[Anima] Is this how BRSKI/IPIP works?
Brian E Carpenter <brian.e.carpenter@gmail.com> Thu, 06 July 2017 02:19 UTC
To: Anima WG <anima@ietf.org>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
Message-ID: <467b3a9b-6fe0-c01f-6165-18e6e290a28c@gmail.com>
Date: Thu, 06 Jul 2017 14:19:23 +1200
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/HzvJrAa3qy0F3PufBc36974Bq7g>

Hi BRSKI authors,

Is the following correct?

Topology (ASCII art):

                 ___________
                | REGISTRAR |
                |___________|
                      |Ar
                      |
                 ...........
                (    ACP    )
                (  routing  )
                (   cloud   )
                 ...........
                      |
                      |Ax
                 _____|_____
                |   PROXY   |
                |___________|
                  |Lx1    |Lx2
                  |       |
                  |       |
  -------LAN1---------   -------LAN2----------
      |                         |
      |Lp                       |Lp
  ____|____                  ___|_____
 | PLEDGE1 |                | PLEDGE2 |
 |_________|                |_________|

Assumptions:

Pledges have link-local address Lp. By chance, they are equal.
(Nothing in the standards prevents them from being equal. Even
pseudo-random numbers can be equal, so this case must work.)

Proxy has link-local addresses Lx1, Lx2 and ACP address Ax.
We can require that Lx1 != Lx2.

Registrar has ACP address Ar.

Packets for a UDP example:
(somewhat simplified IPv6 packets!)

Pledge sends to proxy
 [Lp, Lx1, 17, UDP-PAYLOAD1]

Proxy sends to Registrar
 [Ax, Ar, 41, [Lp, Lx1, 17, UDP-PAYLOAD1]]

Registrar replies to proxy
 [Ar, Ax, 41, [Lx1, Lp, 17, UDP-PAYLOAD2]]

Proxy replies to pledge
 [Lx1, Lp, 17, UDP-PAYLOAD2]

Note that the registrar echoes back the addresses Lp and Lx but
they mean nothing to it. The registrar simply borrows the proxy's
LL address Lx for the purpose of replying.

Note that even the 2uple {Ax, Lp} might not uniquely identify
the pledge. Since the proxy will have at least two interfaces,
the address Lp might exist on multiple LANs. However, the proxy
will have different link-local addresses on the two LANs, so
the 3uples
 {Ax, Lp, Lx1}
 {Ax, Lp, Lx2}
will be unique. Hence the registrar can distinguish the transactions.

So, what the registrar needs to tell the proxy is:
 I accept IP in IP on address Ar.
Nothing else - no port number, no link-local address.

What the proxy needs to tell the pledge is:
 I accept BRSKI/TCP or BRSKI/UDP on address Lx.
And if it chooses to use IPIP to contact the registrar, it
simply forwards the packets as-is in both directions, encapsulating
and decapsulating accordingly. The pledge knows nothing about IPIP.

Regards
   Brian
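
The exchange described in the message above, as an added example that is not part of the original message or of any BRSKI implementation: two pledges with the same link-local address Lp sit behind one proxy, and the registrar keys each transaction on {Ax, Lp, Lx}. All addresses, function names and payload bytes are constructed assumptions, and the inner payload is raw bytes rather than a full UDP datagram.

```python
import ipaddress
import struct

def ipv6(src, dst, next_header, payload):
    """Build a minimal IPv6 packet: 40-byte fixed header plus payload."""
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return (hdr + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + payload)

def parse(pkt):
    """Return (src, dst, next_header, payload) of a minimal IPv6 packet."""
    _, plen, nh, _ = struct.unpack("!IHBB", pkt[:8])
    src = str(ipaddress.IPv6Address(pkt[8:24]))
    dst = str(ipaddress.IPv6Address(pkt[24:40]))
    return src, dst, nh, pkt[40:40 + plen]

# Constructed sample addresses (assumptions, not taken from the thread).
LP, LX1, LX2 = "fe80::1", "fe80::a1", "fe80::a2"  # both pledges share Lp
AX, AR = "fd00::10", "fd00::1"                    # proxy / registrar ACP addresses

def proxy_encap(inner):
    """Proxy to registrar: wrap the pledge's packet as-is, next header 41."""
    return ipv6(AX, AR, 41, inner)

def registrar_handle(outer, sessions):
    """Key the transaction on {Ax, Lp, Lx}; reply with inner addresses swapped."""
    ax, ar, nh, inner = parse(outer)
    if nh != 41:
        raise ValueError("not IPv6-in-IPv6")
    lp, lx, inner_nh, data = parse(inner)
    key = (ax, lp, lx)
    sessions.setdefault(key, []).append(data)
    reply_inner = ipv6(lx, lp, inner_nh, b"reply-to-" + data)
    return key, ipv6(ar, ax, 41, reply_inner)

def proxy_decap(outer):
    """Registrar to proxy: strip the outer header; inner source Lx picks the LAN."""
    _, _, nh, inner = parse(outer)
    if nh != 41:
        raise ValueError("not IPv6-in-IPv6")
    return {LX1: "LAN1", LX2: "LAN2"}[parse(inner)[0]], inner

def demo():
    """Run one request/reply per pledge; return registrar state and deliveries."""
    sessions, out = {}, []
    for lx, data in ((LX1, b"pledge1"), (LX2, b"pledge2")):
        key, reply = registrar_handle(proxy_encap(ipv6(LP, lx, 17, data)), sessions)
        lan, inner = proxy_decap(reply)
        out.append((key, lan, parse(inner)[3]))
    return sessions, out
```
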