Title: <draft-lefaucheur-rsvp-ipsec-00.txt> Aggregate RSVP Reservations for IPsec Tunnels Francois Le Faucheur - flefauch@cisco.com
Slide 1: Aggregate RSVP Reservations for IPsec Tunnels
<draft-lefaucheur-rsvp-ipsec-00.txt>
Presenter: Francois Le Faucheur - flefauch@cisco.com

Authors:
- M. Davenport, C. Christou (Booz Allen Consulting)
- F. Le Faucheur, B. Davie (Cisco Systems)
- P. Bose (Lockheed Martin)
Slide 2: What is needed?

[Figure: IPsec VPN routers R1..R7 and hosts P1, P2 around an Intserv/Diffserv cloud, with an IPsec tunnel and an end-to-end RSVP reservation spanning it]

- IPsec VPNs, with need for end-to-end RSVP reservations
  - e2e reservations must be hidden/aggregated over IPsec tunnels
  - resources must be reserved (by RSVP) in the Diffserv Cloud for traffic carried over a given IPsec tunnel (e.g. for Voice traffic, for Video traffic)
- See draft-baker-tsvwg-vpn-signaled-preemption-02.txt, "QoS Signalling in a Nested VPN"
Slide 3: Relationship to existing RFCs?

- RFC2207 RSVP Extensions for IPSEC Data Flows
  - Allows reservations for individual IPsec flows.
  - BUT does NOT address aggregate reservations between IPsec devices with Diffserv classification/scheduling
- RFC3175 Aggregation of RSVP for IPv4 and IPv6 Reservations
  - Supports Aggregate reservations with Diffserv classification/scheduling.
  - BUT does NOT support IPsec between Aggregator and Deaggregator
- This draft
  - Supports Aggregate Reservations based on Diffserv classification/scheduling
  - AND supports IPsec between Aggregator and Deaggregator
Slide 4: What's missing in RFC3175?

o IPv4 SESSION object: Class = SESSION, C-Type = RSVP-AGGREGATE-IP4

   +-------------+-------------+-------------+-------------+
   |             IPv4 Session Address (4 bytes)            |
   +-------------+-------------+-------------+-------------+
   | /////////// |    Flags    | /////////// |    DSCP     |
   +-------------+-------------+-------------+-------------+

o IPv4 SENDER_TEMPLATE object: Class = SENDER_TEMPLATE, C-Type = RSVP-AGGREGATE-IP4

   +-------------+-------------+-------------+-------------+
   |            IPv4 Aggregator Address (4 bytes)          |
   +-------------+-------------+-------------+-------------+

- Not possible to associate reservation with IPsec tunnel (e.g. SPI)
- Not possible to set up multiple reservations for same DSCP (e.g. for multiple preemption levels)
Slide 5: What's missing in RFC2207?

o IPv4/GPI SESSION object: Class = 1, C-Type = 3

   +-------------+-------------+-------------+-------------+
   |               IPv4 DestAddress (4 bytes)              |
   +-------------+-------------+-------------+-------------+
   | Protocol ID |    Flags    |          vDstPort         |
   +-------------+-------------+-------------+-------------+

o IPv4/GPI FILTER_SPEC object: Class = 10, C-Type = 4

   +-------------+-------------+-------------+-------------+
   |               IPv4 SrcAddress (4 bytes)               |
   +-------------+-------------+-------------+-------------+
   |          Generalized Port Identifier (GPI)            |
   +-------------+-------------+-------------+-------------+

- Not possible to associate the reservation with a DSCP (RFC2207 assumes per-flow mode)
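The two SESSION layouts on slides 4 and 5 make the gaps concrete. The following Python is an added example, not code from the draft or the slides: it encodes and decodes both existing SESSION C-Types and shows that the RFC3175 object identifies a reservation by (address, DSCP) only, with no field for an SPI or tunnel, while the RFC2207 object carries no DSCP at all. The C-Type value 9 for RSVP-AGGREGATE-IP4 is taken from the IANA RSVP registry (an assumption here, check the registry); the addresses and ports are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

SESSION_CLASS = 1        # RSVP SESSION object Class-Num
CTYPE_IPV4_GPI = 3       # RFC 2207 IPv4/GPI SESSION (Class 1, C-Type 3)
CTYPE_AGGREGATE_IP4 = 9  # RFC 3175 RSVP-AGGREGATE-IP4 (IANA value, assumed here)


def rsvp_object(class_num, ctype, body):
    """Prefix a body with the common RSVP object header: Length, Class-Num, C-Type."""
    return struct.pack("!HBB", 4 + len(body), class_num, ctype) + body


def gpi_session(dest, proto, flags, vdstport):
    """RFC 2207 layout: IPv4 DestAddress | Protocol ID | Flags | vDstPort (16 bits)."""
    body = IPv4Address(dest).packed + struct.pack("!BBH", proto, flags, vdstport)
    return rsvp_object(SESSION_CLASS, CTYPE_IPV4_GPI, body)


def aggregate_session(addr, flags, dscp):
    """RFC 3175 layout: IPv4 Session Address | reserved | Flags | reserved | DSCP."""
    body = IPv4Address(addr).packed + struct.pack("!BBBB", 0, flags, 0, dscp)
    return rsvp_object(SESSION_CLASS, CTYPE_AGGREGATE_IP4, body)


def parse_session(obj):
    """Decode either SESSION C-Type; 'key' is the tuple a router keys state on."""
    length, class_num, ctype = struct.unpack("!HBB", obj[:4])
    if class_num != SESSION_CLASS or length != len(obj):
        raise ValueError("not a well-formed SESSION object")
    body = obj[4:length]
    addr = str(IPv4Address(body[:4]))
    if ctype == CTYPE_AGGREGATE_IP4:
        _, flags, _, dscp = struct.unpack("!BBBB", body[4:8])
        # Address + DSCP is all that identifies the session: no room for an SPI,
        # so a second reservation for the same DSCP collides with the first.
        return {"ctype": ctype, "addr": addr, "flags": flags, "dscp": dscp,
                "key": (addr, dscp)}
    if ctype == CTYPE_IPV4_GPI:
        proto, flags, vdstport = struct.unpack("!BBH", body[4:8])
        # Per-flow identification (address, protocol, virtual port); no DSCP field.
        return {"ctype": ctype, "addr": addr, "proto": proto, "flags": flags,
                "vdstport": vdstport, "key": (addr, proto, vdstport)}
    raise ValueError(f"unsupported SESSION C-Type {ctype}")


def same_reservation(obj_a, obj_b):
    """True when two SESSION objects would be merged into one reservation state."""
    return parse_session(obj_a)["key"] == parse_session(obj_b)["key"]
```

Two aggregate sessions built for the same tunnel endpoint and DSCP compare equal even if they were meant for different tunnels or preemption levels, which is exactly the limitation slide 4 lists.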
Slide 6: For completeness: What's missing in RFC2746?

- RFC2746 RSVP Operations over IP Tunnels
  - Type 2 Tunnel is similar in the sense that a single reservation is made for the tunnel while many individual flows are carried over the tunnel, BUT
  - Does not address case where flows are encrypted (and does not allow identification of traffic via SPI)
  - Does not address case of Diffserv classification/scheduling (which is why RFC3175 was developed in the first place)
Slide 7: Proposed Extensions: AGGREGATE/GPI Session

RFC3175 Aggregate-IPv4 Session:

   +-------------+-------------+-------------+-------------+
   |             IPv4 Session Address (4 bytes)            |
   +-------------+-------------+-------------+-------------+
   | /////////// |    Flags    | /////////// |    DSCP     |
   +-------------+-------------+-------------+-------------+

RFC2207 IPv4/GPI Session:

   +-------------+-------------+-------------+-------------+
   |               IPv4 DestAddress (4 bytes)              |
   +-------------+-------------+-------------+-------------+
   | Protocol ID |    Flags    |          vDstPort         |
   +-------------+-------------+-------------+-------------+

Proposed Aggregate/GPI Session = Union (RFC3175 Session, RFC2207 Session):
the RFC2207 layout (IPv4 DestAddress (4 bytes), Protocol ID, Flags, vDstPort) with a DSCP field added; the slide shows the DSCP appended after vDstPort without giving exact bit positions.
Slide 8: Proposed Extensions: AGGREGATION-SESSION Object

[Figure: same topology as slide 2 (R1..R7, P1, P2, Intserv/Diffserv cloud), showing the aggregate reservation for the IPsec tunnel alongside the end-to-end RSVP reservation]

- Like in RFC3175, Deaggregator can send to Aggregator an e2e PathError with New-Aggregate-Needed Error, to request Aggregator to establish a new Aggregate reservation
- New AGGREGATION-SESSION object included, which contains the Session Object of required Session (including DSCP, vDstPort, ...)
- Also used in e2e Resv, to communicate to Deaggregator the Aggregate session to map e2e reservation onto
Slide 9: Open Items

- Aggregator/Deaggregator behavior
  - Clarifying text needed
  - Aggregator responsible for deciding/maintaining necessary Security Associations with Deaggregator
  - Deaggregator responsible for requesting establishment of new aggregate reservation and for mapping of end-to-end reservation onto aggregate reservation
  - Handling dynamic SPI/Security_Association updates
- Text currently in security section needs to be moved to main body
Slide 10: Next Steps

- Get feedback
- Progress in TSVWG