[conex] Review: draft-ietf-conex-destopt-06

Bob Briscoe <bob.briscoe@bt.com> Mon, 11 August 2014 23:26 UTC

Return-Path: <bob.briscoe@bt.com>
X-Original-To: conex@ietfa.amsl.com
Delivered-To: conex@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 2B0EF1A011B for <conex@ietfa.amsl.com>; Mon, 11 Aug 2014 16:26:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.269
X-Spam-Status: No, score=-3.269 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id WafsCJY-knrc for <conex@ietfa.amsl.com>; Mon, 11 Aug 2014 16:26:13 -0700 (PDT)
Received: from hubrelay-by-04.bt.com (hubrelay-by-04.bt.com []) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6B2D71A04E7 for <conex@ietf.org>; Mon, 11 Aug 2014 16:26:12 -0700 (PDT)
Received: from EVMHR71-UKRD.domain1.systemhost.net ( by EVMHR04-UKBR.bt.com ( with Microsoft SMTP Server (TLS) id 8.3.348.2; Tue, 12 Aug 2014 00:26:10 +0100
Received: from EPHR01-UKIP.domain1.systemhost.net ( by EVMHR71-UKRD.domain1.systemhost.net ( with Microsoft SMTP Server (TLS) id 8.3.348.2; Tue, 12 Aug 2014 00:26:10 +0100
Received: from bagheera.jungle.bt.co.uk ( by EPHR01-UKIP.domain1.systemhost.net ( with Microsoft SMTP Server id; Tue, 12 Aug 2014 00:26:09 +0100
Received: from BTP075694.jungle.bt.co.uk ([]) by bagheera.jungle.bt.co.uk (8.13.5/8.12.8) with ESMTP id s7BNQ6Gd022734; Tue, 12 Aug 2014 00:26:07 +0100
Message-ID: <201408112326.s7BNQ6Gd022734@bagheera.jungle.bt.co.uk>
X-Mailer: QUALCOMM Windows Eudora Version
Date: Tue, 12 Aug 2014 00:26:01 +0100
To: Suresh KRISHNAN <suresh.krishnan@ericsson.com>, Mirja KUEHLEWIND <mirja.kuehlewind@ikr.uni-stuttgart.de>, Carlos Ucendo <ralli@tid.es>
From: Bob Briscoe <bob.briscoe@bt.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-Scanned-By: MIMEDefang 2.56 on
Archived-At: http://mailarchive.ietf.org/arch/msg/conex/SpdCzewfeZNI6Szr5cMrEUTq0ME
Cc: ConEx IETF list <conex@ietf.org>
Subject: [conex] Review: draft-ietf-conex-destopt-06
X-BeenThere: conex@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Congestion Exposure working group discussion list <conex.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/conex>, <mailto:conex-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/conex/>
List-Post: <mailto:conex@ietf.org>
List-Help: <mailto:conex-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/conex>, <mailto:conex-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Aug 2014 23:26:16 -0000

Suresh, Mirja, Carlos,

As promised at the authors mtg in Toronto, I have reviewed 

At this late stage, I prefer to suggest text, not just criticise. But 
pls don't take this to mean I expect you to use my suggested text.

I had a lot of nits, so I thought it easiest to deal with these by 
annotating the draft (using MS Word, but also supplied as PDF output):

I have also included all my more substantial concerns in the above 
annotations - highlighted in yellow.

I've listed the major items here, as hooks if mailing list discussion 
is needed on any of them (but see the annotations for detail before 

My most controversial disagreement is around IPsec compatibility, 
which we ought to spin into a separate thread if you want to discuss/argue.

Most of the other additions are because conex-abstract-mech says a 
concrete protocol spec has to address specific aspects, which weren't 

* Added scoping in Intro (solely wire protocol; specific transport 
protocol specs will determine when specifically to set each marking, 
e.g. conex-tcp-modifications)

* Standards Track -> Experimental
* Added subsection of intro on experiment goals: criteria for success 
and duration


* Referred to abstract-mech for requirements, explained that it would 
be hard to satisfy them all, and explained which one wasn't satisfied 
(visibility in outer), referring to section on fast-path performance.


* For any text about ignoring invalid fields, explicitly said that 
intermediate nodes MUST NOT normalise. Also, specified to treat 
packets with invalid fields like a non-ConEx-capable packet.

* Specified precisely which IP header is included in the byte count.

* Suggested deleting example of Not-ConEx-capable packets (see 
separate thread to conex-tcp-modifications authors about TCP pure ACKs).


* CDO as first destination option: changed from MUST to SHOULD (with 
an example of when not to).

==Config & Management==

* Added section, mainly to say there is no config & mgmt (required by 

==IPsec compatibility==

* Suggested ConEx counts the AH header, and the outer tunnel mode 
header, with reasoning.

* Suggested the section is restructured because I believe the 
visibility problem is not related to tunnel mode, but only to ESP in 
tunnel mode.

* Added a para about the possibility of implementing a ConEx proxy 
(without breaking e2e authentication).


* Section added, to generalise from just IPsec to any IP-in-IP 
tunnelling (particularly relevant to mobile scenarios).

* Suggested optional copying of CDO to outer, but also a simpler 'Do 
not copy CDO' alternative.

==Security Considerations==

* Added lots, all pointers to where security issues are discussed in 
other places (which is what security directorate reviewers need).


* I think the act bits need to be 00 not 10 to avoid ConEx packets 
being dropped by non-ConEx nodes (including by non-ConEx receivers)? 
But I'm willing to be corrected.



Bob Briscoe,                                                  BT