-----Original Message-----
From: Adrangi, Farid
Sent: Thursday, September 11, 2003
10:38 AM
To: 'Jayshree Bharatia'
Cc: mccap@lucent.com; henrik@levkowetz.com;
gdommety@cisco.com
Subject: RE: Request for text
proposal for your scenario
Thanks Jayshree. Ok, let me be more
specific by putting inline comments in your text below. Thanks.
BR,
Farid
Jayshree wrote:
“In this scenario, two VPN gateways are involved where the FA is
considered to be the trusted entity. The mipv4 tunnel is running inside the
IPSec-ESP (Farid>
established between the two VPN gateways). For end-to-end
security model, the VPN Gateway within the VPN Domain must protect the IP
traffic originating at the MN (Farid>
currently your scenario does not provide end-2-end security as the traffic
between the MN and the FA is in clear – so are you implying that there
should be another IPsec tunnel between the MN and the VPN GW protecting the
Intranet?), . Since the point of attachment changes corresponding
to the movement of the MN, it is essential that the VPN tunnel security
association must be refreshed after each IP subnet handoff (Farid> in your scenario, the MN is not the IPsec
tunnel end-point. So, when the changes its point of attachment, it does
not have to worry about refreshing SAs!). Hence, this scenario is
not practical where the mobility is involved due to performance implications
for the real-time applications.”
-----Original Message-----
From: Jayshree Bharatia
[mailto:jayshree@nortelnetworks.com]
Sent: Thursday, September 11, 2003
8:52 AM
To: Adrangi, Farid
Cc: mccap@lucent.com;
henrik@levkowetz.com; gdommety@cisco.com
Subject: RE: Request for text
proposal for your scenario
Hello Farid,
I would think that there may or may not be IPSec
tunnel between the MN and the FA/VPN. If there is, than it will have similar
issue as discussed in the proposed text. If there is no IPSec, the traffic will
be unprotected between these two entities.
Regards,
Jayshree
> -----Original Message-----
> From: Adrangi, Farid [mailto:farid.adrangi@intel.com]
> Sent: Wednesday, September 10,
2003 4:32 PM
> To: Bharatia, Jayshree
[RICH1:2H13:EXCH]
> Cc: mccap@lucent.com;
henrik@levkowetz.com; gdommety@cisco.com
> Subject: RE: Request for text
proposal for your scenario
>
>
> Thanks Jayshree. Couple
of clarifications:
>
> From your description, it is
my understanding that there is
> only one IPsec tunnel, and that
is between the FA/VPN in the
> foreign and the VPN GW in the
VPN domain. In other words, No
> IPsec tunnel between the MN
and the VPN GW in VPN domain and
> hence data traffic between the
MN and the FA is not
> protected. Is my
understanding correct? I will have more
> questions/comments based on
your answers. Thanks for the
> text and hopefully we can wrap
this up this week. BR, Farid
>
>
> -----Original Message-----
> From: Jayshree Bharatia [mailto:jayshree@nortelnetworks.com]
> Sent: Wednesday, September 10,
2003 12:15 PM
> To: Adrangi, Farid
> Cc: mccap@lucent.com;
henrik@levkowetz.com; gdommety@cisco.com
> Subject: RE: Request for text proposal
for your scenario
>
> Hi Farid,
>
> The following is my proposed
text for the co-located FA-VPN
> GW scenario.
>
>
> Reagrds,
> Jayshree
> ---------------------
>
> 2.6 Combined VPN Gateway and
MIPv4 FA
>
> MIPv4 FA and the VPN Gateway
are running on the same physical machine.
>
>
>
..Foreign
Network...
.....VPN Domain..(Intranet)....
>
.
.
.
.
>
. +----+ +-----+
.
+----+ +-------+ +-------+ .
>
. |MNs | | FA |
. |
VPN| | Router| | HAs | .
>
. |away| | + | .<=========>| GW
| | 1..n |
| | .
>
. | | | VPN |
.
| | +-------+ +-------+ .
>
. | | | GW |
.
|
|
.
>
. +----+ +-----+
.
+----+ +-------+ +-------+ .
>
.
.
. | CN | |
MNs | .
>
....................
. | 1..n | | home |
.
>
. +-------+ +-------+ .
>
.
.
>
...............................
>
>
> In this scenario, two VPN
gateways are involved where the FA
> is considered to be the
trusted entity. The mipv4 tunnel is
> running inside the IPSec-ESP.
For end-to-end security model,
> the VPN Gateway within the VPN
Domain must protect the IP
> traffic originating at the MN.
Since the point of attachment
> changes corresponding to the
movement of the MN, it is
> essential that the VPN tunnel
security association must be
> refreshed after each IP subnet
handoff. Hence, this scenario
> is not practical where the mobility
is involved due to performance
> implications for the real-time
applications.
>
> > -----Original
Message-----
> > From: Adrangi, Farid [mailto:farid.adrangi@intel.com]
> > Sent: Wednesday, September
03, 2003 7:54 PM
> > To: Bharatia, Jayshree
[RICH1:2H13:EXCH]
> > Cc: mccap@lucent.com;
henrik@levkowetz.com; gdommety@cisco.com
> > Subject: Request for text
proposal for your scenario
> >
> >
> >
> > Hello Jayshree,
> > Could you please propose
a text for the scenario that you
> > want to be added to the
problem-statement draft?
