<draft-lefaucheur-rsvp-ipsec-01 <draft-lefaucheur-rsvp-ipsec-01.txt> Generic Aggregate RSVP Reservations Francois Le Faucheur - flefauch@cisco.com F. Le Faucheur, B. Davie Cisco Systems M. Davenport C. Christou Booz Allen Consulting P. Bose Lockheed Martin draft-lefaucheur-rsvp-ipsec-01.txt IETF 63
Need for Aggregate Reservations (in Diffserv cloud) for IPsec tunnels Use Case: Nested VPN (draft-baker-tsvwg-vpn-signaled-preemption-03.txt “QoS Signalling in a Nested VPN”) P1 IPsec VPN Routers R1 R2 R4 P2 Intserv/Diffserv Cloud R7 IPsec tunnel Need for Aggregate Reservations (in Diffserv cloud) for IPsec tunnels R3 R5 End-to-end RSVP reservation R6 IPsec VPNs, with need for end-to-end RSVP reservations: e2E reservations must be hidden/aggregated over IPsec tunnels resources must be reserved (by RSVP) in the Diffserv Cloud for traffic carried over a given IPsec tunnel (eg for Voice traffic, for Video traffic) draft-lefaucheur-rsvp-ipsec-01.txt IETF 63
Use Case: Parallel Aggregate RSVP Reservations RSVP Aggregators R1 R2 R4 P2 Agg RSVP Resa : Voice/EF + High Preemption Intserv/Diffserv Cloud R7 End-to-end RSVP reservation + High Prempt R3 R5 R6 Agg RSVP Resa : Voice/EF + Low Preemption Need for Parallel Aggregate Reservations End-to-end RSVP reservation + Low Preempt Aggregation as per RFC3175 Need for Multiple Aggregate reservations for a given <Aggregator, Deaggregator, DSCP> tuple draft-lefaucheur-rsvp-ipsec-01.txt IETF 63
Proposed Extensions: AGGREGATE/GPI Session +-------------+-------------+-------------+-------------+ | IPv4 Session Address (4 bytes) | +-------------+-------------+-------------+-------------+ | /////////// | Flags | ///////// | DSCP | +-------------+-------------+-------------+-------------+ RFC3175 Aggregate-IPv4 Session RFC2207 IPv4/GPI Session +-------------+-------------+-------------+-------------+ | IPv4 DestAddress (4 bytes) | +-------------+-------------+-------------+-------------+ | Protocol ID | Flags | vDstPort | +-------------+-------------+-------------+-------------+ +-------------+-------------+-------------+-------------+ | IPv4 DestAddress (4 bytes) | +-------------+-------------+-------------+-------------+ | Protocol ID | Flags | vDstPort | DSCP | +-------------+-------------+-------------+-------------+ Proposed Aggregate/GPI Session = Union (RFC3175 Session, RFC2207 Session) draft-lefaucheur-rsvp-ipsec-01.txt IETF 63
Changes 0001 Broadening of the applicability of the new type of aggregate reservations beyond use for Aggregate reservations for IPsec tunnels (ie to environments where IPsec is not used – as per 2nd Use Case): document renamed to "Generic Aggregate RSVP Reservations“ added a subsection in Introduction to discuss a case where Generic Aggregate RSVP Reservations are needed in non IPsec environments added text about the fact that the Generic Aggregate Reservations can be used with IP-in-IP and GRE encapsulation (in addition to with IPsec AH and ESP) added example usage under Section 5 for environment where IPsec is not used draft-lefaucheur-rsvp-ipsec-01.txt IETF 63
Changes 0001 The other significant changes are: added a subsection describing the changes to the [RSVP-AGG] procedures under Section 4 added explanation about allocation of VDstPort values by Deaggregator, in that same subsection added value of Protocol ID in all example generic aggregate reservations in Section 5 Clarifications on granularity of policing in section 4.1 draft-lefaucheur-rsvp-ipsec-01.txt IETF 63
Open Items Aggregator/Deaggregator behavior: Clarifying text needed: Aggregator responsible for deciding/maintaining necessary Security Associations with Deaggregator Deaggregator responsible for requesting establishment of new aggregate reservation and for mapping of end-to-end reservation onto aggregate reservation handling dynamic SPI/Security_Association updates: Text currently in security section need to be moved to main body draft-lefaucheur-rsvp-ipsec-01.txt IETF 63
