Architecture for the Use of PE-PE IPsec Tunnels in BGP/MPLS IP VPNs
draft-ietf-l3vpn-ipsec-2547-05
Revision differences
Document history
Date | Rev. | By | Action |
---|---|---|---|
2015-10-14
|
05 | (System) | Notify list changed from tme@multicasttech.com, danny@arbor.net, rcallon@juniper.net to danny@arbor.net, tme@multicasttech.com |
2008-09-13
|
05 | (System) | Document has expired |
2008-09-12
|
05 | Ross Callon | State Changes to Dead from IESG Evaluation::Revised ID Needed by Ross Callon |
2008-07-28
|
05 | Ross Callon | State Change Notice email list have been change to tme@multicasttech.com, danny@arbor.net, rcallon@juniper.net from <tme@multicasttech.com>, <danny@arbor.net>, <rcallon@juniper.net> |
2008-07-28
|
05 | Ross Callon | State Change Notice email list have been change to <tme@multicasttech.com>, <danny@arbor.net>, <rcallon@juniper.net> from <rick@rhwilder.net>, <rcallon@juniper.net>, … State Change Notice email list have been change to <tme@multicasttech.com>, <danny@arbor.net>, <rcallon@juniper.net> from <rick@rhwilder.net>, <rcallon@juniper.net>, <ronald.p.bonica@mci.com> |
2008-07-25
|
05 | Mark Townsley | Responsible AD has been changed to Ross Callon from Mark Townsley |
2008-07-25
|
05 | Mark Townsley | Note field has been cleared by Mark Townsley |
2007-02-01
|
05 | Mark Townsley | More detail on Russ' Discuss, with emphasis on what is actionable by the authors -------- Original Message -------- Subject: Re: draft-ietf-l3vpn-ipsec-2547-05.txt Date: Tue, 16 Jan … More detail on Russ' Discuss, with emphasis on what is actionable by the authors -------- Original Message -------- Subject: Re: draft-ietf-l3vpn-ipsec-2547-05.txt Date: Tue, 16 Jan 2007 13:17:58 -0500 From: Russ Housley To: Mark Townsley References: <45AD07ED.1070901@cisco.com> = = = = = = = = = > Russ Housley: > Discuss: > [2006-01-19] > Please excuse the length of this DISCUSS position. It summarizes > concerns from reviewers in the Security Directorate and myself. > I have tried to eliminate overlap from the various reviewers. > > The term "privacy" should be replaced with "confidentiality" in the > whole document. See definitions in RFC 2828. This is clearly actionable. I'm willing to move it to a comment, but that cannot be the reason for inactivity. > The title of the document and the Introduction do not seem to agree > on the purpose of the document. The Title says: > > > > Architecture for the Use of PE-PE IPsec Tunnels ... > > > And, the Introduction says: > > > > This document specifies procedures for replacing the backbone > > route label with an IPsec encapsulation > > > I think that the Introduction is more accurate. This seems actionable. Do I need to propose an alternate title? > The introductory text says that IPsec is used to 'encapsulate" MPLS > traffic. It says the "payload" will be an MPLS packet with the label > stack consisting of a single MPLS entry, a route label. This raises > several concerns: > > * I assume ESP encapsulation is intended, but ESP is mentioned > anywhere. If I am correct, then say that IPsec ESP will encapsulate the MPLS traffic, and make RFC 4303 a normative reference. > * Section 2 explains the encapsulation, and that does not match > the description in introductory text. A diagram in Section 2 > would help. I think the action is clear here. I'm willing to be talked out of a diagram, but the stacks that are supported based on the text in section 2 seem to be: - IP/ESP/IP/MPLS (with VPN route label) - IP/ESP/GRE/MPLS (with VPN route label) I would expect that the Introduction to match this level of description, but there is no mention of the MPLS-in-IP or MPLS-in-GRE encapsulation. > * There is no mention of the SPD. Without a discussion of the SPD, > the granularity of access control unclear. Section 2.2 talks > about selecting a security policy, but again there is no mention > of the SPD. What SPD entries that are appropriate for this > application? How are source and destination address used? How > is the next protocol value used? How are the port fields used? This seems very clear to me. I cannot think of anything to add. > * Section 1.2 talks about anti-spoofing protection; however, the > actual protection depends on the way that the previous points are > resolved. Without the discussion, it is not clear that the document is providing a solution that provides anti-spoofing. I included this point so that the authors can think about it when figuring out how to handle the SPD. > Section 2.2 says: > > > > [RFC2547bis] already provides an egress-to-ingress