draft-ietf-ipsecme-ad-vpn-problem-02.txt   draft-ietf-ipsecme-ad-vpn-problem-03.txt 
IPsecME Working Group S. Hanna IPsecME Working Group S. Hanna
Internet-Draft Juniper Internet-Draft Juniper
Intended status: Informational V. Manral Intended status: Informational V. Manral
Expires: June 10, 2013 HP Expires: June 20, 2013 HP
December 7, 2012 December 17, 2012
Auto Discovery VPN Problem Statement and Requirements Auto Discovery VPN Problem Statement and Requirements
draft-ietf-ipsecme-ad-vpn-problem-02 draft-ietf-ipsecme-ad-vpn-problem-03
Abstract Abstract
This document describes the problem of enabling a large number of This document describes the problem of enabling a large number of
systems to communicate directly using IPsec to protect the traffic systems to communicate directly using IPsec to protect the traffic
between them. It then expands on the requirements, for such a between them. It then expands on the requirements, for such a
solution. solution.
Manual configuration of all possible tunnels is too cumbersome in Manual configuration of all possible tunnels is too cumbersome in
many such cases. In other cases the IP address of endpoints change many such cases. In other cases the IP address of endpoints change
skipping to change at page 1, line 40 skipping to change at page 1, line 40
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on June 10, 2013. This Internet-Draft will expire on June 20, 2013.
Copyright Notice Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 5, line 48 skipping to change at page 5, line 48
to impersonation by the other spoke endpoint. to impersonation by the other spoke endpoint.
2.2. Gateway-to-Gateway AD VPN Use Case 2.2. Gateway-to-Gateway AD VPN Use Case
A typical Enterprise traffic model follows a star topology, with the A typical Enterprise traffic model follows a star topology, with the
gateways connecting to each other using IPsec tunnels. gateways connecting to each other using IPsec tunnels.
However for the voice and other rich media traffic that requires a However for the voice and other rich media traffic that requires a
lot of bandwidth or is performance sensitive, the traffic tromboning lot of bandwidth or is performance sensitive, the traffic tromboning
to the hub can create traffic bottlenecks on the hub and can lead to to the hub can create traffic bottlenecks on the hub and can lead to
an increase in cost. A fully meshed solution is would make best use an increase in cost. A fully meshed solution would make best use of
of the available network capacity and performance but the deployment the available network capacity and performance but the deployment of
of a fully meshed solution involves considerable configuration, a fully meshed solution involves considerable configuration,
especially when a large number of nodes are involved. It is for this especially when a large number of nodes are involved. It is for this
purpose spoke-to-spoke tunnels are dynamically created and torn-down. purpose spoke-to-spoke tunnels are dynamically created and torn-down.
For the reasons of cost and manual error reduction, it is desired For the reasons of cost and manual error reduction, it is desired
that there be minimal configuration on each gateway. that there be minimal configuration on each gateway.
The solution should work in cases where the endpoints are The solution should work in cases where the endpoints are
administrated by separate management domains, albeit, ones that have administrated by separate management domains, albeit, ones that have
an existing trust relationship (for example two organisations who are an existing trust relationship (for example two organisations who are
collaborating on a project, they may wish to join their networks, collaborating on a project, they may wish to join their networks,
skipping to change at page 9, line 7 skipping to change at page 9, line 7
Several vendors offer proprietary solutions to these problems. Several vendors offer proprietary solutions to these problems.
However, these solutions offer no interoperability between equipment However, these solutions offer no interoperability between equipment
from one vendor and another. This means that they are generally from one vendor and another. This means that they are generally
restricted to use within one organization, and it is harder to move restricted to use within one organization, and it is harder to move
off such solutions as the features are not standardized. Besides off such solutions as the features are not standardized. Besides
multiple organizations cannot be expected to all choose the same multiple organizations cannot be expected to all choose the same
equipment vendor. equipment vendor.
4. Requirements 4. Requirements
This sectiondefines the requirements, on which the solution will be This section defines the requirements, on which the solution will be
based. based.
