| < draft-ietf-ipsecme-ad-vpn-problem-03.txt | draft-ietf-ipsecme-ad-vpn-problem-04.txt > | |||
|---|---|---|---|---|
| IPsecME Working Group S. Hanna | IPsecME Working Group S. Hanna | |||
| Internet-Draft Juniper | Internet-Draft Juniper | |||
| Intended status: Informational V. Manral | Intended status: Informational V. Manral | |||
| Expires: June 20, 2013 HP | Expires: August 25, 2013 HP | |||
| December 17, 2012 | February 21, 2013 | |||
| Auto Discovery VPN Problem Statement and Requirements | Auto Discovery VPN Problem Statement and Requirements | |||
| draft-ietf-ipsecme-ad-vpn-problem-03 | draft-ietf-ipsecme-ad-vpn-problem-04 | |||
| Abstract | Abstract | |||
| This document describes the problem of enabling a large number of | This document describes the problem of enabling a large number of | |||
| systems to communicate directly using IPsec to protect the traffic | systems to communicate directly using IPsec to protect the traffic | |||
| between them. It then expands on the requirements, for such a | between them. It then expands on the requirements, for such a | |||
| solution. | solution. | |||
| Manual configuration of all possible tunnels is too cumbersome in | Manual configuration of all possible tunnels is too cumbersome in | |||
| many such cases. In other cases the IP address of endpoints change | many such cases. In other cases the IP address of endpoints change | |||
| or the endpoints may be behind NAT gateways, making static | or the endpoints may be behind NAT gateways, making static | |||
| configuration impossible. The Auto Discovery VPN solution is | configuration impossible. The Auto Discovery VPN solution will | |||
| chartered to address these requirements. | address these requirements. | |||
| Status of this Memo | Status of this Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on June 20, 2013. | This Internet-Draft will expire on August 25, 2013. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2012 IETF Trust and the persons identified as the | Copyright (c) 2013 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 | 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 1.2. Conventions Used in This Document . . . . . . . . . . . . 4 | 1.2. Conventions Used in This Document . . . . . . . . . . . . 4 | |||
| 2. Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 2. Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 2.1. Endpoint-to-Endpoint AD VPN Use Case . . . . . . . . . . . 5 | 2.1. Endpoint-to-Endpoint ADVPN Use Case . . . . . . . . . . . 5 | |||
| 2.2. Gateway-to-Gateway AD VPN Use Case . . . . . . . . . . . . 5 | 2.2. Gateway-to-Gateway ADVPN Use Case . . . . . . . . . . . . 5 | |||
| 2.3. Endpoint-to-Gateway AD VPN Use Case . . . . . . . . . . . 6 | 2.3. Endpoint-to-Gateway ADVPN Use Case . . . . . . . . . . . . 6 | |||
| 3. Inadequacy of Existing Solutions . . . . . . . . . . . . . . . 7 | 3. Inadequacy of Existing Solutions . . . . . . . . . . . . . . . 7 | |||
| 3.1. Exhaustive Configuration . . . . . . . . . . . . . . . . . 7 | 3.1. Exhaustive Configuration . . . . . . . . . . . . . . . . . 7 | |||
| 3.2. Star Topology . . . . . . . . . . . . . . . . . . . . . . 7 | 3.2. Star Topology . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 3.3. Proprietary Approaches . . . . . . . . . . . . . . . . . . 8 | 3.3. Proprietary Approaches . . . . . . . . . . . . . . . . . . 8 | |||
| 4. Requirements . . . . . . . . . . . . . . . . . . . . . . . . . 9 | 4. Requirements . . . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 4.1. Gateway and Endpoint Requirements . . . . . . . . . . . . 9 | 4.1. Gateway and Endpoint Requirements . . . . . . . . . . . . 9 | |||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . 12 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 12 | |||
| 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 | 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 14 | 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 8. Normative References . . . . . . . . . . . . . . . . . . . . . 15 | 8. Normative References . . . . . . . . . . . . . . . . . . . . . 15 | |||
| skipping to change at page 3, line 40 ¶ | skipping to change at page 3, line 40 ¶ | |||
| contains several use cases that motivate this effort. | contains several use cases that motivate this effort. | |||
| 1.1. Terminology | 1.1. Terminology | |||
| Endpoint - A device that implements IPsec for its own traffic but | Endpoint - A device that implements IPsec for its own traffic but | |||
| does not act as a gateway. | does not act as a gateway. | |||
| Gateway - A network device that implements IPsec to protect traffic | Gateway - A network device that implements IPsec to protect traffic | |||
