Re: [Anima] review of grasp-08
Brian E Carpenter <brian.e.carpenter@gmail.com> Thu, 24 November 2016 21:35 UTC
Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 09E96129D6B for <anima@ietfa.amsl.com>; Thu, 24 Nov 2016 13:35:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kGKINLgAYXt5 for <anima@ietfa.amsl.com>; Thu, 24 Nov 2016 13:35:19 -0800 (PST)
Received: from mail-pg0-x229.google.com (mail-pg0-x229.google.com [IPv6:2607:f8b0:400e:c05::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 92184129D66 for <anima@ietf.org>; Thu, 24 Nov 2016 13:35:19 -0800 (PST)
Received: by mail-pg0-x229.google.com with SMTP id f188so21851591pgc.3 for <anima@ietf.org>; Thu, 24 Nov 2016 13:35:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:from:organization:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding; bh=9uIoau2of2bLFhwSuPo1oNXub13UixPHrQYXV75biOM=; b=zCrh3WVmTWyiI4jdG9w0+yKMEWQSyJmjHvix/zwcCfcN0cTB9IMiyDyh+bffBHWTrc OCEMi3My5Ov1hLwECUA/PL0oO/mIGzVr3OkpcqbzEUCzENoCaVVCSMi+GEXv+K60/mhZ JnTiXKmQ+thHk5JwJvVaFDQ46r270vNa3JeRVyS1++xdVQ57rUbYeWwtQJ5q9G5v/czK LgDRG/Aqx7f55R9JaZ4DVlbVad5ZGQTyV9gA5GZg6MiUyxmMTaRpduhr1ZFVfYZ8v313 HhU+Oo6cxF9tjoVAjX/FkOuVX1O5rLRxtAxXmyn6/1oPWxs+QGzDCBDdrddQQJqUhuen 6JEA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:from:organization :message-id:date:user-agent:mime-version:in-reply-to :content-transfer-encoding; bh=9uIoau2of2bLFhwSuPo1oNXub13UixPHrQYXV75biOM=; b=OmeG8CmsOJ/ZUhAPAgW6fAsGfs9RuaFzt63z6LMYr/d2hVlA6H/PhNPB8jhjTueV3P wUMXRK5mmSmkNzrzV4yBZQ/A7YdEyedMGPHC/Tpr8ZGk3rwNj52W8PESM/tj4EyH7elp cFyyykj7TwJtpAgkx/CRinbqeYa4zukCXXtTIThYl/hOtjqX47VYKu6cGvvv2Q4e4TeF gEgZ493iw/uY9O0fV+6kIfnCa3hEJMzV8cjYO9PfzmQLecdfM8Aw3oJWtU2X2MHlMiyS bTVU0hUKTJiulPel8O+F8IiHjmoxPawoczvJodF1fC0vNBXtHZS/8glgDtjxwq5bM+dR OULQ==
X-Gm-Message-State: AKaTC02dsp2TsqOavbrg3e3dd2CUCiFkYbWIlqXL27BGzAqr4XPtG+zVsyWVaciglGgLqA==
X-Received: by 10.99.168.10 with SMTP id o10mr7853848pgf.105.1480023318862; Thu, 24 Nov 2016 13:35:18 -0800 (PST)
Received: from [192.168.178.23] (133.22.255.123.dynamic.snap.net.nz. [123.255.22.133]) by smtp.gmail.com with ESMTPSA id w5sm62504010pfl.31.2016.11.24.13.35.16 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 24 Nov 2016 13:35:18 -0800 (PST)
To: Michael Richardson <mcr+ietf@sandelman.ca>, anima@ietf.org
References: <4565.1479941260@obiwan.sandelman.ca> <dee9e527-4e32-5abf-9b17-e6d96cc34f97@gmail.com> <10713.1480019847@obiwan.sandelman.ca>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
Message-ID: <dcd5711b-904d-fc6d-1f1d-5beba8d8816c@gmail.com>
Date: Fri, 25 Nov 2016 10:35:24 +1300
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.5.0
MIME-Version: 1.0
In-Reply-To: <10713.1480019847@obiwan.sandelman.ca>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/NLg2jtVyvk-tQ_ItJU-IyZ9J688>
Subject: Re: [Anima] review of grasp-08
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Nov 2016 21:35:21 -0000
Comments in line.. On 25/11/2016 09:37, Michael Richardson wrote: > > Brian E Carpenter <brian.e.carpenter@gmail.com> wrote: > > Thanks Michael, we will wait a few more days before rolling up all > > comments received. I am fine with most of your suggestions. A few > > things caught my eye: > > Cool. > > >> 3.5.4.4: QUERY re: The relayed discovery message MUST have the same > >> Session ID as the incoming discovery message and MUST be tagged with > >> the IP address of its original initiator (see Section 3.8.4). > >> > >> I thought we were adding something about Link Local addresses here? > > > What was the point there? (Clearly, discovered link-local addresses > > MUST NOT be sent on to another interface, is that it? But that affects > > the Discovery Response process, not the relay process. Must check my > > code, too...) > > I think that's the point. Should we even relay discovery messages from LL > origins? No. I definitely need to check this and add some words. > > >> 3.5.5: re: The details, including the distinction between dry run and > >> an actual configuration change, will be defined separately for each > >> type of negotiation objective. > >> > >> I would very much like it if dry-run/real-run request was > >> standardized. This would make external auditing/debugging (such as > >> via network sniffer) much easier to