Re: [pim] PIM and IPsec experience

Brian Haberman <brian@innovationslab.net> Tue, 10 March 2015 16:31 UTC

All,

On 3/10/15 12:23 PM, Jeffrey (Zhaohui) Zhang wrote:
> Lab testing can provide data on interoperability, but what about deployment experiences?

Deployment experience is key.  RFC 6410 describes the four conditions
for advancing a specification to Internet Standard.

   (1) There are at least two independent interoperating implementations
       with widespread deployment and successful operational experience.

   (2) There are no errata against the specification that would cause a
       new implementation to fail to interoperate with deployed ones.

   (3) There are no unused features in the specification that greatly
       increase implementation complexity.

   (4) If the technology required to implement the specification
       requires patented or otherwise controlled technology, then the
       set of implementations must demonstrate at least two independent,
       separate and successful uses of the licensing process.

Point (1) needs to be documented and that includes deployment experience.

Regards,
Brian

> 
>> -----Original Message-----
>> From: William Atwood [mailto:william.atwood@concordia.ca]
>> Sent: Tuesday, March 10, 2015 12:16 PM
>> To: pim@ietf.org; draft-ietf-pim-rfc4601bis@ietf.org
>> Subject: Re: [pim] PIM and IPsec experience
>>
>> Stig,
>>
>> At Concordia, as part of the work supporting the development specified
>> in RFC 5796, we did a series of tests.
>>
>> 1) Two and three "soft" routers (Linux boxes running XORP) for the "same
>> key for everyone" and "separate keys for each sender" cases.
>>
>> 2) Two and three Cisco 2811 routers for the same two cases, except that
>> we could not run the "three-router, separate keys for each sender"
>> case due to a limitation in the Cisco command line interface for manual
>> keying.
>>
>> 3) Inter-operation of a XORP router and a Cisco 2811, for both the
>> "same-key" and the "separate key" cases, with one XORP router and one
>> Cisco router.  (The "three-router, separate keys" case was not tried,
>> for the reasons given above.)
>>
>> 4) Inter-operation of a XORP router and a Cisco 2911.
>>
>> AH was used in all the tests.
>>
>> Since the establishment of the IPsec parameters is _completely_
>> independent of the PIM-SM code, I expect that it would not be difficult
>> to demonstrate inter-operation with ESP.  I would be willing to provide
>> the manpower to do this.
>>
>> The above establishes the existence of two independent inter-operating
>> implementations.  If I can find someone to loan me a suitable router
>> from another company (with IPsec enabled), I expect that it would not be
>> hard to demonstrate inter-operation with a third implementation, for
>> both AH and ESP.  (I would be willing to provide the manpower to do this.)
>>
>>   Bill
>>
>>
>> On 09/03/2015 8:10 PM, Stig Venaas wrote:
>>> Hi
>>>
>>> As part of making RFC 4601 an Internet Standard we would like to know to
>>> what extent there is experience with AH interoperability. Has anyone
>>> conducted tests, or is anyone aware of deployments with multiple
>>> implementations? What about ESP?
>>>
>>> It would also be interesting to know about deployments using IPsec,
>>> even if just a single implementation is involved. No need to name
>>> particular deployments, but it would be nice to get some idea how
>>> common it is.
>>>
>>> Stig
>>>
>>> _______________________________________________
>>> pim mailing list
>>> pim@ietf.org
>>> https://www.ietf.org/mailman/listinfo/pim
>>
>> --
>> Dr. J.W. Atwood, Eng.             tel:   +1 (514) 848-2424 x3046
>> Distinguished Professor Emeritus  fax:   +1 (514) 848-2830
>> Department of Computer Science
>>    and Software Engineering
>> Concordia University EV 3.185     email:william.atwood@concordia.ca
>> 1455 de Maisonneuve Blvd. West    http://users.encs.concordia.ca/~bill
>> Montreal, Quebec Canada H3G 1M8