signaling > > capability via BGP, and we specify below how to extend this to > > the signaling of security policy. > > > I assume this is a reference to Section 2.3, which says: > > > > Distribution of labeled VPN-IP routes by BGP is done exactly as > > specified in [RFC2547bis], except that some additional BGP > > attributes are needed for each distributed VPN-IP route. > > > > A given egress PE will be configurable to indicate whether it expects > > to receive all, some, or none of its VPN traffic through an IPsec- > > secured IP or GRE tunnel. In general, an ingress PE will not have to > > know in advance whether any of the egress PEs for its VPNs require > > their VPN traffic to be sent through an IPsec-secured IP tunnel; this > > will be signaled from the egress PE. If an egress PE wants to receive > > traffic for a particular VPN-IP route through an IPsec-secured IP > > tunnel, it adds a new BGP Extended Community attribute to the route. > > This attribute will then get distributed along with the route to the > > ingress PEs. > > > If I understand this correctly, unsecured BGP configures IPsec SPD > entries. Authentication and integrity of this configuration information > is vital to security. Maybe I did not understand the intention here, > but later comments in section 2.4 suggest otherwise. For example, > section 2.4 notes that "no a priori configuration of remote tunnel > endpoints is needed." If my understanding is correct, please tell how > the distribution of security policy will be protected. Maybe I am wrong. Maybe the intent is to set up SAD entries. If so, tell me, and we will figure out the way forward. > Section 2.3 says: > > > > It is conceivable that an egress PE will want some of its IPsec- > > secured IP-tunneled VPN traffic to be encrypted, but will want some > > to be authenticated and not encrypted. > > > And then, Section 2.6 says: > > > > It is conceivable that there might need to be two (or more) SAs > > between a pair of PEs, e.g., one in which data encryption is used > > and one in which authentication but not encryption is used. > > > Multiple SAs are needed to support this vision, but providing > different security services to different packets in a single SA is > not supported by IPsec. Since the purpose for this draft is to > protect PE-PE MPLS-in-IP traffic from being spoofed, why skip the > authentication? Two points here. First, there seems to be a disconnect with RFC 4301 and this document. In RFC 4301, an SA offers a set of services for the traffic, but the same services need to be applied to all of the packets associated with that SA. Second, I cannot understand why one would ever want encryption without authentication. I can understand why one might want authentication without encryption. So, I would like to see Section 2.3 say: "It is conceivable that an egress PE will want some of its IPsec-secured IP-tunneled VPN traffic to be authenticated and encrypted, but will want some to be authenticated and not encrypted." If this is done by selecting the appropriate SA, then there seems to be a way forward that is compatible with RFC 4301. > Section 2.6 suggests that one SA can be used to carry traffic for > multiple VPNs between two routers (a PE-PE pair). This seems > reasonable given the security model proposed; however, this section > also says that the packet delivered for IPsec processing need not be > in the MPLS-in-IP or MPLS-in-GRE format; it might be a raw MPLS packet > Handling raw MPLS assumes an IPsec module design very different than > ones seen today in hosts, security gateways, or even bump-in-the-wire > implementations. The text also says that the module would "apply the > appropriate IPsec procedures," which seem to include generation of > an IP header for the transport mode SA. This sort of processing is > not part of IPsec. It needs to be specified in this document. > (Only a tunnel mode SA can generate an IP header to encapsulate > outbound traffic, but transport mode is used here.) I cannot think of anything to add to this comment. > Section 2.7 describes inbound processing and tries to address the > problem of detecting and rejecting traffic that arrives with an MPLS > label associated with an IPsec-protected VPN, but which has not be > delivered via an appropriate SA. This discussion points out that the > intent is to use MPLS labels as a basis for access control, even > though it does not explicitly say so. The problem is that IPsec is > not prepared to enforce this particular access control model, since > MPLS labels are not selectors. It would be good to see a diagram > showing where the IPsec boundary fits in this proposed use of IPsec, > since the easy interpretation of the access control goal here does > not match IPsec capabilities. This will also help make it clear > how to configure the SPD for this application. The use of virtual > interfaces is mentioned briefly, and that might be a way to address > the access control issues. I am asking for an explanation of the access control decisions that are made by IPsec implementations and the access control decisions that are made by other elements of the architecture. I am also asking about the information needed to make these access control decisions. RFC 4301 provides this for IPsec, and it does not include MPLS labels as selectors. So, this must be in the other part. > The Security Considerations are insufficient. Some points that need > to be included are: > > * Describe any of the concerns arising from security policy > distribution via BGP. RFC 3723 requires that iSNS be secured > when it is used for security policy distribution. If BGP is > used to distribution security policy I would expect similar > considerations to apply. I cannot think of anything to add to this comment. > * Discuss the IPsec Extended Community. Is this community > transitive? The Extended Community attribute is itself > transitive, but each community must be identified as to > whether it is transitive across ASes or not. There are > concerns about the integrity of this way of signaling > security policy: > > -- In the case where all PEs are in one AS, then the VPN-IPv4 > routes can be distributed through IBGP connections (single > hop) or through route reflectors. > > -- RFC 2796 does not mention any restrictions on the types of > modifications a route reflector might do to reflected routes. > General rules of BGP operation would then presume to apply. > > -- draft-ietf-idr-bgp-ext-communities-09.txt says that "A BGP > speaker receiving a route with the Extended Communities > attribute MAY modify this attribute according to the local > policy." So, integrity/authentication protection would be > difficult to provide for this field, in its hop through route > reflectors. > > -- If the ingress and egress routers are in different ASes, then > the draft says there must be an EBGP connection between a pair > of routers in the two ASes (presumably not necessarily the > ingress/router pair). This should be a single hop, so there > should not be a problem with the integrity of the community, > given that it is transitive and understood by both endpoints > (assuming integrity/authentication for the BGP session). But, > the Multi-AS Backbones section talks of using EBGP connections > between ASBR's with the ASBR forwarding IBGP learned routes, > so the ASBR would have the opportunity to affect the IPsec > Extended Community attribute. The Multi-AS Backbones also > speaks of ASes that serve as transit between the source AS > and the destination AS, giving even more routers the chance > to modify the IPsec Extended Community attribute. I cannot think of anything to add to this comment. I'm willing to talk further about any one of these bullets, but they all relate to this specification being used in a bigger system. > * Discuss the consequences of a misconfigured PE router. The > document already says: "The SP must be careful not to incorrectly > create a VPN containing sites that are not supposed to > communicate with each other." This is too easily dismissed in > the body of the document, where it says: "likely as not the PE > has been misconfigured to apply that VPN's authenticator to > packets to/from that site." This presumes that the PE is > legitimately associated with the incorrect VPN, otherwise it > should not know the authenticator. What bad things happen if the configuration is messed up? > Comment: > [2006-01-19] > If this document were on the standards-track, additional concerns > would be raised. Since this document is intended for experimental, > these comments are provided for the authors consideration. Heads up. If this were on standards track, then the DISCUSS comments would have been even longer. I'm not sure there is anything to add. > Section 2.3 refers to "IPsec tunnels" even though earlier text says > that transport mode is to be used. Presumably the Section 2.3 > ought to refer to a GRE or IP tunnel, not an IPsec tunnel. > > How does diff-serv fit? If there is QoS or TE promised for any VPN, > the proposal for encapsulation in one IPsec tunnel needs