RE: [Mip4] Re: Request for text proposal for your scenario

"Jayshree Bharatia" <jayshree@nortelnetworks.com> Thu, 11 September 2003 22:47 UTC

Message-ID: <870397D7C140C84DB081B88396458DAF746B91@zrc2c000.us.nortel.com>
From: Jayshree Bharatia <jayshree@nortelnetworks.com>
To: "'Adrangi, Farid'" <farid.adrangi@intel.com>
Cc: mip4@ietf.org
Subject: RE: [Mip4] Re: Request for text proposal for your scenario
Date: Thu, 11 Sep 2003 17:22:09 -0500

Farid,
 
As I mentioned in my earlier email addressed to Gopal, we can focus on
the scenario where we have an IPSec tunnel between the MN and the VPN gateway.
My proposed text was wrt the VPN GW of the VPN domain. My thoughts were that
if we have an FA in the picture (roaming scenario), it is always safe to assume
that it is a remote scenario.
 
We can logically assume one VPN entity (co-existed with the FA) and describe
the scenario which is fine with me as well. I am open to the suggestion. So
let's look at Gopal's proposal and make changes accordingly in the text for
this scenario.
 
Thanks,
Jayshree

-----Original Message-----
From: Adrangi, Farid [mailto:farid.adrangi@intel.com] 
Sent: Thursday, September 11, 2003 3:52 PM
To: mip4@ietf.org
Subject: [Mip4] Re: Request for text proposal for your scenario

-----Original Message-----
From: Adrangi, Farid 
Sent: Thursday, September 11, 2003 10:38 AM
To: 'Jayshree Bharatia'
Cc: mccap@lucent.com; henrik@levkowetz.com; gdommety@cisco.com
Subject: RE: Request for text proposal for your scenario

Thanks Jayshree.  Ok, let me be more specific by putting inline comments in
your text below.  Thanks.

BR,

Farid

Jayshree wrote:

"In this scenario, two VPN gateways are involved where the FA is considered
to be the trusted entity. The mipv4 tunnel is running inside the IPSec-ESP
(Farid> established between the two VPN gateways). For end-to-end security
model, the VPN Gateway within the VPN Domain must protect the IP traffic
originating at the MN (Farid> currently your scenario does not provide
end-2-end security as the traffic between the MN and the FA is in clear - so
are you implying that there should be another IPsec tunnel between the MN
and the VPN GW protecting the Intranet?). Since the point of attachment
changes corresponding to the movement of the MN, it is essential that the
VPN tunnel security association must be refreshed after each IP subnet
handoff (Farid> in your scenario, the MN is not the IPsec tunnel end-point.
So, when the MN changes its point of attachment, it does not have to worry
about refreshing SAs!). Hence, this scenario is not practical where the
mobility is involved due to performance implications for the real-time
applications."

-----Original Message-----
From: Jayshree Bharatia [mailto:jayshree@nortelnetworks.com] 
Sent: Thursday, September 11, 2003 8:52 AM
To: Adrangi, Farid
Cc: mccap@lucent.com; henrik@levkowetz.com; gdommety@cisco.com
Subject: RE: Request for text proposal for your scenario

Hello Farid, 

I would think that there may or may not be an IPSec tunnel between the MN and
the FA/VPN. If there is, then it will have a similar issue as discussed in the
proposed text. If there is no IPSec, the traffic will be unprotected between
these two entities.

Regards, 
Jayshree 
> -----Original Message----- 
> From: Adrangi, Farid [mailto:farid.adrangi@intel.com] 
> Sent: Wednesday, September 10, 2003 4:32 PM 
> To: Bharatia, Jayshree [RICH1:2H13:EXCH] 
> Cc: mccap@lucent.com; henrik@levkowetz.com; gdommety@cisco.com 
> Subject: RE: Request for text proposal for your scenario 
> 
> 
> Thanks Jayshree.  Couple of clarifications: 
> 
> From your description, it is my understanding that there is 
> only one IPsec tunnel, and that is between the FA/VPN in the 
> foreign and the VPN GW in the VPN domain.  In other words, No 
> IPsec tunnel between the MN and the VPN GW in VPN domain and 
> hence data traffic between the MN and the FA is not 
> protected.  Is my understanding correct?  I will have more 
> questions/comments based on your answers.  Thanks for the 
> text and hopefully we can wrap this up this week. BR, Farid 
> 
> 
> -----Original Message----- 
> From: Jayshree Bharatia [mailto:jayshree@nortelnetworks.com] 
> Sent: Wednesday, September 10, 2003 12:15 PM 
> To: Adrangi, Farid 
> Cc: mccap@lucent.com; henrik@levkowetz.com; gdommety@cisco.com 
> Subject: RE: Request for text proposal for your scenario 
> 
> Hi Farid, 
> 
> The following is my proposed text for the co-located FA-VPN 
> GW scenario. 
> 
> 
> Regards, 
> Jayshree 
> --------------------- 
> 
> 2.6 Combined VPN Gateway and MIPv4 FA 
> 
> MIPv4 FA and the VPN Gateway are running on the same physical machine. 
> 
> 
>      ..Foreign Network...             .....VPN Domain..(Intranet).... 
>      .                  .             .                             . 
>      .  +----+  +-----+ .           +----+     +-------+  +-------+ . 
>      .  |MNs |  | FA  | .           | VPN|     | Router|  | HAs   | . 
>      .  |away|  | +   | .<=========>| GW |     | 1..n  |  |       | . 
>      .  |    |  | VPN | .           |    |     +-------+  +-------+ . 
>      .  |    |  | GW  | .           |    |                          . 
>      .  +----+  +-----+ .           +----+     +-------+  +-------+ . 
>      .                  .             .        |  CN   |  | MNs   | . 
>      ....................             .        | 1..n  |  | home  | . 
>                                       .        +-------+  +-------+ . 
>                                       .                             . 
>                                       ............................... 
> 
> 
> In this scenario, two VPN gateways are involved where the FA 
> is considered to be the trusted entity. The mipv4 tunnel is 
> running inside the IPSec-ESP. For end-to-end security model, 
> the VPN Gateway within the VPN Domain must protect the IP 
> traffic originating at the MN. Since the point of attachment 
> changes corresponding to the movement of the MN, it is 
> essential that the VPN tunnel security association must be 
> refreshed after each IP subnet handoff. Hence, this scenario 
> is not practical where the mobility is involved due to performance 
> implications for the real-time applications. 
> 
> > -----Original Message----- 
> > From: Adrangi, Farid [mailto:farid.adrangi@intel.com] 
> > Sent: Wednesday, September 03, 2003 7:54 PM 
> > To: Bharatia, Jayshree [RICH1:2H13:EXCH] 
> > Cc: mccap@lucent.com; henrik@levkowetz.com; gdommety@cisco.com 
> > Subject: Request for text proposal for your scenario 
> > 
> > 
> > 
> > Hello Jayshree, 
> > Could you please propose a text for the scenario that you 
> > want to be added to the problem-statement draft? 
> > BR, 
> > Farid 
> > 
> > -----Original Message----- 
> > From: Jayshree Bharatia [mailto:jayshree@nortelnetworks.com] 
> > Sent: Wednesday, August 06, 2003 12:13 PM 
> > To: Adrangi, Farid 
> > Cc: mip4@ietf.org 
> > Subject: RE: Comments on VPN Problem Statement Draft 
> > 
> > Hello Farid, 
> > 
> > Please see my reply below. 
> > 
> > Thanks, 
> > Jayshree 
> > -----Original Message----- 
> > From: Adrangi, Farid [mailto:farid.adrangi@intel.com] 
> > Sent: Sunday, August 03, 2003 11:50 PM 
> > To: Bharatia, Jayshree [RICH1:2H13:EXCH] 
> > Cc: mip4@ietf.org 
> > Subject: RE: Comments on VPN Problem Statement Draft 
> > 
> > 
> > Hello Jayshree, 
> > Thanks for following up on this.  You, Gopal, and I had a 
> > very brief conversation on this during IETF-57 - but I am not 
> > sure if we derived any conclusion on whether or not we should 
> > include this scenario.  To be frank, I don't quite understand 
> > the point behind adding this scenario because, 
> > - It seems to present a solution to a specific deployment model 
> > rather than a deployment scenario 
> > [JB] My understanding is different from yours so please 
> > elaborate what you mean by deployment model vs deployment 
> > scenario in this particular context. 
> > 
> > - I don't quite see the advantages of a combined VPN+FA if it does 
> > not support FA traversal and it does not avoid IPsec 
> > renegotiation when MN moves from one subnet to another - 
> > perhaps you can elaborate on this? [JB] I think regardless 
> > this scenario has any advantages or not, it is one of the 
> > probable scenario which has potential issues (as you have 
> > indicated earlier). 
> > 
> > - Furthermore, scenarios in section 2 of the problem statement 
> > draft represent combinations of MIPv4 HA and VPN gateway 
> > placement - adding this scenario is going to change semantics 
> > of the section 2. [JB] I am not sure what you mean by 
> > semantics change here. Do you think documenting this in new 
> > subsection (2.6) is a problem? 
> > 
> > I have no problem adding this scenario to the draft - I just 
> > wanted to make sure that we clearly understand the reasons 
> > for adding this scenario to the problem statement draft.  
> > Design team members and interested individuals are welcome to 
> > express their opinion on this.  
> > 
> > Best regards, 
> > Farid 
> > 
> > 
> > The following sub-sections introduce five representative 
> > combinations of MIPv4 HA and VPN gateway placement. 
> > 
> > -----Original Message----- 
> > From: Jayshree Bharatia [mailto:jayshree@nortelnetworks.com] 
> > Sent: Thursday, July 31, 2003 1:44 PM 
> > To: Adrangi, Farid 
> > Cc: 'mip4@ietf.org' 
> > Subject: RE: Comments on VPN Problem Statement Draft 
> > 
> > Hello Farid, 
> > 
> > As per our earlier discussion during IETF-57, my 
> > understanding is that you will include the scenario of 
> > co-existed FA with the VPN gateway in the VPN Problem 
> > Statement draft. 
> > 
> > I agree that this particular scenario has problems and it 
> > won't work if the MN is behind an FA in the foreign subnet. 
> > But again, this is a problem statement draft. Hence, I 
> > believe that this is the appropriate document for mentioning 
> > this scenario. 
> > 
> > Thanks, 
> > Jayshree 
> > 
> > -----Original Message----- 
> > From: Adrangi, Farid [mailto:farid.adrangi@intel.com] 
> > Sent: Monday, April 07, 2003 2:58 PM 
> > To: Bharatia, Jayshree [RICH1:2H13:EXCH] 
> > Cc: 'mobile-ip@sunroof.eng.sun.com' 
> > Subject: RE: Comments on VPN Problem Statement Draft 
> > Hello Jayshree 
> > This is a good point - I knew someone was to bring this up!  
> > At the time of writing these scenarios, we (the design team) 
> > actually discussed this and concluded this scenario would 
> > fall into a solution space.  Maybe we did not make the right 
> > decision and we should rethink this.  But, before we take 
> > this discussion further please allow me to ask you a few 
> > questions about the details of the scenario (VPN+FA) that you 
> > have in mind.  Are you thinking to broadcast FA 
> > advertisements through the IPsec tunnel to the MN?  If so, 
> > how will this work if MN is already behind an FA in the 
> > foreign subnet? Or, if you had something different in mind, 
> > perhaps you can elaborate on that. Best regards, Farid 
> > 
> > 
> > -----Original Message----- 
> > From: Jayshree Bharatia [mailto:jayshree@nortelnetworks.com] 
> > Sent: Friday, April 04, 2003 3:14 PM 
> > To: 'farid.adrangi@intel.com' 
> > Cc: 'mobile-ip@sunroof.eng.sun.com' 
> > Subject: Comments on VPN Problem Statement Draft 
> > 
> > Hello Farid, 
> > This draft (draft-ietf-mobileip-vpn-problem-statement-req-01) 
> > currently misses one scenario where the FA is co-existed with 
> > the VPN Gateway. I would think that there are no technical 
> > issues supporting this scenario. It will be good if you can 
> > add this scenario in the draft (perhaps as section 
> > 2.6?) 
> > for completeness. 
> > Thanks, 
> > Jayshree 
> > 
> > 
>
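The disagreement in this thread comes down to two questions about the section 2.6 figure: on which hops is the MN's traffic actually inside ESP, and which node owns the security association that a subnet handoff touches. The following Python model is an added example, not code from the mip4 list or from the problem-statement draft. It represents the packet path as the ordered list of nodes from the figure and each IPsec tunnel as the pair of its end-points; the node names, the path, and the three tunnel placements are constructed to mirror the figure and the variants discussed above (gateway-to-gateway ESP only, an MN-to-VPN-GW tunnel only, and both nested).

```python
"""Which links carry the MN's traffic inside ESP, and whose SA a handoff touches.

Added example; not code from the mip4 thread or the problem-statement draft.
A path is the ordered list of nodes a packet from the MN crosses, and a
tunnel is the unordered pair of its ESP end-points. All node names and
tunnel placements below are constructed to mirror the section 2.6 figure.
"""

from typing import Dict, List, Tuple

Tunnel = Tuple[str, str]


def _span(path: List[str], tunnel: Tunnel) -> Tuple[int, int]:
    """Indices on `path` between which `tunnel` encapsulates the packet."""
    a, b = tunnel
    if a not in path or b not in path:
        raise ValueError(f"tunnel end-point not on the path: {tunnel}")
    lo, hi = sorted((path.index(a), path.index(b)))
    return lo, hi


def link_protection(path: List[str], tunnels: List[Tunnel]) -> Dict[str, bool]:
    """Map each link 'X->Y' of `path` to True when some ESP tunnel spans it.

    Link k (between path[k] and path[k+1]) lies inside a tunnel whose
    end-points sit at indices lo <= k and hi >= k + 1; nested tunnels overlap.
    """
    spans = [_span(path, t) for t in tunnels]
    return {
        f"{path[k]}->{path[k + 1]}": any(lo <= k < hi for lo, hi in spans)
        for k in range(len(path) - 1)
    }


def unprotected_links(path: List[str], tunnels: List[Tunnel]) -> List[str]:
    """Links on which the MN's traffic is carried outside any ESP tunnel."""
    return [link for link, inside in link_protection(path, tunnels).items()
            if not inside]


def sas_held_by(tunnels: List[Tunnel], node: str) -> List[Tunnel]:
    """Tunnels for which `node` is an end-point.

    Only these SAs are bound to the node's own address, so only these are
    affected when that node changes its point of attachment.
    """
    return [t for t in tunnels if node in t]


# Constructed path for the combined FA/VPN-GW scenario: the MN sits in the
# foreign network behind an FA co-located with a VPN gateway; the MIPv4
# tunnel towards the HA runs inside gateway-to-gateway ESP, and the HA
# forwards to a CN inside the intranet.
PATH_MN_TO_CN = ["MN", "FA+VPN-GW", "VPN-GW", "HA", "CN"]

GW_TO_GW_ONLY = [("FA+VPN-GW", "VPN-GW")]  # the 2.6 text as first proposed
MN_TO_GW_ONLY = [("MN", "VPN-GW")]         # the MN itself is an ESP end-point
BOTH = GW_TO_GW_ONLY + MN_TO_GW_ONLY        # MN tunnel nested in the gateway tunnel


if __name__ == "__main__":
    for name, tunnels in [("gateway-to-gateway ESP", GW_TO_GW_ONLY),
                          ("MN-to-VPN-GW ESP", MN_TO_GW_ONLY),
                          ("both tunnels", BOTH)]:
        print(f"{name}:")
        for link, inside in link_protection(PATH_MN_TO_CN, tunnels).items():
            print(f"  {link:18} {'inside ESP' if inside else 'clear'}")
        print(f"  SAs the MN holds: {sas_held_by(tunnels, 'MN')}")
```

With gateway-to-gateway ESP only, the model reports the MN-to-FA hop as clear and an empty SA list for the MN, which is the pair of observations Farid makes inline. With an MN-to-VPN-GW tunnel the first hop becomes protected, but the MN now owns the SA that a change of point of attachment affects, which is the trade-off Jayshree describes. The intranet hops (VPN-GW to HA, HA to CN) show as clear only because no ESP tunnel is modelled there; the scenario is about protecting traffic up to the VPN gateway.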