see. > > > Hmm. That needs some thought. I thought that the semantics of this was > > very hard to capture in a generic way. > > > (One way would be to add a new flag value, so that an objective could > > be labelled F_NEG for negotiation and F_NEG_DRY for dry-run > > negotiation. That has a great advantage - it could be retrofitted any > > time, and can be rejected with an M_INVALID by a node without dry-run > > capability.) > > I very much like this. It's low cost to add to the spec, and harmless if not used. I also think I like it, but what do other people think? > > >> 3.8.6, about: > >> > >>> If a node receives a Request message for an objective for which no > >>> ASA is currently listening, it MUST immediately close the relevant > >>> socket to indicate this to the initiator. > >> > >> if the time sequence is: initiator ----M_DISCOVERY---> responder > >> (GRASP core) (UDP) > ...> pass details to ASA > >> initiator<----M_RESPONSE----- ASA (TCP) > initiator-----M_REQ_NEG-----> ASA (same socket) > >> > >> then, according to above, why would an ASA have responded in the first > >> place if not be the right ASA? > > > This covers the case where the ASA crashes at the critical moment - > > without this provision (depending on implementation details) the socket > > would be left hanging. Also consider that discovery results can be > > cached, so there might be a real time gap between the M_RESPONSE and > > the M_REQ_NEG, giving more chance that the ASA crashes or even exits > > cleanly. > > So, are you saying that on some systems that the ASA could crash without > closing the socket that is opened for the M_RESPONSE? Yes - if the the actual listen() and accept() are in a separate thread started by the GRASP engine, whereas the listen_negotiate() call is in a thread started by the ASA. (I have a lot of threads and queues in my prototype, because Python makes this extremely easy...) > >> Can we please have an example for M_FLOOD? > >> > >> Is this valid: > >> > >> [M_FLOOD, 124567, fe80::1234, 27, [[O_IPv6_LOCATOR, fe80::1234, > >> IPPROTO_UDP, 500]], ["ACP", flags, 1, ["bootstrap-okay"]] > > > I think so, but I'll need to run it through my primitive validation > > chain... > > okay, I want to make sure that I understand it. > > >> Could an O_DIVERT occur in an M_FLOOD? > > > Not in the current syntax, and I'm not sure why we'd need it. > > I don't think we do, but I'm just asking random questions as to why not... > > >> Can we have more than one locator option? > > > No. That is a feature - if you embed multiple objectives in a single > > M_FLOOD, they are all associated with the same locator option. If > > that's a problem, now would be a good time to say so ;-). > > I think that we physically can, it's an object inside an array. > Could we have an IPv4 and an IPv6 address? Or a UDP and a TCP locator, or...? > > I'm thinking about how to construct the ACP neighbour awareness M_FLOOD such > that it can also carry the Proxy locator. I think it's probably not a > problem, as the locator can be the Proxy locator, and the ACP is implicitely > port-500 IKEv2, except that I'm reading the ACP document, and see that > actually there are many options for ACP security, but I haven't gotten that > far yet. Right. But to be very clear, at the moment the M_FLOOD syntax is flood-message = [M_FLOOD, session-id, initiator, ttl, (locator-option / []), +objective] but to associate a locator with each objective it would need to be flood-message = [M_FLOOD, session-id, initiator, ttl, +[(locator-option / []), objective]] That would be more powerful for the case you describe. Since the locator option could be a URI, it would suit EST quite well, wouldn't it? Rgds Brian
- [Anima] review of grasp-08 Michael Richardson
- Re: [Anima] review of grasp-08 Brian E Carpenter
- Re: [Anima] review of grasp-08 Michael Richardson
- Re: [Anima] review of grasp-08 Brian E Carpenter
- Re: [Anima] review of grasp-08 Michael Richardson
- Re: [Anima] review of grasp-08 Brian E Carpenter
- Re: [Anima] review of grasp-08 Michael Richardson
- [Anima] Discovered link-local addresses [was revi… Brian E Carpenter
- [Anima] example for M_FLOOD? [was review of grasp… Brian E Carpenter
- Re: [Anima] review of grasp-08 Brian E Carpenter