Auto-Discovery VPN Problem Statement and Requirements
RFC 7018
| Field | Value |
|---|---|
| Type | RFC - Informational (September 2013; No errata) |
| Authors | Vishwas Manral, Steve Hanna |
| Last updated | 2018-12-20 |
| Replaces | draft-ietf-ipsecme-p2p-vpn-problem |
| Stream | IETF |
| WG state | Submitted to IESG for Publication |
| Document shepherd | Paul Hoffman |
| Shepherd write-up | Last changed 2013-06-25 |
| IESG state | RFC 7018 (Informational) |
| Consensus boilerplate | Unknown |
| Responsible AD | Sean Turner |
| IANA review state | Version Changed - Review Needed |
| IANA action state | No IANA Actions |
Internet Engineering Task Force (IETF)
Request for Comments: 7018
Category: Informational
ISSN: 2070-1721

V. Manral, HP
S. Hanna, Juniper
September 2013

Auto-Discovery VPN Problem Statement and Requirements

Abstract

This document describes the problem of enabling a large number of systems to communicate directly using IPsec to protect the traffic between them. It then expands on the requirements for such a solution. Manual configuration of all possible tunnels is too cumbersome in many such cases. In other cases, the IP addresses of endpoints change, or the endpoints may be behind NAT gateways, making static configuration impossible. The Auto-Discovery VPN solution will address these requirements.

Status of This Memo

This document is not an Internet Standards Track specification; it is published for informational purposes.

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7018.

Copyright Notice

Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

1. Introduction
   1.1. Terminology
   1.2. Conventions Used in This Document
2. Use Cases
   2.1. Use Case 1: Endpoint-to-Endpoint VPN
   2.2. Use Case 2: Gateway-to-Gateway VPN
   2.3. Use Case 3: Endpoint-to-Gateway VPN
3. Inadequacy of Existing Solutions
   3.1. Exhaustive Configuration
   3.2. Star Topology
   3.3. Proprietary Approaches
4. Requirements
   4.1. Gateway and Endpoint Requirements
5. Security Considerations
6. Acknowledgements
7. Normative References

1. Introduction

IPsec [RFC4301] is used in several different cases, including tunnel-mode site-to-site VPNs and remote access VPNs. Both tunnel mode between IPsec gateways and host-to-host transport mode are within the scope of this document. The subject of this document is the problem presented by large-scale deployments of IPsec and the requirements on a solution to address the problem. Such a deployment may be a large collection of VPN gateways connecting various sites, a large number of remote endpoints connecting to a number of gateways or to each other, or a mix of the two. The gateways and endpoints may belong to a single administrative domain or to several domains with a trust relationship.

Section 4.4 of RFC 4301 describes the major IPsec databases needed for IPsec processing. Each tunnel requires extensive configuration, so manually configuring a system of many gateways and endpoints becomes infeasible and inflexible. The difficulty is that much of the configuration described in RFC 4301 is required before a Security Association can be set up. The Internet Key Exchange Protocol (IKE) implementations need to know the identity and