[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Comments/questions about the assumptions [Was: Re: Revised proposed BOF charter, problem statement, and agenda]

To: "Narayanan, Vidya" <vidyan@xxxxxxxxxxxx>
Subject: Re: Comments/questions about the assumptions [Was: Re: Revised proposed BOF charter, problem statement, and agenda]
From: "Jean-Michel Combes" <jeanmichel.combes@xxxxxxxxx>
Date: Wed, 7 Mar 2007 14:17:19 +0100
Cc: "Paul Hoffman" <paul.hoffman@xxxxxxxx>, ietf-ipsec-failover@xxxxxxxx
Dkim-signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=qvgYR+KAOP9of5zSE1E8wcq35UCmcke9oZ8brZe5NFTUgPFzNodSzJFe+kiysQC60Q9862exg5r1w1LoFIq9Eclu7/qVo7HZ75BX6CASRpCjPhwXYbxQTI8yKiJ+q2pJBhWVseBaV/Dc9UnS7oUJyWbgIXnv2i51vrbVjD24gG8=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=hyS/AdLRNOzUG9W+YIHRZwT0dBVgDQrngm9WaPYeZNu9Czu1Ytppxa8zRTfycGEa8HYg+Q9eKSVHGOoU8VvL576Hs0/TaucZ1R2uWD/vtgeqTE7Xe2hG7H4WOtif3vERxZGdbtRzS3ufcS2mmhXilVi3kb+bHfy6GKkyGNDR2LQ=
In-reply-to: <C24CB51D5AA800449982D9BCB90325134F228D@xxxxxxxxxxxxxxxxxxxxxx>
List-archive: <http://www.vpnc.org/ietf-ipsec-failover/mail-archive/>
List-id: <ietf-ipsec-failover.vpnc.org>
List-unsubscribe: <mailto:ietf-ipsec-failover-request@vpnc.org?body=unsubscribe>
References: <729b68be0703020612i7ee2e43fh5f99cf85615daec4@xxxxxxxxxxxxxx> <p06240804c20e27b2ca4d@xxxxxxxxxxxx> <729b68be0703050211q4f70ec11xa368a05979cf198b@xxxxxxxxxxxxxx> <C24CB51D5AA800449982D9BCB90325134F2240@xxxxxxxxxxxxxxxxxxxxxx> <20070306202810.GK28150@xxxxxxxxxxxx> <p06240876c21391fcacd0@xxxxxxxxxxxx> <C24CB51D5AA800449982D9BCB90325134F228D@xxxxxxxxxxxxxxxxxxxxxx>
Sender: owner-ietf-ipsec-failover@xxxxxxxxxxxxx


2007/3/7, Narayanan, Vidya <vidyan@xxxxxxxxxxxx>:


In addition to what Paul has said, there is one more point. In the case
of solutions that are transparent to the client,  there may be one
gateway that is actively serving as a "primary" gateway and one or more
gateways acting as "backup" gateways; one of the backup gateways takes
over for the primary (i.e., assumes the IP address of the primary and
acquires all the clients that were being served by the primary) when the
primary gateway fails. This essentially leads to the situation where all
these gateways are capable of serving the same set of subnets (i.e.,
have associations with the same DHCP servers) and hence, more or less
restricts the geographic distribution of these gateways.


I don't agree with this conclusion: if I take again my example of
solution based on MIPv6, the "real" IP addresses of the SGs are the
CoA and the SGs may be distributed in a large scale.


The other problem space is one where the gateways are all active and
distributed and serving clients of their own - upon failure of one
gateway, the clients being served by that gateway may connect to a
different gateway within the same secure domain


By the way, I think it would be useful to have a clear definition of a
secure domain. IIRC, there is no definition of it in the PS draft.

. In this case, it is not
feasible for these gateways to have the same IP address or serve the
same set of subnets and hence, transparency to the client is not
feasible.


Again, I don't agree on your conclusion.
And again based on my example of solution based on MIPv6, all the SGs
has a same and common IP address, the HoA.
Now, maybe, there are others solutions that I don't know allowing the
same features :)

Best regards.

JMC.

This scenario allows for having functional gateways that may
be serving various sites also be "backup" gateways for other gateways in
the domain. In situations like massive network failures that take down
an entire site or various Mobile IP home agents (that use IPsec) that
the clients may attach to within the secure domain, there is a need for
a quick failover that doesn't involve re-establishment of the entire SA,
including client authentication and DH exchange, etc.

Hope that helps.

Regards,
Vidya

> -----Original Message-----
> From: owner-ietf-ipsec-failover@xxxxxxxxxxxxx
> [mailto:owner-ietf-ipsec-failover@xxxxxxxxxxxxx] On Behalf Of
> Paul Hoffman
> Sent: Tuesday, March 06, 2007 1:53 PM
> To: ietf-ipsec-failover@xxxxxxxx
> Subject: Re: Comments/questions about the assumptions [Was:
> Re: Revised proposed BOF charter, problem statement, and agenda]
>
>
> At 3:28 PM -0500 3/6/07, Wesley Eddy wrote:
> >I know of environments that need client-transparent solutions.  Are
> >there really cases where a client-based solution is favorable to a
> >client-transparent solution?
>
>  From our pre-list discussions, it seems that the answer is
> "yes" *if* the only thing the client needs to do is update
> its address but not re-authenticate. A fully-transparent
> solution requires that all gateways communicate about which
> addresses are already handed out (and possibly to whom they
> were handed), which puts a significant burden on the
> intra-gateway communication system.
>
> >  It sure seems like most admins would like to have their servers
> >figure out how to do any failover, load-balancing, etc. and hide all
> >that from the clients, but maybe the perspective from my niche is
> >skewed.
>
> Of course that would be nice, but it also has to be
> completely reliable. The last thing you want is for the
> client to connect to the failed-to gateway and have the
> gateway say "go away, someone else is using the address you
> think is yours". It is much better for the gateway to be able
> to, in a DHCP-like fashion, say "hi there, here's your new
> address" or, even better, "hi there, your current address looks fine".
>
> --Paul Hoffman, Director
> --VPN Consortium
>
>

Follow-Ups:
- RE: Comments/questions about the assumptions [Was: Re: Revised proposed BOF charter, problem statement, and agenda]
  - From: Tao Wan

References:
- Comments/questions about the assumptions [Was: Re: Revised proposed BOF charter, problem statement, and agenda]
  - From: Jean-Michel Combes
- Re: Comments/questions about the assumptions [Was: Re: Revised proposed BOF charter, problem statement, and agenda]
  - From: Jean-Michel Combes
- RE: Comments/questions about the assumptions [Was: Re: Revised proposed BOF charter, problem statement, and agenda]
  - From: Narayanan, Vidya
- Re: Comments/questions about the assumptions [Was: Re: Revised proposed BOF charter, problem statement, and agenda]
  - From: Wesley Eddy
- RE: Comments/questions about the assumptions [Was: Re: Revised proposed BOF charter, problem statement, and agenda]
  - From: Narayanan, Vidya

Prev by Date: Re: Comments/questions about the assumptions [Was: Re: Revised proposed BOF charter, problem statement, and agenda]
Next by Date: RE: Comments/questions about the assumptions [Was: Re: Revised proposed BOF charter, problem statement, and agenda]
Previous by thread: RE: Comments/questions about the assumptions [Was: Re: Revised proposed BOF charter, problem statement, and agenda]
Next by thread: RE: Comments/questions about the assumptions [Was: Re: Revised proposed BOF charter, problem statement, and agenda]
Index(es):
- Date
- Thread