Re: [Anima] IPIP in draft-ietf-anima-bootstrapping-keyinfra-07

"Max Pritikin (pritikin)" <pritikin@cisco.com> Wed, 05 July 2017 14:43 UTC

From: "Max Pritikin (pritikin)" <pritikin@cisco.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>, Michael Richardson <mcr+ietf@sandelman.ca>
CC: Anima WG <anima@ietf.org>
Date: Wed, 05 Jul 2017 14:42:59 +0000
Message-ID: <F1654AE3-C0C5-4F4C-AD4D-53B30C87F57E@cisco.com>
References: <a933b9fc-bc89-f86d-c87a-ac6d5c453724@gmail.com>
In-Reply-To: <a933b9fc-bc89-f86d-c87a-ac6d5c453724@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/8zwG7ZCqAlccykCUSkxeVkzgR4Q>
Subject: Re: [Anima] IPIP in draft-ietf-anima-bootstrapping-keyinfra-07

Brian, I’m out for a couple of weeks but wanted to thank you for this note. 

Michael Richardson will likely have good comments but for now I’ve set a calendar event to catch up when I return and also have created a github issue to track this. 
	https://github.com/anima-wg/anima-bootstrap/issues/22

- max

> On Jul 3, 2017, at 11:32 PM, Brian E Carpenter <brian.e.carpenter@gmail.com> wrote:
> 
> Hi,
> 
> I am still trying to figure out what you really want to say in sections 3.1.1. Proxy Discovery Protocol Details and 3.1.2. Registrar Discovery Protocol Details.
> 
> 1. Why doesn't section 3.1.1 mention IP-in-IP (protocol 41)? Surely the pledge needs to know about it?
> 
> 2. The description is wrong anyway; see https://tools.ietf.org/html/draft-carpenter-anima-ani-objectives-02#section-2.3 for something that can work.
> 
> 3. In section 3.1.2, as I already pointed out, the proposal is really a misuse of the GRASP discovery response message. Not a problem, we simply replace it with a synchronization response; see https://tools.ietf.org/html/draft-carpenter-anima-ani-objectives-02#section-2.2. 
> But regardless of that, I am confused by the example locators:
>    locator1  = [O_IPv6_LOCATOR, fd45:1345::6789, 6,  443]
>    locator2  = [O_IPv6_LOCATOR, fd45:1345::6789, 17, 5683]
>    locator3  = [O_IPv6_LOCATOR, fe80::1234, 41, nil]
> 
> The first two are OK. The ports announced by the proxy to the pledges may be different. If the registrar sends  [O_IPv6_LOCATOR, fd45:1345::6789, 6,  443], the proxy might announce [O_IPv6_LOCATOR, fe80::4321, 6, 9999] - the proxy's link-local address and a different port chosen by the proxy.
> 
> But the third locator sent by the Registrar indicates a meaningless link-local address, because it could come from many hops away. At first I thought this was a confusion with the previous (proxy-to-pledge) case, where all addresses must be link-local. But no: this text is just confused, I think:
> 
>   A protocol of 41 indicates that packets may be IPIP proxy'ed.  In the
>   case of that IPIP proxying is used, then the provided link-local
>   address MUST be advertised on the local link using proxy neighbour
>   discovery.  The Join Proxy MAY limit forwarded traffic to the
>   protocol (6 and 17) and port numbers indicated by locator1 and
>   locator2.  The address to which the IPIP traffic should be sent is
>   the initiator address (an ACP address of the Registrar), not the
>   address given in the locator.
> 
> A link local address provided by the Registrar is completely invalid except on the relevant link connected directly to the Registrar. So it definitely must not be given to anybody off that link. At the moment I have no idea how the IP-in-IP is supposed to work. Appendix C doesn't help much. Apart from anything else, it mentions a non-existent GRASP message type. I can sort of see what you want to do, but it isn't a codable spec at the moment.
> 
> Maybe you can provide a complete example of the packet flow, where the pledge has link-local address Lp, the proxy has link-local address Lx and ACP address Ax, and the registrar has ACP address Ar. And to make my concern clear, the registrar has the link-local address Lp, by chance the same as the pledge, although on a different LAN.
> 
> Regards
>   Brian
> 
> _______________________________________________
> Anima mailing list
> Anima@ietf.org
> https://www.ietf.org/mailman/listinfo/anima
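A small model of the locator handling Brian is asking about, added here as an example; it is not code from the draft, from this thread or from any Anima implementation. The locator layout [O_IPv6_LOCATOR, address, protocol, port] and the sample addresses and ports are the ones in his message. The validation rules encode his two points: an address the Registrar sends over the ACP is only meaningful off-link if it is not link-local, and everything the proxy announces on the pledge's link must be link-local. The proxy's forwarding table, the port allocator and the decision to hold back a protocol-41 locator (for which the thread has no codable mapping) are assumptions made for the example.

```python
"""Model of GRASP locator validation and proxy rewriting for BRSKI discovery
(added example; the forwarding table and port allocation are assumptions)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

O_IPV6_LOCATOR = 103          # GRASP option number for O_IPv6_LOCATOR (RFC 8990)
IPPROTO_TCP, IPPROTO_UDP, IPPROTO_IPV6 = 6, 17, 41


@dataclass(frozen=True)
class Locator:
    address: ipaddress.IPv6Address
    protocol: int
    port: Optional[int]       # nil in the draft's protocol-41 example

    @classmethod
    def parse(cls, item: list) -> "Locator":
        """Accept the list form used in the draft's examples."""
        if len(item) != 4 or item[0] != O_IPV6_LOCATOR:
            raise ValueError(f"not an O_IPv6_LOCATOR: {item!r}")
        return cls(ipaddress.IPv6Address(item[1]), int(item[2]), item[3])

    def as_grasp(self) -> list:
        return [O_IPV6_LOCATOR, str(self.address), self.protocol, self.port]


def validate_registrar_locator(loc: Locator) -> List[str]:
    """Checks a proxy applies to a locator received from the Registrar over the
    ACP, i.e. from potentially many hops away. Empty list means acceptable."""
    problems = []
    if loc.address.is_link_local:
        problems.append("link-local address is meaningless off the Registrar's own link")
    if loc.protocol in (IPPROTO_TCP, IPPROTO_UDP):
        if loc.port is None or not 0 < loc.port < 65536:
            problems.append("TCP/UDP locator needs a port in 1..65535")
    elif loc.protocol == IPPROTO_IPV6:
        if loc.port is not None:
            problems.append("protocol 41 carries no port; expected nil")
    else:
        problems.append(f"unexpected protocol {loc.protocol}")
    return problems


def validate_proxy_locator(loc: Locator) -> List[str]:
    """Check a pledge applies to a locator heard on its own link."""
    return [] if loc.address.is_link_local else ["proxy-to-pledge locator must be link-local"]


class JoinProxy:
    """Rewrites Registrar locators into link-local announcements and records
    where each announced (protocol, port) is forwarded. Assumed structure."""

    def __init__(self, link_local: ipaddress.IPv6Address, first_port: int = 9999):
        self.link_local = link_local
        self._next_port = first_port
        # (protocol, proxy port) -> Registrar locator the traffic is forwarded to
        self.forwarding: Dict[Tuple[int, int], Locator] = {}

    def _allocate_port(self) -> int:
        port, self._next_port = self._next_port, self._next_port - 1
        return port

    def announce(self, registrar_locators: List[Locator]):
        announced, rejected = [], []
        for loc in registrar_locators:
            problems = validate_registrar_locator(loc)
            if not problems and loc.protocol not in (IPPROTO_TCP, IPPROTO_UDP):
                # The thread gives no codable rule for re-announcing an IPIP locator.
                problems = ["no defined proxy mapping for protocol 41; not announced"]
            if problems:
                rejected.append((loc, problems))
                continue
            port = self._allocate_port()
            self.forwarding[(loc.protocol, port)] = loc
            announced.append(Locator(self.link_local, loc.protocol, port))
        return announced, rejected


def run_example() -> dict:
    """Brian's three locators as received by a proxy whose link-local is fe80::4321."""
    registrar = [Locator.parse(item) for item in [
        [O_IPV6_LOCATOR, "fd45:1345::6789", IPPROTO_TCP, 443],
        [O_IPV6_LOCATOR, "fd45:1345::6789", IPPROTO_UDP, 5683],
        [O_IPV6_LOCATOR, "fe80::1234", IPPROTO_IPV6, None],
    ]]
    proxy = JoinProxy(ipaddress.IPv6Address("fe80::4321"))
    announced, rejected = proxy.announce(registrar)
    return {
        "announced": [a.as_grasp() for a in announced],
        "rejected": [(r.as_grasp(), why) for r, why in rejected],
        "forwarding": {k: v.as_grasp() for k, v in proxy.forwarding.items()},
        "pledge_ok": all(not validate_proxy_locator(a) for a in announced),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(run_example())
```

Running it shows the first two locators rewritten to the proxy's link-local address with proxy-chosen ports (443 to 9999, 5683 to 9998, matching the substitution Brian describes) and the third rejected because fe80::1234 is link-local and therefore meaningless on any link other than the Registrar's own.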