> > BR,
> > Farid
> >
> > -----Original
Message-----
> > From: Jayshree Bharatia [mailto:jayshree@nortelnetworks.com]
> > Sent: Wednesday, August
06, 2003 12:13 PM
> > To: Adrangi, Farid
> > Cc: mip4@ietf.org
> > Subject: RE: Comments on
VPN Problem Statement Draft
> >
> > Hello Farid,
> >
> > Please see my reply
below.
> >
> > Thanks,
> > Jayshree
> > -----Original
Message-----
> > From: Adrangi, Farid [mailto:farid.adrangi@intel.com]
> > Sent: Sunday, August 03,
2003 11:50 PM
> > To: Bharatia, Jayshree
[RICH1:2H13:EXCH]
> > Cc: mip4@ietf.org
> > Subject: RE: Comments on
VPN Problem Statement Draft
> >
> >
> > Hello Jayshree,
> > Thanks for following up
on this. You, Gopal, and I had a
> > very brief conversation
on this during IETF-57 - but I am not
> > sure if we derived any conclusion
on whether or not we should
> > include this
scenario. To be frank, I don't quite understand
> > the point behind adding
this scenario because,
> >
- It seems to present a
solution to a specific
> > deployment model
> > rather than a deployment
scenario
> > [JB] My understanding is
different from yours so please
> > elaborate what you mean
by deployment model vs deployment
> > scenario in this
particular context.
> >
> >
- I don't quite see the
advantages of a combined
> > VPN+FA if it
> > does
> > not support FA traversal
and it does not avoid IPsec
> > renegotiation when MN
moves from one subnet to another -
> > perhaps you can elaborate
on this? [JB] I think regardless
> > this scenario has any
advantages or not, it is one of the
> > probable scenario which
has potential issues (as you have
> > indicated earlier).
> >
> >
- Furthermore, Scenarios
in section 2 of the problem
> > statement
> > draft represents
combinations of MIPv4 HA and VPN gateway
> > placement - adding this
scenario is going to change semantics
> > of the section 2. [JB] I
am not sure what you mean by
> > semantics change here. Do
you think documenting this in new
> > subsection (2.6) is a
problem?
> >
> > I have no problem adding
this scenario to the draft - I just
> > wanted to make sure that
we clearly understand the reasons
> > for adding this scenario
to the problem statement draft.
> > Design team members and
interested individuals are welcome to
> > express their opinion on
this.
> >
> > Best regards,
> > Farid
> >
> >
> >
> >
> >
> > The
following sub-sections introduce
five representative
> >
combinations of MIPv4 HA and VPN gateway placement.
> >
> > -----Original
Message-----
> > From: Jayshree Bharatia [mailto:jayshree@nortelnetworks.com]
> > Sent: Thursday, July 31,
2003 1:44 PM
> > To: Adrangi, Farid
> > Cc: 'mip4@ietf.org'
> > Subject: RE: Comments on VPN
Problem Statement Draft
> >
> > Hello Farid,
> >
> > As per our earlier
discussion during IETF-57, my
> > understanding is that you
will include the scenario of
> > co-existed FA with the
VPN gateway in the VPN Problem
> Statement draft.
> >
> > I agree that this
particular scenario has problems and it
> > won't work if the MN is
behind an FA in the foreign subnet.
> > But again, this is a
problem statement draft. Hence, I
> > believe that this is the
appropriate document for mentioning
> > this scenario.
> >
> > Thanks,
> > Jayshree
> >
> > -----Original
Message-----
> > From: Adrangi, Farid [mailto:farid.adrangi@intel.com]
> > Sent: Monday, April 07,
2003 2:58 PM
> > To: Bharatia, Jayshree
[RICH1:2H13:EXCH]
> > Cc:
'mobile-ip@sunroof.eng.sun.com'
> > Subject: RE: Comments on
VPN Problem Statement Draft
> > Hello Jayshree
> > This is a good point - I
knew someone was to bring this up!
> > At the time of writing
these scenarios, we (the design team)
> > actually discussed this
and concluded this scenario would
> > fall into a solution
space. Maybe we did not make the right
> > decision and we should
rethink this. But, before we take
> > this discussion further
please allow me to ask you a few
> > questions about the
details of the scenario (VPN+FA) that you
> > have in mind . Are
you thinking to broadcast FA
> > advertisements through
the IPsec tunnel to the MN? If so,
> > how will this work if MN
is already behind an FA in the
> > foreign subnet? Or, If
you had something different in mind,
> > perhaps you can elaborate
on that. Best regards, Farid
> >
> >
> > -----Original
Message-----
> > From: Jayshree Bharatia [mailto:jayshree@nortelnetworks.com],
> > Sent: Friday, April 04,
2003 3:14 PM
> > To:
'farid.adrangi@intel.com'
> > Cc:
'mobile-ip@sunroof.eng.sun.com'
> > Subject: Comments on VPN
Problem Statement Draft
> >
> > Hello Farid,
> > This draft (draft-ietf-mobileip-vpn-problem-statement-req-01)
> > currently misses one
scenario were the FA is co-existed with
> > the VPN Gateway. I would
think that there are no technical
> > issues supporting this
scenario. It will be good if you can
> > add this scenario in the
draft (perhaps as section
> > 2.6?)
> > for completeness.
> > Thanks,
> > Jayshree
> >
> >
>
�
