
RE: first comments on draft-ietf-ipsec-mib-02.txt (no ifIndex/ifEntry)



Howdy ()
	So the point John Shriver was making was related to MIBs and
management. Are tunnels virtual interfaces or not? But the comments I make
in reply could lead down a very different discussion path... that of how
routing protocols treat tunnels.


> 
> I certainly expect that we expect to run OSPF or RIPv2 over "VPN"
> tunnel interfaces.  From the point of view of those protocols, and the
> IP forwarder, the tunnels are very much interfaces.  (Yes, they are
> recursively on top of IP.  But they are still virtual interfaces.)
> 

True, BUT... 

	So has anyone out there actually succeeded in getting OSPF or RIP to
recognize and communicate with neighbors across a tunnel? I fear not. This
is a subtle but horrible complexity of IP in IP tunnels, that the two
endpoints are NOT in the same subnet. (They must not be so that the 'cloud'
can route to the two separate end points.) Neither RIP nor OSPF will
recognize neighbors outside of their subnets. Ultimately this will force a
corporation who is interested in deploying VPN to either static route or BGP
route to a bunch of satellite sub-Autonomous-Systems. 

	Has anyone gotten any IGP to 'neighborize' and communicate across an
IP in IP tunnel? What would it take to make that happen [protocol extensions
to RIP, HELLO, IS-IS, and OSPF, or specialized route protocol recognition
and proxying in IPSec]? Is it worth going down that path?


	My apologies to John Shriver for the diversion of attention. In
fairness to his point and questions I also make this point... IPSec tunnels
(SAs) are transitory in nature, they are 'up' only so long as there is
traffic and re-key timers haven't popped. I don't think that O&M groups want
to see 'interfaces' which come up and down with traffic load. Especially the
'interface down' trap should be something which justifies an O&M worker
getting a beep on the pager in the wee AM hours.

###################################
#  Ricky Charlet
#   rcharlet@RedCreek.com
#  (510) 795-6903
###################################
end Howdy; 

Ricky

