Re: [renum] I-D Action: draft-ietf-6renum-gap-analysis-03.txt
RJ Atkinson <rja.lists@gmail.com> Wed, 19 September 2012 19:12 UTC
Return-Path: <rja.lists@gmail.com>
X-Original-To: renum@ietfa.amsl.com
Delivered-To: renum@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 187BA21F85B8 for <renum@ietfa.amsl.com>; Wed, 19 Sep 2012 12:12:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RXxHH2o7StBh for <renum@ietfa.amsl.com>; Wed, 19 Sep 2012 12:12:18 -0700 (PDT)
Received: from mail-qc0-f172.google.com (mail-qc0-f172.google.com [209.85.216.172]) by ietfa.amsl.com (Postfix) with ESMTP id 616D521F8551 for <renum@ietf.org>; Wed, 19 Sep 2012 12:12:18 -0700 (PDT)
Received: by qcac10 with SMTP id c10so1259067qca.31 for <renum@ietf.org>; Wed, 19 Sep 2012 12:12:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:content-type:content-transfer-encoding:subject:date:message-id :to:mime-version:x-mailer; bh=wVpefZPXS+mxvKLyzwhLLq2qh/rElDKFGSAKaXELM1s=; b=T5oj0VcKbiSn9VImZkuQZB0PsZyqq+ybddulvQo02BIPG3LsDe149hM0qCieKCJAXC ETaBvuuGQ5WWKZXf8ntoXhtw8mNv/tYIjn/YL3gt5xkXYuZ8x5u578af9ACduKfpv4+o lHKLHekUv9E+6+LtXXymgeOMOJuLlxc//YKaDLT6bsfjSwTz/LXbuc1W35hG/dMwness 8LQ638qdjb8gE9+21M3d8vy9XAPLpHfR9d2DWW1Csj5S2r/y4hm/AtenN5ZDgZqcEHg8 Euuk+tPZnSMZFLCnNEOkCSbVsCPDssmIXjMvqogpDNmp18jNhEYx3ufkMM1zIzZmW0Ms RvWQ==
Received: by 10.224.177.15 with SMTP id bg15mr9151470qab.85.1348081937696; Wed, 19 Sep 2012 12:12:17 -0700 (PDT)
Received: from [10.30.20.13] (pool-74-110-100-136.nrflva.fios.verizon.net. [74.110.100.136]) by mx.google.com with ESMTPS id ca8sm4982885qab.20.2012.09.19.12.12.16 (version=TLSv1/SSLv3 cipher=OTHER); Wed, 19 Sep 2012 12:12:17 -0700 (PDT)
From: RJ Atkinson <rja.lists@gmail.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
Date: Wed, 19 Sep 2012 15:12:15 -0400
Message-Id: <07A9B495-21EA-4DFD-84BC-AF5BB6B62BE2@gmail.com>
To: renum@ietf.org
Mime-Version: 1.0 (Apple Message framework v1278)
X-Mailer: Apple Mail (2.1278)
Subject: Re: [renum] I-D Action: draft-ietf-6renum-gap-analysis-03.txt
X-BeenThere: renum@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Renumbering discussion mailing list." <renum.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/renum>, <mailto:renum-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/renum>
List-Post: <mailto:renum@ietf.org>
List-Help: <mailto:renum-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/renum>, <mailto:renum-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Sep 2012 19:12:19 -0000
Earlier Di Ma wrote: > Yet as a document providing a basis for future works that identify > and develop solutions or to stimulate such development as appropriate, > this draft might make IPSec Security Association (SA) management > included, considering IPSec SA is a kind of IP address oriented > “connection” that cannot function after the change of the involved > IP addresses, which means extra configuration of SA parameters > is inevitable after network renumbering. In general, the above is NOT correct with regard to IPsec. I wrote the IPsec specs (e.g. RFC-1825 et seq) and was, for a time, IPsec WG Co-Chair. I'm also the person who insisted upon having non-IP-address identities defined in the specs, not because of renumbering, but because of the more general issue of different users wanting to use different identity types. IF AND ONLY IF, one configures IKE (either v1 or v2) to use the IP Address based identifiers (e.g. ID_IPV4_ADDR, ID_IPV6_ADDR), then Di Ma's text is correct. HOWEVER, if one configures IKE (either version) to use non-address identifiers (e.g. ID_FQDN, ID_USER_FQDN) [1], then Di Ma's description above is NOT correct. In that case, what happens is that when any IP address changes, the IPsec endpoints recover automatically, thereby making IPsec use resilient in the presence of renumbering. I have personally relied upon this capability for many years, dating back at least to 2001. Circa 2001, the ID_USER_FQDN and ID_FQDN identity types were being used with IKEv1 between a very small Netscreen box connected to the DOCSIS cable modem in my house and a larger VPN box at my (then) employer across the country. The Cable-ISP regularly renumbered the IPv4 address for my CPE, using DHCPv4, which changed the IPv4 address of the public-side of the Netscreen box, yet the IPsec VPN tunnel was resilient, requiring no intervention from me to remain alive/available. > Pre-shared key method cannot be used with mobile systems > or systems that may be renumbered, unless the renumbering > is within the previously determined range of IP addresses. I also have used pre-shared keys with ID_USER_FQDN between a mobile laptop (home, coffee shop, office) and an employer's VPN box. So that also works just fine -- and has done for a decade or longer. One can find a renumbered "employer VPN box" simply by using DNS KX records from RFC-2230. A simplified example of how the DNS records might look is provided below (caveat: I might have mistyped the DNS syntax): example.com IN KX 5 vpn-box.example.com vpn-box.example.com IN A <IP address here> Of course, use of KX records ought to be authenticated via DNS Security, but that (separately) is widely available today (and has rapidly growing deployment). > Also, when pre-shared key is employed, IKEv2 computations > cannot be offloaded to the attached hardware. The above might be true for a particular implementation, but it is not true in general for all implementations. Better quality implementations simply do not have this property. Accordingly, I object to the inclusion of the text that Di Ma has proposed, on grounds that it is not correct. Yours, Ran [1] I've used RFC-4306 terminology above. The same capability exists in IKEv1, but uses slightly different terminology (e.g. ID_USER_FQDN rather than ID_RFC822_ADDR). See RFC-2407, Section 4.6.2.1, which dates back to 1998, and was widely supported in commercially available products by 2000.
- [renum] I-D Action: draft-ietf-6renum-gap-analysi… internet-drafts
- Re: [renum] I-D Action: draft-ietf-6renum-gap-ana… Sheng Jiang
- Re: [renum] I-D Action: draft-ietf-6renum-gap-ana… Di Ma
- Re: [renum] I-D Action: draft-ietf-6renum-gap-ana… Liubing (Leo)
- Re: [renum] I-D Action: draft-ietf-6renum-gap-ana… Brian E Carpenter
- Re: [renum] I-D Action: draft-ietf-6renum-gap-ana… Liubing (Leo)
- Re: [renum] I-D Action: draft-ietf-6renum-gap-ana… Brian E Carpenter
- Re: [renum] I-D Action: draft-ietf-6renum-gap-ana… RJ Atkinson
- Re: [renum] I-D Action: draft-ietf-6renum-gap-ana… Liubing (Leo)
- Re: [renum] I-D Action: draft-ietf-6renum-gap-ana… RJ Atkinson
- Re: [renum] I-D Action: draft-ietf-6renum-gap-ana… Di Ma
- Re: [renum] I-D Action: draft-ietf-6renum-gap-ana… RJ Atkinson
- Re: [renum] I-D Action: draft-ietf-6renum-gap-ana… RJ Atkinson