailto:jayshree@nortelnetworks.c
> > > > > >om
> > > > >]
> > > > > > > > Sent: Wednesday, September 10, 2003 12:15 PM
> > > > > > > > To: Adrangi, Farid
> > > > > > > > Cc: mccap@lucent.com; henrik@levkowetz.com;
> > > gdommety@cisco.com
> > > > > > > > Subject: RE: Request for text proposal for your scenario
> > > > > > > >
> > > > > > > > Hi Farid,
> > > > > > > >
> > > > > > > > The following is my proposed text for the co-located
> > > > FA-VPN GW
> > > > > > > > scenario.
> > > > > > > >
> > > > > > > >
> > > > > > > > Reagrds,
> > > > > > > > Jayshree
> > > > > > > > ---------------------
> > > > > > > >
> > > > > > > > 2.6 Combined VPN Gateway and MIPv4 FA
> > > > > > > >
> > > > > > > > MIPv4 FA and the VPN Gateway are running on the
> > > same physical
> > > > > >machine.
> > > > > > > >
> > > > > > > >
> > > > > > > >      ..Foreign Network...             .....VPN
> > > > > >Domain..(Intranet)....
> > > > > > > >      .                  .             .
> > > > > >.
> > > > > > > >      .  +----+  +-----+ .           +----+     +-------+
> > > > >+-------+
> > > > > >.
> > > > > > > >      .  |MNs |  | FA  | .           | VPN|     |
> > > > Router|  | HAs
> > > > >|
> > > > > >.
> > > > > > > >      .  |away|  | +   | .<=========>| GW |     | 1..n  |
> |
> > > > >|
> > > > > >.
> > > > > > > >      .  |    |  | VPN | .           |    |     +-------+
> > > > >+-------+
> > > > > >.
> > > > > > > >      .  |    |  | GW  | .           |    |
> > > > > >.
> > > > > > > >      .  +----+  +-----+ .           +----+     +-------+
> > > > >+-------+
> > > > > >.
> > > > > > > >      .                  .             .        |  CN
> > > >  |  | MNs
> > > > >|
> > > > > >.
> > > > > > > >      ....................             .        | 1..n
> > > >  |  | home
> > > > >|
> > > > > >.
> > > > > > > >                                       .        +-------+
> > > > >+-------+
> > > > > >.
> > > > > > > >                                       .
> > > > > >.
> > > > > > > >
> > > > > >...............................
> > > > > > > >
> > > > > > > >
> > > > > > > > In this scenario, two VPN gateways are involved where
> > > > the FA is
> > > > > > > > considered to be the trusted entity. The mipv4 tunnel
> > > > is running
> > > > > > > > inside the IPSec-ESP. For end-to-end security model, the
> VPN
> > > > > > > > Gateway within the VPN Domain must protect the 
> IP traffic 
> > > > > > > > originating at the MN. Since the point of
> > > attachment changes
> > > > > > > > corresponding to the movement of the MN, it is
> > > essential that
> > > > > > > > the VPN tunnel security association must be refreshed
> > > > after each
> > > > > > > > IP subnet handoff. Hence, this scenario is not
> > > > practical where
> > > > > > > > the mobility is involved due to performance
> > > > implications for the
> > > > > > > > real-time applications.
> > > > > > > >
> > > > > > > > > -----Original Message-----
> > > > > > > > > From: Adrangi, Farid
> > > > > > >
> > > [<mailto:farid.adrangi@intel.com>mailto:farid.adrangi@intel.com]
> > > > > > > > > Sent: Wednesday, September 03, 2003 7:54 PM
> > > > > > > > > To: Bharatia, Jayshree [RICH1:2H13:EXCH]
> > > > > > > > > Cc: mccap@lucent.com; henrik@levkowetz.com;
> > > > gdommety@cisco.com
> > > > > > > > > Subject: Request for text proposal for your scenario
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > Hello Jayshree,
> > > > > > > > > Could you please propose a text for the scenario
> > > > that you want
> > > > > > > > > to be added to the problem-statement draft? BR, Farid
> > > > > > > > >
> > > > > > > > > -----Original Message-----
> > > > > > > > > From: Jayshree Bharatia
> > > > > > >
> > > > >
> > > >
> > >
> >[<mailto:jayshree@nortelnetworks.com>mailto:jayshree@nortelnetworks.c
> > > > > >om
> > > > >]
> > > > > > > > > Sent: Wednesday, August 06, 2003 12:13 PM
> > > > > > > > > To: Adrangi, Farid
> > > > > > > > > Cc: mip4@ietf.org
> > > > > > > > > Subject: RE: Comments on VPN Problem Statement Draft
> > > > > > > > >
> > > > > > > > > Hello Farid,
> > > > > > > > >
> > > > > > > > > Please see my reply below.
