IETF Logo Mail Archive

Re: [renum] I-D Action: draft-ietf-6renum-gap-analysis-03.txt

Brian E Carpenter <brian.e.carpenter@gmail.com> Fri, 14 September 2012 13:09 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: renum@ietfa.amsl.com
Delivered-To: renum@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F32621F8503 for <renum@ietfa.amsl.com>; Fri, 14 Sep 2012 06:09:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.599
X-Spam-Level:
X-Spam-Status: No, score=-103.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I8-37c6YKTYr for <renum@ietfa.amsl.com>; Fri, 14 Sep 2012 06:08:59 -0700 (PDT)
Received: from mail-ie0-f172.google.com (mail-ie0-f172.google.com [209.85.223.172]) by ietfa.amsl.com (Postfix) with ESMTP id 7F2A821F84FD for <renum@ietf.org>; Fri, 14 Sep 2012 06:08:59 -0700 (PDT)
Received: by ieak13 with SMTP id k13so7512338iea.31 for <renum@ietf.org>; Fri, 14 Sep 2012 06:08:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=03siIiAXEFGkXAYd4vwdh3U9hKIAZy3I+R8DrFXmHaY=; b=B7P06lJmbU4tU39jbFPELX77STIKdYc2hBg7USvNKIv0RMQIxH4KW2Lvr2oJKB1RVM J097+KkCwWYSpw/TBxZvqe9+h6ZT06nWfZQIUlVVXM3bgvA2HRJOTuCSEkcrlk1LxSaC YEmt+N+DwoS05c5DEh39lAzxqvsaAK1KgCuuL+yziqaiffTRzXcvVG/1BZa8G2UDQHqz cg9aCESXaWL53MatTGc1Aq87UingDrOdxI4Td1kwDPwrMWjZESRzYMpKQXQPMpkj+L5g w/XJyP/OMFQFnlFk8j3l3slgmMqQeWS4IItinwTSsc3bq6Hd56oK/m/7Gv2remI5FwlX +PgA==
Received: by 10.50.95.231 with SMTP id dn7mr3101364igb.37.1347628138839; Fri, 14 Sep 2012 06:08:58 -0700 (PDT)
Received: from [10.255.25.102] (50-76-68-140-static.hfc.comcastbusiness.net. [50.76.68.140]) by mx.google.com with ESMTPS id cu10sm3316545igc.9.2012.09.14.06.08.56 (version=SSLv3 cipher=OTHER); Fri, 14 Sep 2012 06:08:58 -0700 (PDT)
Message-ID: <50532C74.8080803@gmail.com>
Date: Fri, 14 Sep 2012 14:09:08 +0100
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: "Liubing (Leo)" <leo.liubing@huawei.com>
References: <20120904033758.18836.26105.idtracker@ietfa.amsl.com>, <5D36713D8A4E7348A7E10DF7437A4B9239F3A393@szxeml545-mbx.china.huawei.com> <201209141100044525538@cnnic.cn> <8AE0F17B87264D4CAC7DE0AA6C406F452935456B@szxeml509-mbs>
In-Reply-To: <8AE0F17B87264D4CAC7DE0AA6C406F452935456B@szxeml509-mbs>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: 6renum <renum@ietf.org>
Subject: Re: [renum] I-D Action: draft-ietf-6renum-gap-analysis-03.txt
X-BeenThere: renum@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Renumbering discussion mailing list." <renum.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/renum>, <mailto:renum-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/renum>
List-Post: <mailto:renum@ietf.org>
List-Help: <mailto:renum-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/renum>, <mailto:renum-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Sep 2012 13:09:00 -0000

It is a good point to mention. As far as I can tell, there is no solution;
sessions using address-based SAs will need to renegotiate (just like
a TCP or TLS session, in fact).

See RFC 5887, however, which gives the solution for the VPN application
of IPsec (use FQDN-based SA).

I noticed that RFC 4192 doesn't mention IPsec!

