Virtual blue sheet

Brian Weis
Chris Ulliott
Daniel Migault
David Black
Frederic Detienne
Manish Kumar
Michael Richardson
Mike Sullenberger
Paul Hoffman
Paul Wouters
Praveen Sathyanarayan
Scott McKinnon
Tero Kivinen
Tiffany (last name missed)
Toby Mao
Valery Smyslov
Yaron Sheffer
Yoav Nir

==================================================

IPsecME WG Virtual Interim meeting 2013-10-09

Minutes taken by Paul Hoffman

Text from slides not reproduced here
Recording is available at http://www.vpnc.org/ipsecme-virtual-interim-2013-10-09.mp3


Flexible Dynamic Mesh VPN
draft-detienne-dmvpn

[[ Started WG meeting recording at slide 4 of the DMVPN slides ]]

Uses GRE to do tunneling, uses IPsec just for encryption
Hubs don't do auto-discovery of other hubs; spokes are configured for all their hubs
Hubs don't need to know all the domain administrators
Spokes can be pre-loaded with authentication for all domains
When building the shortcut tunnel, the routing table is modified on the fly
Not using IPsec policies: where can people affect firewall policy? In the routing
Can put ACLs and rules on the tunnel interfaces
Shortcut policy: on the end-points, and on the hub
Tunnel private address isn't in the packets; only used for traffic routing
What is expected from the routing protocol? What is expected from the system?
Hub starts without NHRP configuration for the nodes; only encryption is used, and auth certs
Routing protocol is used to distribute the subnets in the DMVPN
EIGRP and BGP seem to be the best for scaling
Subnets are usually statically defined, but you can run DHCP over the network
All nodes do not need to be in the same subnet, but it is useful for design
What does the protocol need in a multi-vendor model?
Hubs can be crossover points, but may not be able to do shortcut tunnels
They don't have to be running the same routing protocol; can do static routing with a summary
Shortcut tunnel doesn't care what traffic goes over it: would use policy-based routing
Hub has to have a superset of all the routing protocols run by the spokes connected to it
NHRP checks the source information during registration, particularly for NAT traversal
How are the IKE authentications tied to the resolution replies? They aren't.
Once B has a resolution request, he has the mapping to A's outside address
If you're in the network, you're partially trusted
With 500 domains, you wouldn't put the cert chain for every domain


Auto Discovery VPN Protocol
draft-mao-ipsecme-ad-vpn-protocol

Presenter had communication issues, could not present


AH and ESP Crypto Requirements
draft-ietf-ipsecme-esp-ah-reqts

Paul Hoffman added as new author
Probably getting close to WG Last Call
There was a request to also update the IKEv2 requirements (RFC 4307) at the same time
Will be on the list
Agreement that if 3DES is only a MAY in IKEv2, it could be dropped from some implementations
Question about whether certain sized DH groups should be listed
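Added example, not from the draft-detienne-dmvpn presentation or from any vendor documentation: a minimal hub-and-spoke configuration in Cisco IOS-style CLI that maps the DMVPN design discussed in the first agenda item onto concrete configuration. It shows the points raised in the discussion: a multipoint GRE tunnel with IPsec used only to encrypt and authenticate the GRE packets (transport mode), certificate-based IKEv2 authentication, a hub that has no per-spoke NHRP configuration and learns spokes through registration, spokes statically configured with their hub (NHS), an ACL applied on the tunnel interface rather than through IPsec policy, and a routing protocol (EIGRP) distributing the subnets with a summary route at the hub so that spoke-to-spoke traffic triggers an NHRP redirect and a shortcut tunnel. All names, addresses (RFC 5737 and RFC 1918 ranges), the network-id, the EIGRP AS number, the trustpoint and the crypto parameters are assumptions chosen for the example.

```cisco
! ===== Common to hub and spokes: IKEv2 with certificates, ESP in transport mode =====
crypto pki trustpoint DMVPN-CA
 enrollment terminal
 revocation-check crl
!
crypto ikev2 proposal DMVPN-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy DMVPN-POL
 proposal DMVPN-PROP
!
crypto ikev2 profile DMVPN-IKEV2
 ! Any peer with a certificate under the assumed domain is accepted; the hub
 ! therefore needs no per-spoke identity configuration (see "Hubs don't need to
 ! know all the domain administrators").
 match identity remote fqdn domain example.net
 identity local fqdn hub1.example.net
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint DMVPN-CA
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile DMVPN-IPSEC
 set transform-set DMVPN-TS
 set ikev2-profile DMVPN-IKEV2
!
! ACL enforced on the tunnel interface: policy lives in routing/interfaces,
! not in IPsec selectors (the "where can people affect firewall policy" point).
ip access-list extended TUNNEL-IN
 permit tcp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255 eq 443
 permit icmp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 deny   ip any any log
!
! ===== Hub (public 203.0.113.1, tunnel 10.0.0.1, LAN 192.168.1.0/24) =====
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip access-group TUNNEL-IN in
 ! No static NHRP maps: spokes register dynamically.
 ip nhrp network-id 1
 ip nhrp map multicast dynamic
 ! Tell spokes to resolve each other and build shortcut tunnels.
 ip nhrp redirect
 ! Hub advertises one summary; the spoke's routing table is later
 ! overridden on the fly by the more specific NHRP shortcut route.
 no ip split-horizon eigrp 100
 ip summary-address eigrp 100 192.168.0.0 255.255.0.0
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-IPSEC
!
router eigrp 100
 network 10.0.0.0 0.0.0.255
 network 192.168.1.0 0.0.0.255
!
! ===== Spoke (public address may be behind NAT, tunnel 10.0.0.2, LAN 192.168.2.0/24) =====
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip access-group TUNNEL-IN in
 ip nhrp network-id 1
 ! Spokes are configured with every hub they use (no hub auto-discovery).
 ip nhrp map 10.0.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp nhs 10.0.0.1
 ! Accept redirects and install shortcut routes for spoke-to-spoke traffic.
 ip nhrp shortcut
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-IPSEC
!
router eigrp 100
 network 10.0.0.0 0.0.0.255
 network 192.168.2.0 0.0.0.255
```

Note the trust model this reflects, as raised in the discussion: IKEv2 authenticates the GRE/IPsec peer, but the NHRP resolution reply that gives spoke B the outside address of spoke A is not bound to that IKE authentication; any device that holds a certificate under the accepted domain, and is therefore registered in the network, is trusted to answer resolutions. The tunnel-interface ACL limits what such a partially trusted peer can send, which is why policy is placed there rather than in IPsec selectors.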