to consider > how diff-serv signaling is handled. RFC 4023 makes note of the > similarity of MPLS-in-IP and MPLS-in-GRE tunnels to IP-in-IP tunnels > described in RFC 2893, stating that the same considerations apply. > RFC 2893 says that, depending on the choice of pipe model or uniform > model, the DSCP at the egress of the tunnel might be the inner header > DSCP or the outer header DSCP. RFC 3270 says that the MPLS shim EXP > field may encode PHB behavior, which can be mapped to DSCP behavior > at the egress. So, has any consideration been given to the handling > if a packet with a DSCP is assigned to an MPLS LSP, which is then > encapsulated in IP and then assigned to an IPsec SA? Perhaps the > view is that the other RFCs that cover these considerations of > diff-serv. I'm not sure. > > How is improper VPN joining prevented? There is an opportunity for > a misconfigured router to join a VPN that it should not have joined > by attaching an export RT it should not be using to a route > announcement. The reliance on careful configuration of the SP it > seems to me makes the system fragile to errors. If a VPN crosses SP > boundaries, then a misconfiguration in one SP might result in effects > in the other SP. There is an opportunity to avoid this situation by > attaching authorization to an IPsec SA. If a single SA is established > between two PEs, intended to carry traffic for all VPNs common between > the two, then the credentials communicated in the SA establishment > might negotiate all the VPNs that the SA is intended to carry. An > unauthorized VPN in subsequent traffic could cause the traffic to be > dropped. This might be a security policy setting for the SA. > Unfortunately, this would also mean that the SA's list of allowed > VPNs would have to be updated as PEs joined new VPNs. There is > already discussion of using route refresh to communicate a newly > available RT (as a result of 'a "VPN Join" operation'), so dynamics > like this are possible. If multiple SAs are established between two > PEs, one for each VPN, then the credentials could be affiliated with > authorization to join a particular VPN, and allow the establishment > of the SA. This means that joining or leaving a VPN would not > require changes in the settings of other SAs. |
2007-02-01
|
05 | Mark Townsley | [Note]: 'Waiting on new ID, or possibly an IESG note.' added by Mark Townsley |
2007-01-29
|
05 | Mark Townsley | State Changes to IESG Evaluation::Revised ID Needed from IESG Evaluation::External Party by Mark Townsley |
2007-01-29
|
05 | Mark Townsley | [Note]: 'Reponse from Russ received, emailed chairs. Waiting on new ID.' added by Mark Townsley |
2006-10-30
|
05 | Mark Townsley | [Note]: 'Email to Russ asking for more actionable discuss.' added by Mark Townsley |
2006-07-13
|
05 | Ross Callon | [Ballot Position Update] New position, No Objection, has been recorded for Ross Callon by Ross Callon |
2006-05-31
|
05 | Magnus Westerlund | [Ballot Position Update] New position, No Objection, has been recorded for Magnus Westerlund by Magnus Westerlund |
2006-05-31
|
05 | Dan Romascanu | [Ballot Position Update] New position, No Objection, has been recorded for Dan Romascanu by Dan Romascanu |
2006-02-20
|
05 | Mark Townsley | State Changes to IESG Evaluation::External Party from IESG Evaluation::AD Followup by Mark Townsley |
2006-02-20
|
05 | Mark Townsley | [Note]: 'Email to chairs and authors to work on clearing Russ and Sam''s concern.' added by Mark Townsley |
2006-01-20
|
05 | (System) | Removed from agenda for telechat - 2006-01-19 |
2006-01-19
|
05 | Amy Vezza | State Changes to IESG Evaluation::AD Followup from IESG Evaluation by Amy Vezza |
2006-01-19
|
05 | Sam Hartman | [Ballot comment] I agree with Russ's discuss. One way to address the concerns about SPD configuration and IPsec policy may be to include enough information … [Ballot comment] I agree with Russ's discuss. One way to address the concerns about SPD configuration and IPsec policy may be to include enough information in the extended community attribute to configure the PAD and SPD. This would probably include the identity of the peers involved as well as enough information to know what IP addresses would be used so the PAD entries could be created. I do wish the working group the best of luck in addressing these issues; I believe this document is critical to providing customers with an optionn for cryptographically isolated VPNs. |
2006-01-19
|
05 | Russ Housley | [Ballot comment] If this document were on the standards-track, additional concerns would be raised. Since this document is intended for experimental, these comments … [Ballot comment] If this document were on the standards-track, additional concerns would be raised. Since this document is intended for experimental, these comments are provided for the authors consideration. Section 2.3 refers to "IPsec tunnels" even though earlier text says that transport mode is to be used. Presumably the Section 2.3 ought to refer to a GRE or IP tunnel, not an IPsec tunnel. How does diff-serv fit? If there is QoS or TE promised for any VPN, the proposal for encapsulation in one IPsec tunnel needs to consider how diff-serv signaling is handled. RFC 4023 makes note of the similarity of MPLS-in-IP and MPLS-in-GRE tunnels to IP-in-IP tunnels described in RFC 2893, stating that the same considerations apply. RFC 2893 says that, depending on the choice of pipe model or uniform model, the DSCP at the egress of the tunnel might be the inner header DSCP or the outer header DSCP. RFC 3270 says that the MPLS shim EXP field may encode PHB behavior, which can be mapped to DSCP behavior at the egress. So, has any consideration been given to the handling if a packet with a DSCP is assigned to an MPLS LSP, which is then encapsulated in IP and then assigned to an IPsec SA? Perhaps the view is that the other RFCs that cover these considerations of diff-serv. I'm not sure. How is improper VPN joining prevented? There is an opportunity for a misconfigured router to join a VPN that it should not have joined by attaching an export RT it should not be using to a route announcement. The reliance on careful configuration of the SP it seems to me makes the system fragile to errors. If a VPN crosses SP boundaries, then a misconfiguration in one SP might result in effects in the other SP. There is an opportunity to avoid this situation by attaching authorization to an IPsec SA. If a single SA is established between two PEs, intended to carry traffic for all VPNs common between the two, then the credentials communicated in the SA establishment might negotiate all the VPNs that the SA is intended to carry. An unauthorized VPN in subsequent traffic could cause the traffic to be dropped. This might be a security policy setting for the SA. Unfortunately, this would also mean that the SA's list of allowed VPNs would have to be updated as PEs joined new VPNs. There is already discussion of using route refresh to communicate a newly available RT (as a result of 'a "VPN Join" operation'), so dynamics like this are possible. If multiple SAs are established between two PEs, one for each VPN, then the credentials could be affiliated with authorization to join a particular VPN, and allow the establishment of the SA. This means that joining or leaving a VPN would not require changes in the settings of other SAs. |
2006-01-19
|
05 | Sam Hartman | [Ballot Position Update] New position, No Objection, has been recorded for Sam Hartman by Sam Hartman |
2006-01-19
|
05 | Russ Housley | [Ballot discuss] Please excuse the length of this DISCUSS position. It summarizes concerns from reviewers in the Security Directorate and myself. I have … [Ballot discuss] Please excuse the length of this DISCUSS position. It summarizes concerns from reviewers in the Security Directorate and myself. I have tried to eliminate overlap from the various reviewers. The term "privacy" should be replaced with "confidentiality" in the whole document. See definitions in RFC 2828. The title of the document and the Introduction do not seem to agree on the purpose of the document. The Title says: > > Architecture for the Use of PE-PE IPsec Tunnels ... > And, the Introduction says: > > This document specifies procedures for replacing the backbone > route label with an IPsec encapsulation > I think that the Introduction is more accurate. The introductory text says that IPsec is used to 'encapsulate" MPLS traffic. It says the "payload" will be an MPLS packet with the label stack consisting of a single MPLS entry, a route label. This raises several concerns: * I assume ESP encapsulation is intended, but ESP is mentioned anywhere. * Section 2 explains the encapsulation, and that does not match the description in introductory text. A diagram in Section 2 would help. * There is no mention of the SPD. Without a discussion of the SPD, the granularity of access control unclear. Section 2.2 talks about selecting a security policy, but again there is no mention of the SPD. What SPD entries that are appropriate for this application? How are source and