Re: [pim] PIM and IPsec experience
Toerless Eckert <eckert@cisco.com> Wed, 11 March 2015 13:37 UTC
Date: Wed, 11 Mar 2015 06:37:30 -0700
From: Toerless Eckert <eckert@cisco.com>
To: Alia Atlas <akatlas@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/pim/Tw2Bc5XWtRw7Fd4L6pNQbmaf0OE>
Cc: "draft-ietf-pim-rfc4601bis@ietf.org" <draft-ietf-pim-rfc4601bis@ietf.org>, "pim@ietf.org" <pim@ietf.org>
Subject: Re: [pim] PIM and IPsec experience
List-Id: Protocol Independent Multicast <pim.ietf.org>

Sure, such a list sounds useful. But that does not answer my question.

On Tue, Mar 10, 2015 at 03:04:13PM -0400, Alia Atlas wrote:
> On Tue, Mar 10, 2015 at 2:59 PM, Toerless Eckert <eckert@cisco.com> wrote:
>
> > If we assume very little deployment experience... where would that
> > leave us wrt. to AH vs. ESP vs how to move forward on the spec side ?
> >
>
> We are checking to see how the RFC Editor can handle Updates for 4601bis.
> It would be useful in 4601bis to have Informational references to the
> various RFCs that update 4601 and help set them in context for a future
> reader.
>
> Alia
>
> > Cheers
> >     Toerless
> >
> > On Tue, Mar 10, 2015 at 04:23:11PM +0000, Jeffrey (Zhaohui) Zhang wrote:
> > > Lab testing can provide data on interoperability, but what about
> > > deployment experiences?
> > >
> > > > -----Original Message-----
> > > > From: William Atwood [mailto:william.atwood@concordia.ca]
> > > > Sent: Tuesday, March 10, 2015 12:16 PM
> > > > To: pim@ietf.org; draft-ietf-pim-rfc4601bis@ietf.org
> > > > Subject: Re: [pim] PIM and IPsec experience
> > > >
> > > > Stig,
> > > >
> > > > At Concordia, as part of the work supporting the development specified
> > > > in RFC 5796, we did a series of tests.
> > > >
> > > > 1) Two and three "soft" routers (Linux boxes running XORP) for the
> > > > "same key for everyone" and "separate keys for each sender" cases.
> > > >
> > > > 2) Two and three Cisco 2811 routers for the same two cases, except that
> > > > we could not run the "three-router, separate keys case for each sender"
> > > > case due to a limitation in the Cisco command line interface for manual
> > > > keying.
> > > >
> > > > 3) Inter-operation of a XORP router and a Cisco 2811, for both the
> > > > "same-key" and the "separate key" cases, with one XORP router and one
> > > > Cisco router. (The "three-router, separate keys" case was not tried,
> > > > for the reasons given above.)
> > > >
> > > > 4) Inter-operation of a XORP router and a Cisco 2911.
> > > >
> > > > AH was used in all the tests.
> > > >
> > > > Since the establishment of the IPsec parameters is _completely_
> > > > independent of the PIM-SM code, I expect that it would not be difficult
> > > > to demonstrate inter-operation with ESP. I would be willing to provide
> > > > the manpower to do this.
> > > >
> > > > The above establishes the existence of two independent inter-operating
> > > > implementations. If I can find someone to loan me a suitable router
> > > > from another company (with IPsec enabled), I expect that it would not
> > > > be hard to demonstrate inter-operation with a third implementation, for
> > > > both AH and ESP. (I would be willing to provide the manpower to do
> > > > this.)
> > > >
> > > > Bill
> > > >
> > > >
> > > > On 09/03/2015 8:10 PM, Stig Venaas wrote:
> > > > > Hi
> > > > >
> > > > > As part of making RFC 4601 an Internet Standard we would like to
> > > > > know to what extent there is experience with AH interoperability.
> > > > > Has anyone conducted tests or are aware of deployments with multiple
> > > > > implementations? What about ESP?
> > > > >
> > > > > It would also be interesting to know about deployments using IPsec,
> > > > > even if just a single implementation is involved. No need to name
> > > > > particular deployments, but it would be nice to get some idea how
> > > > > common it is.
> > > > >
> > > > > Stig
> > > > >
> > > > > _______________________________________________
> > > > > pim mailing list
> > > > > pim@ietf.org
> > > > > https://www.ietf.org/mailman/listinfo/pim
> > > >
> > > > --
> > > > Dr. J.W. Atwood, Eng.             tel:   +1 (514) 848-2424 x3046
> > > > Distinguished Professor Emeritus  fax:   +1 (514) 848-2830
> > > > Department of Computer Science
> > > >    and Software Engineering
> > > > Concordia University EV 3.185     email:william.atwood@concordia.ca
> > > > 1455 de Maisonneuve Blvd. West    http://users.encs.concordia.ca/~bill
> > > > Montreal, Quebec Canada H3G 1M8
> > >
> > > _______________________________________________
> > > pim mailing list
> > > pim@ietf.org
> > > https://www.ietf.org/mailman/listinfo/pim