On Nov 15, 2011, at 10:52 PM, Michael Richardson wrote:
Mark == Mark Boltz mark.bo...@stonesoft.com writes:
Mark With all due respect to Cisco, the larger problem we're trying
Mark to address, is in part the fact that DMVPN and ACVPN are
Mark vendor specific implementations. And
A couple of clarifications here. The Juniper implementation of AC-VPN does not do
GRE over IPSec. It is IPSec alone for the implementation (route-based VPN).
Yes, AC-VPN uses NHRP to do resolution just like DM-VPN. But in AC-VPN
there are proprietary messages. It uses standard messages, but has many
On 16 Nov 2011, at 01:57, Praveen Sathyanarayan wrote:
Subject: Re: [IPsec] New -00 draft: Creating Large Scale Mesh VPNs Problem
There was offline discussion about P2P offered by Juniper Networks (we
believe Cisco has a similar approach, called DMVPN) SSG product line. I am
forwarding this email to the group.
In a nutshell:
Site to site
On Wed, 9 Nov 2011, Michael Ko wrote:
If the end system is behind a NAT, then there is no way for another end system
to address a packet to this end
system.
Not necessarily true. If you look at traditional hosts, you are correct. But
if you look at more human-driven systems, then it is
For more information, please see
my draft at http://tools.ietf.org/html/draft-ko-dsi-problem-statement-00
Mike
- Original Message -
From: Paul Wouters
To: Michael Ko
Cc: Yoav Nir ; ipsec@ietf.org
Sent: Sunday, November 13, 2011 2:54 AM
Subject: Re: [IPsec] New -00 draft: Creating Large
: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf Of
Michael Richardson
Sent: Tuesday, November 08, 2011 3:29 PM
To: Frederic Detienne
Cc: ipsec@ietf.org
Subject: Re: [IPsec] New -00 draft: Creating Large Scale Mesh VPNs Problem
RFC2332: NBMA Next Hop Resolution Protocol (NHRP
: Re: [IPsec] New -00 draft: Creating Large Scale Mesh VPNs Problem
NHRP is a generic protocol that converts overlay addresses in any address
family into transport addresses in any address family. The protocol works over
NBMA meaning that it can work over virtually anything (i.e. no exuberant
-Original Message-
From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf
Of Praveen Sathyanarayan
Sent: Monday, November 07, 2011 5:10 PM
To: bill manning; Geoffrey Huang
Cc: ipsec@ietf.org
Subject: Re: [IPsec] New -00 draft: Creating Large Scale Mesh VPNs
Problem
@ietf.org; bill manning; Praveen Sathyanarayan
Subject: Re: [IPsec] New -00 draft: Creating Large Scale Mesh VPNs Problem
There isn't now, but adding stuff to the DNS is all the rage now that DNSSEC,
ummm, exists. Just take a look at DANE.
On 11/8/11 5:18 PM, Geoffrey Huang ghu...@juniper.net
with all spokes run by org B)
Chris
To: 'Michael Ko' ; ipsec@ietf.org
Sent: Tuesday, November 08, 2011 4:14 PM
Subject: RE: [IPsec] New -00 draft: Creating Large Scale Mesh VPNs Problem
Statement
In that case, would RFC 4322 solve your problem? It is based on DNS
Geoffrey == Geoffrey Huang ghu...@juniper.net writes:
Geoffrey Is there a mechanism in DNS to communicate this kind of
Geoffrey policy? As I understand the example below, the
Geoffrey communication from hub-gw to spoke32 would be something
Geoffrey like: to get to
On 11/08/2011 11:02 AM, Michael Richardson wrote:
RFC2332: NBMA Next Hop Resolution Protocol (NHRP)
I think that it is a much better thing to use something like this, than
invent something new.
--
] He who is tired of Weird Al is tired of life! | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON
On 11/08/2011 04:18 PM, Galina Pildush wrote:
NHRP is a protocol that is used to discover the shortest path
through an NBMA cloud. It does not, however, speak IPSec ...
I don't believe that Michael was suggesting that there's a
complete solution here, just that there's prior work on
routing,
I don't think that DNSSEC (writ large) is inapplicable - but that's a
deployment quibble.
