IETF Logo Mail Archive

Re: [Anima] Is this how BRSKI/IPIP works?

"Eliot Lear (elear)" <elear@cisco.com> Mon, 17 July 2017 07:41 UTC

Return-Path: <elear@cisco.com>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 34A1A131A81 for <anima@ietfa.amsl.com>; Mon, 17 Jul 2017 00:41:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.522
X-Spam-Level:
X-Spam-Status: No, score=-14.522 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CiWTcAfRexbC for <anima@ietfa.amsl.com>; Mon, 17 Jul 2017 00:41:43 -0700 (PDT)
Received: from rcdn-iport-2.cisco.com (rcdn-iport-2.cisco.com [173.37.86.73]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C5ECD131945 for <anima@ietf.org>; Mon, 17 Jul 2017 00:41:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=5017; q=dns/txt; s=iport; t=1500277302; x=1501486902; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=KWQxxIpngaMD5/nsQsJljmhO+iZCEfJS7IcJvF5qxec=; b=ZS/1uvXX+Qay4kIqEDpPqChQDuR+3cYehf/xQ030VQQz55SRaKUw8hOR 8x6iYM4l3TYFuOWcnX87BFmnEeAsNSdP1/0MQLMOutU+ziH6ChwSC9IIP pMc/4w89Y77GzLqA9mf0h+vBQ75xGyvBneponIeBInDqF5A3o4nwExbyI s=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0CdAQB/aWxZ/5RdJa1cGQEBAQEBAQEBAQEBBwEBAQEBg0EIEWSBFI4LkV+QU4UxghEhC4FggzsCg3Y/GAECAQEBAQEBAWsohREHAQEBAQIBAQE4NAsFCwIBCA4EBh4QJwsXDgIEDgWFSQeEVwgQsH+LEwEBAQEBAQEBAQEBAQEBAQEBAQEBAR2DKINNgWErgnmEaoNDgjEFiF14iGGMfgKUFJIvlVYBHziBCnUVSRIBhwN2iQwBAQE
X-IronPort-AV: E=Sophos;i="5.40,374,1496102400"; d="scan'208";a="273876194"
Received: from rcdn-core-12.cisco.com ([173.37.93.148]) by rcdn-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 17 Jul 2017 07:41:41 +0000
Received: from XCH-ALN-002.cisco.com (xch-aln-002.cisco.com [173.36.7.12]) by rcdn-core-12.cisco.com (8.14.5/8.14.5) with ESMTP id v6H7ffss022432 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 17 Jul 2017 07:41:41 GMT
Received: from xch-aln-005.cisco.com (173.36.7.15) by XCH-ALN-002.cisco.com (173.36.7.12) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Mon, 17 Jul 2017 02:41:40 -0500
Received: from xch-aln-005.cisco.com ([173.36.7.15]) by XCH-ALN-005.cisco.com ([173.36.7.15]) with mapi id 15.00.1210.000; Mon, 17 Jul 2017 02:41:41 -0500
From: "Eliot Lear (elear)" <elear@cisco.com>
To: Toerless Eckert <tte@cs.fau.de>
CC: Eliot Lear <lear@cisco.com>, Michael Richardson <mcr+ietf@sandelman.ca>, Anima WG <anima@ietf.org>
Thread-Topic: [Anima] Is this how BRSKI/IPIP works?
Thread-Index: AQHS/sa3hXYPyKDfSk2Y9mtBFL5KYKJX6WoAgAAMW4D//6zvZw==
Date: Mon, 17 Jul 2017 07:41:40 +0000
Message-ID: <7B3FD2E7-D0B8-4F7F-A583-D125ECA2F70E@cisco.com>
References: <467b3a9b-6fe0-c01f-6165-18e6e290a28c@gmail.com> <14885.1499820271@dooku.sandelman.ca> <20170716182749.GC23525@faui40p.informatik.uni-erlangen.de> <23694.1500273241@dooku.sandelman.ca> <ac374936-2718-c737-e871-e9f97ea6f78a@cisco.com>, <20170717073859.GD23525@faui40p.informatik.uni-erlangen.de>
In-Reply-To: <20170717073859.GD23525@faui40p.informatik.uni-erlangen.de>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/0g5hSJc2TS0ARATciWjwaokty8M>
Subject: Re: [Anima] Is this how BRSKI/IPIP works?
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Jul 2017 07:41:47 -0000

Sure. Use normal unicast addresses (ULA or other) if available. 

