VPN authentication/verification and WG re-chartering
L3VPN participants,
As was mentioned at the Prague meeting and on this email list, Ron, Mark, and I are
currently updating the charter for the L3VPN WG.
When Ron called for work items that need to be undertaken by the WG, Shane Amante
recommended reviving the VPN authentication/verification
work that was started some time back, but not completed. (His email is copied below.)
In order for this to be included in the WG charter, we need to hear some more support for
this work item within the next 10 days.
If VPN authentication/verification is of importance to you, please weigh in before
re-chartering is completed.
Rick
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Ron Bonica wrote:
> Folks,
>
> We are considering an update to the L3VPN WG charter. In the new
> charter, VPN Multicast will remain high on our list of work items. So
> far, the only request for a new work item has been "MPLS services
> delivered over L3VPN infrastructure". (See
> draft-kumaki-l3vpn-e2e-rsvp-te-reqs).
>
> Would anyone else like to recommend work items for inclusion in the charter?
I agree VPN multicast should be a high priority for the WG.
In addition, I would also recommend that the WG look at solving for two
additional things:
1) iBGP PE-CE
http://www.watersprings.org/pub/id/draft-marques-l3vpn-ibgp-01.txt
At a minimum, we should look at publishing this as an Informational
Draft -- since, to my knowledge, there is at least 1 major
implementation that does this today. Note, I don't think we need to put
this in the charter if it's just going as Informational, unless it has a
significant effect on many other drafts & RFC's ... so, perhaps this is
just a small "todo" item.
2) "Layer-3 Import/Export Verification". According to the archives,
there appear to be at least 3 different WG drafts:
http://tools.ietf.org/html/draft-ietf-l3vpn-auth-00
http://tools.ietf.org/html/draft-ietf-l3vpn-l3vpn-auth-01
http://tools.ietf.org/html/draft-ietf-l3vpn-vpn-verification-00
... although, it appears as if the first two are the same draft, just
with a title change. Regardless, all three drafts have expired over the
course of the last 2-4 years.
I realize there is also work occurring in tcpm, sidr, and, perhaps,
others to secure various elements of BGP (key rollover, securing path
update messages, etc.). However, it's not clear what is the time horizon
to complete that work, and more importantly whether they have adequate
reqmt's to: a) deliver 'lightweight' solutions for IPVPN's; and, b) will
be able to adequately accommodate some properties unique to IPVPN's that
aren't applicable to the general Internet, (e.g.: AS_OVERRIDE).
In summary, I would propose we do two things for this one:
1) Complete the work on at least one of the outstanding l3vpn vpn
verification drafts; and,
2) Look at specifying reqmt's for sidr, or other relevant WG's, to
accommodate reqmt's unique to L3VPN's to secure the control plane.
-shane