[Mip4] RE: Request for text proposal for your scenario
Hello Farid, Henrick and Jayashree,
The scenario I was referring to is as follows:
MN---------|VPN/FA|-----------------[VPN2]---------HA
VPN1 Provides Encryption/decryption for the link and access to the visiting
domain.
VPN 2 is optional for remote access. In fact, I would say let us omit this
VPN2.
Thanks
Gopal
At 10:52 AM 9/11/2003 -0500, Jayshree Bharatia wrote:
Hello Farid,
I would think that there may or may not be IPSec tunnel between the MN and
the FA/VPN. If there is, then it will have similar issue as discussed in
the proposed text. If there is no IPSec, the traffic will be unprotected
between these two entities.
Regards,
Jayshree
> -----Original Message-----
> From: Adrangi, Farid [mailto:farid.adrangi@intel.com]
> Sent: Wednesday, September 10, 2003 4:32 PM
> To: Bharatia, Jayshree [RICH1:2H13:EXCH]
> Cc: mccap@lucent.com; henrik@levkowetz.com; gdommety@cisco.com
> Subject: RE: Request for text proposal for your scenario
>
>
> Thanks Jayshree. Couple of clarifications:
>
> From your description, it is my understanding that there is
> only one IPsec tunnel, and that is between the FA/VPN in the
> foreign and the VPN GW in the VPN domain. In other words, No
> IPsec tunnel between the MN and the VPN GW in VPN domain and
> hence data traffic between the MN and the FA is not
> protected. Is my understanding correct? I will have more
> questions/comments based on your answers. Thanks for the
> text and hopefully we can wrap this up this week. BR, Farid
>
>
> -----Original Message-----
> From: Jayshree Bharatia [mailto:jayshree@nortelnetworks.com]
> Sent: Wednesday, September 10, 2003 12:15 PM
> To: Adrangi, Farid
> Cc: mccap@lucent.com; henrik@levkowetz.com; gdommety@cisco.com
> Subject: RE: Request for text proposal for your scenario
>
> Hi Farid,
>
> The following is my proposed text for the co-located FA-VPN
> GW scenario.
>
>
> Regards,
> Jayshree
> ---------------------
>
> 2.6 Combined VPN Gateway and MIPv4 FA
>
> MIPv4 FA and the VPN Gateway are running on the same physical machine.
>
>
> ..Foreign Network...              .....VPN Domain..(Intranet)....
> .                  .              .                             .
> . +----+  +-----+  .           +----+   +-------+   +-------+   .
> . |MNs |  | FA  |  .           | VPN|   | Router|   | HAs   |   .
> . |away|  |  +  |  .<=========>| GW |   | 1..n  |   |       |   .
> . |    |  | VPN |  .           |    |   +-------+   +-------+   .
> . |    |  | GW  |  .           |    |                           .
> . +----+  +-----+  .           +----+   +-------+   +-------+   .
> .                  .              .     | CN    |   | MNs   |   .
> ....................              .     | 1..n  |   | home  |   .
>                                   .     +-------+   +-------+   .
>                                   .                             .
>                                   ...............................
>
>
> In this scenario, two VPN gateways are involved where the FA
> is considered to be the trusted entity. The mipv4 tunnel is
> running inside the IPSec-ESP. For end-to-end security model,
> the VPN Gateway within the VPN Domain must protect the IP
> traffic originating at the MN. Since the point of attachment
> changes corresponding to the movement of the MN, it is
> essential that the VPN tunnel security association must be
> refreshed after each IP subnet handoff. Hence, this scenario
> is not practical where the mobility is involved due to performance
> implications for the real-time applications.
>
> > -----Original Message-----
> > From: Adrangi, Farid [mailto:farid.adrangi@intel.com]
> > Sent: Wednesday, September 03, 2003 7:54 PM
> > To: Bharatia, Jayshree [RICH1:2H13:EXCH]
> > Cc: mccap@lucent.com; henrik@levkowetz.com; gdommety@cisco.com
> > Subject: Request for text proposal for your scenario
> >
> >
> >
> > Hello Jayshree,
> > Could you please propose a text for the scenario that you
> > want to be added to the problem-statement draft?
> > BR,
> > Farid
> >
> > -----Original Message-----
> > From: Jayshree Bharatia [mailto:jayshree@nortelnetworks.com]
> > Sent: Wednesday, August 06, 2003 12:13 PM
> > To: Adrangi, Farid
> > Cc: mip4@ietf.org
> > Subject: RE: Comments on VPN Problem Statement Draft
> >
> > Hello Farid,
> >
> > Please see my reply below.
