[AG-TECH] MSB and Linux

Jay Beavers jbeavers at microsoft.com
Fri Aug 17 11:21:49 CDT 2001

Fyi, the use case for this scenario is to enable members of Microsoft
Research to participate in Internet2 based conferencing with other
researchers or faculty members.  The tunnelling occurs only between one
machine and the Internet2, it is not used to route or forward traffic
between network segments.  I believe this is within the Internet2
Acceptable Use Policy, though I will not offer this service to our
researchers if someone points out what policy it is violating.

The alternative is deploying two network ports to each office connected
to two separate computers in order to maintain network security.  That
has been my methodology to date and as you can imagine it has a bit of
overhead which decreases the usefulness and deployability of Internet2
conferencing between researchers.

This scenario is neither 'expedient' nor a replacement for Microsoft's
existing and continuing support for solid multicast transport,
applications, and tools.  It is a use of working, standards based
technology to solve the real world problem of how do you cross network
security boundaries that are an unfortunate requirement of the real

 - jcb

-----Original Message-----
From: Tony Rimovsky [mailto:tony at ncsa.uiuc.edu] 
Sent: Thursday, August 16, 2001 8:48 PM
To: Jay Beavers
Cc: Toerless Eckert; Robert Olson; Bill Nickless; Mark Hereld; kabev;
ag-tech at mcs.anl.gov
Subject: Re: [AG-TECH] MSB and Linux

First -- that particular application (tunneling commodity Internet
traffic into I2) is a clear violation of the I2 Acceptable Use Policy.
If you have to play with this, fine.  Do it between hosts on I2 enabled

Second -- while VPN tunneling to make multicast "work" is expedient, it
is shortsighted and works against getting real multicast deployed. This
is particularly true if Microsoft were to promote it as a standard
practice as part of a conference bridging solution.  In fact, it could
practically kill future interdomain multicast deployment.

A far better solution would be for Microsoft to provide solid multicast
apps, tools, IGMPv3, etc.. and then promote native multicast routing.

On Thu, Aug 16, 2001 at 05:53:24PM -0700, Jay Beavers wrote:
> FYI, I've just confirmed that if you install VPN on Windows XP Server,
> place it on the Internet2, and have it hand out Internet2 addresses, 
> you can VPN into the box from an Internet1 computer and send/receive 
> multicast RTP traffic.
> This gets us dial-up style authentication on an individual 
> username/password basis and is also compatible with hardware 
> authentication systems such as smart cards.
> This is the technique we'll be trying at Microsoft Research for our 
> Internet2/Corporate Network conference bridging.
>  - jcb
> -----Original Message-----
> From: Toerless Eckert [mailto:eckert at cisco.com]
> Sent: Sunday, August 12, 2001 5:43 PM
> To: Robert Olson
> Cc: Bill Nickless; Mark Hereld; kabev; ag-tech at mcs.anl.gov; Toerless
> Eckert
> Subject: Re: [AG-TECH] MSB and Linux
> On Sun, Aug 12, 2001 at 07:28:45PM -0500, Robert Olson wrote:
> > Did he know if the VPN boxes did indeed support multicast? Perhaps 
> > we
> > should look into what it might take (say, for the porta-ag..)
> Well, I wasn't really thinking about VPN boxes directly, I was rather
> thinking about L2TP tunnel into an aggregation router (or some
> dedicated VPN box, right, but yes - I do not know if those support
> IP multicast). The main point is to have the tunnel endpoint software
> available on the designated end system platform, and L2TP seems to be
> the most commonly available, but Bill also said that with your
> particular platform (Linux at least in one system), GRE might also be
> an option. The advantage of L2TP for larger scaling setups is the
> style user authentication you can typically configure, whereas GRE is
> always statically and authentication is only via IP address of the
> remote endpoint.
> Cheers
> 	Toerless