destination address used? How is the next protocol value used? How are the port fields used? * Section 1.2 talks about anti-spoofing protection; however, the actual protection depends on the way that the previous points are resolved. Section 2.2 says: > > [RFC2547bis] already provides an egress-to-ingress signaling > capability via BGP, and we specify below how to extend this to > the signaling of security policy. > I assume this is a reference to Section 2.3, which says: > > Distribution of labeled VPN-IP routes by BGP is done exactly as > specified in [RFC2547bis], except that some additional BGP > attributes are needed for each distributed VPN-IP route. > > A given egress PE will be configurable to indicate whether it expects > to receive all, some, or none of its VPN traffic through an IPsec- > secured IP or GRE tunnel. In general, an ingress PE will not have to > know in advance whether any of the egress PEs for its VPNs require > their VPN traffic to be sent through an IPsec-secured IP tunnel; this > will be signaled from the egress PE. If an egress PE wants to receive > traffic for a particular VPN-IP route through an IPsec-secured IP > tunnel, it adds a new BGP Extended Community attribute to the route. > This attribute will then get distributed along with the route to the > ingress PEs. > If I understand this correctly, unsecured BGP configures IPsec SPD entries. Authentication and integrity of this configuration information is vital to security. Maybe I did not understand the intention here, but later comments in section 2.4 suggest otherwise. For example, section 2.4 notes that "no a priori configuration of remote tunnel endpoints is needed." If my understanding is correct, please tell how the distribution of security policy will be protected. Section 2.3 says: > > It is conceivable that an egress PE will want some of its IPsec- > secured IP-tunneled VPN traffic to be encrypted, but will want some > to be authenticated and not encrypted. > And then, Section 2.6 says: > > It is conceivable that there might need to be two (or more) SAs > between a pair of PEs, e.g., one in which data encryption is used > and one in which authentication but not encryption is used. > Multiple SAs are needed to support this vision, but providing different security services to different packets in a single SA is not supported by IPsec. Since the purpose for this draft is to protect PE-PE MPLS-in-IP traffic from being spoofed, why skip the authentication? Section 2.6 suggests that one SA can be used to carry traffic for multiple VPNs between two routers (a PE-PE pair). This seems reasonable given the security model proposed; however, this section also says that the packet delivered for IPsec processing need not be in the MPLS-in-IP or MPLS-in-GRE format; it might be a raw MPLS packet Handling raw MPLS assumes an IPsec module design very different than ones seen today in hosts, security gateways, or even bump-in-the-wire implementations. The text also says that the module would "apply the appropriate IPsec procedures," which seem to include generation of an IP header for the transport mode SA. This sort of processing is not part of IPsec. It needs to be specified in this document. (Only a tunnel mode SA can generate an IP header to encapsulate outbound traffic, but transport mode is used here.) Section 2.7 describes inbound processing and tries to address the problem of detecting and rejecting traffic that arrives with an MPLS label associated with an IPsec-protected VPN, but which has not be delivered via an appropriate SA. This discussion points out that the intent is to use MPLS labels as a basis for access control, even though it does not explicitly say so. The problem is that IPsec is not prepared to enforce this particular access control model, since MPLS labels are not selectors. It would be good to see a diagram showing where the IPsec boundary fits in this proposed use of IPsec, since the easy interpretation of the access control goal here does not match IPsec capabilities. This will also help make it clear how to configure the SPD for this application. The use of virtual interfaces is mentioned briefly, and that might be a way to address the access control issues. The Security Considerations are insufficient. Some points that need to be included are: * Describe any of the concerns arising from security policy distribution via BGP. RFC 3723 requires that iSNS be secured when it is used for security policy distribution. If BGP is used to distribution security policy I would expect similar