| flowing through the device. | flowing through the device. | |||
| Point-to-Point - Direct communication between two parties without | Point-to-Point - Communication between two parties without active | |||
| active participation (e.g. encryption or decryption) by any other | participation (e.g. encryption or decryption) by any other parties. | |||
| parties. | ||||
| Hub - The central point in a star topology/ dynamic full mesh | Hub - The central point in a star topology/ dynamic full mesh | |||
| topology, or one of the central points in the full mesh style VPN, | topology, or one of the central points in the full mesh style VPN, | |||
| i.e. gateway where multiple other hubs or spokes connect to. The | i.e. gateway where multiple other hubs or spokes connect to. The | |||
| hubs usually forward traffic coming from encrypted links to other | hubs usually forward traffic coming from encrypted links to other | |||
| encrypted links, i.e. there is no devices connected to it in clear. | encrypted links, i.e. there are no devices connected to it in clear. | |||
| Spoke - The edge devices in the a star topology/ dynamic full mesh | Spoke - The edge devices in a star topology/ dynamic full mesh | |||
| topology, or gateway which forwards traffic from multiple cleartext | topology, or gateway which forwards traffic from multiple cleartext | |||
| devices to other hubs or spokes, and some of those other devices are | devices to other hubs or spokes, and some of those other devices are | |||
| connected to it in clear (i.e. it encrypt data coming from cleartext | connected to it in clear (i.e. it encrypts data coming from cleartext | |||
| device and forwards it to the AD VPN). | devices and forwards it to the ADVPN). | |||
| ADVPN Peer - any member of an ADVPN including gateways, endpoints, | ||||
| hub or spoke. | ||||
| Star topology - This is the topology where there is direct | Star topology - This is the topology where there is direct | |||
| connectivity only between the hub and spoke and communication between | connectivity only between the hub and spoke and communication between | |||
| the 2 spokes happens through the hub. | the 2 spokes happens through the hub. | |||
| Full Mesh topology - This is the topology where there is a direct | Full Mesh topology - This is the topology where there is a direct | |||
| connectivity between every Spoke to every other Spoke directly, | connectivity between every Spoke to every other Spoke directly, | |||
| without the traffic between the spokes having to be redirected | without the traffic between the spokes having to be redirected | |||
| through an intermediate hub device. | through an intermediate hub device. | |||
| skipping to change at page 5, line 11 ¶ | skipping to change at page 5, line 11 ¶ | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in [RFC2119]. | document are to be interpreted as described in [RFC2119]. | |||
| 2. Use Cases | 2. Use Cases | |||
| This section presents the key use cases for large-scale point-to- | This section presents the key use cases for large-scale point-to- | |||
| point VPN. | point VPN. | |||
| In all of these use cases, the participants (endpoints and gateways) | In all of these use cases, the participants (endpoints and gateways) | |||
| may be from a single organization or from multiple organizations with | may be from a single organization (administrative domain) or from | |||
| an established trust relationship. When multiple organizations are | multiple organizations with an established trust relationship. When | |||
| involved, products from multiple vendors are employed so open | multiple organizations are involved, products from multiple vendors | |||
| standards are needed to provide interoperability. Establishing | are employed so open standards are needed to provide | |||
| communications between participants with no established trust | interoperability. Establishing communications between participants | |||
| relationship is out of scope for this effort. | with no established trust relationship is out of scope for this | |||
| effort. | ||||
| 2.1. Endpoint-to-Endpoint AD VPN Use Case | 2.1. Endpoint-to-Endpoint ADVPN Use Case | |||
| Two endpoints wish to communicate securely via a direct, point-to- | Two endpoints wish to communicate securely via a point-to-point | |||
| point Security Association (SA). | Security Association (SA). | |||
| The need for secure endpoint to endpoint communications is often | The need for secure endpoint to endpoint communications is often | |||
| driven by a need to employ high-bandwidth, low latency local | driven by a need to employ high-bandwidth, low latency local | |||
