draft-ietf-ipsecme-ad-vpn-problem-06.txt   draft-ietf-ipsecme-ad-vpn-problem-07.txt 
IPsecME Working Group S. Hanna IPsecME Working Group S. Hanna
Internet-Draft Juniper Internet-Draft Juniper
Intended status: Informational V. Manral Intended status: Informational V. Manral
Expires: October 24, 2013 HP Expires: December 05, 2013 HP
April 22, 2013 June 03, 2013
Auto Discovery VPN Problem Statement and Requirements Auto Discovery VPN Problem Statement and Requirements
draft-ietf-ipsecme-ad-vpn-problem-06 draft-ietf-ipsecme-ad-vpn-problem-07
Abstract Abstract
This document describes the problem of enabling a large number of This document describes the problem of enabling a large number of
systems to communicate directly using IPsec to protect the traffic systems to communicate directly using IPsec to protect the traffic
between them. It then expands on the requirements, for such a between them. It then expands on the requirements, for such a
solution. solution.
Manual configuration of all possible tunnels is too cumbersome in Manual configuration of all possible tunnels is too cumbersome in
many such cases. In other cases the IP address of endpoints change many such cases. In other cases the IP address of endpoints change
skipping to change at page 1, line 40 skipping to change at page 1, line 40
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on October 24, 2013. This Internet-Draft will expire on December 05, 2013.
Copyright Notice Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 18 skipping to change at page 2, line 18
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
1.2. Conventions Used in This Document . . . . . . . . . . . . 4 1.2. Conventions Used in This Document . . . . . . . . . . . . 4
2. Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.1. Endpoint-to-Endpoint ADVPN Use Case . . . . . . . . . . . 4 2.1. Endpoint-to-Endpoint ADVPN Use Case . . . . . . . . . . . 4
2.2. Gateway-to-Gateway ADVPN Use Case . . . . . . . . . . . . 4 2.2. Gateway-to-Gateway ADVPN Use Case . . . . . . . . . . . . 5
2.3. Endpoint-to-Gateway ADVPN Use Case . . . . . . . . . . . 5 2.3. Endpoint-to-Gateway ADVPN Use Case . . . . . . . . . . . 5
3. Inadequacy of Existing Solutions . . . . . . . . . . . . . . 6 3. Inadequacy of Existing Solutions . . . . . . . . . . . . . . 6
3.1. Exhaustive Configuration . . . . . . . . . . . . . . . . 6 3.1. Exhaustive Configuration . . . . . . . . . . . . . . . . 6
3.2. Star Topology . . . . . . . . . . . . . . . . . . . . . . 6 3.2. Star Topology . . . . . . . . . . . . . . . . . . . . . . 6
3.3. Proprietary Approaches . . . . . . . . . . . . . . . . . 7 3.3. Proprietary Approaches . . . . . . . . . . . . . . . . . 7
4. Requirements . . . . . . . . . . . . . . . . . . . . . . . . 7 4. Requirements . . . . . . . . . . . . . . . . . . . . . . . . 7
4.1. Gateway and Endpoint Requirements . . . . . . . . . . . . 7 4.1. Gateway and Endpoint Requirements . . . . . . . . . . . . 7
5. Security Considerations . . . . . . . . . . . . . . . . . . . 10 5. Security Considerations . . . . . . . . . . . . . . . . . . . 10
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 10 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 11
8. Normative References . . . . . . . . . . . . . . . . . . . . 11 8. Normative References . . . . . . . . . . . . . . . . . . . . 11
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11
1. Introduction 1. Introduction
IPsec [RFC4301] is used in several different cases, including tunnel- IPsec [RFC4301] is used in several different cases, including tunnel-
mode site-to-site VPNs and Remote Access VPNs. Host to host mode site-to-site VPNs and Remote Access VPNs. Host to host
communication employing transport mode also exists, but is far less communication employing transport mode also exists, but is far less
commonly deployed. commonly deployed.
skipping to change at page 3, line 14 skipping to change at page 3, line 14
The difficulty is that all the configuration mentioned in RFC 4301 is The difficulty is that all the configuration mentioned in RFC 4301 is
not superfluous. IKE implementations need to know the identity and not superfluous. IKE implementations need to know the identity and
credentials of all possible peer systems, as well as the addresses of credentials of all possible peer systems, as well as the addresses of
hosts and/or networks behind them. A simplified mechanism for hosts and/or networks behind them. A simplified mechanism for
dynamically establishing point-to-point tunnels is needed. Section 2 dynamically establishing point-to-point tunnels is needed. Section 2
contains several use cases that motivate this effort. contains several use cases that motivate this effort.