Eliot

> On Jul 17, 2017, at 9:39 AM, Toerless Eckert <tte@cs.fau.de> wrote:
> 
> Can you propose a stateless proxy model that would not pass the link-local
> addresses on to the registrar and that uses Michaels beloved IPinIP encap ?
> 
> Alas i have fallen in love with UDP encap because i like to see more
> networking software now be build like any othrer application on top of
> UDP/TCP APIs and not mess around with OS kernel features, so all
> my answers would be "the proxy is an app that either statefully proxies TCP
> or stateless proxies UDP".
> 
> If you want to statelessly proxy TCP and on the registrar use some existing 
> TCP stack, then i would begrudgingly agree with Michael, that i also need some
> kerne level handling of the encap so that i get kernel level TCP.
> 
> I am still waiting for some better explanation from Michael about the
> "Linux kernel and overlapping TCP" to fully understand his proposal.
> 
> So, here is one proposal for IPinIP using the current -07 draft ULA addressing:
> 
> A) We assign one of the 8 (3 bit) "T"ype codes to "Subnet Identifier for Encap".
> 
> B) The proxy allocates a separate "Zone" number for every subnet. Zone = Subnet.
>    In result it now has for every subnet a separate ULA address for the IPinIP encap.
> 
> C) The registrar announces its ability to support IPinIP BRSKI via GRASP
> 
> D) Each ACP device need to use its ACP DeviceID also as the host-part of its
>    link-local address.
> 
> E) The proxy as part of its tunnel functionality also assigns itself the Registrar
>    link local address on every subnet. At least logically. Whether it really needs
>    to do this physcially is implementation specific.
> 
> F) The proxy announces via GRASP BRSKI-IPIP with the Registrar Link-Local address
>    (which it can do because according to E) it owns it on its subnets - GRASP
>     DULL does not permit third-party announcements, so E) is to make it legal for
>     the proxy to announce this in GRASP).
> 
> G) Any packets sent by pledges to the Registrar link-local address are IPinIP
>    encapsulated using the "Subnet Identifier for Encap" as the source IP address and
>    the Registrar ULA as the destination address.
> 
> H) The registrar can create a separate IPinIP tunnel per remote proxy, per-subnet-on-proxy.
>    It does not need further addresses.
> 
> Some more details might be needed, eg:
> - If a proxy has more than 2^13 interfaces it needs to dynamically allocate
>   subnet encap addresses.
> - A proxy might want to map different subnets to differen registrars for load balancing.
> 
> Cheers
>    Toerless
> 
>> On Mon, Jul 17, 2017 at 08:54:46AM +0200, Eliot Lear wrote:
>> On the other hand, maybe it's fundamental, but is relying on LL in this
>> architecture to go beyond LL boundaries the right thing to do?
>> 
>> 
>>> On 7/17/17 8:34 AM, Michael Richardson wrote:
>>> Toerless Eckert <tte@cs.fau.de> wrote:
>>>> I thought i had asked that question already but not sure, and not seen
>>>> an answer: - I have never seen that a device has more than one
>>>> link-local addr on an interface.  Is this permitted by IPv6 arck ? Can
>>>> you configure this in eg: Linux. I thought i tried on linux/cisco-ios
>>>> in the past and i do not quite remember, but i think it failed (only
>>>> one address).
>>> 
>>> dooku-[~](2.3.0) mcr 10879 %sudo ip -6 addr add fe80::1234/64 dev wlan0
>>> 
>>> dooku-[~](2.3.0) mcr 10788 %ifconfig wlan0
>>> wlan0     Link encap:Ethernet  HWaddr 08:11:96:01:81:e0
>>>          inet addr:31.133.129.16  Bcast:31.133.143.255  Mask:255.255.240.0
>>>          inet6 addr: fe80::1234/64 Scope:Link
>>>          inet6 addr: fe80::a11:96ff:fe01:81e0/64 Scope:Link
>>>          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>> 
>>> dooku-[~](2.3.0) mcr 10788 %ip -6 addr ls dev wlan0
>>> 3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
>>>    inet6 fe80::1234/64 scope link
>>>       valid_lft forever preferred_lft forever
>>>    inet6 fe80::a11:96ff:fe01:81e0/64 scope link
>>>       valid_lft forever preferred_lft forever
>>> 
>>> 
>>> --
>>> ]               Never tell me the odds!                 | ipv6 mesh networks [
>>> ]   Michael Richardson, Sandelman Software Works        | network architect  [
>>> ]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
>>> 
>>> 
>>> --
>>> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
>>> -= IPv6 IoT consulting =-
>>> 
>>> 
>>> 
>>> 
>>> 
>>> _______________________________________________
>>> Anima mailing list
>>> Anima@ietf.org
>>> https://www.ietf.org/mailman/listinfo/anima
>> 
> 
> 
> 
> 
> -- 
> ---
> tte@cs.fau.de

v2.23.0 | Report a Bug | By Email