IETF Logo Mail Archive

Re: [Anima] Is this how BRSKI/IPIP works?

Toerless Eckert <tte@cs.fau.de> Mon, 17 July 2017 07:39 UTC

Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DEF68131A63 for <anima@ietfa.amsl.com>; Mon, 17 Jul 2017 00:39:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WDh6pPTqRpqU for <anima@ietfa.amsl.com>; Mon, 17 Jul 2017 00:39:03 -0700 (PDT)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [131.188.34.40]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 911E6131945 for <anima@ietf.org>; Mon, 17 Jul 2017 00:39:03 -0700 (PDT)
Received: from faui40p.informatik.uni-erlangen.de (faui40p.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:77]) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTP id 7AEF758C4B5; Mon, 17 Jul 2017 09:38:59 +0200 (CEST)
Received: by faui40p.informatik.uni-erlangen.de (Postfix, from userid 10463) id 42A92B0C5E9; Mon, 17 Jul 2017 09:38:59 +0200 (CEST)
Date: Mon, 17 Jul 2017 09:38:59 +0200
From: Toerless Eckert <tte@cs.fau.de>
To: Eliot Lear <lear@cisco.com>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, Anima WG <anima@ietf.org>
Message-ID: <20170717073859.GD23525@faui40p.informatik.uni-erlangen.de>
References: <467b3a9b-6fe0-c01f-6165-18e6e290a28c@gmail.com> <14885.1499820271@dooku.sandelman.ca> <20170716182749.GC23525@faui40p.informatik.uni-erlangen.de> <23694.1500273241@dooku.sandelman.ca> <ac374936-2718-c737-e871-e9f97ea6f78a@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <ac374936-2718-c737-e871-e9f97ea6f78a@cisco.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/Wv8uO-HZNtSuhWxxpwRXqGU1P7o>
Subject: Re: [Anima] Is this how BRSKI/IPIP works?
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Jul 2017 07:39:06 -0000

Can you propose a stateless proxy model that would not pass the link-local
addresses on to the registrar and that uses Michaels beloved IPinIP encap ?

Alas i have fallen in love with UDP encap because i like to see more
networking software now be build like any othrer application on top of
UDP/TCP APIs and not mess around with OS kernel features, so all
my answers would be "the proxy is an app that either statefully proxies TCP
or stateless proxies UDP".

If you want to statelessly proxy TCP and on the registrar use some existing 
TCP stack, then i would begrudgingly agree with Michael, that i also need some
kerne level handling of the encap so that i get kernel level TCP.

I am still waiting for some better explanation from Michael about the
"Linux kernel and overlapping TCP" to fully understand his proposal.

So, here is one proposal for IPinIP using the current -07 draft ULA addressing:

 A) We assign one of the 8 (3 bit) "T"ype codes to "Subnet Identifier for Encap".

 B) The proxy allocates a separate "Zone" number for every subnet. Zone = Subnet.
    In result it now has for every subnet a separate ULA address for the IPinIP encap.

 C) The registrar announces its ability to support IPinIP BRSKI via GRASP

 D) Each ACP device need to use its ACP DeviceID also as the host-part of its
    link-local address.

 E) The proxy as part of its tunnel functionality also assigns itself the Registrar
    link local address on every subnet. At least logically. Whether it really needs
    to do this physcially is implementation specific.
 
 F) The proxy announces via GRASP BRSKI-IPIP with the Registrar Link-Local address
    (which it can do because according to E) it owns it on its subnets - GRASP
     DULL does not permit third-party announcements, so E) is to make it legal for
     the proxy to announce this in GRASP).
 
 G) Any packets sent by pledges to the Registrar link-local address are IPinIP
    encapsulated using the "Subnet Identifier for Encap" as the source IP address and
    the Registrar ULA as the destination address.
 
 H) The registrar can create a separate IPinIP tunnel per remote proxy, per-subnet-on-proxy.
    It does not need further addresses.

Some more details might be needed, eg:
 - If a proxy has more than 2^13 interfaces it needs to dynamically allocate
   subnet encap addresses.
 - A proxy might want to map different subnets to differen registrars for load balancing.

Cheers
    Toerless

On Mon, Jul 17, 2017 at 08:54:46AM +0200, Eliot Lear wrote:
> On the other hand, maybe it's fundamental, but is relying on LL in this
> architecture to go beyond LL boundaries the right thing to do?
> 
> 
> On 7/17/17 8:34 AM, Michael Richardson wrote:
> > Toerless Eckert <tte@cs.fau.de> wrote:
> >     > I thought i had asked that question already but not sure, and not seen
> >     > an answer: - I have never seen that a device has more than one
> >     > link-local addr on an interface.  Is this permitted by IPv6 arck ? Can
> >     > you configure this in eg: Linux. I thought i tried on linux/cisco-ios
> >     > in the past and i do not quite remember, but i think it failed (only
> >     > one address).
> >
> > dooku-[~](2.3.0) mcr 10879 %sudo ip -6 addr add fe80::1234/64 dev wlan0
> >
> > dooku-[~](2.3.0) mcr 10788 %ifconfig wlan0
> > wlan0     Link encap:Ethernet  HWaddr 08:11:96:01:81:e0
> >           inet addr:31.133.129.16  Bcast:31.133.143.255  Mask:255.255.240.0
> >           inet6 addr: fe80::1234/64 Scope:Link
> >           inet6 addr: fe80::a11:96ff:fe01:81e0/64 Scope:Link
> >           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >
> > dooku-[~](2.3.0) mcr 10788 %ip -6 addr ls dev wlan0
> > 3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
> >     inet6 fe80::1234/64 scope link
> >        valid_lft forever preferred_lft forever
> >     inet6 fe80::a11:96ff:fe01:81e0/64 scope link
> >        valid_lft forever preferred_lft forever
> >
> >
> > --
> > ]               Never tell me the odds!                 | ipv6 mesh networks [
> > ]   Michael Richardson, Sandelman Software Works        | network architect  [
> > ]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
> >
> >
> > --
> > Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
> >  -= IPv6 IoT consulting =-
> >
> >
> >
> >
> >
> > _______________________________________________
> > Anima mailing list
> > Anima@ietf.org
> > https://www.ietf.org/mailman/listinfo/anima
> 




-- 
---
tte@cs.fau.de

v2.14.0 | Report a Bug | By Email