1.1. Terminology 1.1. Terminology
ADVPN - Auto Discovery Virtual Private Network (ADVPN) is VPN
solution that enables a large number of systems to communicate
directly, with minimal configuration and operator intervention using
IPsec to protect communication between them.
Endpoint - A device that implements IPsec for its own traffic but Endpoint - A device that implements IPsec for its own traffic but
does not act as a gateway. does not act as a gateway.
Gateway - A network device that implements IPsec to protect traffic Gateway - A network device that implements IPsec to protect traffic
flowing through the device. flowing through the device.
Point-to-Point - Communication between two parties without active Point-to-Point - Communication between two parties without active
participation (e.g. encryption or decryption) by any other parties. participation (e.g. encryption or decryption) by any other parties.
Hub - The central point in a star topology/ dynamic full mesh Hub - The central point in a star topology/ dynamic full mesh
skipping to change at page 3, line 42 skipping to change at page 3, line 47
to it in clear (i.e. it encrypts data coming from cleartext devices to it in clear (i.e. it encrypts data coming from cleartext devices
and forwards it to the ADVPN). and forwards it to the ADVPN).
ADVPN Peer - any member of an ADVPN including gateways, endpoints, ADVPN Peer - any member of an ADVPN including gateways, endpoints,
hub or spoke. hub or spoke.
Star topology - This is the topology where there is direct Star topology - This is the topology where there is direct
connectivity only between the hub and spoke and communication between connectivity only between the hub and spoke and communication between
the 2 spokes happens through the hub. the 2 spokes happens through the hub.
Allied and Federated Environments - Environments where we have
multiple different organizations that have close association and need
to connect to each other.
Full Mesh topology - This is the topology where there is a direct Full Mesh topology - This is the topology where there is a direct
connectivity between every Spoke to every other Spoke directly, connectivity between every Spoke to every other Spoke directly,
without the traffic between the spokes having to be redirected without the traffic between the spokes having to be redirected
through an intermediate hub device. through an intermediate hub device.
Dynamic Full Mesh topology - This is the topology where direct Dynamic Full Mesh topology - This is the topology where direct
connections exist in a hub and spoke manner, but dynamic connections connections exist in a hub and spoke manner, but dynamic connections
are created/ removed between the spokes on a need basis. are created/ removed between the spokes on a need basis.
Security Association (SA) - Defined in [RFC4301]. Security Association (SA) - Defined in [RFC4301].
skipping to change at page 10, line 19 skipping to change at page 10, line 32
This requirement is driven by demand for all the use cases in This requirement is driven by demand for all the use cases in
federated and allied environments. federated and allied environments.
14. There is also the case when L3VPNs operate over IPsec Tunnels, 14. There is also the case when L3VPNs operate over IPsec Tunnels,
for example Provider Edge (PE) based VPN's. An ADVPN MUST support for example Provider Edge (PE) based VPN's. An ADVPN MUST support
L3VPN as an application protected by the IPsec Tunnels. L3VPN as an application protected by the IPsec Tunnels.
This requirement is driven by demand for all the use cases in This requirement is driven by demand for all the use cases in
federated and allied environments. federated and allied environments.
15. There ADVPN solution SHOULD allow the enforcement of per peer
QoS in both the Star as well as the Full Mesh topology.
This requirement is driven by demand for all the use cases in
federated and allied environments.
5. Security Considerations 5. Security Considerations
This is a Problem statement and requirement document for the ADVPN This is a Problem statement and requirement document for the ADVPN
solution, and in itself does not introduce any new security concerns. solution, and in itself does not introduce any new security concerns.
The solution to the problems presented in this draft may involve The solution to the problems presented in this draft may involve
dynamic updates to databases defined by RFC 4301, such as the dynamic updates to databases defined by RFC 4301, such as the
Security Policy Database (SPD) or the Peer Authorization Database Security Policy Database (SPD) or the Peer Authorization Database
(PAD). (PAD).
RFC 4301 is silent about the way these databases are populated, and RFC 4301 is silent about the way these databases are populated, and
 End of changes. 8 change blocks. 
7 lines changed or deleted 22 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/