IPSEC and MPLS priority for 2.6?

IPSEC and MPLS priority for 2.6?

[Pekka Savola]

Hi,

Andrew characterized (or Dave) did the lack of MPLS support as a huge 
issue for serious IPSEC usage in:

ftp://ftp.kernel.org/pub/linux/kernel/people/akpm/must-fix/should-fix-7.txt
[see below]

.. I don't agree.  MPLS is only needed for IPsec VPNs in the case that 
Linux is being used as an MPLS router, like as Provider Edge device.  
I think it's safe to say this is close to a marginal application of 
Linux.  I don't think this is Priority 1 ("we're totally lame if we 
don't do it") thing -- at least from the IPsec perspective.  I'd 
suggest pushing it down in the priority list.

But of course, if a rewrite is already almost done, I have no 
objections to merging it.  I'd just like to point out that IMHO MPLS 
is _not_ one of our "core" technologies to worry about :-).

(Btw, there's a lot of claimed IPR on MPLS technologies, not sure if 
that's a problem or not.)

****** snip *******

net/
~~~

  (davem)

o Real serious use of IPSEC is hampered by lack of MPLS support.  MPLS is a
  switching technology that works by switching based upon fixed length labels
  prepended to packets.  Many people use this and IPSEC to implement VPNs
  over public networks, it is also used for things like traffic engineering.

  A good reference site is:

	http://www.mplsrc.com/

  Anyways, an existing (crappy) implementation exists.  I've almost
  completed a rewrite, I should have something in the tree next week.

  PRI1



-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

Re: IPSEC and MPLS priority for 2.6?

[David S. Miller]

On Thu, 18 Dec 2003 09:36:15 +0200 (EET)
Pekka Savola <pekkas@netcore.fi> wrote:

> Andrew characterized (or Dave) did the lack of MPLS support as a huge 
> issue for serious IPSEC usage in:
> 
> ftp://ftp.kernel.org/pub/linux/kernel/people/akpm/must-fix/should-fix-7.txt
> [see below]
> 
> .. I don't agree.

You're probably right, it's priority can be decreased.

If the MPLS stuff is ready later in the 2.6.x series though, it
will be very easy to merge safely.

Re: IPSEC and MPLS priority for 2.6?

[YOSHIFUJI Hideaki / 吉藤英明]

In article <Pine.LNX.4.44.0312180930560.12194-100000@netcore.fi> (at Thu, 18 Dec 2003 09:36:15 +0200 (EET)), Pekka Savola <pekkas@netcore.fi> says:

> ftp://ftp.kernel.org/pub/linux/kernel/people/akpm/must-fix/should-fix-7.txt
> [see below]
> 
> .. I don't agree.  MPLS is only needed for IPsec VPNs in the case that 
> Linux is being used as an MPLS router, like as Provider Edge device.  
> I think it's safe to say this is close to a marginal application of 
> Linux.  I don't think this is Priority 1 ("we're totally lame if we 
> don't do it") thing -- at least from the IPsec perspective.  I'd 
> suggest pushing it down in the priority list.

seconded.

--yoshfuji

Re: IPSEC and MPLS priority for 2.6?

[James R. Leu]

On Thu, Dec 18, 2003 at 09:36:15AM +0200, Pekka Savola wrote:
> Hi,
> 
> Andrew characterized (or Dave) did the lack of MPLS support as a huge 
> issue for serious IPSEC usage in:
> 
> ftp://ftp.kernel.org/pub/linux/kernel/people/akpm/must-fix/should-fix-7.txt
> [see below]
> 
> .. I don't agree.  MPLS is only needed for IPsec VPNs in the case that 
> Linux is being used as an MPLS router, like as Provider Edge device.  
> I think it's safe to say this is close to a marginal application of 
> Linux.  I don't think this is Priority 1 ("we're totally lame if we 
> don't do it") thing -- at least from the IPsec perspective.  I'd 
> suggest pushing it down in the priority list.

I would agree that MPLS is _not_ "a huge issue for serious IPSEC usage".

> But of course, if a rewrite is already almost done, I have no 
> objections to merging it.  I'd just like to point out that IMHO MPLS 
> is _not_ one of our "core" technologies to worry about :-).

Dave's work has been passed off to jamal.  Jamal, myself, and Ramon Casellas
are working at combining/cleaning up the existing "crappy" implementation
(which is the very technical term davem used to describe my implementation).
None the less work is progressing.

> (Btw, there's a lot of claimed IPR on MPLS technologies, not sure if 
> that's a problem or not.)

Up till now there has not been any issues.  Most of the IPR claims state
that the holder will grant "a non-exclusive license under reasonable and
non-discriminatory terms and conditions".

To be on the safe side, I will contact the parties that feel they have IPR
related to the areas of MPLS that pertain to our implementation.  I'll use
the IETF's 'Page of Intellectual Property Rights Notices' as my source for
IPR claims pertaining to MPLS unless someone else can point out an
alternative location to look.

--
James R. Leu
jleu@mindspring.com


> ****** snip *******
> 
> net/
> ~~~
> 
>   (davem)
> 
> o Real serious use of IPSEC is hampered by lack of MPLS support.  MPLS is a
>   switching technology that works by switching based upon fixed length labels
>   prepended to packets.  Many people use this and IPSEC to implement VPNs
>   over public networks, it is also used for things like traffic engineering.
> 
>   A good reference site is:
> 
> 	http://www.mplsrc.com/
> 
>   Anyways, an existing (crappy) implementation exists.  I've almost
>   completed a rewrite, I should have something in the tree next week.
> 
>   PRI1
> 
> 
> 
> -- 
> Pekka Savola                 "You each name yourselves king, yet the
> Netcore Oy                    kingdom bleeds."
> Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
> 

Re: IPSEC and MPLS priority for 2.6?

[Pekka Savola]

On Thu, 18 Dec 2003, James R. Leu wrote:
> > (Btw, there's a lot of claimed IPR on MPLS technologies, not sure if 
> > that's a problem or not.)
> 
> Up till now there has not been any issues.  Most of the IPR claims state
> that the holder will grant "a non-exclusive license under reasonable and
> non-discriminatory terms and conditions".

FWIW, that's legal mumbo jumbo which means nothing in practice.  
Charging 100$ fee per computer where the code is run or deployed is
counted as reasonable :-)
 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings