Hi Joel, thanks for reviewing the draft.

Regarding the IPSec, this is just a transport to encrypt the LISP flow.
We did not describe the multiple possibilities to perform the encryption,
but maybe we should have.
The main idea is to have a LISP tunnel between PxTR on Enterprise DC and
xTR on Cloud that allows IP mobility without any iTR on enterprise remote
sites, which means no path optimization.
LISP is providing here a great advantage as it allows for subnet extension
on the cloud without the usage of any L2 technique.

Now, there are multiple ways to encrypt this tunnel.
1) As there is no scale requirement, and as the Enterprise may want to
also have plain routing to the Cloud, one option, which is the only one we
have relied on, is to establish an IPSEC tunnel between the Cloud and the
Enterprise DC, enabling a routing protocol over it and letting it allow
RLOCs to connect over IPSEC.
2) We can also, instead of creating an IPSEC tunnel, just encrypt the LISP
tunnel itself, in transport mode.
3) We can use GDOI to provide the LISP tunnel crypto, but in the case of
Cloud, where no scale in terms of number of sites is required, that may be
optional.

As it is a use case draft, we tried to describe one option; if you think we
should dig into other options, then we will do it for the next version.

Patrice

On 2/12/14 6:12 PM, "Joel M. Halpern" <[email protected]> wrote:

>that this describes an existing usage is clearly very important.
>
>It seems that if the scale of the VPN is small enough that manually
>configured IPSec tunnels can be used, then LISP does not provide a lot
>of advantage.  If it is automated tunnels, there seems to be a need to
>coordinate the two systems.  What am I missing?
>
>Thanks,
>Joel
>
>On 2/12/14, 12:04 PM, Fabio Maino wrote:
>> Hi Joel,
>> This describes how LISP is used today in combination with IPsec
>> (typically GDOI is used to simplify key distribution).
>>
>> I think Dino's work is more forward looking, with two main goals: (1)
>> combine encryption with the LISP dataplane, for a more efficient
>> encoding on the wire, (2) take advantage of the LISP mapping system (and
>> possibly of some of the mechanisms in LISP-SEC) for key
>> derivation/distribution
>>
>> Fabio
>>
>>
>> On 2/12/14, 8:54 AM, Joel M. Halpern wrote:
>>> This draft seems to expect that IPSec tunnels will be set up by means
>>> outside of LISP.  That seems to contravene the premise of LISP that it
>>> can operate without needing permanent / pre-established tunnel state.
>>>
>>> Should this be tied to the work Dino described at the last IETF
>>> meeting on using LISP to establish encryption for the LISP tunnel?
>>>
>>> Yours,
>>> Joel
>>>
>>> On 2/12/14, 6:22 AM, Santiago Freitas (safreita) wrote:
>>>> Hi LISP Working Group,
>>>>
>>>> Today we have submitted a draft that covers using LISP for Secure Hybrid
>>>> Cloud Extension.
>>>>
>>>> The draft can be found at
>>>> http://www.ietf.org/id/draft-freitas-bellagamba-lisp-hybrid-cloud-usecase-00.txt
>>>>
>>>>
>>>> We would like to request your comments on it.
>>>>
>>>> Also, we would like to request a small slot on the upcoming IETF 89 meeting
>>>> to present an overview of the use case covered on the draft.
>>>>
>>>> We look forward to your comments and for your feedback if we can have a
>>>> small slot to present an overview of this draft on IETF 89.
>>>>
>>>> Sincerely,
>>>>
>>>> Patrice and Santiago
>>>>
>>
>>