considerations to apply. * Discuss the IPsec Extended Community. Is this community transitive? The Extended Community attribute is itself transitive, but each community must be identified as to whether it is transitive across ASes or not. There are concerns about the integrity of this way of signaling security policy: -- In the case where all PEs are in one AS, then the VPN-IPv4 routes can be distributed through IBGP connections (single hop) or through route reflectors. -- RFC 2796 does not mention any restrictions on the types of modifications a route reflector might do to reflected routes. General rules of BGP operation would then presume to apply. -- draft-ietf-idr-bgp-ext-communities-09.txt says that "A BGP speaker receiving a route with the Extended Communities attribute MAY modify this attribute according to the local policy." So, integrity/authentication protection would be difficult to provide for this field, in its hop through route reflectors. -- If the ingress and egress routers are in different ASes, then the draft says there must be an EBGP connection between a pair of routers in the two ASes (presumably not necessarily the ingress/router pair). This should be a single hop, so there should not be a problem with the integrity of the community, given that it is transitive and understood by both endpoints (assuming integrity/authentication for the BGP session). But, the Multi-AS Backbones section talks of using EBGP connections between ASBR's with the ASBR forwarding IBGP learned routes, so the ASBR would have the opportunity to affect the IPsec Extended Community attribute. The Multi-AS Backbones also speaks of ASes that serve as transit between the source AS and the destination AS, giving even more routers the chance to modify the IPsec Extended Community attribute. * Discuss the consequences of a misconfigured PE router. The document already says: "The SP must be careful not to incorrectly create a VPN containing sites that are not supposed to communicate with each other." This is too easily dismissed in the body of the document, where it says: "likely as not the PE has been misconfigured to apply that VPN's authenticator to packets to/from that site." This presumes that the PE is legitimately associated with the incorrect VPN, otherwise it should not know the authenticator. |
2006-01-19
|
05 | Russ Housley | [Ballot Position Update] New position, Discuss, has been recorded for Russ Housley by Russ Housley |
2006-01-19
|
05 | Bert Wijnen | [Ballot Position Update] New position, No Objection, has been recorded for Bert Wijnen by Bert Wijnen |
2006-01-19
|
05 | Margaret Cullen | [Ballot Position Update] New position, No Objection, has been recorded for Margaret Wasserman by Margaret Wasserman |
2006-01-18
|
05 | David Kessens | [Ballot Position Update] New position, No Objection, has been recorded for David Kessens by David Kessens |
2006-01-18
|
05 | Amy Vezza | State Changes to IESG Evaluation from Waiting for AD Go-Ahead by Amy Vezza |
2006-01-18
|
05 | Ted Hardie | [Ballot Position Update] New position, No Objection, has been recorded for Ted Hardie by Ted Hardie |
2006-01-18
|
05 | Michelle Cotton | IANA Comments: Per the IANA Considerations section, we understand this document to have NO IANA Actions. |
2006-01-09
|
05 | Mark Townsley | Placed on agenda for telechat - 2006-01-19 by Mark Townsley |
2006-01-09
|
05 | Mark Townsley | [Ballot Position Update] New position, Yes, has been recorded for Mark Townsley |
2006-01-09
|
05 | Mark Townsley | Ballot has been issued by Mark Townsley |
2006-01-09
|
05 | Mark Townsley | Created "Approve" ballot |
2005-12-21
|
05 | (System) | State has been changed to Waiting for AD Go-Ahead from In Last Call by system |
2005-12-07
|
05 | Amy Vezza | Last call sent |
2005-12-07
|
05 | Amy Vezza | State Changes to In Last Call from Last Call Requested by Amy Vezza |
2005-12-07
|
05 | Mark Townsley | Last Call was requested by Mark Townsley |
2005-12-07
|
05 | Mark Townsley | State Changes to Last Call Requested from AD Evaluation by Mark Townsley |
2005-12-07
|
05 | Mark Townsley | Note field has been cleared by Mark Townsley |
2005-12-07
|
05 | (System) | Ballot writeup text was added |
2005-12-07
|
05 | (System) | Last call text was added |
2005-12-07
|
05 | (System) | Ballot approval text was added |
2005-09-29
|
