F. Le Faucheur, B. Davie Cisco Systems

1. <draft-lefaucheur-rsvp-ipsec-00.txt>Aggregate RSVP Reservations for IPsec TunnelsFrancois Le Faucheur - flefauch@cisco.com M. Davenport C. Christou Booz Allen Consulting F. Le Faucheur, B. Davie Cisco Systems P. Bose Lockheed Martin draft-lefaucheur-rsvp-ipsec-00.txt

2. Need for Aggregate Reservations (in Diffserv cloud) for IPsec tunnels What is needed ? P1 IPsec VPN Routers • IPsec VPNs, with need for end-to-end RSVP reservations:  e2E reservations must be hidden/aggregated over IPsec tunnels  resources must be reserved (by RSVP) in the Diffserv Cloud for traffic carried over a given IPsec tunnel (eg for Voice traffic, for Video traffic) • See draft-baker-tsvwg-vpn-signaled-preemption-02.txt “QoS Signalling in a Nested VPN” R1 R2 R4 P2 Intserv/Diffserv Cloud R7 IPsec tunnel R3 R5 End-to-end RSVPreservation R6 draft-lefaucheur-rsvp-ipsec-00.txt

3. Relationship to existing RFCs? • RFC2207: “RSVP Extensions for IPSEC Data Flows”: • Allows reservations for individual IPsec flows. • BUT does NOT address aggregate reservations between IPsec devices with Diffserv classif/scheduling • RFC3175: “Aggregation of RSVP for IPv4 and IPv6 Reservations”: • Supports Aggregate reservations with Diffserv classif/scheduling. • BUT does NOT support IPsec betw Aggregator and Deaggregator • This draft: • Support Aggregate Reservations based on Diffserv classif/scheduling • AND supports IPsec betw Aggregator and Deaggregator draft-lefaucheur-rsvp-ipsec-00.txt

4. What’s missing in RFC3175 ? o IP4 SESSION object: Class = SESSION, C-Type = RSVP-AGGREGATE-IP4+-------------+-------------+-------------+-------------+ | IPv4 Session Address (4 bytes) | +-------------+-------------+-------------+-------------+ | /////////// | Flags | ///////// | DSCP | +-------------+-------------+-------------+-------------+ o IP4 SENDER_TEMPLATE object: Class = SENDER_TEMPLATE, C-Type = RSVP-AGGREGATE-IP4 +-------------+-------------+-------------+-------------+ | IPv4 Aggregator Address (4 bytes) | +-------------+-------------+-------------+-------------+ • Not possible to associate reservation with IPsec tunnel (eg SPI) • Not possible to setup multiple reservations for same DSCP (eg for multiple preemptions) draft-lefaucheur-rsvp-ipsec-00.txt

5. What’s missing in RFC2207 ? o IPv4/GPI SESSION object: Class = 1, C-Type = 3 +-------------+-------------+-------------+-------------+ | IPv4 DestAddress (4 bytes) | +-------------+-------------+-------------+-------------+ | Protocol ID | Flags | vDstPort | +-------------+-------------+-------------+-------------+ o IPv4/GPI FILTER_SPEC object: Class = 10, C-Type = 4 +-------------+-------------+-------------+-------------+ | IPv4 SrcAddress (4 bytes) | +-------------+-------------+-------------+-------------+ | Generalized Port Identifier (GPI) | +-------------+-------------+-------------+-------------+ • Not possible to associate the reservation with a DSCP (RFC2207 assumes per-flow mode) draft-lefaucheur-rsvp-ipsec-00.txt

6. For completeness:What’s missing in RFC2746 ? • RFC2746: “RSVP Operations over IP Tunnels” • “Type 2 Tunnel” is similar in the sense that a single reservation is made for the tunnel while many individual flows are carried over the tunnel, BUT • Does not address case where flows are encrypted (and does not allow identification of traffic via SPI) • Does not address case of Diffserv classification/scheduling (which is why RFC3175 was developed in the first place) draft-lefaucheur-rsvp-ipsec-00.txt

7. Proposed Extensions:AGGREGATE/GPI Session +-------------+-------------+-------------+-------------+ | IPv4 Session Address (4 bytes) | +-------------+-------------+-------------+-------------+ | /////////// | Flags | ///////// | DSCP | +-------------+-------------+-------------+-------------+ RFC3175 Aggregate-IPv4 Session RFC2207 IPv4/GPI Session +-------------+-------------+-------------+-------------+ | IPv4 DestAddress (4 bytes) | +-------------+-------------+-------------+-------------+ | Protocol ID | Flags | vDstPort | +-------------+-------------+-------------+-------------+ +-------------+-------------+-------------+-------------+ | IPv4 DestAddress (4 bytes) | +-------------+-------------+-------------+-------------+ | Protocol ID | Flags | vDstPort | DSCP | +-------------+-------------+-------------+-------------+ Proposed Aggregate/GPI Session = Union (RFC3175 Session, RFC2207 Session) draft-lefaucheur-rsvp-ipsec-00.txt

8. New-Aggregate-Needed Incl Aggregation-Session Proposed Extensions:AGGREGATION-SESSION Object P1 • Like in RFC3175, Deaggregator can send to Aggregator an 2e2 PathError with “New-Aggregate-Needed” Error, to request Aggregator to establish a new Aggregate reservation • New “AGGREGRATION SESSION” object included, which contains the Session Object of required Session (including DSCP, VDstPort,..) • Also used in e2e Resv, to communicate to Deaggregator the Aggregate session to map e2e reservation onto R1 R2 R4 P2 IPsec tunnel Intserv/Diffserv Cloud R7 Aggregate reservation For IPsec tunnel R3 R5 End-to-end RSVPreservation R6 draft-lefaucheur-rsvp-ipsec-00.txt

9. Open Items • Aggregator/Deaggregator behavior: • Clarifying text needed: • Aggregator responsible for deciding/maintaining necessary Security Associations with Deaggregator • Deaggregator responsible for requesting establishment of new aggregate reservation and for mapping of end-to-end reservation onto aggregate reservation • handling dynamic SPI/Security_Association updates: • Text currently in security section need to be moved to main body draft-lefaucheur-rsvp-ipsec-00.txt

10. Next Steps • Get feed-back • Progress in TSVWG draft-lefaucheur-rsvp-ipsec-00.txt