| connectivity instead of using slow, expensive links to remote | connectivity instead of using slow, expensive links to remote | |||
| gateways. For example, two users in close proximity may wish to | gateways. For example, two users in close proximity may wish to | |||
| place a direct, secure video or voice call without needing to send | place a direct, secure video or voice call without needing to send | |||
| the call through remote gateways, which would add latency to the | the call through remote gateways, which would add latency to the | |||
| call, consume precious remote bandwidth, and increase overall costs. | call, consume precious remote bandwidth, and increase overall costs. | |||
| Such a use case also enables connectivity when both endpoints are | Such a use case also enables connectivity when both behind NAT | |||
| behind NAT gateways. Such use case should allow for seamless | gateways. Such a use case ought to allow for seamless connectivity | |||
| connectivity even as endpoints roam, even if they are moving out from | even as endpoints roam, even if they are moving out from behind a NAT | |||
| behind a NAT gateway, from behind one NAT gateway to behind another, | gateway, from behind one NAT gateway to behind another, or from a | |||
| or from a standalone position to behind a NAT gateway. | standalone position to behind a NAT gateway. | |||
| In a hub and spoke topology when two endpoints communicate, they must | In a star topology when two endpoints communicate, they need a | |||
| use a mechanism for authentication, such that they do not expose them | mechanism for authentication, such that they do not expose themselves | |||
| to impersonation by the other spoke endpoint. | to impersonation by the other spoke endpoint. | |||
| 2.2. Gateway-to-Gateway AD VPN Use Case | 2.2. Gateway-to-Gateway ADVPN Use Case | |||
| A typical Enterprise traffic model follows a star topology, with the | A typical Enterprise traffic model follows a star topology, with the | |||
| gateways connecting to each other using IPsec tunnels. | gateways connecting to each other using IPsec tunnels. | |||
| However for the voice and other rich media traffic that requires a | However for voice and other rich media traffic that requires a lot of | |||
| lot of bandwidth or is performance sensitive, the traffic tromboning | bandwidth or is performance sensitive, the traffic tromboning to the | |||
| to the hub can create traffic bottlenecks on the hub and can lead to | hub can create traffic bottlenecks on the hub and can lead to an | |||
| an increase in cost. A fully meshed solution would make best use of | increase in cost. A fully meshed solution would make best use of the | |||
| the available network capacity and performance but the deployment of | available network capacity and performance but the deployment of a | |||
| a fully meshed solution involves considerable configuration, | fully meshed solution involves considerable configuration, especially | |||
| especially when a large number of nodes are involved. It is for this | when a large number of nodes are involved. It is for this purpose | |||
| purpose spoke-to-spoke tunnels are dynamically created and torn-down. | spoke-to-spoke tunnels are dynamically created and torn-down. For | |||
| the reasons of cost and manual error reduction, it is desired that | ||||
| For the reasons of cost and manual error reduction, it is desired | there be minimal configuration on each gateway. | |||
| that there be minimal configuration on each gateway. | ||||
| The solution should work in cases where the endpoints are | The solution ought to work in cases where the endpoints are in | |||
| administrated by separate management domains, albeit, ones that have | different administrative domains, albeit, ones that have an existing | |||
| an existing trust relationship (for example two organisations who are | trust relationship (for example two organisations who are | |||
| collaborating on a project, they may wish to join their networks, | collaborating on a project, they may wish to join their networks, | |||
| whilst retaining independent control over configuration). It is | whilst retaining independent control over configuration). It is | |||
| highly desirable that the solution works for the star, full mesh as | highly desirable that the solution works for the star, full mesh as | |||
| well as dynamic full mesh topology. | well as dynamic full mesh topology. | |||
| The solution should also address the case where gateways use dynamic | The solution ought to also address the case where gateways use | |||
| IP addresses. | dynamic IP addresses. | |||
| Additionally, the routing implications of gateway-to-gateway | Additionally, the routing implications of gateway-to-gateway | |||
| communication must be addressed. In the simple case, selectors | communication need to be addressed. In the simple case, selectors | |||
| provide sufficient information for a gateway to forward traffic | provide sufficient information for a gateway to forward traffic | |||
| appropriately. In other cases, additional tunneling (e.g., GRE) and | appropriately. In other cases, additional tunneling (e.g., Generic | |||
| routing (e.g., OSPF) protocols are run over IPsec tunnels, and the | Routing Encapsulation - GRE) and routing (e.g., Open Shortest Path | |||
| configuration impact on those protocols must be considered. There is | First - OSPF) protocols are run over IPsec tunnels, and the | |||
| also the case when L3VPNs operate over IPsec Tunnels. | configuration impact on those protocols needs to be considered. | |||
| There is also the case when Layer-3 Virtual Private Networks (L3VPNs) | ||||
| operate over IPsec Tunnels. | ||||
| When two gateways communicate, they must use a mechanism for | When two gateways communicate, they need to use a mechanism for | |||
| authentication, such that they do not expose themselves to the risk | authentication, such that they do not expose themselves to the risk | |||
| of impersonation by the other entities. | of impersonation by the other entities. | |||
| 2.3. Endpoint-to-Gateway AD VPN Use Case | 2.3. Endpoint-to-Gateway ADVPN Use Case | |||
| An endpoint should be able to use the most efficient gateway as it | An endpoint ought to be able to use the most efficient gateway as it | |||
| roams in the internet. | roams in the internet. | |||
| A mobile user roaming on the Internet may connect to a gateway, which | A mobile user roaming on the Internet may connect to a gateway, which | |||
| because of roaming is no longer the most efficient gateway to use | because of roaming is no longer the most efficient gateway to use | |||
| (reasons could be cost/ efficiency/ latency or some other factor). | (reasons could be cost/ efficiency/ latency or some other factor). | |||
| The mobile user should be able to discover and then connect to the | The mobile user ought to be able to discover and then connect to the | |||
| current most efficient gateway without having to reinitiate the | current most efficient gateway without having to reinitiate the | |||
| connection. | connection. | |||
| 3. Inadequacy of Existing Solutions | 3. Inadequacy of Existing Solutions | |||
| Several solutions exist for the problems described above. However, | Several solutions exist for the problems described above. However, | |||
| none of these solutions is adequate, as described here. | none of these solutions is adequate, as described here. | |||
| 3.1. Exhaustive Configuration | 3.1. Exhaustive Configuration | |||
| One simple solution is to configure all gateways and endpoints in | One simple solution is to configure all gateways and endpoints in | |||
| advance with all the information needed to determine which gateway or | advance with all the information needed to determine which gateway or | |||
| endpoint is optimal and to establish an SA with that gateway or | endpoint is optimal and to establish an SA with that gateway or | |||
| endpoint. However, this solution does not scale in a large network | endpoint. However, this solution does not scale in a large network | |||
| with hundreds of thousands of gateways and endpoints, especially when | with hundreds of thousands of gateways and endpoints, especially when | |||
| multiple organizations are involved and things are rapidly changing | multiple administrative domains are involved and things are rapidly | |||
| (e.g. mobile endpoints). Such a solution is also limited by the | changing (e.g. mobile endpoints). Such a solution is also limited by | |||
| smallest endpoint/ gateway, as the same exhaustive configuration is | the smallest endpoint/ gateway, as the same exhaustive configuration | |||
| to be applied on all endpoints/ gateways. A more dynamic, secure and | is to be applied on all endpoints/ gateways. A more dynamic, secure | |||
| scalable system for establishing SAs between gateways is needed. | and scalable system for establishing SAs between gateways is needed. | |||
| 3.2. Star Topology | 3.2. Star Topology | |||
| The most common way to address a part of this this problem today is | The most common way to address a part of this this problem today is | |||
| to use what has been termed a "star topology". In this case one or a | to use what has been termed a "star topology". In this case one or a | |||
| few gateways are defined as "hub gateways", while the rest of the | few gateways are defined as "hub gateways", while the rest of the | |||
