IETF Logo Mail Archive

[Capwap] Please check my comments,thanks

shiyang 00338 <young@h3c.com> Sun, 24 January 2010 03:38 UTC

Return-Path: <capwap-bounces+capwap-archive=lists.ietf.org@frascone.com>
X-Original-To: ietfarch-capwap-archive@core3.amsl.com
Delivered-To: ietfarch-capwap-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 334C33A6358 for <ietfarch-capwap-archive@core3.amsl.com>; Sat, 23 Jan 2010 19:38:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 3.342
X-Spam-Level: ***
X-Spam-Status: No, score=3.342 tagged_above=-999 required=5 tests=[AWL=1.552, BAYES_50=0.001, CN_BODY_35=0.339, MIME_CHARSET_FARAWAY=2.45, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3kCqD5UUBHTd for <ietfarch-capwap-archive@core3.amsl.com>; Sat, 23 Jan 2010 19:38:20 -0800 (PST)
Received: from lists.tigertech.net (lists.tigertech.net [64.62.209.34]) by core3.amsl.com (Postfix) with ESMTP id 5B1353A69B2 for <capwap-archive@lists.ietf.org>; Sat, 23 Jan 2010 19:38:20 -0800 (PST)
Received: from zoidberg.tigertech.net (localhost [127.0.0.1]) by zoidberg.tigertech.net (Postfix) with ESMTP id 02A2AE18229 for <capwap-archive@lists.ietf.org>; Sat, 23 Jan 2010 19:38:21 -0800 (PST)
Received: from mx3.tigertech.net (morbo.tigertech.net [67.131.251.53]) by lists.tigertech.net (Postfix) with ESMTP id EFBCDE240F0 for <capwap@lists.tigertech.net>; Sat, 23 Jan 2010 19:38:14 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mx3.tigertech.net (Postfix) with ESMTP id C0AF41CD487 for <capwap@frascone.com>; Sat, 23 Jan 2010 19:38:14 -0800 (PST)
X-Virus-Scanned: Debian amavisd-new at morbo.tigertech.net
Received: from mx3.tigertech.net (localhost [127.0.0.1]) by mx3.tigertech.net (Postfix) with ESMTP id C05E51CD486 for <capwap@frascone.com>; Sat, 23 Jan 2010 19:38:13 -0800 (PST)
X-TigerTech-Content-Filter: Clean
X-TigerTech-Spam-Status: Level 0 (High) (P0); Whitelisted TTSSA (young@h3c.com whitelisted)
Received: from huawei-3com.com (unknown [60.191.123.50]) by mx3.tigertech.net (Postfix) with ESMTP for <capwap@frascone.com>; Sat, 23 Jan 2010 19:38:13 -0800 (PST)
Received: from huawei-3com.com (localhost [127.0.0.1]) by h3cml01-in.huawei-3com.com (iPlanet Messaging Server 5.2 HotFix 1.25 (built Mar 3 2004)) with ESMTP id <0KWQ007N6FFN1H@h3cml01-in.huawei-3com.com> for capwap@frascone.com; Sun, 24 Jan 2010 11:38:11 +0800 (CST)
Received: from huawei-3com.com ([172.25.15.135]) by h3cml01-in.huawei-3com.com (iPlanet Messaging Server 5.2 HotFix 1.25 (built Mar 3 2004)) with ESMTP id <0KWQ007J3FFMQU@h3cml01-in.huawei-3com.com> for capwap@frascone.com; Sun, 24 Jan 2010 11:38:11 +0800 (CST)
Received: from [172.25.15.126] (Forwarded-For: [221.221.241.225]) by h3cmc02-in.huawei-3com.com (mshttpd); Sun, 24 Jan 2010 11:38:10 +0800
Date: Sun, 24 Jan 2010 11:38:10 +0800
From: shiyang 00338 <young@h3c.com>
To: Pasi.Eronen@nokia.com
Message-id: <38fcf3389d19.389d1938fcf3@huawei-3com.com>
MIME-version: 1.0
X-Mailer: iPlanet Messenger Express 5.2 HotFix 1.25 (built Mar 3 2004)
Content-language: zh-CN
Content-disposition: inline
X-Accept-Language: zh-CN
Priority: normal
Cc: capwap-chairs@tools.ietf.org, capwap@frascone.com, yozhang@gmail.com, iesg@ietf.org, draft-ietf-capwap-base-mib@tools.ietf.org
Subject: [Capwap] Please check my comments,thanks
X-BeenThere: capwap@frascone.com
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: A list for CAPWAP technical discussions <capwap.frascone.com>
List-Post: <mailto:capwap@frascone.com>
X-Tigertech-Mailman-Hint: 636170776170
List-Subscribe: <http://lists.frascone.com/mailman/listinfo/capwap>, <mailto:capwap-request@frascone.com?subject=subscribe>
List-Unsubscribe: <http://lists.frascone.com/mailman/listinfo/capwap>, <mailto:capwap-request@frascone.com?subject=unsubscribe>
List-Archive: <http://lists.frascone.com/pipermail/capwap>
List-Help: <mailto:capwap-request@frascone.com?subject=help>
Content-Type: text/plain; charset="gb2312"
Content-Transfer-Encoding: base64
Errors-To: capwap-bounces+capwap-archive=lists.ietf.org@frascone.com