Next Steps Get more feed-back Accept as TSVWG Working Group document draft-lefaucheur-rsvp-ipsec-01.txt IETF 63
Backup Slides draft-lefaucheur-rsvp-ipsec-01.txt IETF 63
Relationship to existing RFCs? RFC2207: “RSVP Extensions for IPSEC Data Flows”: Allows reservations for individual IPsec flows. BUT does NOT address aggregate reservations between IPsec devices with Diffserv classif/scheduling RFC3175: “Aggregation of RSVP for IPv4 and IPv6 Reservations”: Supports Aggregate reservations with Diffserv classif/scheduling. BUT does NOT support IPsec betw Aggregator and Deaggregator Does not allow multiple reservations with same DSCP This draft: Supports (multiple) Aggregate Reservations based on Diffserv classif/scheduling AND supports IPsec betw Aggregator and Deaggregator draft-lefaucheur-rsvp-ipsec-01.txt IETF 63
What’s missing in RFC3175 ? o IP4 SESSION object: Class = SESSION, C-Type = RSVP-AGGREGATE-IP4 +-------------+-------------+-------------+-------------+ | IPv4 Session Address (4 bytes) | +-------------+-------------+-------------+-------------+ | /////////// | Flags | ///////// | DSCP | +-------------+-------------+-------------+-------------+ o IP4 SENDER_TEMPLATE object: Class = SENDER_TEMPLATE, C-Type = RSVP-AGGREGATE-IP4 +-------------+-------------+-------------+-------------+ | IPv4 Aggregator Address (4 bytes) | +-------------+-------------+-------------+-------------+ Not possible to associate reservation with IPsec tunnel (eg SPI) Not possible to setup multiple reservations for same DSCP (eg for multiple preemptions) draft-lefaucheur-rsvp-ipsec-01.txt IETF 63
What’s missing in RFC2207 ? o IPv4/GPI SESSION object: Class = 1, C-Type = 3 +-------------+-------------+-------------+-------------+ | IPv4 DestAddress (4 bytes) | +-------------+-------------+-------------+-------------+ | Protocol ID | Flags | vDstPort | +-------------+-------------+-------------+-------------+ o IPv4/GPI FILTER_SPEC object: Class = 10, C-Type = 4 +-------------+-------------+-------------+-------------+ | IPv4 SrcAddress (4 bytes) | +-------------+-------------+-------------+-------------+ | Generalized Port Identifier (GPI) | +-------------+-------------+-------------+-------------+ Not possible to associate the reservation with a DSCP (RFC2207 assumes per-flow mode) draft-lefaucheur-rsvp-ipsec-01.txt IETF 63
For completeness: What’s missing in RFC2746 ? RFC2746: “RSVP Operations over IP Tunnels” “Type 2 Tunnel” is similar in the sense that a single reservation is made for the tunnel while many individual flows are carried over the tunnel, BUT Does not address case where flows are encrypted (and does not allow identification of traffic via SPI) Does not address case of Diffserv classification/scheduling (which is why RFC3175 was developed in the first place) draft-lefaucheur-rsvp-ipsec-01.txt IETF 63
Proposed Extensions: AGGREGATION-SESSION Object New-Aggregate-Needed Incl Aggregation-Session R1 R2 R4 P2 IPsec tunnel Intserv/Diffserv Cloud R7 Aggregate reservation For IPsec tunnel R3 R5 End-to-end RSVP reservation R6 Like in RFC3175, Deaggregator can send to Aggregator an 2e2 PathError with “New-Aggregate-Needed” Error, to request Aggregator to establish a new Aggregate reservation New “AGGREGRATION SESSION” object included, which contains the Session Object of required Session (including DSCP, VDstPort,..) Also used in e2e Resv, to communicate to Deaggregator the Aggregate session to map e2e reservation onto draft-lefaucheur-rsvp-ipsec-01.txt IETF 63