| systems (whether endpoints or gateways) are defined as "spokes". The | systems (whether endpoints or gateways) are defined as "spokes". The | |||
| spokes never connect to other spokes. They only open tunnels with | spokes never connect to other spokes. They only open tunnels with | |||
| the hub gateways. Also for a large number of gateways in one | the hub gateways. Also for a large number of gateways in one | |||
| administrative domain, one gateway may be defined as the hub, and the | administrative domain, one gateway may be defined as the hub, and the | |||
| rest of the gateways and remote access clients connect only to that | rest of the gateways and remote access clients connect only to that | |||
| gateway. | gateway. | |||
| This solution however is complicated by the case when the spokes use | This solution however is complicated by the case when the spokes use | |||
| dynamic IP addresses and DNS with dynamic updates must be used. It | dynamic IP addresses and DNS with dynamic updates needs to be used. | |||
| is also desired that there is minimal to no configuration on the hub | It is also desired that there is minimal to no configuration on the | |||
| as the number of spokes increases and new spokes are added and | hub as the number of spokes increases and new spokes are added and | |||
| deleted randomly. | deleted randomly. | |||
| Another problem with the star topology is that it creates a high load | Another problem with the star topology is that it creates a high load | |||
| on the hub gateways as well as on the connection between the spokes | on the hub gateways as well as on the connection between the spokes | |||
| and the hub. This load is both in processing power and in network | and the hub. This load is both in processing power and in network | |||
| bandwidth. A single packet in the hub-and-spoke scenario can be | bandwidth. A single packet in the hub-and-spoke scenario can be | |||
| encrypted and decrypted multiple times. It would be much preferable | encrypted and decrypted multiple times. It would be much preferable | |||
| if these gateways and clients could initiate tunnels between them, | if these gateways and clients could initiate tunnels between them, | |||
| bypassing the hub gateways. Additionally, the path bandwidth to | bypassing the hub gateways. Additionally, the path bandwidth to | |||
| these hub gateways may be lower than that of the path between the | these hub gateways may be lower than that of the path between the | |||
| skipping to change at page 9, line 30 ¶ | skipping to change at page 9, line 30 ¶ | |||
| Specifically, when evaluating potential proposals, we will compare | Specifically, when evaluating potential proposals, we will compare | |||
| them by looking at how many endpoints or gateways must be | them by looking at how many endpoints or gateways must be | |||
| reconfigured when a new gateway or endpoint is added, removed, or | reconfigured when a new gateway or endpoint is added, removed, or | |||
| changed and how substantial this reconfiguration is, besides the | changed and how substantial this reconfiguration is, besides the | |||
| amount of static configuration required. | amount of static configuration required. | |||
| This requirement is driven by use cases 2.1 and 2.2 and by the | This requirement is driven by use cases 2.1 and 2.2 and by the | |||
| scaling limitations pointed out in section 3.1. | scaling limitations pointed out in section 3.1. | |||
| 2. Gateways and endpoints MUST allow IPsec Tunnels to be setup | 2. ADVPN peers MUST allow IPsec Tunnels to be setup with other | |||
| without any configuration changes, even when peer addresses get | members of the ADVPN without any configuration changes, even when | |||
| updated every time the device comes up. This implies that SPD | peer addresses get updated every time the device comes up. This | |||
| entries or other configuration based on peer IP address will need to | implies that SPD entries or other configuration based on peer IP | |||
| be automatically updated, avoided, or handled in some manner to avoid | address will need to be automatically updated, avoided, or handled in | |||
| a need to manually update policy whenever an address changes. | some manner to avoid a need to manually update policy whenever an | |||
| address changes. | ||||
| This requirement is driven by use cases 2.1 and 2.2 and by the | ||||
| scaling limitations pointed out in section 3.1. | ||||
| 3. In many cases additional tunneling protocols (e.g. GRE) or | 3. In many cases additional tunneling protocols (e.g. GRE) or | |||
| Routing protocols (e.g. OSPF) are run over the IPsec tunnels. | Routing protocols (e.g. OSPF) are run over the IPsec tunnels. | |||
| Gateways MUST allow for the operation of tunneling and Routing | Gateways MUST allow for the operation of tunneling and Routing | |||
| protocols operating over spoke-to-spoke IPsec Tunnels with minimal or | protocols operating over spoke-to-spoke IPsec Tunnels with minimal or | |||
| no, configuration impact. The ADVPN solution SHOULD NOT increase the | no, configuration impact. The ADVPN solution SHOULD NOT increase the | |||
| amount of information required to configure protocols running over | amount of information required to configure protocols running over | |||
| IPsec tunnels. | IPsec tunnels. | |||
| 4. In the full mesh and dynamic full mesh topology, Spokes MUST | 4. In the full mesh and dynamic full mesh topology, Spokes MUST | |||
| allow for direct communication with other spoke gateways and | allow for direct communication with other spoke gateways and | |||
| endpoints. In the star topology mode, direct communication between | endpoints. In the star topology mode, direct communication between | |||
| spokes MUST be disallowed. | spokes MUST be disallowed. | |||
| This requirement is driven by use cases 2.1 and 2.2 and by the | This requirement is driven by use cases 2.1 and 2.2 and by the | |||
| limitations of a star topology pointed out in section 3.2. | limitations of a star topology pointed out in section 3.2. | |||
| 5. One spoke MUST NOT be able to impersonate another spoke. | 5. One ADVPN peer MUST NOT be able to impersonate another ADVPN | |||
| peer. | ||||
| This requirement is driven by use case 2.1. Spokes become | This requirement is driven by use case 2.1. ADVPN peers (especially | |||
| compromised fairly often. The compromise of one Spoke should not | spokes) become compromised fairly often. The compromise of one ADVPN | |||
| affect the security of other endpoints. | peer SHOULD NOT affect the security of other peers. | |||
| 6. Gateways SHOULD allow for seamless handoff of sessions in case | 6. Gateways SHOULD allow for seamless handoff of sessions in case | |||
| endpoints are roaming, even if they cross policy boundaries. This | endpoints are roaming, even if they cross policy boundaries. This | |||
| would mean the data traffic is minimally affected even as the handoff | would mean the data traffic is minimally affected even as the handoff | |||
| happens. External factors like firewall, NAT box will not be | happens. External factors like firewall, NAT boxes will not be | |||
| considered part of this solution. | considered part of this solution. | |||
| This requirement is driven by use case 2.1. Today's endpoints are | This requirement is driven by use case 2.1. Today's endpoints are | |||
| mobile and transition often between different networks (from 4G to | mobile and transition often between different networks (from 4G to | |||
| WiFi and among various WiFi networks). | WiFi and among various WiFi networks). | |||
| 7. Gateways SHOULD allow for easy handoff of a session to another | 7. Gateways SHOULD allow for easy handoff of a session to another | |||
| gateway, to optimize latency, bandwidth, load balancing, | gateway, to optimize latency, bandwidth, load balancing, | |||
| availability, or other factors, based on policy. | availability, or other factors, based on policy. | |||
| This requirement is driven by use case 2.3. | This requirement is driven by use case 2.3. | |||
| 8. Gateways and endpoints MUST have the capability to participate in | 8. Gateways and endpoints MUST have the capability to participate in | |||
| an AD VPN even when they are located behind NAT boxes. However, in | an ADVPN even when they are located behind NAT boxes. However, in | |||
| some cases they may be deployed in such a way that they will not be | some cases they may be deployed in such a way that they will not be | |||
| fully reachable behind a NAT box. It is especially difficult to | fully reachable behind a NAT box. It is especially difficult to | |||
| handle cases where the Hub is behind a NAT box. Where the two | handle cases where the Hub is behind a NAT box. Where the two | |||
| endpoints are both behind separate NATs, communication between these | endpoints are both behind separate NATs, communication between these | |||
| spokes SHOULD be supported using workarounds such as port forwarding | spokes SHOULD be supported using workarounds such as port forwarding | |||
| by the NAT or detecting when two spokes are behind uncooperative NATs | by the NAT or detecting when two spokes are behind uncooperative NATs | |||
| and using a hub in that case. | and using a hub in that case. | |||