4.1. Gateway and Endpoint Requirements 4.1. Gateway and Endpoint Requirements
1. For any network topology (star, full mesh and dynamic full mesh) 1. For any network topology (star, full mesh and dynamic full mesh)
gateways and endpoints MUST minimize configuration changes when a new gateways and endpoints SHOULD minimize configuration changes when a
gateway or endpoint is added, removed or changed. Adding or removing new gateway or endpoint is added, removed or changed. Adding or
a spoke in the topology MUST NOT require configuration changes to the removing a spoke in the topology MUST NOT require configuration
hubs other than where the spoke was connected to and SHOULD NOT changes to the hubs other than where the spoke was connected to and
require configuration changes to the hub the spoke was connected to. SHOULD NOT require configuration changes to the hub the spoke was
The changes also MUST NOT require configuration changes in other connected to. The changes also MUST NOT require configuration
spokes. changes in other spokes.
Specifically, when evaluating potential proposals, we will compare Specifically, when evaluating potential proposals, we will compare
them by looking at how many endpoints or gateways must be them by looking at how many endpoints or gateways must be
reconfigured when a new gateway or endpoint is added, removed, or reconfigured when a new gateway or endpoint is added, removed, or
changed and how substantial this reconfiguration is, besides the changed and how substantial this reconfiguration is, besides the
amount of static configuration required. amount of static configuration required.
This requirement is driven by use cases 2.1 and 2.2 and by the This requirement is driven by use cases 2.1 and 2.2 and by the
scaling limitations pointed out in section 3.1. scaling limitations pointed out in section 3.1.
skipping to change at page 10, line 30 skipping to change at page 10, line 30
This requirement is driven by use case 2.1. Today's endpoints are This requirement is driven by use case 2.1. Today's endpoints are
mobile and transition often between different networks (from 4G to mobile and transition often between different networks (from 4G to
WiFi and among various WiFi networks). WiFi and among various WiFi networks).
7. Gateways SHOULD allow for easy handoff of a session to another 7. Gateways SHOULD allow for easy handoff of a session to another
gateway, to optimize latency, bandwidth, load balancing, gateway, to optimize latency, bandwidth, load balancing,
availability, or other factors, based on policy. availability, or other factors, based on policy.
This requirement is driven by use case 2.3. This requirement is driven by use case 2.3.
8. Gateways and endpoints MUST be able to work when they are behind 8. Gateways and endpoints MUST have the capability to participate in
NAT boxes. It is especially difficult to handle cases where the Hub an AD VPN even when they are located behind NAT boxes. However, in
is behind a NAT box, such a requirement MAY be supported. Where the some cases they may be deployed in such a way that they will not be
two endpoints are both behind separate NATs, communication between fully reachable behind a NAT box. It is especially difficult to
these spokes SHOULD be supported. In the cases, workarounds MAY be handle cases where the Hub is behind a NAT box. Where the two
used such as port forwarding by the NAT or detecting when two spokes endpoints are both behind separate NATs, communication between these
are behind uncooperative NATs and using a hub in that case. spokes SHOULD be supported using workarounds such as port forwarding
by the NAT or detecting when two spokes are behind uncooperative NATs
and using a hub in that case.
This requirement is driven by use cases 2.1 and 2.2. Endpoints are This requirement is driven by use cases 2.1 and 2.2. Endpoints are
often behind NATs and gateways sometimes are. IPsec should continue often behind NATs and gateways sometimes are. IPsec should continue
to work seamlessly regardless, using AD VPN techniques whenever to work seamlessly regardless, using AD VPN techniques whenever
possible and providing graceful fallback to hub and spoke techniques possible and providing graceful fallback to hub and spoke techniques
as needed. as needed.
9. Changes such as establishing a new IPsec SA SHOULD be reportable 9. Changes such as establishing a new IPsec SA SHOULD be reportable
and manageable. However, creating a MIB or other management and manageable. However, creating a MIB or other management
technique is not within scope for this effort. technique is not within scope for this effort.
skipping to change at page 11, line 27 skipping to change at page 11, line 29
This requirement is driven by the use case 2.2, where the amount of This requirement is driven by the use case 2.2, where the amount of
rich media multicast traffic is increasing. rich media multicast traffic is increasing.
13. The ADVPN solution SHOULD allow for easy monitoring, logging and 13. The ADVPN solution SHOULD allow for easy monitoring, logging and
reporting of the dynamic changes, to help for trouble shooting such reporting of the dynamic changes, to help for trouble shooting such
environments. environments.
This requirement is driven by demand for all the use cases in This requirement is driven by demand for all the use cases in
federated and allied environments. federated and allied environments.
14. The ADVPN solution MUST support Provider Edge (PE) based VPN's. 14. There is also the case when L3VPNs operate over IPsec Tunnels,
for example Provider Edge (PE) based VPN's. An ADVPN MUST support
L3VPN as an application protected by the IPsec Tunnels.
This requirement is driven by demand for all the use cases in This requirement is driven by demand for all the use cases in
federated and allied environments. federated and allied environments.
5. Security Considerations 5. Security Considerations
This is a Problem state and requirement document for the ADVPN
solution, and in itself does not introduce any new security concerns.
The solution to the problems presented in this draft may involve The solution to the problems presented in this draft may involve
dynamic updates to databases defined by RFC 4301, such as the dynamic updates to databases defined by RFC 4301, such as the
Security Policy Database (SPD) or the Peer Authorization Database Security Policy Database (SPD) or the Peer Authorization Database
(PAD). (PAD).
RFC 4301 is silent about the way these databases are populated, and RFC 4301 is silent about the way these databases are populated, and
it is implied that these databases are static and pre-configured by a it is implied that these databases are static and pre-configured by a
human. Allowing dynamic updates to these databases must be thought human. Allowing dynamic updates to these databases must be thought
out carefully, because it allows the protocol to alter the security out carefully, because it allows the protocol to alter the security
policy that the IPsec endpoints implement. policy that the IPsec endpoints implement.
One obvious attack to watch out for is stealing traffic to a One obvious attack to watch out for is stealing traffic to a
particular site. The IP address for www.example.com is 192.0.2.10. particular site. The IP address for www.example.com is 192.0.2.10.
If we add an entry to an IPsec endpoint's SPD that says that traffic If we add an entry to an IPsec endpoint's SPD that says that traffic
to 192.0.2.10 is protected through peer Gw-Mallory, then this allows to 192.0.2.10 is protected through peer Gw-Mallory, then this allows
Gw-Mallory to either pretend to be www.example.com or to proxy and Gw-Mallory to either pretend to be www.example.com or to proxy and
read all traffic to that site. Updates to this database requires a read all traffic to that site. Updates to this database requires a
clear trust model. clear trust model.
More to be added.
6. IANA Considerations 6. IANA Considerations
No actions are required from IANA for this informational document. No actions are required from IANA for this informational document.
7. Acknowledgements 7. Acknowledgements
Many people have contributed to the development of this problem Many people have contributed to the development of this problem
statement and many more will probably do so before we are done with statement and many more will probably do so before we are done with
it. While we cannot thank all contributors, some have played an it. While we cannot thank all contributors, some have played an
especially prominent role. Yoav Nir, Yaron Scheffer, Jorge Coronel especially prominent role. Yoav Nir, Yaron Sheffer, Jorge Coronel
Mendoza, Chris Ulliott, and John Veizades wrote the document upon Mendoza, Chris Ulliott, and John Veizades wrote the document upon
which this draft was based. Geoffrey Huang, Suresh Melam, Praveen which this draft was based. Geoffrey Huang, Suresh Melam, Praveen
Sathyanarayan, Andreas Steffen, Brian Weis, and Lou Berger provided Sathyanarayan, Andreas Steffen, Brian Weis, and Lou Berger provided
essential input. essential input.
8. Normative References 8. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
 End of changes. 11 change blocks. 
26 lines changed or deleted 30 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/