On Thu, 6 Feb 2014 09:20:08 +0100 Daniel Migault <[email protected]> wrote:
> Thanks for the feed back. > > We are happy you provide requirements over "dynamically routing > subnets" as a MUST. ADVPN responds to the requirements listed in > RFC7018. If there is a requirement that does not match you opinion, > can you please point it out? > > Just to make it clear this 1 day time has never been mentioned in the > draft and is your assumption. The use of TTL does not impose a 1 day > and ADVPN can take advantage of the Redirect Mechanism or MOBIKE for > multihoming. As you can see the ADVPN solution can take advantage of > all previous and future featured designed for IKEv2. As you point out > the key characteristic of our design is its flexibility. It was Praveen's suggestion in the email I replied. My point was that having that sort of default TTL does not sound good. And to me it sounds like having very low TTL (in level of seconds or minutes) is too heavy to be used in practice. So the TTL mechanism does not really sound feasible to me. > RFC5685 is not limited to client-gateway, the second line of the > section 10 you pointed out says: [...] the mechanism can also be used > between any two IKEv2 peers. " So no additional specification are > required. You missed the next sentance: "However, the mechanism can also be used between any two IKEv2 peers. But this protocol is asymmetric, meaning that only the original responder can redirect the original initiator to another server." Spoke A established tunnel to spoke B. A is thus original initiator. But the routing change is on spoke B subnet. B cannot send Redirect according to the above. You'd need to specify additional mechanism for that, or re-specify the original one. I believe this restriction is due to security considerations for client-gateway type connectivity. > You mention load balancing may be an issue. Can you please specify the > issue you see? Could you specify how in practice I could implement one subnet to be load-balanced to spoke nodes? > One last point to clarify. it seems that you are trying to say ADVPN > misses some features provided by routing protocols. In fact ADVPN can > take advanatge of ALL of these features as ANY routing protocol can > run on the top of ADVPN. This was a MUST requirement of RFC5685. If > you see a scenrio that you think does not fit ADVPN, please document > it so we can address your specific issue. I thought the advantage was to _not_ run routing protocol. If running routing protocol is supported, can you please specify how a routing protocol is to be integrated with the IKE traffic exchange? Yes, it is possible, but non-trivial, thus I would like to see some specification mapping how to do that mapping. And like someone else asked, how is MPLS routed? Thanks, Timo _______________________________________________ IPsec mailing list [email protected] https://www.ietf.org/mailman/listinfo/ipsec
