Re: [pim] PIM and IPsec experience

Brian Haberman <brian@innovationslab.net> Wed, 11 March 2015 14:11 UTC

Message-ID: <55004CEF.80502@innovationslab.net>
Date: Wed, 11 Mar 2015 10:10:55 -0400
From: Brian Haberman <brian@innovationslab.net>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: pim@ietf.org
References: <54FE3666.4030702@venaas.com> <54FF18A5.9010706@concordia.ca> <BY2PR05MB0794C13F2D9E0F93088E67DD4180@BY2PR05MB079.namprd05.prod.outlook.com> <20150310185945.GM16454@cisco.com> <CAG4d1rcZ0viMq1Bp6GjaG-gUWnjzwLSmgVLWZUtQ+17M96EnZQ@mail.gmail.com> <20150311133730.GA874@cisco.com>
In-Reply-To: <20150311133730.GA874@cisco.com>
Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="G5fX7G6L7lScAwnW9NrVfrjjQ188aQgAC"
Archived-At: <http://mailarchive.ietf.org/arch/msg/pim/kiw0Xkkf_HspIHj1AxUScQjCvqQ>

Hi Toerless,

On 3/11/15 9:37 AM, Toerless Eckert wrote:
> Sure, such a list sounds useful. But that does not answer my question.
> 

Let me take a crack at it.

> 
> On Tue, Mar 10, 2015 at 03:04:13PM -0400, Alia Atlas wrote:
>> On Tue, Mar 10, 2015 at 2:59 PM, Toerless Eckert <eckert@cisco.com> wrote:
>>
>>> If we assume very little deployment experience... where would that
>>> leave us wrt. to AH vs. ESP vs how to move forward on the spec side ?
>>>

The rules on advancing a specification to IS are rather clear on this.
If a feature does not have wide implementation and deployment
experience, it is pulled out of the specification.

In the case of 4601bis, I would suspect that section 6.3 would be taken
out.  If so, it could be replaced with an informative reference to RFC 5796.

The other RFCs that update 4601 would need to be examined to see how
they impact the spec as well.

Regards,
Brian

>>
>> We are checking to see how the RFC Editor can handle Updates for 4601bis.
>> It would be useful in 4601bis to have Informational references to the
>> various RFCs
>> that update 4601 and help set them in context for a future reader.
>>
>> Alia
>>
>>
>>
>>> Cheers
>>>     Toerless
>>>
>>> On Tue, Mar 10, 2015 at 04:23:11PM +0000, Jeffrey (Zhaohui) Zhang wrote:
>>>> Lab testing can provide data on interoperability, but what about
>>>> deployment experiences?
>>>>
>>>>> -----Original Message-----
>>>>> From: William Atwood [mailto:william.atwood@concordia.ca]
>>>>> Sent: Tuesday, March 10, 2015 12:16 PM
>>>>> To: pim@ietf.org; draft-ietf-pim-rfc4601bis@ietf.org
>>>>> Subject: Re: [pim] PIM and IPsec experience
>>>>>
>>>>> Stig,
>>>>>
>>>>> At Concordia, as part of the work supporting the development specified
>>>>> in RFC 5796, we did a series of tests.
>>>>>
>>>>> 1) Two and three "soft" routers (Linux boxes running XORP) for the "same
>>>>> key for everyone" and "separate keys for each sender" cases.
>>>>>
>>>>> 2) Two and three Cisco 2811 routers for the same two cases, except that
>>>>> we could not run the "three-router, separate keys case for each sender"
>>>>> case due to a limitation in the Cisco command line interface for manual
>>>>> keying.
>>>>>
>>>>> 3) Inter-operation of a XORP router and a Cisco 2811, for both the
>>>>> "same-key" and the "separate key" cases, with one XORP router and one
>>>>> Cisco router.  (The "three-router, separate keys" case was not tried,
>>>>> for the reasons given above.)
>>>>>
>>>>> 4) Inter-operation of a XORP router and a Cisco 2911.
>>>>>
>>>>> AH was used in all the tests.
>>>>>
>>>>> Since the establishment of the IPsec parameters is _completely_
>>>>> independent of the PIM-SM code, I expect that it would not be difficult
>>>>> to demonstrate inter-operation with ESP.  I would be willing to provide
>>>>> the manpower to do this.
>>>>>
>>>>> The above establishes the existence of two independent inter-operating
>>>>> implementations.  If I can find someone to loan me a suitable router
>>>>> from another company (with IPsec enabled), I expect that it would not be
>>>>> hard to demonstrate inter-operation with a third implementation, for
>>>>> both AH and ESP.  (I would be willing to provide the manpower to do this.)
>>>>>
>>>>>   Bill
>>>>>
>>>>>
>>>>> On 09/03/2015 8:10 PM, Stig Venaas wrote:
>>>>>> Hi
>>>>>>
>>>>>> As part of making RFC 4601 an Internet Standard we would like to know to
>>>>>> what extent there is experience with AH interoperability. Has anyone
>>>>>> conducted tests or are aware of deployments with multiple
>>>>>> implementations? What about ESP?
>>>>>>
>>>>>> It would also be interesting to know about deployments using IPsec,
>>>>>> even if just a single implementation is involved. No need to name
>>>>>> particular deployments, but it would be nice to get some idea how
>>>>>> common it is.
>>>>>>
>>>>>> Stig
>>>>>>
>>>>>> _______________________________________________
>>>>>> pim mailing list
>>>>>> pim@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/pim
>>>>>
>>>>> --
>>>>> Dr. J.W. Atwood, Eng.             tel:   +1 (514) 848-2424 x3046
>>>>> Distinguished Professor Emeritus  fax:   +1 (514) 848-2830
>>>>> Department of Computer Science
>>>>>    and Software Engineering
>>>>> Concordia University EV 3.185     email:william.atwood@concordia.ca
>>>>> 1455 de Maisonneuve Blvd. West    http://users.encs.concordia.ca/~bill
>>>>> Montreal, Quebec Canada H3G 1M8
>>>>
> 
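The two keying models Bill Atwood's tests exercised (one key shared by every router on the link, versus a separate key for each sender) differ in what a receiver can conclude from a valid AH integrity check. The Python below is an added illustration for this thread; it is not code from the thread, from XORP, or from the Cisco images mentioned. It builds an AH-protected PIMv2 Hello with manual keying over IPv4 using HMAC-SHA1-96, models the receiving router's inbound SAD lookup as either (SPI, destination) for the shared-key case or (SPI, destination, source) for the per-sender case that RFC 5796 allows for multicast SAs, and shows that with a shared key a third router on the link can forge a Hello carrying another router's source address, while per-sender SAs reject the forgery. The addresses, SPIs, keys and Generation ID are constructed for the example; ESP, IPv6 and replay handling are not modelled.

```python
import hashlib
import hmac
import socket
import struct

# Added illustration (not the thread's, XORP's or Cisco's code): AH-protected
# PIM-SM Hellos under manual keying, comparing "same key for everyone" with
# "separate keys for each sender".  IPv4, HMAC-SHA1-96 and every SPI, key and
# address below are assumptions made for the example.
ALL_PIM_ROUTERS = "224.0.0.13"   # IPv4 ALL-PIM-ROUTERS group
PROTO_AH, PROTO_PIM = 51, 103
ICV_LEN = 12                     # HMAC-SHA1-96 truncates the MAC to 96 bits
AH_PAYLOAD_LEN = (12 + ICV_LEN) // 4 - 2   # RFC 4302: 32-bit words minus 2


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (used by both IPv4 and PIM)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pim_hello(holdtime=105, dr_priority=1, gen_id=0x5EEDCAFE) -> bytes:
    """PIMv2 Hello (type 0) with Holdtime, DR Priority and Generation ID options."""
    opts = struct.pack("!HHH", 1, 2, holdtime)        # option 1: Holdtime
    opts += struct.pack("!HHI", 19, 4, dr_priority)   # option 19: DR Priority
    opts += struct.pack("!HHI", 20, 4, gen_id)        # option 20: Generation ID
    csum = inet_checksum(struct.pack("!BBH", 0x20, 0, 0) + opts)
    return struct.pack("!BBH", 0x20, 0, csum) + opts  # version 2, type 0


def ipv4_header(src, dst, total_len, proto, ttl=1) -> bytes:
    """Minimal 20-byte IPv4 header; TTL 1 because PIM Hellos are link-local."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def ipv4_immutable_view(ip_hdr: bytes) -> bytes:
    """Zero the mutable IPv4 fields that AH excludes from the ICV (RFC 4302)."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # TOS
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)


def compute_icv(key: bytes, ip_hdr: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    """HMAC-SHA1-96 over the immutable IP header, AH (ICV zeroed) and payload."""
    covered = ipv4_immutable_view(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def build_packet(src, key, spi, seq, pim_msg, dst=ALL_PIM_ROUTERS) -> bytes:
    """IPv4 + AH + PIM, as a sender with manual key `key` and SPI `spi` emits it."""
    ip = ipv4_header(src, dst, 20 + 12 + ICV_LEN + len(pim_msg), PROTO_AH)
    ah = struct.pack("!BBHII", PROTO_PIM, AH_PAYLOAD_LEN, 0, spi, seq)
    return ip + ah + compute_icv(key, ip, ah, pim_msg) + pim_msg


class ManualSAD:
    """Inbound SAD with manual keys.  per_sender=False selects the SA on
    (SPI, dst): the 'same key for everyone' case.  per_sender=True selects on
    (SPI, dst, src): the 'separate keys for each sender' case."""

    def __init__(self, per_sender: bool):
        self.per_sender = per_sender
        self.sas = {}

    def add(self, spi, key, src=None, dst=ALL_PIM_ROUTERS):
        self.sas[(spi, dst, src if self.per_sender else None)] = key

    def lookup(self, spi, dst, src):
        return self.sas.get((spi, dst, src if self.per_sender else None))


def verify_packet(sad: ManualSAD, pkt: bytes) -> str:
    """Return 'ok' or the reason the receiving router drops the packet."""
    ip, ah, icv, payload = pkt[:20], pkt[20:32], pkt[32:32 + ICV_LEN], pkt[32 + ICV_LEN:]
    if ip[9] != PROTO_AH:
        return "no AH header"
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    next_hdr, payload_len, _, spi, _seq = struct.unpack("!BBHII", ah)
    if payload_len != AH_PAYLOAD_LEN:
        return "unexpected AH length"
    key = sad.lookup(spi, dst, src)
    if key is None:
        return "no SA"
    if not hmac.compare_digest(icv, compute_icv(key, ip, ah, payload)):
        return "bad ICV"
    if next_hdr != PROTO_PIM or inet_checksum(payload) != 0:
        return "bad PIM message"
    return "ok"


def demo() -> dict:
    """Router B verifies Hellos from A, then Hellos that router C forges as A."""
    hello = pim_hello()
    a, c = "192.0.2.1", "192.0.2.3"                      # constructed addresses
    k_link, k_a, k_c = b"one-key-for-the-link", b"key-only-A-has", b"key-only-C-has"
    results = {}

    shared = ManualSAD(per_sender=False)
    shared.add(spi=0x100, key=k_link)
    results["shared/A"] = verify_packet(shared, build_packet(a, k_link, 0x100, 1, hello))
    # C holds the same key, so a Hello it forges with A's source address passes.
    results["shared/C-as-A"] = verify_packet(shared, build_packet(a, k_link, 0x100, 2, hello))

    per_sender = ManualSAD(per_sender=True)
    per_sender.add(spi=0x101, key=k_a, src=a)
    per_sender.add(spi=0x102, key=k_c, src=c)
    results["per-sender/A"] = verify_packet(per_sender, build_packet(a, k_a, 0x101, 1, hello))
    # C forges A's source under A's SPI but only has its own key: ICV mismatch.
    results["per-sender/C-as-A"] = verify_packet(per_sender, build_packet(a, k_c, 0x101, 1, hello))
    # C forges A's source under its own SPI: no (SPI, dst, src) SA matches.
    results["per-sender/C-as-A-own-spi"] = verify_packet(per_sender, build_packet(a, k_c, 0x102, 1, hello))
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:28s} {outcome}")
```

The per-sender model only helps if the receiver can select the inbound SA on source address as well as SPI and destination; the `per_sender` flag on `ManualSAD` is a hypothetical stand-in for whatever an implementation's manual-keying configuration allows, which is the kind of limitation the three-router separate-keys test in the thread ran into. Because the ICV is computed over the immutable view of the IP header, a TTL or TOS rewrite in transit still verifies, while any change to the PIM payload does not.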