> > > > > > > > >
> > > > > > > > > Thanks,
> > > > > > > > > Jayshree
> > > > > > > > > -----Original Message-----
> > > > > > > > > From: Adrangi, Farid
> > > > > > >
> > > [<mailto:farid.adrangi@intel.com>mailto:farid.adrangi@intel.com]
> > > > > > > > > Sent: Sunday, August 03, 2003 11:50 PM
> > > > > > > > > To: Bharatia, Jayshree [RICH1:2H13:EXCH]
> > > > > > > > > Cc: mip4@ietf.org
> > > > > > > > > Subject: RE: Comments on VPN Problem Statement Draft
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > Hello Jayshree,
> > > > > > > > > Thanks for following up on this.  You, Gopal, and I
> > > > had a very
> > > > > > > > > brief conversation on this during IETF-57 - but I
> > > > am not sure
> > > > > > > > > if we derived any conclusion on whether or 
> not we should 
> > > > > > > > > include this scenario.  To be frank, I don't quite
> > > > understand
> > > > > > > > > the point behind adding this scenario because,
> > > > > > > > > -          It seems to present a solution to 
> a specific
> > > > > > > > > deployment model
> > > > > > > > > rather than a deployment scenario
> > > > > > > > > [JB] My understanding is different from yours 
> so please 
> > > > > > > > > elaborate what you mean by deployment model vs
> deployment
> > > > > > > > > scenario in this particular context.
> > > > > > > > >
> > > > > > > > > -          I don't quite see the advantages of  a
> combined
> > > > > > > > > VPN+FA if it
> > > > > > > > > does
> > > > > > > > > not support FA traversal and it does not avoid IPsec 
> > > > > > > > > renegotiation when MN moves from one subnet 
> to another - 
> > > > > > > > > perhaps you can elaborate on this? [JB] I think
> > > regardless
> > > > > > > > > this scenario has any advantages or not, it is one of
> the
> > > > > > > > > probable scenario which has potential issues (as you
> have
> > > > > > > > > indicated earlier).
> > > > > > > > >
> > > > > > > > > -          Furthermore, Scenarios in section 2 of
> > > > the problem
> > > > > > > > > statement
> > > > > > > > > draft represents combinations of MIPv4 HA and VPN
> gateway
> > > > > > > > > placement - adding this scenario is going to change
> > > > semantics
> > > > > > > > > of the section 2. [JB] I am not sure what you mean by 
> > > > > > > > > semantics change here. Do you think documenting
> > > this in new
> > > > > > > > > subsection (2.6) is a problem?
> > > > > > > > >
> > > > > > > > > I have no problem adding this scenario to the draft
> > > > - I just
> > > > > > > > > wanted to make sure that we clearly understand the
> > > > reasons for
> > > > > > > > > adding this scenario to the problem statement
> > > draft. Design
> > > > > > > > > team members and interested individuals are welcome
> > > > to express
> > > > > > > > > their opinion on this.
> > > > > > > > >
> > > > > > > > > Best regards,
> > > > > > > > > Farid
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >  The   following   sub-sections   introduce   five
> > > > > >representative
> > > > > > > > >    combinations of MIPv4 HA and VPN gateway placement.
