Auto-Discovery VPN Problem Statement and Requirements
RFC 7018
Document Type RFC - Informational (September 2013; No errata)
Last updated 2018-12-20
Replaces draft-ietf-ipsecme-p2p-vpn-problem
Stream IETF
Formats plain text pdf htmlized bibtex
Reviews
GENART Last Call Review (of -07): Almost Ready
SECDIR Telechat Review (of -07): Has Nits
Stream WG state Submitted to IESG for Publication
Document shepherd Paul Hoffman
Shepherd write-up Show (last changed 2013-06-25)
IESG IESG state RFC 7018 (Informational)
Consensus Boilerplate Unknown
Telechat date
Responsible AD Sean Turner
Send notices to (None)
IANA IANA review state Version Changed - Review Needed
IANA action state No IANA Actions
Email authors Email WG IPR References Referenced by Nits 
Internet Engineering Task Force (IETF)                         V. Manral
Request for Comments: 7018                                            HP
Category: Informational                                         S. Hanna
ISSN: 2070-1721                                                  Juniper
                                                          September 2013

         Auto-Discovery VPN Problem Statement and Requirements

Abstract

   This document describes the problem of enabling a large number of
   systems to communicate directly using IPsec to protect the traffic
   between them.  It then expands on the requirements for such a
   solution.

   Manual configuration of all possible tunnels is too cumbersome in
   many such cases.  In other cases, the IP addresses of endpoints
   change, or the endpoints may be behind NAT gateways, making static
   configuration impossible.  The Auto-Discovery VPN solution will
   address these requirements.

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Not all documents
   approved by the IESG are a candidate for any level of Internet
   Standard; see Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc7018.

Manral & Hanna                Informational                     [Page 1]
RFC 7018                   Auto-Discovery VPN             September 2013

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1. Introduction ....................................................2
      1.1. Terminology ................................................3
      1.2. Conventions Used in This Document ..........................4
   2. Use Cases .......................................................4
      2.1. Use Case 1: Endpoint-to-Endpoint VPN .......................4
      2.2. Use Case 2: Gateway-to-Gateway VPN .........................5
      2.3. Use Case 3: Endpoint-to-Gateway VPN ........................6
   3. Inadequacy of Existing Solutions ................................6
      3.1. Exhaustive Configuration ...................................6
      3.2. Star Topology ..............................................6
      3.3. Proprietary Approaches .....................................7
   4. Requirements ....................................................7
      4.1. Gateway and Endpoint Requirements ..........................7
   5. Security Considerations ........................................11
   6. Acknowledgements ...............................................11
   7. Normative References ...........................................12

1.  Introduction

   IPsec [RFC4301] is used in several different cases, including
   tunnel-mode site-to-site VPNs and remote access VPNs.  Both tunneling
   modes for IPsec gateways and host-to-host transport mode are
   supported in this document.

   The subject of this document is the problem presented by large-scale
   deployments of IPsec and the requirements on a solution to address
   the problem.  These may be a large collection of VPN gateways
   connecting various sites, a large number of remote endpoints
   connecting to a number of gateways or to each other, or a mix of the
   two.  The gateways and endpoints may belong to a single
   administrative domain or several domains with a trust relationship.

Manral & Hanna                Informational                     [Page 2]
RFC 7018                   Auto-Discovery VPN             September 2013

   Section 4.4 of RFC 4301 describes the major IPsec databases needed
   for IPsec processing.  It requires extensive configuration for each
   tunnel, so manually configuring a system of many gateways and
   endpoints becomes infeasible and inflexible.

   The difficulty is that a lot of configuration mentioned in RFC 4301
   is required to set up a Security Association.  The Internet Key
   Exchange Protocol (IKE) implementations need to know the identity and
Show full document text
RFC Editor IASA & IETF LLC IETF Trust IRTF IETF IESG IAB IANA Privacy Statement IETF Tools