
RE: VPN authentication/verification and WG re-chartering

I agree that a) VPN authentication should be included in the new
charter. In my experience as a SP, concern over "security" is one of the
most common reasons that users choose against L3VPN services. ("Control"
being the other common reason.) To whatever extent authentication
mechanisms can provide validation of the VPN membership and routes, I
think it will be a valuable component of an L3VPN service. I would like
to see discussion of the requirements first, so that candidate solutions
have a point of reference.

I also agree with Shane's message that b) multicast in L3VPN and c) iBGP
as PE-CE protocol should also be driven to completion, possibly in the
charter.

And finally, I also think that more discussion is needed around d)
inter-provider L3VPN interconnection. I understand that discussion
around this topic is happening in other forums, and I believe it would
be useful if some of that discussion "came home" to influence this WG.
Specifically, most providers with whom I speak are confounded by their
desire to run "option B" for scale and management reasons versus their
need to run "option A" due to implementation issues and complexity,
feature constraints, etc. Perhaps the charter should reflect this topic,
or perhaps this should be relocated to another WG?

Cheers,
-Benson


> -----Original Message-----
> From: Rick Wilder [mailto:rick at rhwilder.net] 
> Sent: Tuesday, June 05, 2007 10:06 AM
> To: l3vpn at ietf.org
> Cc: Shane Amante
> Subject: VPN authentication/verification and WG re-chartering
> 
>  
> L3VPN participants,
>  
>  
> As was mentioned at the Prague meeting and on this email 
> list, Ron, Mark, and I are
> currently updating the charter for the L3VPN WG. 
>  
> When Ron called for work items that need to be undertaken by 
> the WG, Shane Amante
> recommended reviving the VPN authentication/verification
> work that was started some time back, but not completed. (his 
> email copied below)
>  
> In order for this to be included in the WG charter, we need 
> to hear some more support for
> this work item within the next 10 days. 
> If VPN authentication/verification is of importance to you, 
> please weigh in before
> re-chartering is completed.
>  
> Rick
>  
>  
> --------------------------------------------------------------------------------
> 
> 
> Ron Bonica wrote:
> > Folks,
> > 
> > We are considering an update to the L3VPN WG charter. In the new
> > charter, VPN Multicast will remain high on our list of work 
> items. So
> > far, the only request for a new work item has been "MPLS services
> > delivered over L3VPN infrastructure". (See
> > draft-kumaki-l3vpn-e2e-rsvp-te-reqs).
> > 
> > Would anyone else like to recommend work items for 
> inclusion in the charter?
> 
> I agree VPN multicast should be a high priority for the WG.
> 
> In addition, I would also recommend that the WG look at solving for two
> additional things:
> 1)  iBGP PE-CE
> http://www.watersprings.org/pub/id/draft-marques-l3vpn-ibgp-01.txt
> At a minimum, we should look at publishing this as an Informational
> Draft -- since, to my knowledge, there is at least 1 major
> implementation that does this today.  Note, I don't think we need to put
> this in the charter if it's just going as Informational, unless it has a
> significant effect on many other drafts & RFCs ... so, perhaps this is
> just a small "todo" item.
> 
> 2)  "Layer-3 Import/Export Verification".  According to the archives,
> there appear to be at least 3 different WG drafts:
> http://tools.ietf.org/html/draft-ietf-l3vpn-auth-00
> http://tools.ietf.org/html/draft-ietf-l3vpn-l3vpn-auth-01
> http://tools.ietf.org/html/draft-ietf-l3vpn-vpn-verification-00
> ... although, it appears as if the first two are the same draft, just
> with a title change.  Regardless, all three drafts have expired over the
> course of the last 2-4 years.
> 
> I realize there is also work occurring in tcpm, sidr, and, perhaps,
> others to secure various elements of BGP (key rollover, securing path
> update messages, etc.).  However, it's not clear what is the time horizon
> to complete that work, and more importantly whether they have adequate
> requirements to: a) deliver 'lightweight' solutions for IPVPNs; and,
> b) will be able to adequately accommodate some properties unique to
> IPVPNs that aren't applicable to the general Internet (e.g.: AS_OVERRIDE).
> 
> In summary, I would propose we do two things for this one:
> 1)  Complete the work on at least one of the outstanding l3vpn vpn
> verification drafts; and,
> 2)  Look at specifying requirements for sidr, or other relevant WGs, to
> accommodate requirements unique to L3VPNs to secure the control plane.
> 
> -shane
> 
> 
>