I like the idea of ad-hoc, peer-based secure channels - but that sort
of requires a trusted introducer. Unfortunately for me, I have to
leave on Tuesday. Please keep me posted
on the nature and future of
Legend of the diagram that followed (ASCII art not preserved): site to site tunnel = "-", P2P cut thru tunnel = "*"
Message -
From: Praveen Sathyanarayan
To: bill manning ; Geoffrey Huang
Cc: ipsec@ietf.org
Sent: Tuesday, November 08, 2011 1:09 AM
Subject: Re: [IPsec] New -00 draft: Creating Large Scale Mesh VPNs Problem
Praveen == Praveen Sathyanarayan pravee...@juniper.net writes:
Praveen In this solution, HUB is the trust entity that all spoke
Praveen establish static IPSec tunnel (either using Site to site
Praveen tunnel or spoke establish dynamic remote access tunnel with
Praveen hub). When
On 11/7/11 9:44 PM, Michael Richardson m...@sandelman.ca wrote:
Yoav == Yoav Nir y...@checkpoint.com writes:
Yoav I don't see how DNS figures into this. We have three
Yoav gateways: - hub-gw, which knows the protected domains of
Yoav everyone - spoke32, which protects 192.168.32.0/24, knows
Yoav about hub-gw, and sends all 192.168.0.0/16 to
On 11/7/11 10:19 PM, Michael Richardson m...@sandelman.ca wrote:
From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf Of Yoav Nir
Sent: October 14, 2011 13:24
To: ipsec@ietf.org
Subject: [IPsec] New -00 draft: Creating Large Scale Mesh VPNs Problem
Statement
On 11/07/2011 12:46 PM, Michael Richardson wrote:
So, okay, so you want to do new work to replace work that's already been
well defined, that uses DNS as the transport.
Could always use SIP, and relegate DNS to discovery:
http://www.cs.cornell.edu/people/francis/sigcomm07-nutss-final.pdf
[I
To: Michael Ko ; ipsec@ietf.org
Sent: Tuesday, November 08, 2011 6:05 AM
Subject: Re: [IPsec] New -00 draft: Creating Large Scale Mesh VPNs Problem
Statement
Hi Michael
I have only skimmed your draft, and it does seem to have overlap with ours.
However, I think your draft is more about generic hosts
Subject: [IPsec] New -00 draft: Creating Large Scale Mesh VPNs Problem
Statement
Hi all
For years, one of the barriers to the adoption of IPsec was that
configuration didn't scale. With thousands of peers, the PAD and SPD would
become unwieldy, so even where IPsec was deployed it was often built in
hub
Hello,
On Tue, November 1, 2011 1:56 pm, Paul Wouters wrote:
On Tue, 1 Nov 2011, Yoav Nir wrote:
Raw RSA keys work. If there is an introducer that tells both sides about
each other, a shared secret also works. Shared secrets are very secure
if you generate them randomly.
PSKs have
I agree with Paul H. that the term encryption domain is not really fully
correct for this problem set and its scenarios. I also apologize for lurking
for quite some time before chiming in. I'd also rather avoid marketing-related
jargon of any given vendor.
Before I make further comment, let me
On Oct 31, 2011, at 8:09 PM, Michael Richardson wrote:
If the entities are in fact a group who has an internal trust anchor:
They have an entity they trust to make introductions. That's different.
a) if they want to use DNSSEC, it only matters they have DNSSEC
deployed for the part of
On Tue, 1 Nov 2011, Yoav Nir wrote:
On 11/1/11 4:53 PM, Mark Boltz mark.bo...@stonesoft.com wrote:
On 11/1/11 7:51 PM, Keith Welter welt...@us.ibm.com wrote:
Having been working for the same vendor for 10 years, I've gotten used to
our marketing jargon. Anyway, I'd like to have some short term for the
set of addresses that are behind a certain gateway, or the set of
addresses that you can
Paul == Paul Hoffman paul.hoff...@vpnc.org writes:
Paul On Oct 31, 2011, at 8:09 PM, Michael Richardson wrote:
If the entities are in fact a group who has an internal trust
anchor:
Paul They have an entity they trust to make introductions. That's
Paul different.
Please
On 10/31/11 3:30 PM, Michael Richardson m...@sandelman.ca wrote:
Jorge == Jorge Coronel jcoro...@live.com writes:
Jorge +1
Jorge I agree DNSSEC cannot be assumed, its deployments have been
Jorge marginal.
DNSSEC is *one* *public* trusted third party. It's not the only way to
Yoav == Yoav Nir y...@checkpoint.com writes:
Jorge I agree DNSSEC cannot be assumed, its deployments have been
Jorge marginal.
DNSSEC is *one* *public* trusted third party. It's not the only
way to use DNS securely, it's just the easiest one to arrange
between total
Sent: Fri Oct 28 23:09:27 2011
Subject: Re: [IPsec] New -00 draft: Creating Large Scale Mesh VPNs Problem
I agree. Wednesday night would be best.
Who else is interested in getting together to discuss this? Clearly, there are
plenty of interesting issues to discuss.
Steve
From: ipsec-boun
: Wednesday, October 26, 2011 6:04 PM
To: 'Galina Pildush'; Paul Hoffman; IPsecme WG
Subject: Re: [IPsec] New -00 draft: Creating Large Scale Mesh VPNs Problem
Statement
This goes back to my previous question.
What is this information that is known to hub and all spokes ?
If the spoke knows what
-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] *On
Behalf Of *Yoav Nir
*Sent:* Friday, October 28, 2011 10:00 AM
*To:* Geoffrey Huang; Stephen Hanna
*Cc:* ipsec@ietf.org
*Subject:* Re: [IPsec] New -00 draft: Creating Large Scale Mesh VPNs
Problem
Well, there is a free room between 1300-1500
-Original Message-
From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf
Of Yoav Nir
Sent: Tuesday, October 25, 2011 4:40 AM
To: 'Michael Richardson'; ipsec@ietf.org
Cc: Ulliott, Chris
Subject: Re: [IPsec] New -00 draft: Creating Large Scale Mesh VPNs
Problem Statement
Chris
On Oct 26, 2011, at 7:00 AM, Stephen Hanna wrote:
I'm concerned about using DNS as the introducer here. Doing this
securely requires DNS records to be updated, signed, and distributed
whenever a new satellite gateway or host arrives or departs.
That's cumbersome, expensive, and complex since
painlessly and seamlessly.
Galina Pildush
-Original Message-
From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf Of Paul
Hoffman
Sent: Wednesday, October 26, 2011 10:41 AM
To: IPsecme WG
Subject: Re: [IPsec] New -00 draft: Creating Large Scale Mesh VPNs Problem
Statement
On Oct 26, 2011, at 12:39 PM, Yaron Sheffer wrote:
There is a common use case where we don't worry about malicious spokes, i.e.
where they are all trusted.
Exactly right. The fact that the hub trusts a spoke is all that a different
spoke needs to know for many (most?) common cases.
Having
I have to agree with the recent comments about the inapplicability of RFC 4322.
I don't think that a DNSSEC infrastructure can be assumed, particularly not in
the deployments I have seen.
I agree with Steve Hanna's comments about the need for ad-hoc peer-to-peer
VPNs, bypassing a centralized
[mailto:ipsec-boun...@ietf.org] On Behalf Of
Michael Richardson
Sent: 24 October 2011 16:01
To: ipsec@ietf.org
Cc: Ulliott, Chris
Subject: Re: [IPsec] New -00 draft: Creating Large Scale Mesh VPNs Problem
Statement
I was not intending to be, (I have no ticket as yet), but plans might change
To: Ulliott, Chris; Michael Richardson; ipsec@ietf.org
Subject: Re: [IPsec] New -00 draft: Creating Large Scale Mesh VPNs Problem
Statement
Hi Chris
As I've asked you off-list, I'm still trying to understand the initial
condition.
It's one thing if Za believes that host 2 is behind *some* gateway
decisions based on the results
combined with a policy.
I hope that helps!
Chris
-Original Message-
From: Yoav Nir [mailto:y...@checkpoint.com]
Sent: Sunday, October 23, 2011 10:37 PM
To: Ulliott, Chris; Michael Richardson; ipsec@ietf.org
Subject: Re: [IPsec] New -00 draft: Creating Large Scale
Hi Chris
As I've asked you off-list, I'm still trying to understand the initial
condition.
It's one thing if Za believes that host 2 is behind *some* gateway, and
it's only a matter of finding out which gateway that is.
It's a different thing if host 2 might also be not behind any gateway at
From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf Of Yoav
Nir
Sent: Sunday, October 16, 2011 8:03 PM
To: Michael Richardson; ipsec@ietf.org
Subject: Re: [IPsec] New -00 draft: Creating Large Scale Mesh VPNs Problem
Statement
I definitely think that the authors of this draft (I'm
A little. Also like GET-VPN and AC-VPN and Provider-1 (apologies to all
the vendors I've missed)
Those are some of the incompatible solutions by individual vendors.
Yoav
On 10/14/11 8:18 AM, Dan Harkins dhark...@lounge.org wrote:
Sounds like TED:
Yoav == Yoav Nir y...@checkpoint.com writes:
Yoav A little. Also like GET-VPN and AC-VPN and Provider-1
Yoav (apologies to all the vendors I've missed)
Yoav Those are some of the incompatible solutions by individual
Yoav vendors.
And RFC4322.
FreeSWAN has a number of local
Hi all
For years, one of the barriers to the adoption of IPsec was that
configuration didn't scale. With thousands of peers, the PAD and SPD would
become unwieldy, so even where IPsec was deployed it was often built in
hub-and-spoke configurations, not because policy demanded this, but
because it