Hi, Pasi:

Thanks.
Please check my comments under "///".
BTW, I am (have to) using web mail 
which may cause the format looks ugly. 

Sorry.

Regards
Richard

young@h3c.com wrote:

>> - The MIB provides a writable object for switching between X.509 certs
>> and PSK authentication for DTLS.  Since the MIB can't actually
>> configure the PSK (or X.509 certificate and corresponding private key,
>> for that matter), is this object actually useful?

> [Richard] I think the configurations such as X.509 certificate
> belong to the configuration of DTLS protocol parameters, DTLS
> protocol should have (I don't know) a MIB corresponding to such
> function, I think such function is out of the scope of CAPWAP base
> MIB.  When operators do such function, he should operate DTLS' MIB.
> For this reason, Base MIB does not offer such interface.  The
> writable object in the Base MIB is only to let operator choose the
> DTLS Authentication policy from CAPWAP tunnel security
> perspective. This operation is from CAWPAP perspective, although
> this MIB object felt lonely in the Base MIB.

I'm still not sure the MIB object is useful. First of all, such DTLS
configuration MIB does not currently exist (and is not even
planned). Second, it hard-codes an assumption that all WTPs connected
to an AC use same type of authentication. The CAPWAP protocol itself
would allow some WTPs so use X.509 and others PSK, so if your AC
implementation supports this, it can't implement this MIB object.

BTW, the same limitation seems to apply to
e.g. capwapBaseDataChannelDTLSPolicyConfig, too -- if your AC supports
configuring DTLS for only some WTPs (perhaps those located in
physically less secure environments), it cannot implement this MIB
object.

If the WG feels this MIB object is anyway useful, at the very least it
should point out that many ACs may not be able to implement it.
////////////////////
[Richard]
Any way, the configuration of such authentication parameter should not be
in the scope of CAPWAP MIB (I explained it in the last email).
As per Pasi's comments, I agree to remove both  
capwapBaseControlChannelAuthenConfig and 
capwapBaseDataChannelDTLSPolicyConfig.

>> - It seems capwapBaseWtpState indicates the AC's CAPWAP FSM state
>> for each WTP, not the WTP's FSM? (which, at any single point of
>> time, be slighly different)
>
> [Richard]
> Yes, capwapBaseWtpState indicates the AC's CAPWAP FSM state for
> each WTP, not the WTP's FSM.  The capwapBaseWtpState is a MIB object
> on the AC.

OK; please clarify the description accordingly.
//////////
[Richard]
The description would be modified:
capwapBaseWtpStateTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF CapwapBaseWtpStateEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A table of objects that indicate the AC's CAPWAP FSM state
         for each WTP, and helps the operator to query the WTPs' current
         configuration."
    ::= { capwapBaseWtps 2 }

capwapBaseWtpStateEntry  OBJECT-TYPE
    SYNTAX      CapwapBaseWtpStateEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A set of objects that display the AC's CAPWAP FSM state
         for each WTP.
         Also, the operator could query the current configuration
         of a WTP by using the identifier of the corresponding
         WTP profile."
    INDEX { capwapBaseWtpStateWtpId }
    ::= { capwapBaseWtpStateTable 1 }

capwapBaseWtpStateEntry  OBJECT-TYPE
    SYNTAX      CapwapBaseWtpStateEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A set of objects that display the AC's CAPWAP FSM state
         for each WTP.
         Also, the operator could query the current configuration
         of a WTP by using the identifier of the corresponding
         WTP profile."
    INDEX { capwapBaseWtpStateWtpId }
    ::= { capwapBaseWtpStateTable 1 }
    
    capwapBaseWtpState  OBJECT-TYPE
    SYNTAX      INTEGER {
                  dtls(1),
                  join(2),
                  image(3),
                  configure(4),
                  dataCheck(5),
                  run(6),
                  reset(7),
                  dtlsTeardown(8),
                  unknown(9)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Represents the various possible the AC's CAPWAP FSM state
         for each WTP.
         The following enumerated values are supported:
           dtls(1)         - DTLS negotiation states, which include
                             DTLS setup, authorize, DTLS connect
           join(2)         - The WTP is joining with the AC
           image(3)        - The WTP is downloading software
           configure(4)    - The WTP is getting configuration from
                             the AC
           dataCheck(5)    - The AC is waiting for the Data Channel Keep
                             Alive Packet
           run(6)          - The WTP enters the running state
           reset(7)        - The AC transmits a reset request message
                             to the WTP
           dtlsTeardown(8) - DTLS session is tear down
           unknown(9)      - Operator already prepared configuration
                             for the WTP, while the WTP has not contact
                             with the AC till now"
    REFERENCE
        "Section 2.3.1. of CAPWAP Protocol Specification, RFC 5415."
    ::= { capwapBaseWtpStateEntry 5 }

The section 6 also needs change:
   4) capwapBaseWtpStateTable
   The WTPs status table is used to indicate the AC's CAPWAP FSM state
   for each WTP, and helps operator to query WTPs' current configuration.


> >- Section 9.1/9.2: it looks like these should be new CAPWAP Message
> >Element Types, not Vendor Specific Payloads? (and the current text
> >doesn't say what vendor ID would be used)
>
> [Richard] The Section 9.1/9.2 to let those CAPWAP variables
> manageable.  The messages are important.  Yes, the current text
> doesn't say what vendor ID would be used.  Could I put my company's
> ID (now it is H3C which belongs to 3com, would be HP soon since HP
> acquire 3com)? I don't know whether it is a acceptable way.  The
> vendor use their private ID could work, but not a good way.

This is not compatible with the way Vendor Specific Payloads are
defined in RFC 5415: unless the AC is from the same vendor (or
explicitly supports the other vendor's extensions), it cannot
know what Element ID value "1" means (or what the contents are).

Since these payloads are supposed to be work even when the AC and WTP
are from different vendors, they need to be normal message elements.
////////////////
[Richard]
What's CAPWAP WG opionion?

> > - Why is "dns" allowed as capwapBaseWtpStateWtpIpAddressType?  (the AC
> > obviously sees the IP address the WTP's connection comes from, but not
> > the DNS name?)
>
> [Richard]
> You are correct. "dns"?should be removed.

OK.

>> - capwapBaseWtpStateWtpIpAddressType: is this the IP address of the
>> WTP as seen by the AC, or as sent in the "CAPWAP Local IPv4/6
>> Address" message element?
>
> [Richard]
> In case that a MIB object of InetAddress type is defined,
> one more MIB object of InetAddressType type is required.
> For this reason, the capwapBaseWtpStateWtpIpAddressType is defined.

This does not answer my question: is this the address as seen by the
AC, or the address sent in the message element? (which will be
different if the WTP is behind a NAT)
//////////////////////////
[Richard]
Should be the address sent in the message element. I would
give confirm after checking RFC5415 more.

>> - A question: Did the WG consider including NAT-related information
>> CapwapBaseWtpStateEntry? For example, whether NAT was detected, and
>> what the other address (depending on the question above) was?
>> [Richard]
>
> Yes, CAPWAP has NAT Considerations. But other tunnel protocol
> (suppose GRE or any other example) may also have such function.  I
> think there should have a generic MIB interface (no matter it exists
> or not) Which would offer NAT-related information, while such
> function is not A part of CAPWAP MIB (or other similar tunnel
> protocol).

I disagree. The NAT traversal functionality here is a functionality of
the CAPWAP protocol, and probably cannot be managed by any generic
MIB.

However, the question I asked was whether this was discussed
in the WG. Chairs, you do recall?
////////////
[Richard] 
Yes, it is valid to have such NAT info. 
I do fully agree. The question in my mind is how to design MIB to support such function.
For MIB design, I alway try to keep the MIB file short and reuse any existing MIBs. My initial point is that may could have a generic MIB for NAT function. I am not sure and want to ask: Anyone could you tell me whether it could have? Thanks.
I am ok to add such MIB objects in the CAPWAP MIB, but I really want to give a good design without any unnessary redundancy.

> >- capwapBaseMacAclId: this seems to limit the number of ACL entries to
> >255 -- why? (although RFC 5415 doesn't support sending more than 255
> >ACL entries in a single "Add MAC ACL Entry" message element, the AC
> >could send more than one of those)
>
> [Richard] You are correct, it is not required to give a scope limit
> to the capwapBaseMacAclId. The editors misunderstood the value 255
> mentioned in the RFC5415.

OK. 
////////////////
[Richard]
the change would be:
capwapBaseMacAclId OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Represents the unique identifier of an ACL."
    ::= { capwapBaseMacAclEntry 1 }

>> - capwapBaseWtpProfileWtpStaticIpType: How would the "ipv4z" type
>> be used by the CAPWAP protocol? (it doesn't seem to use the zone
>> index in any way)
>
> [Richard] In fact, I am not sure. Dan, Could you confirm whether
> CAPWAP support it?

OK; looking forward to hearing the answer...

Best regards,
Pasi





----- 原邮件 -----
从: Pasi.Eronen@nokia.com
日期: 星期五, 一月 22日, 2010 下午10:18
主题: RE: comments to Pasi's opinion (draft-ietf-capwap-base-mib)

> young@h3c.com wrote:
> 
> >> - The MIB provides a writable object for switching between 
> X.509 certs
> >> and PSK authentication for DTLS.  Since the MIB can't actually
> >> configure the PSK (or X.509 certificate and corresponding 
> private key,
> >> for that matter), is this object actually useful?
> 
> > [Richard] I think the configurations such as X.509 certificate
> > belong to the configuration of DTLS protocol parameters, DTLS
> > protocol should have (I don't know) a MIB corresponding to such
> > function, I think such function is out of the scope of CAPWAP base
> > MIB.  When operators do such function, he should operate DTLS' MIB.
> > For this reason, Base MIB does not offer such interface.  The
> > writable object in the Base MIB is only to let operator choose the
> > DTLS Authentication policy from CAPWAP tunnel security
> > perspective. This operation is from CAWPAP perspective, although
> > this MIB object felt lonely in the Base MIB.
> 
> I'm still not sure the MIB object is useful. First of all, such DTLS
> configuration MIB does not currently exist (and is not even
> planned). Second, it hard-codes an assumption that all WTPs connected
> to an AC use same type of authentication. The CAPWAP protocol itself
> would allow some WTPs so use X.509 and others PSK, so if your AC
> implementation supports this, it can't implement this MIB object.
> 
> BTW, the same limitation seems to apply to
> e.g. capwapBaseDataChannelDTLSPolicyConfig, too -- if your AC supports
> configuring DTLS for only some WTPs (perhaps those located in
> physically less secure environments), it cannot implement this MIB
> object. 
> 
> If the WG feels this MIB object is anyway useful, at the very 
> least it
> should point out that many ACs may not be able to implement it.
> 
> >> - It seems capwapBaseWtpState indicates the AC's CAPWAP FSM state
> >> for each WTP, not the WTP's FSM? (which, at any single point of
> >> time, be slighly different)
> >
> > [Richard]
> > Yes, capwapBaseWtpState indicates the AC's CAPWAP FSM state for
> > each WTP, not the WTP's FSM.  The capwapBaseWtpState is a MIB object
> > on the AC.
> 
> OK; please clarify the description accordingly.
> 
> > >- Section 9.1/9.2: it looks like these should be new CAPWAP Message
> > >Element Types, not Vendor Specific Payloads? (and the current text
> > >doesn't say what vendor ID would be used)
> >
> > [Richard] The Section 9.1/9.2 to let those CAPWAP variables
> > manageable.  The messages are important.  Yes, the current text
> > doesn't say what vendor ID would be used.  Could I put my company's
> > ID (now it is H3C which belongs to 3com, would be HP soon since HP
> > acquire 3com)? I don't know whether it is a acceptable way.  The
> > vendor use their private ID could work, but not a good way.
> 
> This is not compatible with the way Vendor Specific Payloads are
> defined in RFC 5415: unless the AC is from the same vendor (or
> explicitly supports the other vendor's extensions), it cannot
> know what Element ID value "1" means (or what the contents are).
> 
> Since these payloads are supposed to be work even when the AC and WTP
> are from different vendors, they need to be normal message elements.
> 
> > > - Why is "dns" allowed as capwapBaseWtpStateWtpIpAddressType?  
> (the AC
> > > obviously sees the IP address the WTP's connection comes from, 
> but not
> > > the DNS name?)
> >
> > [Richard]
> > You are correct. "dns"?should be removed.
> 
> OK.
> 
> >> - capwapBaseWtpStateWtpIpAddressType: is this the IP address of the
> >> WTP as seen by the AC, or as sent in the "CAPWAP Local IPv4/6
> >> Address" message element?
> >
> > [Richard]
> > In case that a MIB object of InetAddress type is defined,
> > one more MIB object of InetAddressType type is required.
> > For this reason, the capwapBaseWtpStateWtpIpAddressType is defined.
> 
> This does not answer my question: is this the address as seen by the
> AC, or the address sent in the message element? (which will be
> different if the WTP is behind a NAT)
> 
> >> - A question: Did the WG consider including NAT-related information
> >> CapwapBaseWtpStateEntry? For example, whether NAT was detected, and
> >> what the other address (depending on the question above) was?
> >> [Richard]
> >
> > Yes, CAPWAP has NAT Considerations. But other tunnel protocol
> > (suppose GRE or any other example) may also have such function.  I
> > think there should have a generic MIB interface (no matter it exists
> > or not) Which would offer NAT-related information, while such
> > function is not A part of CAPWAP MIB (or other similar tunnel
> > protocol).
> 
> I disagree. The NAT traversal functionality here is a 
> functionality of
> the CAPWAP protocol, and probably cannot be managed by any generic
> MIB. 
> 
> However, the question I asked was whether this was discussed 
> in the WG. Chairs, you do recall?
> 
> > >- capwapBaseMacAclId: this seems to limit the number of ACL 
> entries to
> > >255 -- why? (although RFC 5415 doesn't support sending more 
> than 255
> > >ACL entries in a single "Add MAC ACL Entry" message element, 
> the AC
> > >could send more than one of those)
> >
> > [Richard] You are correct, it is not required to give a scope limit
> > to the capwapBaseMacAclId. The editors misunderstood the value 255
> > mentioned in the RFC5415.
> 
> OK.
> 
> >> - capwapBaseWtpProfileWtpStaticIpType: How would the "ipv4z" type
> >> be used by the CAPWAP protocol? (it doesn't seem to use the zone
> >> index in any way)
> >
> > [Richard] In fact, I am not sure. Dan, Could you confirm whether
> > CAPWAP support it?
> 
> OK; looking forward to hearing the answer...
> 
> Best regards,
> Pasi 
> 
> 

_________________________________________________________________
To unsubscribe or modify your subscription options, please visit:
http://lists.frascone.com/mailman/listinfo/capwap

Archives: http://lists.frascone.com/pipermail/capwap

v2.23.0 | Report a Bug | By Email