> >
> > Thanks,
> > Jayshree
> > -----Original Message-----
> > From: Adrangi, Farid [mailto:farid.adrangi@intel.com]
> > Sent: Sunday, August 03, 2003 11:50 PM
> > To: Bharatia, Jayshree [RICH1:2H13:EXCH]
> > Cc: mip4@ietf.org
> > Subject: RE: Comments on VPN Problem Statement Draft
> >
> >
> > Hello Jayshree,
> > Thanks for following up on this. You, Gopal, and I had a
> > very brief conversation on this during IETF-57 - but I am not
> > sure if we derived any conclusion on whether or not we should
> > include this scenario. To be frank, I don't quite understand
> > the point behind adding this scenario because,
> > - It seems to present a solution to a specific deployment model
> > rather than a deployment scenario
> >
> > [JB] My understanding is different from yours so please
> > elaborate what you mean by deployment model vs deployment
> > scenario in this particular context.
> >
> > - I don't quite see the advantages of a combined VPN+FA if it
> > does not support FA traversal and it does not avoid IPsec
> > renegotiation when MN moves from one subnet to another -
> > perhaps you can elaborate on this?
> >
> > [JB] I think regardless this scenario has any advantages or
> > not, it is one of the probable scenario which has potential
> > issues (as you have indicated earlier).
> >
> > - Furthermore, Scenarios in section 2 of the problem statement
> > draft represents combinations of MIPv4 HA and VPN gateway
> > placement - adding this scenario is going to change semantics
> > of the section 2.
> >
> > [JB] I am not sure what you mean by semantics change here. Do
> > you think documenting this in new subsection (2.6) is a problem?
> >
> > I have no problem adding this scenario to the draft - I just
> > wanted to make sure that we clearly understand the reasons
> > for adding this scenario to the problem statement draft.
> > Design team members and interested individuals are welcome to
> > express their opinion on this.
> >
> > Best regards,
> > Farid
> >
> >
> >
> >
> >
> > The following sub-sections introduce five representative
> > combinations of MIPv4 HA and VPN gateway placement.
> >
> > -----Original Message-----
> > From: Jayshree Bharatia [mailto:jayshree@nortelnetworks.com]
> > Sent: Thursday, July 31, 2003 1:44 PM
> > To: Adrangi, Farid
> > Cc: 'mip4@ietf.org'
> > Subject: RE: Comments on VPN Problem Statement Draft
> >
> > Hello Farid,
> >
> > As per our earlier discussion during IETF-57, my
> > understanding is that you will include the scenario of
> > co-existed FA with the VPN gateway in the VPN Problem
> > Statement draft.
> >
> > I agree that this particular scenario has problems and it
> > won't work if the MN is behind an FA in the foreign subnet.
> > But again, this is a problem statement draft. Hence, I
> > believe that this is the appropriate document for mentioning
> > this scenario.
> >
> > Thanks,
> > Jayshree
> >
> > -----Original Message-----
> > From: Adrangi, Farid [mailto:farid.adrangi@intel.com]
> > Sent: Monday, April 07, 2003 2:58 PM
> > To: Bharatia, Jayshree [RICH1:2H13:EXCH]
> > Cc: 'mobile-ip@sunroof.eng.sun.com'
> > Subject: RE: Comments on VPN Problem Statement Draft
> > Hello Jayshree
> > This is a good point - I knew someone was to bring this up!
> > At the time of writing these scenarios, we (the design team)
> > actually discussed this and concluded this scenario would
> > fall into a solution space. Maybe we did not make the right
> > decision and we should rethink this. But, before we take
> > this discussion further please allow me to ask you a few
> > questions about the details of the scenario (VPN+FA) that you
> > have in mind. Are you thinking to broadcast FA
> > advertisements through the IPsec tunnel to the MN? If so,
> > how will this work if MN is already behind an FA in the
> > foreign subnet? Or, If you had something different in mind,
> > perhaps you can elaborate on that. Best regards, Farid
> >
> >
> > -----Original Message-----
> > From: Jayshree Bharatia [mailto:jayshree@nortelnetworks.com]
> > Sent: Friday, April 04, 2003 3:14 PM
> > To: 'farid.adrangi@intel.com'
> > Cc: 'mobile-ip@sunroof.eng.sun.com'
> > Subject: Comments on VPN Problem Statement Draft
> >
> > Hello Farid,
> > This draft (draft-ietf-mobileip-vpn-problem-statement-req-01)
> > currently misses one scenario where the FA is co-existed with
> > the VPN Gateway. I would think that there are no technical
> > issues supporting this scenario. It will be good if you can
> > add this scenario in the draft (perhaps as section 2.6?)
> > for completeness.
> > Thanks,
> > Jayshree
> >
> >
>
_______________________________________________
Mip4 mailing list
Mip4@ietf.org
https://www.ietf.org/mailman/listinfo/mip4
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.