> > > > > > > > >
> > > > > > > > > -----Original Message-----
> > > > > > > > > From: Jayshree Bharatia
> > > > > > >
> > > > >
> > > >
> > >
> >[<mailto:jayshree@nortelnetworks.com>mailto:jayshree@nortelnetworks.c
> > > > > >om
> > > > >]
> > > > > > > > > Sent: Thursday, July 31, 2003 1:44 PM
> > > > > > > > > To: Adrangi, Farid
> > > > > > > > > Cc: 'mip4@ietf.org'
> > > > > > > > > Subject: RE: Comments on VPN Problem Statement Draft
> > > > > > > > >
> > > > > > > > > Hello Farid,
> > > > > > > > >
> > > > > > > > > As per our earlier discussion during IETF-57, my
> > > > understanding
> > > > > > > > > is that you will include the scenario of
> > > co-existed FA with
> > > > > > > > > the VPN gateway in the VPN Problem
> > > > > > > > Statement draft.
> > > > > > > > >
> > > > > > > > > I agree that this particular scenario has problems and
> it
> > > > > > > > > won't work if the MN is behind an FA in the
> > > foreign subnet.
> > > > > > > > > But again, this is a problem statement draft.
> > > > Hence, I believe
> > > > > > > > > that this is the appropriate document for mentioning
> this
> > > > > > > > > scenario.
> > > > > > > > >
> > > > > > > > > Thanks,
> > > > > > > > > Jayshree
> > > > > > > > >
> > > > > > > > > -----Original Message-----
> > > > > > > > > From: Adrangi, Farid
> > > > > > >
> > > [<mailto:farid.adrangi@intel.com>mailto:farid.adrangi@intel.com]
> > > > > > > > > Sent: Monday, April 07, 2003 2:58 PM
> > > > > > > > > To: Bharatia, Jayshree [RICH1:2H13:EXCH]
> > > > > > > > > Cc: 'mobile-ip@sunroof.eng.sun.com'
> > > > > > > > > Subject: RE: Comments on VPN Problem Statement Draft
> Hello
> > > > > > > > > Jayshree This is a good point - I knew someone
> > > was to bring
> > > > > > > > > this up! At the time of writing these 
> scenarios, we (the 
> > > > > > > > > design team) actually discussed this and 
> concluded this 
> > > > > > > > > scenario would fall into a solution space.  Maybe
> > > > we did not
> > > > > > > > > make the right decision and we should rethink this.
> But,
> > > > > > > > > before we take this discussion further please allow
> > > > me to ask
> > > > > > > > > you a few questions about the details of the
> > > > scenario (VPN+FA)
> > > > > > > > > that you have in mind .  Are you thinking to broadcast
> FA
> > > > > > > > > advertisements through the IPsec tunnel to the
> > > MN?  If so,
> > > > > > > > > how will this work if MN is already behind an 
> FA in the 
> > > > > > > > > foreign subnet? Or, If you had something
> > > different in mind,
> > > > > > > > > perhaps you can elaborate on that. Best regards, Farid
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > -----Original Message-----
> > > > > > > > > From: Jayshree Bharatia
> > > > > > >
> > > > >
> > > > >[<mailto:jayshree@nortelnetworks.com>>
> > > > >mailto:jayshree@nortelnetworks.c
> > > > > >om
> > > > >]
> > > > > >,
> > > > > > > > > Sent: Friday, April 04, 2003 3:14 PM
> > > > > > > > > To: 'farid.adrangi@intel.com'
> > > > > > > > > Cc: 'mobile-ip@sunroof.eng.sun.com'
> > > > > > > > > Subject: Comments on VPN Problem Statement Draft
> > > > > > > > >
> > > > > > > > > Hello Farid,
> > > > > > > > > This draft
> > > > (draft-ietf-mobileip-vpn-problem-statement-req-01)
> > > > > > > > > currently misses one scenario were the FA is
> > > > co-existed with
> > > > > > > > > the VPN Gateway. I would think that there are no
> technical
> > > > > > > > > issues supporting this scenario. It will be good
> > > if you can
> > > > > > > > > add this scenario in the draft (perhaps as section
> > > > > > > > > 2.6?)
> > > > > > > > > for completeness.
> > > > > > > > > Thanks,
> > > > > > > > > Jayshree
> > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > >
> > > >
> > >
> 
> 

_______________________________________________
Mip4 mailing list
Mip4@ietf.org
https://www.ietf.org/mailman/listinfo/mip4