[vpn4dc] Question on the problem

Fred Baker <fred@cisco.com> Mon, 31 October 2011 12:59 UTC

From: Fred Baker <fred@cisco.com>
Date: Mon, 31 Oct 2011 20:58:07 +0800
Message-Id: <6527FECE-3B49-4D67-BEA1-AD4ECEE420F5@cisco.com>
To: vpn4dc@ietf.org
Subject: [vpn4dc] Question on the problem

I have started reading the vpn4dc drafts, and especially the problem statements, and find myself scratching my head. Starting with the title "VPN for Data Center", I really wonder if the topic is starting from a proposed solution before settling on a problem.

Let me ramble a bit, and then tell me I'm wrong.

It seems to me that your primary issue is that you have a set of hosts that want to communicate with each other securely. These hosts might be physical or virtual, and might be in the same data center or in different data centers. The important thing is that they be able to authenticate communications with each other, and then do things that they are authorized to do based on those communications. The things that they do might differ. Within one community, the hosts might all be peers accomplishing the job of the cloud, whatever that is - order processing, content delivery, take your pick. Within another community, the issue might be the management of virtual machines, and you might have a relatively small number of control systems that talk with a large number of client machines.

The term "VPN" implies to me that you have chosen a solution. It might be an MPLS VPN, which is to say that you have transport but depend on higher layer services for encryption, authentication, and authorization. In IPsec, the term "VPN" generally refers to tunnel mode, and is a way of overlaying one network on another. In that case, that doesn't make a lot of sense to me in this context - you don't appear to be overlaying networks per se, merely making sure that messages you receive and process are from trusted peers.

If the primary issue is one of trust, we could discuss TLS, https (if the only application protocol is a web protocol), or IPsec's transport mode. In any of those, the issue is largely one of key distribution, and the use of those keys for encryption and authentication to manage communications among a set of communicating entities. 

What am I missing? What makes this specifically a Virtual Private Network? Why is this not a key distribution problem based on existing technologies?
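As an added illustration of the framing in this message (not code from the thread or from any vpn4dc draft): a minimal model in which each host holds a pre-shared key from a key-distribution table, every message is authenticated first, and the requested action is then authorized by the sender's role within its community (peers processing orders, a control system managing VM clients). All host names, keys, actions and the policy table are constructed for the example.

```python
import hmac
import hashlib
import json

# Constructed key-distribution table: one pre-shared key per host
# (hypothetical values; a real deployment would provision these out of band).
PEER_KEYS = {
    "order-1": b"k-order-1",
    "order-2": b"k-order-2",
    "vmctl-1": b"k-vmctl-1",
    "vm-42": b"k-vm-42",
}
# Role of each host in its community (constructed).
ROLES = {"order-1": "peer", "order-2": "peer", "vmctl-1": "control", "vm-42": "client"}
# What each role is authorized to request once its message is authenticated.
POLICY = {
    "peer": {"process_order"},
    "control": {"start_vm", "stop_vm"},
    "client": {"report_status"},
}

def sign(sender, action, payload):
    # Build a canonical body and tag it with the sender's key (HMAC-SHA256).
    body = json.dumps({"from": sender, "action": action, "payload": payload}, sort_keys=True)
    tag = hmac.new(PEER_KEYS[sender], body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

def authenticate(msg):
    # Return the parsed fields if the tag verifies under the claimed sender's key, else None.
    try:
        fields = json.loads(msg["body"])
        key = PEER_KEYS[fields["from"]]
    except (KeyError, ValueError, TypeError):
        return None
    expected = hmac.new(key, msg["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg["tag"]):
        return None
    return fields

def handle(msg):
    # Authenticate first, then authorize the action against the sender's role.
    fields = authenticate(msg)
    if fields is None:
        return "rejected: unauthenticated"
    if fields["action"] not in POLICY[ROLES[fields["from"]]]:
        return "rejected: unauthorized"
    return "accepted: " + fields["action"]
```

Nothing in the model overlays one network on another; the receiver only decides whether a message came from a known peer and whether that peer may ask for what it asked.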