IETF Logo Mail Archive

Re: [renum] I-D Action: draft-ietf-6renum-gap-analysis-03.txt

"Di Ma" <madi@cnnic.cn> Thu, 20 September 2012 19:57 UTC

Return-Path: <madi@cnnic.cn>
X-Original-To: renum@ietfa.amsl.com
Delivered-To: renum@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F50321E805F for <renum@ietfa.amsl.com>; Thu, 20 Sep 2012 12:57:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.049
X-Spam-Level:
X-Spam-Status: No, score=0.049 tagged_above=-999 required=5 tests=[AWL=-0.595, BAYES_05=-1.11, HTML_MESSAGE=0.001, MIME_BASE64_TEXT=1.753]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8-OWpv37cds4 for <renum@ietfa.amsl.com>; Thu, 20 Sep 2012 12:57:13 -0700 (PDT)
Received: from cnnic.cn (smtp.cnnic.cn [159.226.7.146]) by ietfa.amsl.com (Postfix) with SMTP id 379C421F8682 for <renum@ietf.org>; Thu, 20 Sep 2012 12:57:10 -0700 (PDT)
X-EYOUMAIL-SMTPAUTH: madi@cnnic.cn
Received: from unknown127.0.0.1 (HELO user-think) (127.0.0.1) by 127.0.0.1 with SMTP; Fri, 21 Sep 2012 03:57:00 +0800
Date: Fri, 21 Sep 2012 03:56:58 +0800
From: Di Ma <madi@cnnic.cn>
To: RJ Atkinson <rja.lists@gmail.com>
References: <07A9B495-21EA-4DFD-84BC-AF5BB6B62BE2@gmail.com> <8AE0F17B87264D4CAC7DE0AA6C406F452935720A@szxeml509-mbs>, <E2FEB233-3206-4E6C-B54D-BA832B545009@gmail.com>
X-Priority: 3
X-Has-Attach: no
X-Mailer: Foxmail 7.0.1.90[cn]
Mime-Version: 1.0
Message-ID: <201209210356573495357@cnnic.cn>
Content-Type: multipart/alternative; boundary="----=_001_NextPart487888456634_=----"
Cc: 6renum <renum@ietf.org>
Subject: Re: [renum] I-D Action: draft-ietf-6renum-gap-analysis-03.txt
X-BeenThere: renum@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: madi <madi@cnnic.cn>
List-Id: "Renumbering discussion mailing list." <renum.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/renum>, <mailto:renum-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/renum>
List-Post: <mailto:renum@ietf.org>
List-Help: <mailto:renum-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/renum>, <mailto:renum-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Sep 2012 19:57:14 -0000

Hi, Ran,
 
Thank you very much indeed for your detailed comments. You have provided plenty of valuable information. Yet in my previous mail, what I was trying to say is that IPSec itself is an address-based connection, which, by the way, has nothing to do with the methods IKE employs to identify the peers negotiating SA parameters. 
 
Conspicuously, non-IP-address identifiers such as FQDN can help IPSec participants to exchange notes, and with IKE IPSec endpoints can recover automatically as you mentioned. The reason why I threw the IPSec issue in the category of network renumbering is that at some specific circumstances IPSec SA parameters, as IP address oriented, can be configured in a better way other than IKE (v2) to go with renumbering events.
 
By the virtue of specific network operations, SA configuration management could be fancied in an optimized way. Customer Premises Network (CPN) offers a scenario where the configuration of SA parameters for specific IPSec participants can be integrated into IP address assignment. As widely observed, some CPN services such as DNS recursive resolution service, SIP proxy service, are expected to have integrity and confidentiality protection. That is, from the point of view of a user host, SA parameters bound to DNS recursive name server or SIP server, can be considered undifferentiated with other network parameters, such as IP address of the user host, default gateway address, that are commonly configured via DHCP.
 
Since the IPSec is address-oriented and the DHCP server is responsible for IP address configuration, we might as well integrate IPSec SA parameters configuration into IP address assignment by extending DHCP where the IP address configuration node (DHCP server) plays like an “administrator” using DHCP to configure IPSec SA parameters in a host, after it, in deputy of the host, has negotiated with a CPN server the very host wants to establish IPSec with.  Consequently, after the renumbering event, the user host can get a new IP address and new SA parameters piggybacked via DHCP messages.
 
To be exact, in this scenario, the user host will be a SA establishment initiator and the DHCP server will serve as the deputy for the user host to negotiate SA parameters with the CPN server such as DNS recursive name server, SIP server, etc. The superiority of granting SA management to DHCP server is that the SA negotiation will be simplified based on the preconfigured trust relationship between the DHCP server and other CPN servers, since in regular CPN scenarios, the DHCP server and CPN servers are usually at the same administration domain, sometimes even integrated in the same device, which makes the IKEv2 authentication exchanges unnecessary.  Secure tunnels, such as HTTPS or other secure protocols with less rounds could be easily applied to protect the communication between the DHCP server and CPN server when needed.  
 
Once the very method is realized, the IPSec SA negotiation is transparent to user hosts especially the handheld devices that are considered as “thin clients”. The user host tells the configuration entity, DHCP server for instance, it wants to know the IP address of DNS recursive name server and it wants to employ IPSec to secure the “DNS last mile”, then via some processes at the side of the access network, it gets the IP address (es) of the DNS server and the SA parameters it needs to configure to establish IPSec with the very DNS server. 
 
Recently we are working on the design and a draft is going to be submitted soon. 

Yours,
Di Ma

China Internet Network Information Center (CNNIC)
Tel: (8610)-58813216
Mobile:(86)-18611718301
Https://www.cnnic.cn
Add: 4, South 4th Street, Zhongguancun
Haidian District, Beijing
P.R.China 100190
POB: Beijing 349, Branch 6
____________________________________________________

From: RJ Atkinson
Date: 2012-09-20 19:30
To: renum
Subject: Re: [renum] I-D Action: draft-ietf-6renum-gap-analysis-03.txt

On 19  Sep 2012, at 22:22 , Liubing (Leo) wrote:
> But I think what Di and Marc argued is that,
> they might found in their cases, the FQDN ability
> was not easy to enable, which may caused by various deployment/implementation issues.

It really is very easy to enable in products from
multiple vendors (e.g. Netscreen, Cisco, Juniper).

In any case, both "ease of use" and "user interface"
are outside the usual scope of the IETF.

The big issue appears to be that folks don't realise
why using FQDN is better than IP addresses -- which
is why RFC 5887 talked about this.

Yours,

Ran


_______________________________________________
renum mailing list
renum@ietf.org
https://www.ietf.org/mailman/listinfo/renum

v2.23.0 | Report a Bug | By Email