Re: [pim] PIM and IPsec experience

Toerless Eckert <eckert@cisco.com> Tue, 10 March 2015 18:59 UTC

Date: Tue, 10 Mar 2015 11:59:45 -0700
From: Toerless Eckert <eckert@cisco.com>
To: "Jeffrey (Zhaohui) Zhang" <zzhang@juniper.net>
Message-ID: <20150310185945.GM16454@cisco.com>
References: <54FE3666.4030702@venaas.com> <54FF18A5.9010706@concordia.ca> <BY2PR05MB0794C13F2D9E0F93088E67DD4180@BY2PR05MB079.namprd05.prod.outlook.com>
In-Reply-To: <BY2PR05MB0794C13F2D9E0F93088E67DD4180@BY2PR05MB079.namprd05.prod.outlook.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/pim/Y4am09sumGKN0Ng3xOSQ5kTKX_8>
Cc: "draft-ietf-pim-rfc4601bis@ietf.org" <draft-ietf-pim-rfc4601bis@ietf.org>, "pim@ietf.org" <pim@ietf.org>
Subject: Re: [pim] PIM and IPsec experience

If we assume very little deployment experience... where would that
leave us with respect to AH vs. ESP vs. how to move forward on the spec side?

Cheers
    Toerless

On Tue, Mar 10, 2015 at 04:23:11PM +0000, Jeffrey (Zhaohui) Zhang wrote:
> Lab testing can provide data on interoperability, but what about deployment experiences?
> 
> > -----Original Message-----
> > From: William Atwood [mailto:william.atwood@concordia.ca]
> > Sent: Tuesday, March 10, 2015 12:16 PM
> > To: pim@ietf.org; draft-ietf-pim-rfc4601bis@ietf.org
> > Subject: Re: [pim] PIM and IPsec experience
> > 
> > Stig,
> > 
> > At Concordia, as part of the work supporting the development specified
> > in RFC 5796, we did a series of tests.
> > 
> > 1) Two and three "soft" routers (Linux boxes running XORP) for the "same
> > key for everyone" and "separate keys for each sender" cases.
> > 
> > 2) Two and three Cisco 2811 routers for the same two cases, except that
> > we could not run the "three-router, separate keys for each sender"
> > case due to a limitation in the Cisco command line interface for manual
> > keying.
> > 
> > 3) Inter-operation of a XORP router and a Cisco 2811, for both the
> > "same-key" and the "separate key" cases, with one XORP router and one
> > Cisco router.  (The "three-router, separate keys" case was not tried,
> > for the reasons given above.)
> > 
> > 4) Inter-operation of a XORP router and a Cisco 2911.
> > 
> > AH was used in all the tests.
> > 
> > Since the establishment of the IPsec parameters is _completely_
> > independent of the PIM-SM code, I expect that it would not be difficult
> > to demonstrate inter-operation with ESP.  I would be willing to provide
> > the manpower to do this.
> > 
> > The above establishes the existence of two independent inter-operating
> > implementations.  If I can find someone to loan me a suitable router
> > from another company (with IPsec enabled), I expect that it would not be
> > hard to demonstrate inter-operation with a third implementation, for
> > both AH and ESP.  (I would be willing to provide the manpower to do this.)
> > 
> >   Bill
> > 
> > 
> > On 09/03/2015 8:10 PM, Stig Venaas wrote:
> > > Hi
> > >
> > > As part of making RFC 4601 an Internet Standard we would like to know to
> > > what extent there is experience with AH interoperability. Has anyone
> > > conducted tests or is aware of deployments with multiple
> > > implementations? What about ESP?
> > >
> > > It would also be interesting to know about deployments using IPsec,
> > > even if just a single implementation is involved. No need to name
> > > particular deployments, but it would be nice to get some idea how
> > > common it is.
> > >
> > > Stig
> > >
> > > _______________________________________________
> > > pim mailing list
> > > pim@ietf.org
> > > https://www.ietf.org/mailman/listinfo/pim
> > 
> > --
> > Dr. J.W. Atwood, Eng.             tel:   +1 (514) 848-2424 x3046
> > Distinguished Professor Emeritus  fax:   +1 (514) 848-2830
> > Department of Computer Science
> >    and Software Engineering
> > Concordia University EV 3.185     email:william.atwood@concordia.ca
> > 1455 de Maisonneuve Blvd. West    http://users.encs.concordia.ca/~bill
> > Montreal, Quebec Canada H3G 1M8
> 
> _______________________________________________
> pim mailing list
> pim@ietf.org
> https://www.ietf.org/mailman/listinfo/pim

-- 
---
Toerless Eckert, eckert@cisco.com
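The two keying arrangements Bill tested, "same key for everyone" and "separate keys for each sender", translate directly into what a receiving router's inbound SA table must contain, and that is where the three-router separate-keys case gets awkward under manual keying. The following is an added example written for this thread; it is not code from the list, from the authors, or from RFC 5796. It models a PIM Hello carried in IPv4 + AH with HMAC-SHA1-96 (assumed as the integrity algorithm), looks the inbound SA up by (SPI, destination) as RFC 4301 does for multicast, and shows what each arrangement does and does not authenticate. Addresses, SPIs and keys are constructed sample values; binding an inbound SA to one expected source address is a modelling choice (RFC 4301 permits it for multicast SAs), not something the thread states.

```python
"""IPsec AH on PIM link-local messages, modelled after RFC 5796.

Constructed example for this thread (not code from the list, its authors or
the RFC).  Builds a PIM Hello inside IPv4 + AH with HMAC-SHA1-96 (assumed)
under manual keying and shows what the receiver's inbound SA table must hold
in the "same key" and "separate keys per sender" cases.  Sample values only.
"""
import hashlib
import hmac
import ipaddress
import struct

ALL_PIM_ROUTERS = "224.0.0.13"   # link-local group all PIM Hellos go to
IPPROTO_AH, IPPROTO_PIM = 51, 103
AH_LEN, ICV_LEN = 24, 12         # 12-byte AH header + 96-bit truncated HMAC

def _inet_checksum(data):
    """RFC 1071 checksum, used by both the IPv4 and the PIM header."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s >> 16) + (s & 0xFFFF)
    return (~s) & 0xFFFF

def _ipv4_header(src, dst, ttl, payload_len, for_icv=False):
    """IPv4 header carrying AH. for_icv=True zeroes the fields AH treats as
    mutable (TOS, flags/fragment offset, TTL, checksum) per RFC 4302."""
    f = [0x45, 0, 20 + payload_len, 0, 0, 0 if for_icv else ttl, IPPROTO_AH, 0,
         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    if not for_icv:
        f[7] = _inet_checksum(struct.pack("!BBHHHBBH4s4s", *f))
    return struct.pack("!BBHHHBBH4s4s", *f)

def _ah_header(spi, seq, icv):
    # next header = PIM, payload length = AH_LEN/4 - 2, reserved, SPI, sequence
    return struct.pack("!BBHII", IPPROTO_PIM, AH_LEN // 4 - 2, 0, spi, seq) + icv

def pim_hello(holdtime=105, generation_id=0x1234ABCD):
    """PIMv2 Hello (type 0) with Holdtime (option 1) and Generation ID (20)."""
    opts = struct.pack("!HHH", 1, 2, holdtime) + struct.pack("!HHI", 20, 4, generation_id)
    msg = struct.pack("!BBH", 0x20, 0, 0) + opts
    return msg[:2] + struct.pack("!H", _inet_checksum(msg)) + msg[4:]

def ah_icv(key, src, dst, spi, seq, payload):
    """HMAC-SHA1-96 over immutable IP fields, AH header with zeroed ICV, payload."""
    ip = _ipv4_header(src, dst, 0, AH_LEN + len(payload), for_icv=True)
    ah = _ah_header(spi, seq, b"\x00" * ICV_LEN)
    return hmac.new(key, ip + ah + payload, hashlib.sha1).digest()[:ICV_LEN]

def protect(key, src, spi, seq, ttl=1):
    """Sender: Hello to 224.0.0.13 with TTL 1, wrapped in AH."""
    payload = pim_hello()
    icv = ah_icv(key, src, ALL_PIM_ROUTERS, spi, seq, payload)
    ip = _ipv4_header(src, ALL_PIM_ROUTERS, ttl, AH_LEN + len(payload))
    return ip + _ah_header(spi, seq, icv) + payload

def verify(sad, packet):
    """Receiver. Multicast inbound SAs are found by (SPI, destination), so every
    SA for 224.0.0.13 differs only by SPI; each holds (key, bound source or None)."""
    ip, ah, payload = packet[:20], packet[20:20 + AH_LEN], packet[20 + AH_LEN:]
    if ip[9] != IPPROTO_AH:
        return False
    src, dst = (str(ipaddress.IPv4Address(ip[i:i + 4])) for i in (12, 16))
    next_hdr, _, _, spi, seq = struct.unpack("!BBHII", ah[:12])
    sa = sad.get((spi, dst))
    if sa is None or next_hdr != IPPROTO_PIM or (sa[1] is not None and sa[1] != src):
        return False
    return hmac.compare_digest(ah_icv(sa[0], src, dst, spi, seq, payload), ah[12:])

# Constructed three-router link: case 1 shares one SPI/key, case 2 gives each
# sender its own SPI/key and binds the receiver's SA for it to that sender.
ROUTERS = ["192.0.2.1", "192.0.2.2", "192.0.2.3"]
SHARED_SPI, SHARED_KEY = 0x1000, b"one-key-for-the-whole-link"
PER_SENDER = {r: (0x2000 + i, b"key-of-" + r.encode()) for i, r in enumerate(ROUTERS, 1)}

def same_key_case():
    """One inbound SA accepts every neighbour."""
    sad = {(SHARED_SPI, ALL_PIM_ROUTERS): (SHARED_KEY, None)}
    return [verify(sad, protect(SHARED_KEY, r, SHARED_SPI, seq=1)) for r in ROUTERS]

def shared_key_allows_impersonation():
    """The ICV covers the source address, but any key holder may choose it: a
    Hello from an address that is not even on the link still verifies."""
    sad = {(SHARED_SPI, ALL_PIM_ROUTERS): (SHARED_KEY, None)}
    return verify(sad, protect(SHARED_KEY, "192.0.2.9", SHARED_SPI, seq=7))

def separate_keys_case(receiver, configured):
    """`receiver` accepts only neighbours whose SAs are in `configured`. With
    three routers it needs two inbound SAs for one destination, one per peer."""
    sad = {(PER_SENDER[r][0], ALL_PIM_ROUTERS): (PER_SENDER[r][1], r) for r in configured}
    return {r: verify(sad, protect(PER_SENDER[r][1], r, PER_SENDER[r][0], seq=1))
            for r in ROUTERS if r != receiver}

def per_sender_keys_bind_source():
    """Router 1's key/SPI used to forge a Hello from router 2's address: rejected
    when the SA is bound to its sender, accepted when the receiver skips that check."""
    r1, r2 = ROUTERS[0], ROUTERS[1]
    bound = {(PER_SENDER[r][0], ALL_PIM_ROUTERS): (PER_SENDER[r][1], r) for r in (r1, r2)}
    unbound = {k: (key, None) for k, (key, _) in bound.items()}
    forged = protect(PER_SENDER[r1][1], r2, PER_SENDER[r1][0], seq=3)
    return verify(bound, forged), verify(unbound, forged)
```

Two things the model makes visible that the test report alone does not: with a single shared key, AH proves only that the sender holds the link key, not which router it is (shared_key_allows_impersonation returns True); and per-sender keys only pin down the sender if the receiver also checks that the source address matches the SA it selected by SPI (per_sender_keys_bind_source returns (False, True)). Swapping AH for ESP with NULL encryption changes the header layout and, because the ESP ICV does not cover the outer IP header, leaves that source check entirely to the receiver's SA lookup.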