-----Original Message-----
From: Adrangi, Farid
Sent: Thursday, September 11, 2003 10:38 AM
To: 'Jayshree Bharatia'
Cc: mccap@lucent.com; henrik@levkowetz.com; gdommety@cisco.com
Subject: RE: Request for text proposal for your scenario

Thanks Jayshree. Ok, let me be more specific by putting inline comments in
your text below. Thanks.
BR,
Farid
Jayshree wrote:

"In this scenario, two VPN gateways are involved where the FA is considered
to be the trusted entity. The mipv4 tunnel is running inside the IPSec-ESP
(Farid> established between the two VPN gateways). For end-to-end security
model, the VPN Gateway within the VPN Domain must protect the IP traffic
originating at the MN (Farid> currently your scenario does not provide
end-2-end security as the traffic between the MN and the FA is in clear - so
are you implying that there should be another IPsec tunnel between the MN and
the VPN GW protecting the Intranet?). Since the point of attachment changes
corresponding to the movement of the MN, it is essential that the VPN tunnel
security association must be refreshed after each IP subnet handoff (Farid>
in your scenario, the MN is not the IPsec tunnel end-point. So, when the MN
changes its point of attachment, it does not have to worry about refreshing
SAs!). Hence, this scenario is not practical where the mobility is involved
due to performance implications for the real-time applications."
-----Original Message-----
From: Jayshree Bharatia [mailto:jayshree@nortelnetworks.com]
Sent: Thursday, September 11, 2003 8:52 AM
To: Adrangi, Farid
Cc: mccap@lucent.com; henrik@levkowetz.com; gdommety@cisco.com
Subject: RE: Request for text proposal for your scenario

Hello Farid,

I would think that there may or may not be an IPSec tunnel between the MN and
the FA/VPN. If there is, then it will have a similar issue as discussed in
the proposed text. If there is no IPSec, the traffic will be unprotected
between these two entities.

Regards,
Jayshree
> -----Original Message-----
> From: Adrangi, Farid [mailto:farid.adrangi@intel.com]
> Sent: Wednesday, September 10, 2003 4:32 PM
> To: Bharatia, Jayshree [RICH1:2H13:EXCH]
> Cc: mccap@lucent.com; henrik@levkowetz.com; gdommety@cisco.com
> Subject: RE: Request for text proposal for your scenario
>
>
> Thanks Jayshree. Couple of clarifications:
>
> From your description, it is my understanding that there is only one
> IPsec tunnel, and that is between the FA/VPN in the foreign and the VPN
> GW in the VPN domain. In other words, no IPsec tunnel between the MN and
> the VPN GW in VPN domain and hence data traffic between the MN and the FA
> is not protected. Is my understanding correct? I will have more
> questions/comments based on your answers. Thanks for the text and
> hopefully we can wrap this up this week.
> BR, Farid
>
>
>
> -----Original Message-----
> From: Jayshree Bharatia [mailto:jayshree@nortelnetworks.com]
> Sent: Wednesday, September 10, 2003 12:15 PM
> To: Adrangi, Farid
> Cc: mccap@lucent.com; henrik@levkowetz.com; gdommety@cisco.com
> Subject: RE: Request for text proposal for your scenario
>
> Hi Farid,
>
> The following is my proposed text for the co-located FA-VPN GW scenario.
>
>
> Regards,
> Jayshree
>
> ---------------------
>
> 2.6 Combined VPN Gateway and MIPv4 FA
>
> MIPv4 FA and the VPN Gateway are running on the same physical machine.
>
>
>   ..Foreign Network...        .....VPN Domain..(Intranet).....
>   .                  .        .                              .
>   .  +----+ +-----+  .        .  +----+ +-------+ +-------+  .
>   .  |MNs | | FA  |  .        .  |VPN | | Router | | HAs   |  .
>   .  |away| |  +  |  .<=========>| GW | |       | | 1..n  |  .
>   .  |    | | VPN |  .        .  |    | +-------+ +-------+  .
>   .  |    | | GW  |  .        .  |    |                      .
>   .  +----+ +-----+  .        .  +----+ +-------+ +-------+  .
>   .                  .        .         | CN    | | MNs   |  .
>   ....................        .         | 1..n  | | home  |  .
>                               .         +-------+ +-------+  .
>                               .                              .
>                               ................................
>
>
> In this scenario, two VPN gateways are involved where the FA is considered
> to be the trusted entity. The mipv4 tunnel is running inside the
> IPSec-ESP. For end-to-end security model, the VPN Gateway within the VPN
> Domain must protect the IP traffic originating at the MN. Since the point
> of attachment changes corresponding to the movement of the MN, it is
> essential that the VPN tunnel security association must be refreshed
> after each IP subnet handoff. Hence, this scenario is not practical where
> the mobility is involved due to performance implications for the
> real-time applications.
>
> > -----Original Message-----
> > From: Adrangi, Farid [mailto:farid.adrangi@intel.com]
> > Sent: Wednesday, September 03, 2003 7:54 PM
> > To: Bharatia, Jayshree [RICH1:2H13:EXCH]
> > Cc: mccap@lucent.com; henrik@levkowetz.com; gdommety@cisco.com
> > Subject: Request for text proposal for your scenario
> >
> >
> > Hello Jayshree,
> >
> > Could you please propose a text for the scenario that you want to be
> > added to the problem-statement draft?
> > BR,
> > Farid
> >
> > -----Original Message-----
> > From: Jayshree Bharatia [mailto:jayshree@nortelnetworks.com]
> > Sent: Wednesday, August 06, 2003 12:13 PM
> > To: Adrangi, Farid
> > Cc: mip4@ietf.org
> > Subject: RE: Comments on VPN Problem Statement Draft
> >
> > Hello Farid,
> >
> > Please see my reply below.
> >
> > Thanks,
> > Jayshree
> > -----Original Message-----
> > From: Adrangi, Farid [mailto:farid.adrangi@intel.com]
> > Sent: Sunday, August 03, 2003 11:50 PM
> > To: Bharatia, Jayshree [RICH1:2H13:EXCH]
> > Cc: mip4@ietf.org
> > Subject: RE: Comments on VPN Problem Statement Draft
> >
> >
> > Hello Jayshree,
> > Thanks for following up on this. You, Gopal, and I had a very brief
> > conversation on this during IETF-57 - but I am not sure if we derived
> > any conclusion on whether or not we should include this scenario. To be
> > frank, I don't quite understand the point behind adding this scenario
> > because,
> >
> > - It seems to present a solution to a specific deployment model rather
> >   than a deployment scenario
> >
> > [JB] My understanding is different from yours so please elaborate what
> > you mean by deployment model vs deployment scenario in this particular
> > context.
> >
> > - I don't quite see the advantages of a combined VPN+FA if it does not
> >   support FA traversal and it does not avoid IPsec renegotiation when
> >   MN moves from one subnet to another - perhaps you can elaborate on
> >   this?
> >
> > [JB] I think regardless of whether this scenario has any advantages or
> > not, it is one of the probable scenarios which has potential issues (as
> > you have indicated earlier).
> >
> > - Furthermore, scenarios in section 2 of the problem statement draft
> >   represent combinations of MIPv4 HA and VPN gateway placement - adding
> >   this scenario is going to change the semantics of section 2.
> >
> > [JB] I am not sure what you mean by semantics change here. Do you think
> > documenting this in a new subsection (2.6) is a problem?
> >
> > I have no problem adding this scenario to the draft - I just wanted to
> > make sure that we clearly understand the reasons for adding this
> > scenario to the problem statement draft. Design team members and
> > interested individuals are welcome to express their opinion on this.
> >
> > Best regards,
> > Farid
> >
> >
> > The following sub-sections introduce five representative combinations
> > of MIPv4 HA and VPN gateway placement.
> >
> > -----Original Message-----
> > From: Jayshree Bharatia [mailto:jayshree@nortelnetworks.com]
> > Sent: Thursday, July 31, 2003 1:44 PM
> > To: Adrangi, Farid
> > Cc: 'mip4@ietf.org'
> > Subject: RE: Comments on VPN Problem Statement Draft
> >
> > Hello Farid,
> >
> > As per our earlier discussion during IETF-57, my understanding is that
> > you will include the scenario of co-existed FA with the VPN gateway in
> > the VPN Problem Statement draft.
> >
> > I agree that this particular scenario has problems and it won't work if
> > the MN is behind an FA in the foreign subnet. But again, this is a
> > problem statement draft. Hence, I believe that this is the appropriate
> > document for mentioning this scenario.
> >
> > Thanks,
> > Jayshree
> >
> > -----Original Message-----
> > From: Adrangi, Farid [mailto:farid.adrangi@intel.com]
> > Sent: Monday, April 07, 2003 2:58 PM
> > To: Bharatia, Jayshree [RICH1:2H13:EXCH]
> > Cc: 'mobile-ip@sunroof.eng.sun.com'
> > Subject: RE: Comments on VPN Problem Statement Draft
> >
> > Hello Jayshree
> > This is a good point - I knew someone was going to bring this up!
> > At the time of writing these scenarios, we (the design team) actually
> > discussed this and concluded this scenario would fall into a solution
> > space. Maybe we did not make the right decision and we should rethink
> > this. But, before we take this discussion further please allow me to
> > ask you a few questions about the details of the scenario (VPN+FA) that
> > you have in mind. Are you thinking of broadcasting FA advertisements
> > through the IPsec tunnel to the MN? If so, how will this work if MN is
> > already behind an FA in the foreign subnet? Or, if you had something
> > different in mind, perhaps you can elaborate on that.
> > Best regards, Farid
> >
> >
> > -----Original Message-----
> > From: Jayshree Bharatia [mailto:jayshree@nortelnetworks.com]
> > Sent: Friday, April 04, 2003 3:14 PM
> > To: 'farid.adrangi@intel.com'
> > Cc: 'mobile-ip@sunroof.eng.sun.com'
> > Subject: Comments on VPN Problem Statement Draft
> >
> > Hello Farid,
> >
> > This draft (draft-ietf-mobileip-vpn-problem-statement-req-01) currently
> > misses one scenario where the FA is co-existed with the VPN Gateway. I
> > would think that there are no technical issues supporting this
> > scenario. It will be good if you can add this scenario in the draft
> > (perhaps as section 2.6?) for completeness.
> > Thanks,
> > Jayshree
> >
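Added illustration, not part of the thread or of the problem-statement draft: a small Python model of the two layouts the thread argues about. In the section 2.6 layout the FA/VPN GW terminates ESP towards the VPN GW, so the MN to FA hop is in the clear (Farid's first inline comment) and the SA endpoints are gateways that do not move, so the MN never renegotiates anything when it changes subnet (his second comment). In the contrasting layout, where the MN itself terminates IPsec on a co-located care-of address, every subnet change invalidates the SA bound to the old address and forces a fresh IKE run at the MN. All addresses, SPIs, the hypothetical helper names (`path_2_6`, `path_mn_endpoint`, `handoff_negotiations`) and the assumption that there is no IKE address-mobility mechanism are mine, not the draft's.

```python
"""Toy model of the thread's section 2.6 scenario (MIPv4 FA and VPN gateway on
one box, ESP between the two VPN gateways) next to the layout it is contrasted
with (the MN itself terminates IPsec).  Constructed illustration: addresses,
SPIs and helper names are assumptions, nothing is taken from the draft."""
from collections import Counter
from dataclasses import dataclass, field

# Constructed topology: two foreign networks, each with its own FA/VPN GW.
MN_HOME = "10.0.0.5"       # MN home address, inside the VPN domain
CN = "10.0.0.9"            # correspondent node in the intranet
HA = "10.0.0.1"            # home agent
VPN_GW = "203.0.113.1"     # VPN domain gateway, Internet side
FA_GW = {"fn1": "198.51.100.1", "fn2": "198.51.100.129"}   # FA/VPN GW per foreign net
MN_COA = {"fn1": "198.51.100.7", "fn2": "198.51.100.140"}  # co-located CoA (MN-endpoint model)


@dataclass
class SA:
    src: str
    dst: str
    spi: int


@dataclass
class SADB:
    """Minimal SA database keyed by (outer src, outer dst); counts IKE runs per party."""
    entries: dict = field(default_factory=dict)
    negotiations: Counter = field(default_factory=Counter)

    def lookup_or_negotiate(self, src, dst, negotiator):
        key = (src, dst)
        if key not in self.entries:
            self.negotiations[negotiator] += 1  # an IKE exchange happens here
            self.entries[key] = SA(src, dst, spi=0x1000 + len(self.entries))
        return self.entries[key]

    def drop_src(self, src):
        """Discard SAs whose outer source address is no longer reachable."""
        self.entries = {k: v for k, v in self.entries.items() if k[0] != src}


def path_2_6(fn, sadb):
    """Section 2.6: the FA/VPN GW of foreign network `fn` is the IPsec endpoint.
    Returns what a passive observer sees on each segment of an MN -> CN packet."""
    gw = FA_GW[fn]
    sa = sadb.lookup_or_negotiate(gw, VPN_GW, negotiator="FA/VPN GW")
    return [
        # foreign link: plain IP to the FA (FA care-of address), nothing encrypted
        ("MN -> FA/VPN GW", {"outer": (MN_HOME, CN), "encrypted": False}),
        # Internet: MIPv4 reverse tunnel FA->HA carried inside ESP between the gateways
        ("FA/VPN GW -> VPN GW", {"outer": (gw, VPN_GW), "spi": sa.spi, "encrypted": True}),
        # intranet: ESP stripped, the IP-in-IP tunnel FA->HA is visible, HA decapsulates
        ("VPN GW -> HA", {"outer": (gw, HA), "encrypted": False}),
        ("HA -> CN", {"outer": (MN_HOME, CN), "encrypted": False}),
    ]


def path_mn_endpoint(fn, sadb):
    """Contrast case: the MN terminates IPsec itself (co-located care-of address),
    so the SA's outer source is an address the MN loses at every subnet handoff."""
    coa = MN_COA[fn]
    sa = sadb.lookup_or_negotiate(coa, VPN_GW, negotiator="MN")
    return [
        ("MN -> VPN GW", {"outer": (coa, VPN_GW), "spi": sa.spi, "encrypted": True}),
        ("VPN GW -> HA", {"outer": (coa, HA), "encrypted": False}),
        ("HA -> CN", {"outer": (MN_HOME, CN), "encrypted": False}),
    ]


def clear_segments(path):
    """Segments an on-path observer can read in the clear."""
    return [name for name, view in path if not view["encrypted"]]


def handoff_negotiations(model, visits):
    """Move the MN through `visits` and return how many IKE negotiations each
    party had to run.  Gateway SAs survive the MN's moves; an SA bound to the
    MN's old care-of address does not (assumption: no IKE address mobility)."""
    sadb = SADB()
    prev = None
    for fn in visits:
        if model is path_mn_endpoint and prev is not None and prev != fn:
            sadb.drop_src(MN_COA[prev])
        model(fn, sadb)
        prev = fn
    return dict(sadb.negotiations)


if __name__ == "__main__":
    moves = ["fn1", "fn2", "fn1", "fn2"]
    print("2.6 clear segments :", clear_segments(path_2_6("fn1", SADB())))
    print("2.6 IKE runs       :", handoff_negotiations(path_2_6, moves))
    print("MN-endpoint IKE    :", handoff_negotiations(path_mn_endpoint, moves))
```

Running it with the MN bouncing between the two foreign networks shows the trade-off in one line each: the 2.6 layout costs two gateway-side IKE runs in total (one per FA/VPN GW, reused thereafter) and zero at the MN, while leaving the MN to FA hop readable; the MN-endpoint layout protects that hop but pays one IKE run at the MN per handoff.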