Regards
   Brian


On 14/09/2012 10:19, Liubing (Leo) wrote:
> Hi, Di
> Thanks for your review and the new contribution.
> Personally, I think the issue you pointed out is worth to be documented. If the IP addresses are renumbered, the SA would be definitely broken. But I would like to hear the  co-authors' and the WG's opinions about it, since it is been under WGLC.
> For the texts, I think it may need to be simplified, especially the IKEv2 relevant details may confuse people that it is talking about a IKEv2 gap, but in fact it is about SA.
> 
> B.R.
> Bing
> 
> From: renum-bounces@ietf.org [mailto:renum-bounces@ietf.org] On Behalf Of Di Ma
> Sent: Friday, September 14, 2012 11:00 AM
> To: Sheng Jiang
> Cc: 6renum
> Subject: Re: [renum] I-D Action: draft-ietf-6renum-gap-analysis-03.txt
> 
> I am in favor of moving forward this work.
> 
> Yet as a document providing a basis for future works that identify and develop solutions or to stimulate such development as appropriate, this draft might make IPSec Security Association (SA) management included, considering IPSec SA is a kind of IP address oriented "connection" that cannot function after the change of the involved IP addresses, which means extra configuration of SA parameters is inevitable after network renumbering.
> 
> So, I propose adding some words into this draft as Section 8.3 (IPSec SA Management), a sector of Section 8 (Miscellaneous), which is described as follows:
> 
> Network renumbering events get networking mechanisms that are bound to IP addresses, or applications using specific IP addresses, involved. As defined in [RFC4301], IPSec Security Association (SA), as a kind of IP address oriented "connection", cannot function after the change of the involved IP addresses, which means extra configuration of SA parameters is inevitable after network renumbering.
> 
> SA is a "connection" that provides security services to the traffic carried by it and details the key and algorithm that the IPSec connection relies on. SA can be established with manual configuration by the administrator. IKEv2 [RFC5996] eliminates manual reconfiguration. It employs two rounds of message exchanges. The first exchange of messages establishes a trust relationship between the two IKEv2 participants. This exchange uses two authentication methods, digital signature and pre-shared key. The digital signature method needs certificate management. If the participants are not configured with the same trust anchor, certificate-based IKEv2 cannot be realized. While the pre-shared key method is the simpler of the authentication methods for IKEv2 and pre-shared keys are tied to particular IP addresses, unlike public key certificates used by digital signature method. Pre-shared key method cannot be used with mobile systems or systems that may be renumbered, unless the re
numbering is within the previously determined range of IP addresses. Also, when pre-shared key is employed, IKEv2 computations cannot be offloaded to the attached hardware. Therefore, pre-shared key method fails to be a pure automatic one and does not go well with network renumbering. A mechanism that is able to integrate SA management into IP address assignment in an automatic and an adaptive manner is desired to go with network renumbering.
> 
> 
> ________________________________
> Di Ma
> CNNIC Advanced Research Department
> ___________________________________________________
> China Internet Network Information Center
> Tel: (8610)-58813216
> Https://www.cnnic.cn
> Add: 4, South 4th Street, Zhongguancun
> Haidian District, Beijing
> P.R.China 100190
> POB: Beijing 349, Branch 6
> ____________________________________________________
> 
> From: Sheng Jiang<mailto:jiangsheng@huawei.com>
> Date: 2012-09-04 11:44
> To: internet-drafts@ietf.org<mailto:internet-drafts@ietf.org>; i-d-announce@ietf.org<mailto:i-d-announce@ietf.org>
> CC: renum@ietf.org<mailto:renum@ietf.org>
> Subject: Re: [renum] I-D Action: draft-ietf-6renum-gap-analysis-03.txt
> A new version with minor editorial modifications are submitted. Your review and comments are appreciated.
> 
> Best regards,
> 
> Sheng
> 
>> -----Original Message-----
>> From: renum-bounces@ietf.org [mailto:renum-bounces@ietf.org] On Behalf
>> Of internet-drafts@ietf.org
>> Sent: Tuesday, September 04, 2012 11:38 AM
>> To: i-d-announce@ietf.org
>> Cc: renum@ietf.org
>> Subject: [renum] I-D Action: draft-ietf-6renum-gap-analysis-03.txt
>>
>>
>> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>> This draft is a work item of the IPv6 Site Renumbering Working Group of the
>> IETF.
>>
>> Title           : IPv6 Site Renumbering Gap Analysis
>> Author(s)       : Bing Liu
>>                          Sheng Jiang
>>                          Brian Carpenter
>>                          Stig Venaas
>> Filename        : draft-ietf-6renum-gap-analysis-03.txt
>> Pages           : 20
>> Date            : 2012-09-03
>>
>> Abstract:
>>   This document briefly introduces the existing mechanisms could be
>>   utilized by IPv6 site renumbering and tries to cover most of the
>>   explicit issues and requirements of IPv6 renumbering. Through the gap
>>   analysis, the document provides a basis for future works that
>>   identify and develop solutions or to stimulate such development as
>>   appropriate. The gap analysis is presented following a renumbering
>>   event procedure clue.
>>
>>
>>
>>
>> The IETF datatracker status page for this draft is:
>> https://datatracker.ietf.org/doc/draft-ietf-6renum-gap-analysis
>>
>> There's also a htmlized version available at:
>> http://tools.ietf.org/html/draft-ietf-6renum-gap-analysis-03
>>
>> A diff from the previous version is available at:
>> http://www.ietf.org/rfcdiff?url2=draft-ietf-6renum-gap-analysis-03
>>
>>
>> Internet-Drafts are also available by anonymous FTP at:
>> ftp://ftp.ietf.org/internet-drafts/
>>
>> _______________________________________________
>> renum mailing list
>> renum@ietf.org
>> https://www.ietf.org/mailman/listinfo/renum
> _______________________________________________
> renum mailing list
> renum@ietf.org
> https://www.ietf.org/mailman/listinfo/renum
> 
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> renum mailing list
> renum@ietf.org
> https://www.ietf.org/mailman/listinfo/renum

v2.23.0 | Report a Bug | By Email