On Nov 15, 2011, at 12:12 PM, Frederic Detienne wrote:

> 
> On 15 Nov 2011, at 12:05, Yoav Nir wrote:
> 
>> Hi Frederic
>> 
>> Inline...
>> 
>> On Nov 15, 2011, at 11:42 AM, Frederic Detienne wrote:
>> 
>>> Hi Yoav,
>>> 
>>> We will be there (following offline with you for the details).
>>> 
>>> I do not think there is a need to spend 20 minutes on the draft which 
>>> everyone should have read. There are three vague points in it and 10 min 
>>> seem largely sufficient.
>> 
>> 20 minutes includes time spent on hellos, introductions, asking if everyone 
>> has read the draft, jabber scribe, testing the audio, and all other kinds of 
>> administrivia. You've been to IETF sessions before, and you know how that 
>> goes.
> 
> Absolutely. Then we agree on the 20 min.
> 
>>> At this stage several vendors think they have a fair understanding of the 
>>> requirements and a gap analysis is much more productive and constructive. I 
>>> have just asked Chris Ulliott to provide his feedback in case audio fails 
>>> on us. We can factor his reply in the discussions.
>> 
>> To me the biggest gap in existing solutions is that they require kludges 
>> like GRE tunnels and route-based VPN, and also that they don't cover the 
>> provisioning of credentials. GRE tunnels and route-based VPNs I consider a 
>> kludge because you are then required to treat VPN tunnels as interfaces. 
>> Interfaces are much more resource intensive when compared to simple SAs, and 
>> most operating systems are very limited in the number of interfaces that 
>> they support.
> 
> These are all very vague but generally misinformed statements.

I'm sorry if they have offended you or your company. 

My point remains that IPsec does define a mechanism for tunneling packets. 
It's called "tunnel mode IPsec". That Cisco and perhaps other vendors choose to 
use other tunneling mechanisms such as GRE when they need some fancy features 
such as peer discovery or dynamic protected domain discovery tells me that 
something is lacking in IPsec tunnels. That is what I meant by "kludge".

It may be that the problem with IPsec tunnels is not in the tunnels themselves, 
but that there are no configuration protocols associated with them, such as the 
routing protocols or such as NHRP that can be used with GRE tunnels. 

I will take your word that using GRE+NHRP can scale as far as anyone would 
like. However, in evaluating solutions, we should not automatically go with the 
analogy that IPsec VPNs are like overlay networks on top of the Internet, and 
that tunnels are analogous to links. GRE is an overhead that is added to every 
packet. NHRP is yet another protocol that needs to be implemented and carried 
over the IPsec SA. All that should be compared with cost and complexity of 
potential extensions to IKE and IPsec that would carry the same information.

We will have plenty of opportunity to discuss these things at the meeting on 
Wednesday, but just to make things clear, I am not advocating any solution, and 
I have no unsubmitted draft with some extension to IKE. The purpose of the 
meeting is to review the use cases and the solutions that currently exist. If 
anyone intends to pull out a new never-before-published solution that's fine as 
well, but I have no such intentions.

Yoav

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec