Re: [pim] PIM and IPsec experience

Toerless Eckert <eckert@cisco.com> Wed, 11 March 2015 13:37 UTC

Date: Wed, 11 Mar 2015 06:37:30 -0700
From: Toerless Eckert <eckert@cisco.com>
To: Alia Atlas <akatlas@gmail.com>
Message-ID: <20150311133730.GA874@cisco.com>
References: <54FE3666.4030702@venaas.com> <54FF18A5.9010706@concordia.ca> <BY2PR05MB0794C13F2D9E0F93088E67DD4180@BY2PR05MB079.namprd05.prod.outlook.com> <20150310185945.GM16454@cisco.com> <CAG4d1rcZ0viMq1Bp6GjaG-gUWnjzwLSmgVLWZUtQ+17M96EnZQ@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAG4d1rcZ0viMq1Bp6GjaG-gUWnjzwLSmgVLWZUtQ+17M96EnZQ@mail.gmail.com>
User-Agent: Mutt/1.4.2.2i
Archived-At: <http://mailarchive.ietf.org/arch/msg/pim/Tw2Bc5XWtRw7Fd4L6pNQbmaf0OE>
Cc: "draft-ietf-pim-rfc4601bis@ietf.org" <draft-ietf-pim-rfc4601bis@ietf.org>, "pim@ietf.org" <pim@ietf.org>
Subject: Re: [pim] PIM and IPsec experience

Sure, such a list sounds useful. But that does not answer my question.


On Tue, Mar 10, 2015 at 03:04:13PM -0400, Alia Atlas wrote:
> On Tue, Mar 10, 2015 at 2:59 PM, Toerless Eckert <eckert@cisco.com> wrote:
> 
> > If we assume very little deployment experience... where would that
> > leave us wrt. to AH vs. ESP vs how to move forward on the spec side ?
> >
> 
> We are checking to see how the RFC Editor can handle Updates for 4601bis.
> It would be useful in 4601bis to have Informational references to the
> various RFCs
> that update 4601 and help set them in context for a future reader.
> 
> Alia
> 
> 
> 
> > Cheers
> >     Toerless
> >
> > On Tue, Mar 10, 2015 at 04:23:11PM +0000, Jeffrey (Zhaohui) Zhang wrote:
> > > Lab testing can provide data on interoperability, but what about
> > deployment experiences?
> > >
> > > > -----Original Message-----
> > > > From: William Atwood [mailto:william.atwood@concordia.ca]
> > > > Sent: Tuesday, March 10, 2015 12:16 PM
> > > > To: pim@ietf.org; draft-ietf-pim-rfc4601bis@ietf.org
> > > > Subject: Re: [pim] PIM and IPsec experience
> > > >
> > > > Stig,
> > > >
> > > > At Concordia, as part of the work supporting the development specified
> > > > in RFC 5796, we did a series of tests.
> > > >
> > > > 1) Two and three "soft" routers (Linux boxes running XORP) for the "same
> > > > key for everyone" and "separate keys for each sender" cases.
> > > >
> > > > 2) Two and three Cisco 2811 routers for the same two cases, except that
> > > > we could not run the "three-router, separate keys case for each sender"
> > > > case due to a limitation in the Cisco command line interface for manual
> > > > keying.
> > > >
> > > > 3) Inter-operation of a XORP router and a Cisco 2811, for both the
> > > > "same-key" and the "separate key" cases, with one XORP router and one
> > > > Cisco router.  (The "three-router, separate keys" case was not tried,
> > > > for the reasons given above.)
> > > >
> > > > 4) Inter-operation of a XORP router and a Cisco 2911.
> > > >
> > > > AH was used in all the tests.
> > > >
> > > > Since the establishment of the IPsec parameters is _completely_
> > > > independent of the PIM-SM code, I expect that it would not be difficult
> > > > to demonstrate inter-operation with ESP.  I would be willing to provide
> > > > the manpower to do this.
> > > >
> > > > The above establishes the existence of two independent inter-operating
> > > > implementations.  If I can find someone to loan me a suitable router
> > > > from another company (with IPsec enabled), I expect that it would not be
> > > > hard to demonstrate inter-operation with a third implementation, for
> > > > both AH and ESP.  (I would be willing to provide the manpower to do this.)
> > > >
> > > >   Bill
> > > >
> > > >
> > > > On 09/03/2015 8:10 PM, Stig Venaas wrote:
> > > > > Hi
> > > > >
> > > > > As part of making RFC 4601 an Internet Standard we would like to know to
> > > > > what extent there is experience with AH interoperability. Has anyone
> > > > > conducted tests or are aware of deployments with multiple
> > > > > implementations? What about ESP?
> > > > >
> > > > > It would also be interesting to know about deployments using IPsec,
> > > > > even if just a single implementation is involved. No need to name
> > > > > particular deployments, but it would be nice to get some idea how
> > > > > common it is.
> > > > >
> > > > > Stig
> > > > >
> > > > > _______________________________________________
> > > > > pim mailing list
> > > > > pim@ietf.org
> > > > > https://www.ietf.org/mailman/listinfo/pim
> > > >
> > > > --
> > > > Dr. J.W. Atwood, Eng.             tel:   +1 (514) 848-2424 x3046
> > > > Distinguished Professor Emeritus  fax:   +1 (514) 848-2830
> > > > Department of Computer Science
> > > >    and Software Engineering
> > > > Concordia University EV 3.185     email:william.atwood@concordia.ca
> > > > 1455 de Maisonneuve Blvd. West    http://users.encs.concordia.ca/~bill
> > > > Montreal, Quebec Canada H3G 1M8
> > >