05 | Mark Townsley | Proto Questionairre 1.a) Have the chairs personally reviewed this version of the Internet Draft (ID), and in particular, do they … Proto Questionairre 1.a) Have the chairs personally reviewed this version of the Internet Draft (ID), and in particular, do they believe this ID is ready to forward to the IESG for publication? Yes 1.b) Has the document had adequate review from both key WG members and key non-WG members? Do you have any concerns about the depth or breadth of the reviews that have been performed? The document has passed WG last call. Mark Duffy also reviewed the document. 1.c) Do you have concerns that the document needs more review from a particular (broader) perspective (e.g., security, operational complexity, someone familiar with AAA, etc.)? No 1.d) Do you have any specific concerns/issues with this document that you believe the ADs and/or IESG should be aware of? For example, perhaps you are uncomfortable with certain parts of the document, or have concerns whether there really is a need for it. In any event, if your issues have been discussed in the WG and the WG has indicated it that it still wishes to advance the document, detail those concerns in the write-up. No 1.e) How solid is the WG consensus behind this document? Does it represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it? All those who were interested approved. None objected. 1.f) Has anyone threatened an appeal or otherwise indicated extreme discontent? If so, please summarise the areas of conflict in separate email to the Responsible Area Director. No 1.g) Have the chairs verified that the document adheres to all of the ID nits? (see http://www.ietf.org/ID-Checklist.html). Yes. 1.h) Is the document split into normative and informative references? Are there normative references to IDs, where the IDs are not also ready for advancement or are otherwise in an unclear state? (note here that the RFC editor will not publish an RFC with normative references to IDs, it will delay publication until all such IDs are also ready for publication as RFCs.) There is a normative reference to rfc2547bis. However, the referenced document is in the RFC editors queue and should be published soon. 1.i) For Standards Track and BCP documents, the IESG approval announcement includes a write-up section with the following sections: * Technical Summary * Working Group Summary * Protocol Quality N.A. This document is to be published as EXPERIMENTAL 1.j) Please provide such a write-up. Recent examples can be found in the "protocol action" announcements for approved documents. In BGP/MPLS IP Virtual Private Networks (VPNs), VPN data packets traveling from one Provider Edge (PE) router to another generally carry two MPLS labels, an "inner" label that corresponds to a VPN- specific route, and an "outer" label that corresponds to a Label Switched Path (LSP) between the PE routers. In some circumstances, it is desirable to support the same type of VPN architecture, but using an IPsec Security Association in place of that LSP. The "outer" MPLS label would thus be replaced by an IP/IPsec header. This enables the VPN packets to be carried securely over non-MPLS networks, using standard IPsec authentication and/or encryption functions to protect them. This draft specifies the procedures which are specific to support of BGP/MPLS IP VPNs using the IPsec encapsulation. 1.k) Note: I believe that this technology has been deployed, if not widely. |
2005-09-18
|
05 | Mark Townsley | [Note]: 'Waiting for WG writeup' added by Mark Townsley |
2005-09-18
|
05 | Mark Townsley | State Changes to AD Evaluation from Publication Requested by Mark Townsley |
2005-08-15
|
05 | Dinara Suleymanova | State Changes to Publication Requested from Dead by Dinara Suleymanova |
2005-08-15
|
05 | Dinara Suleymanova | Shepherding AD has been changed to Mark Townsley from Alex Zinin |
2005-08-15
|
05 | Dinara Suleymanova | Intended Status has been changed to Experimental from None |
2005-08-08
|
05 | (System) | New version available: draft-ietf-l3vpn-ipsec-2547-05.txt |
2005-06-24
|
04 | (System) | New version available: draft-ietf-l3vpn-ipsec-2547-04.txt |
2005-05-26
|
05 | (System) | State Changes to Dead from AD is watching by IESG Secretary |
2004-09-30
|
03 | (System) | New version available: draft-ietf-l3vpn-ipsec-2547-03.txt |
2004-03-09
|
02 | (System) | New version available: draft-ietf-l3vpn-ipsec-2547-02.txt |
2003-08-15
|
01 | (System) | New version available: draft-ietf-l3vpn-ipsec-2547-01.txt |
2003-07-23
|
00 | (System) | New version available: draft-ietf-l3vpn-ipsec-2547-00.txt |
2003-05-01
|
05 | Alex Zinin | Shepherding AD has been changed to Zinin, Alex from Bradner, Scott |
2002-04-27
|
05 | Scott Bradner | Draft Added by Scott Bradner |