| This requirement is driven by use cases 2.1 and 2.2. Endpoints are | This requirement is driven by use cases 2.1 and 2.2. Endpoints are | |||
| often behind NATs and gateways sometimes are. IPsec should continue | often behind NATs and gateways sometimes are. IPsec SHOULD continue | |||
| to work seamlessly regardless, using AD VPN techniques whenever | to work seamlessly regardless, using ADVPN techniques whenever | |||
| possible and providing graceful fallback to hub and spoke techniques | possible and providing graceful fallback to hub and spoke techniques | |||
| as needed. | as needed. | |||
| 9. Changes such as establishing a new IPsec SA SHOULD be reportable | 9. Changes such as establishing a new IPsec SA SHOULD be reportable | |||
| and manageable. However, creating a MIB or other management | and manageable. However, creating a MIB or other management | |||
| technique is not within scope for this effort. | technique is not within scope for this effort. | |||
| This requirement is driven by manageability concerns for all the use | This requirement is driven by manageability concerns for all the use | |||
| cases, especially use case 2.2. As IPsec networks become more | cases, especially use case 2.2. As IPsec networks become more | |||
| dynamic, management tools become more essential. | dynamic, management tools become more essential. | |||
| 10. To support allied and federated environments, endpoints and | 10. To support allied and federated environments, endpoints and | |||
| gateways from different organizations SHOULD be able to connect to | gateways from different organizations SHOULD be able to connect to | |||
| each other. | each other. | |||
| This requirement is driven by demand for all the use cases in | ||||
| federated and allied environments. | ||||
| 11. The administrator of the ADVPN SHOULD allow for the | 11. The administrator of the ADVPN SHOULD allow for the | |||
| configuration of a Star, Full mesh or a partial full mesh topology, | configuration of a Star, Full mesh or a partial full mesh topology, | |||
| based on which tunnels are allowed to be setup. | based on which tunnels are allowed to be setup. | |||
| This requirement is driven by demand for all the use cases in | This requirement is driven by demand for all the use cases in | |||
| federated and allied environments. | federated and allied environments. | |||
| 12. The ADVPN solution SHOULD be able to scale for multicast | 12. The ADVPN solution SHOULD be able to scale for multicast | |||
| traffic. | traffic. | |||
| skipping to change at page 12, line 7 ¶ | skipping to change at page 12, line 7 ¶ | |||
| 14. There is also the case when L3VPNs operate over IPsec Tunnels, | 14. There is also the case when L3VPNs operate over IPsec Tunnels, | |||
| for example Provider Edge (PE) based VPN's. An ADVPN MUST support | for example Provider Edge (PE) based VPN's. An ADVPN MUST support | |||
| L3VPN as an application protected by the IPsec Tunnels. | L3VPN as an application protected by the IPsec Tunnels. | |||
| This requirement is driven by demand for all the use cases in | This requirement is driven by demand for all the use cases in | |||
| federated and allied environments. | federated and allied environments. | |||
| 5. Security Considerations | 5. Security Considerations | |||
| This is a Problem state and requirement document for the ADVPN | This is a Problem statement and requirement document for the ADVPN | |||
| solution, and in itself does not introduce any new security concerns. | solution, and in itself does not introduce any new security concerns. | |||
| The solution to the problems presented in this draft may involve | The solution to the problems presented in this draft may involve | |||
| dynamic updates to databases defined by RFC 4301, such as the | dynamic updates to databases defined by RFC 4301, such as the | |||
| Security Policy Database (SPD) or the Peer Authorization Database | Security Policy Database (SPD) or the Peer Authorization Database | |||
| (PAD). | (PAD). | |||
| RFC 4301 is silent about the way these databases are populated, and | RFC 4301 is silent about the way these databases are populated, and | |||
| it is implied that these databases are static and pre-configured by a | it is implied that these databases are static and pre-configured by a | |||
| human. Allowing dynamic updates to these databases must be thought | human. Allowing dynamic updates to these databases must be thought | |||
| out carefully, because it allows the protocol to alter the security | out carefully, because it allows the protocol to alter the security | |||
| End of changes. 35 change blocks. | ||||
| 85 lines changed or deleted | 91 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||